Nabil Hannan is the Field CISO (Chief Information Security Officer) at NetSPI. He leads the company’s advisory consulting practice, specializing in helping clients solve their cyber security assessment and threat and vulnerability management needs. His background is in building and improving effective software security initiatives, with deep expertise in the financial services sector.
NetSPI is a proactive security solution designed to find, prioritize, and remediate the most critical security vulnerabilities. It helps organizations protect what matters most to their business by enabling a proactive approach to cybersecurity with greater clarity, speed, and scale than ever before.
Can you share a bit about your journey in cybersecurity and what led you to join NetSPI?
I’ve been programming since I was seven years old. Technology has always excited me because I wanted to understand how things worked, which consequently led me to take a lot of things apart and learn how to put them back together at a young age.
While studying computer science in college, I started my career at Blackberry, where I worked as a product manager for the Blackberry Messenger Platform and became interested in hardware design. From there, I was recruited to join a small company in the application security domain – I was so excited about it that I was willing to move to a new country to get the job.
When I think about my journey in cybersecurity, it started from the bottom up. I started as an associate consultant doing penetration testing, code review, threat modeling, hardware testing, and whatever else my bosses threw my way. Eventually, I worked my way up to building a penetration testing service for Cigital, which later got acquired by Synopsys. All of this led me to NetSPI to help support its growth trajectory in the proactive security space.
How has your experience in the financial services sector shaped your approach to cybersecurity?
While working at Synopsys, I helped build the strategy for selling security services and products to the financial services industry. So, while I wasn’t directly working in financial services, I was responsible for building strategies for that sector, which required diving deep into that vertical to understand its drivers and pain points.
Growing up in the technology space, I spent quite a bit of time working with large financial services organizations across the globe. Having that background, I focused my time and skills on developing a strategy for targeting and building services tailored to the financial services industry as a whole.
The biggest thing I’ve learned from exposure to the financial services sector is that hackers go where the money is. Hackers are not in this just for fun; it’s their source of income. They go where there’s the most financial impact – whether it’s actually stealing money in some form or causing financial harm to an organization. That mindset has helped shape my understanding of cybersecurity and led me to be successful in my current role as a Field CISO.
With cyber threats evolving rapidly, what do you see as the biggest cybersecurity challenges organizations face today?
The biggest challenge today is the speed at which every organization must operate to combat evolving threats and keep pace with emerging technology, like AI. Historically, there was a waterfall methodology for building software, which wasn’t necessarily a fast process compared to how quickly software is deployed today. Now, we have a much more agile methodology, where organizations try to build software and release it to production as fast as possible and do more bite-sized implementations.
The last 10 years have shown rapid change and acceleration in the security ecosystem. This is causing many issues for large organizations, like shadow IT, making it harder to gain insight into their attack surface and assets. You can’t protect what you can’t see.
Cloud adoption adds to this fire – the more people adapt, adopt, and migrate to the cloud, the more elastic the software systems and assets become. The ability to scale software and hardware up and down in an elastic way makes change even harder to manage. As systems are built with elastic potential, you create challenges where assets change ownership more frequently and create opportunities for bad actors to find ways into an organization.
How do you think the cybersecurity landscape will change over the next five years?
The need for greater visibility into both external and internal assets will continue to be important over the next five years and will change how customers work with vendors. It’s already an area we’re heavily focused on at NetSPI. In June, we acquired a cyber asset attack surface management (CAASM) and cybersecurity posture management solution called Hubble Technology. Adding CAASM to our established external attack surface management (EASM) capabilities enables our customers to continuously discover new assets and risks, remediate security control blind spots, and gain a holistic view of their security posture by providing an accurate inventory of cyber assets, both external and internal – something that was missing in the industry up until this point.
Merging our EASM and CAASM capabilities into The NetSPI Platform allows us to provide customers with the tools they need to address ongoing visibility challenges. This also enhances the ability to accurately prioritize risks related to assets and vulnerabilities. Moreover, it helps security leaders assess the exposure of their most important assets in relation to those risks.
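The visibility problem described in the two answers above (shadow IT, assets changing owners, control blind spots, and the value of reconciling an external view with an internal inventory) can be made concrete with a small reconciliation. The following is an added example written for this page, not NetSPI’s or Hubble’s code and not The NetSPI Platform’s data model: it joins a constructed list of externally discovered hosts (the kind of thing an EASM scan produces) against a constructed internal inventory (the kind of thing a CAASM tool aggregates), reports the gaps, and ranks them so that an exposed, unowned, unmonitored host surfaces first. The asset names, the `REQUIRED_CONTROLS` set, the scoring weights, and the staleness threshold are all assumptions chosen for illustration.

```python
"""Added example: reconcile an external asset discovery list with an internal
inventory to surface the visibility gaps an attacker would otherwise exploit.
Not NetSPI code; all data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class InternalAsset:
    """One row of an internal inventory (CMDB / CAASM style)."""
    hostname: str
    owner: Optional[str]               # None models an asset whose owner was lost
    controls: set[str] = field(default_factory=set)  # deployed security controls
    last_seen: Optional[date] = None   # last time an inventory source saw it


@dataclass
class ExternalAsset:
    """One host an external discovery scan found reachable from the internet."""
    hostname: str
    ip: str
    open_ports: tuple[int, ...]


# Assumed baseline: every inventoried asset should have these controls.
REQUIRED_CONTROLS = {"edr", "vuln_scan"}


def reconcile(external, internal, today, stale_days=30):
    """Return the gaps between what is exposed and what the organization knows about."""
    by_name = {a.hostname.lower(): a for a in internal}
    report = {"unknown_external": [], "unowned": [], "control_gaps": [], "stale": []}
    # Exposed hosts nobody inventoried: the classic shadow-IT blind spot.
    for ext in external:
        if ext.hostname.lower() not in by_name:
            report["unknown_external"].append(ext.hostname)
    for a in internal:
        if not a.owner:                                  # ownership lost in churn
            report["unowned"].append(a.hostname)
        missing = REQUIRED_CONTROLS - a.controls         # security control blind spots
        if missing:
            report["control_gaps"].append((a.hostname, sorted(missing)))
        if a.last_seen is None or (today - a.last_seen).days > stale_days:
            report["stale"].append(a.hostname)           # inventory no longer trusted
    return report


def prioritize(external, internal, today, stale_days=30):
    """Rank findings: exposure plus missing controls plus no owner outranks everything."""
    report = reconcile(external, internal, today, stale_days)
    exposed = {e.hostname.lower() for e in external}
    gaps = dict(report["control_gaps"])
    findings = []
    for name in report["unknown_external"]:
        # Assumed weighting: an exposed host with no inventory record at all.
        findings.append((name, 6, ["exposed", "not in inventory"]))
    for a in internal:
        score, reasons = 0, []
        if a.hostname.lower() in exposed:
            score += 3; reasons.append("exposed")
        if a.hostname in gaps:
            score += 2; reasons.append("missing " + ",".join(gaps[a.hostname]))
        if a.hostname in report["unowned"]:
            score += 1; reasons.append("no owner")
        if a.hostname in report["stale"]:
            score += 1; reasons.append("stale")
        if score:
            findings.append((a.hostname, score, reasons))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


# Constructed sample data (not real hosts).
TODAY = date(2024, 7, 15)
INTERNAL = [
    InternalAsset("web-prod-01", "platform-team", {"edr", "vuln_scan"}, TODAY),
    InternalAsset("api-legacy", None, {"vuln_scan"}, date(2024, 5, 1)),
    InternalAsset("jump-box", "it-ops", set(), TODAY),
]
EXTERNAL = [
    ExternalAsset("web-prod-01", "198.51.100.10", (443,)),
    ExternalAsset("api-legacy", "198.51.100.11", (443, 8080)),
    ExternalAsset("dev-preview-7", "198.51.100.42", (22, 80)),
]

if __name__ == "__main__":
    for host, score, reasons in prioritize(EXTERNAL, INTERNAL, TODAY):
        print(f"{score:>2}  {host:<15} {'; '.join(reasons)}")
```

On the sample data, `api-legacy` ranks first: it is internet-facing, lacks EDR, has no owner, and has not been seen by any inventory source for over a month, which is exactly the combination of conditions the answers above describe. `dev-preview-7` ranks second because it is reachable from outside yet absent from the inventory entirely; in practice that finding usually needs a human to decide whether it is a forgotten test box or something never authorized.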
How does NetSPI’s approach to vulnerability management differ from other companies in the industry?
Recently, we unveiled a new unified proactive security platform, which marries our Penetration Testing as a Service (PTaaS), External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), and Breach and Attack Simulation (BAS) technologies together in a single solution. With The NetSPI Platform, customers can take a proactive approach to cybersecurity with more clarity, speed, and scale than ever before. This new proactive approach mirrors trends we’re seeing in the industry, and the shift away from disparate point solutions and toward the rapid adoption of more holistic, end-to-end platform services.
How is AI being used to enhance cybersecurity measures at NetSPI?
As any cybersecurity leader will tell you, AI has the potential to catalyze business success, but it also has the potential to feed adversarial attacks. At NetSPI, we’re trying to help our customers stay ahead of the curve by implementing AI/ML penetration testing models, which ensures security is considered from ideation to implementation by identifying, analyzing, and mitigating the risks related to adversarial attacks on ML systems, with an emphasis on LLMs. In cybersecurity, AI capabilities have enhanced and adapted our ability to monitor and remediate threats in real time.
What are the potential risks related to AI in cybersecurity, and how can they be mitigated?
Based on conversations I’m having with other cybersecurity leaders, the biggest AI risk is organizations’ lack of basic data and cybersecurity hygiene. As we all know, AI solutions are only as effective as the data the models are trained on. If organizations don’t have a firm grasp on data inventory and classification, then there is a risk that their models will suffer and be vulnerable to security gaps.
When people see the word “intelligence” in AI, they mistake it for being “inherently intelligent” or even having some sort of sentience. But that is not the case. Security practitioners still have to program AI models to make them understand what assets are personal, private, public, and so on. Without those mechanisms, AI can descend into chaos. That, in my view, is the biggest concern among CISOs right now.
Can you elaborate on how NetSPI’s Penetration Testing as a Service (PTaaS) helps organizations maintain robust security?
Penetration testing is critical to an organization’s overall cybersecurity posture because it gives teams greater context into vulnerabilities specific to their business.
Penetration testing is also a great litmus test to see how effective other security controls are, like code review, threat modeling, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and others that you may have implemented previously.
Regular penetration testing fosters real-time collaboration with security experts who can bring another perspective that adds more depth to data. At the end of a successful pentest, organizations will have better insight into which parts of their IT environment are more vulnerable to breaches. When a pentest detects vulnerabilities, they will often highlight gaps in controls earlier in the lifecycle or controls that are missing altogether. They’ll also understand how to achieve compliance, where to focus remediation efforts, and how IT and security teams can work together to stay on top of potential business implications.
By working with vendors that specialize in PTaaS to complement a strong security posture, organizations can be more prepared to proactively prevent security incidents.
How do you integrate both technology and human expertise to provide comprehensive security solutions?
NetSPI believes you need both technology and humans to provide a sound strategy to stay ahead of known and unknown threats. Humans must be in the loop to validate, prioritize, and contextualize the outputs that tools generate. We’re not in the business of giving people false positives or generating noise, leading them to spend more time figuring out what really matters. In other words, you can have great technology, but you need someone to actually use it and interpret it to be successful.
There are a lot of mundane tasks that AI can do faster and more accurately than humans. If technology can be built in a trustworthy manner, then that would allow us to automate certain tasks and free up time for security teams to turn their attention to more creative thinking and critical problem-solving that AI simply can’t replace.
What strategic advice do you typically offer clients to strengthen their cybersecurity posture?
A common trap people fall into is investing in things they understand. For example, an organization may bring in a leader with a cloud security background. Naturally, they then focus on building out a cloud security team, instead of, say, compliance, network security, application security, and so on, where the organization might really need the support.
It’s better to have a more well-rounded program that focuses on everything holistically. Then, you start building defense in depth and have controls that mitigate other failures you might have in different parts of the organization. Building a well-rounded program is better than investing more time, effort, and tooling into one particular sector.