For the newest instalment in our series of interviews asking leading technology specialists about their achievements in their field, we’ve welcomed the CEO of Curricula, Nick Santora.
Tell us about the business you represent: what are its vision and goals?
At Curricula our mission is to make security awareness training fun for everyone. What I mean by that is removing the classic 'death by PowerPoint' experience surrounding typical corporate training and embracing a more relatable and fun approach to employee training.
Our vision is to lift the bar across the information security industry on how to build a more positive security culture inside of organisations.
What inspires and energises you within your work?
What inspires me is hearing stories directly from our customers' employees about how we saved them from a cyber attack. We frequently receive thank-you letters from our customers about how we changed the way their employees think about security.
We are also inspired by people recognising all the details we put into our training to make our content resonate, because it actually is fun. There are a lot of tech companies claiming they're here to 'save the world', and we're actually doing our part to make the world a little bit better.
Can you share a little bit about yourself and how you got into cybersecurity?
I started getting into security when I was 11 years old building websites for small businesses with my best friend and Curricula's CTO and co-founder, Joe Rucci. Then when I got to high school, I was in the Cisco academy my junior year and started collecting IT and security certifications and was really interested in the subject. From that moment in high school, I could already tell there were ways for bad actors to bend the rules or manipulate systems to get what they wanted.
That was the bridge that led me to major in Computer Information Systems at Rider University. I even worked for the campus Office of Information Technology, which handled everything related to IT and security on campus. When I graduated, I landed a job at the North American Electric Reliability Corporation (NERC), headquartered in Princeton, N.J., while I pursued my MBA. This is what jump-started my career in cybersecurity.
Can you tell us about how you earned both CISA and CISSP certifications before the age of thirty?
While I was at NERC, I wore a lot of hats, just like every IT professional. I was inspired by NERC's chief security officer, Mike Assante, who was so approachable when it came to talking about security. Mark Weatherford came in as the next chief security officer of NERC, and I asked him how I could do more on the cybersecurity side for the organisation.
Mark said to go and get my CISSP and start interacting more with his team. So I went on the journey to achieve my CISSP, which I earned when I was 26, as well as my CISA, because then I could become an expert as both an auditor and an advisor. Then I was officially out in the field auditing critical infrastructure (CIP compliance for utilities) and on this career path, all because someone gave me a chance.
The surge in working from home has created concerns for cybersecurity professionals and exposed businesses to many threats. What preventive measures would you recommend a business takes to fill those gaps?
Communication has become really difficult for organisations that weren't prepared for remote work, and it still is for everyone. Communicating cybersecurity best practices was even more difficult. As a preventative measure, we recommend businesses take a proactive approach to security awareness for all their employees, whether they've returned to the office or not.
What we're advocating for is not just saying 'we've checked the box for training'; it's actually caring about the quality and effectiveness of the cyber education you're providing employees. We know phishing is a huge attack vector, so providing phishing simulation training and education is one of the only ways we'll be able to solve the problem of human error leading to a data breach or costly ransomware. And security awareness training needs to be continuous: not just an annual training, but ongoing, to make sure security is always top of mind.
What advice would you give to someone wishing to start their career in cybersecurity?
First, know that no one is going to do anything for you unless you make the 'ask'. Cybersecurity is a very broad discipline that involves many variations of career paths.
I recommend that you explore all of these areas at a surface level, such as networking, coding, advising, auditing, patching and training, starting with something simple like teaching someone how to set up multi-factor authentication. The goal is to have a broad knowledge of all of these concepts in order to understand which one you want to focus on.
What are some misconceptions that you believe businesses have about cybersecurity?
Number one is that business leaders think becoming compliant means they're secure. Just because you've achieved compliance doesn't mean you're secure. It's a good start, but it doesn't solve the security equation. The other misconception is that you have to do everything all at once. You can't boil the ocean, especially when it comes to cybersecurity. The last is that it's too expensive to be secure.
Tools are available to help you tackle the problems that organisations experience. Simple things like turning on multi-factor authentication, using a password manager (vault) for employees' accounts, and implementing a security awareness training program (like Curricula: we're free to get started) are cost-effective ways to build towards better security for the best ROI.
Does your organisation use log and metrics data to improve and secure your systems?
Logs are important for two reasons. One, proactively finding potential vulnerabilities through data collection and pattern analysis. These can be things like remote access trojans, unusual network activity, or suspicious files on your network.
Two, logs are good for reactive measures, such as immediate alerts that something might be compromised and needs attention, like a server error, to notify your team that something needs to be investigated.
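The two uses of log data described in the answer above, as an added Python example (this is not Curricula's code and was not part of the interview). It runs over a constructed log stream mixing firewall connection records and web-server request records. The proactive check looks for "beaconing": one internal host reaching the same external address at a near-constant interval, the pattern a remote access trojan's command-and-control check-in typically leaves behind. The reactive check raises an immediate alert on any server error. The log format, the field names, the thresholds and every sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not real logs): firewall "conn" records and
# web-server request records in one stream, in an assumed format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 fw conn src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:00:03 fw conn src=10.0.0.9 dst=198.51.100.20 dport=443
2024-05-01T10:01:00 fw conn src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:01:10 web GET /login status=200
2024-05-01T10:02:00 fw conn src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:02:45 fw conn src=10.0.0.9 dst=198.51.100.20 dport=443
2024-05-01T10:03:00 fw conn src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:03:20 web POST /api/orders status=500
2024-05-01T10:04:00 fw conn src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:09:12 fw conn src=10.0.0.9 dst=198.51.100.20 dport=443
"""

CONN_RE = re.compile(r"^(\S+) fw conn src=(\S+) dst=(\S+) dport=(\d+)$")
WEB_RE = re.compile(r"^(\S+) web (\S+) (\S+) status=(\d+)$")


def parse(lines):
    """Turn raw log lines into event dicts; lines in neither format are skipped."""
    for line in lines:
        line = line.strip()
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            yield {"ts": datetime.fromisoformat(ts), "kind": "conn",
                   "src": src, "dst": dst, "dport": int(dport)}
            continue
        m = WEB_RE.match(line)
        if m:
            ts, method, path, status = m.groups()
            yield {"ts": datetime.fromisoformat(ts), "kind": "web",
                   "method": method, "path": path, "status": int(status)}


def find_beacons(events, min_hits=4, max_jitter=0.15):
    """Proactive hunt: (src, dst) pairs whose connection intervals are nearly
    constant. jitter = stdev(gaps) / mean(gaps); a human browsing produces
    irregular gaps, a scheduled check-in does not. Thresholds are assumed."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "conn":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "period_s": avg, "jitter": round(jitter, 3)})
    return findings


def reactive_alerts(events):
    """Reactive check: every server-side error is an immediate alert."""
    return [f"{e['ts'].isoformat()} server error {e['status']} on {e['method']} {e['path']}"
            for e in events if e["kind"] == "web" and e["status"] >= 500]


def analyse(text):
    events = list(parse(text.splitlines()))
    return {"beacons": find_beacons(events), "alerts": reactive_alerts(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for b in result["beacons"]:
        print(f"BEACON {b['src']} -> {b['dst']}: {b['count']} hits every {b['period_s']:.0f}s (jitter {b['jitter']})")
    for a in result["alerts"]:
        print("ALERT", a)
```

On the sample stream, 10.0.0.5 is flagged for five connections to 203.0.113.7 exactly sixty seconds apart, while 10.0.0.9 is not (only three irregular connections), and the single HTTP 500 produces one alert. In practice the beacon check runs as a scheduled job over a day of firewall or proxy logs, while the error alert is wired to the live pipeline so it fires as the line arrives.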
Are there any books, blogs, or other resources that you highly recommend?
There's an excellent book by Nicole Perlroth, "This Is How They Tell Me The World Ends" and Nicole just joined CISA after working as the lead cybersecurity reporter for the New York Times for years.
We have tons of resources from Curricula for security awareness education content, including our blog and free training on our website.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
Businesses will continue to have extraordinary difficulty finding cybersecurity talent and retaining those infosec employees, especially small businesses and growing startups. There is still not enough talent in the field to fill all of those open roles. We're seeing a shift to more automation and external consultants to achieve compliance and security.