For our next specialist interview in our series speaking to technology and IT leaders around the world, we’ve welcomed Abhay Bhargav to share his thoughts on the topic of cybersecurity.
Tell us about the business you represent, what is their vision & goals?
Our business is called AppSecEngineer. We are a hands-on learning platform for Application Security, Cloud Security and more. Our vision is to end the security skills shortage by making world-class hands-on technical security skills available to all.
What inspires and energises you within your work?
I have been a trainer in this space for several years now. Every time a student writes to me or tells me that they were able to apply something that I had taught immediately to their work and get great results, it energizes and inspires me. I love that feeling and it pushes me to do better.
Can you share a little bit about yourself and how you got into cybersecurity?
As a kid, I loved working with computers and networking. But for some reason, I studied commerce and wrote and passed the CPA exam in the US. As soon as I finished that, I realized I wanted nothing to do with finance and decided to get into an area that was at the crossroads of IT and "Audit/Assessment", and that happened to be Cyber Security.
What advice would you give to someone wishing to start their career in cybersecurity?
Cybersecurity, although it sounds strange, is still in its infancy. There's a lot of growth and exploration to be done here. Having a curious mind and a relentless mindset is a great asset. Understanding how things work in depth is extremely important before you try to secure or attack them. So focus on learning things deeply.
Can you give an example of security issues at your jobs, and how you and your team fixed them?
One of the most common issues that companies have is training their developers to write secure code. Our team has trained thousands of developers to write secure code. We've done this by first explaining how a particular vulnerability works, showcasing its impact (and it's often devastating) and then showing them how to fix or mitigate it.
We've found that over 90% of the developers who have gone through this training approach have started thinking about or using more secure patterns when they write code subsequently.
Does your organisation use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
Our training platform is used by thousands of people all over the world. We use logs quite extensively. Logs from our application are processed and enriched by our data warehouse for insights on usage patterns, possible security exceptions and more.
What are common weaknesses in IT security strategies that companies often overlook?
- Security awareness for developers
- Not upskilling their existing security team
- Not investing in skilling up other members of their team on security
What are your thoughts on companies looking to prepare for CMMC compliance?
Regardless of compliance, the first thing companies need to do is to perform a Risk Assessment and a Threat Model. These two activities are the bedrock and an essential prerequisite for any compliance requirement, and they make further compliance validation or verification much easier to do.
What is your take on the Log4Shell incident?
Log4Shell is one of the many such issues that keep happening in our industry. We rely extensively on open-source code, but we hardly spend any time trying to review it for security issues or invest any time or energy in helping the maintainers with security until a catastrophic incident like this happens. We need to have more robust approaches to supply-chain security through open-source contribution.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
The security skills shortage is here to stay. It's likely to get worse because the pace of technology is far outpacing the pace at which security skills become available. Organizations need to address this in a meaningful way, or they will find it extremely hard to stay on top of their many IT and IT security initiatives.