Jon Mendoza, CISO for Technologent, was interviewed for Authority Magazine about how companies can optimize their approach to data privacy and cybersecurity. Jon explores various aspects of today's security landscape, including the shift in perspective required to tackle modern cybersecurity threats.
Read through the full interview here: https://medium.com/authority-magazine/jon-mendoza-of-technologent-5-things-you-need-to-know-to-optimize-your-companys-approach-to-data-da8203d4c505
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born in the Philippines and came to the United States when I was 12 years old. As far back as I can remember, I liked to disassemble toys and devices in hopes of learning how they worked and functioned. My interests when I was growing up were like other boys of my age at the time: video games and computers. When I was in high school, I made side money by building PC clones for my friends. I liked ordering mail order computer parts (prior to the advent of eCommerce) and assembling them, selling the PCs that I built. I also dabbled in computer programming (Basic and Visual Basic) and was active in the BBS world.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
There was not one notable event to which I can attribute my decision to pursue cybersecurity. I guess due to the nature of my profession, it came naturally. I began my career in the IT world as a systems administrator and as an instructor teaching students Microsoft Windows NT server and Cisco technologies. I acquired my first CCIE certification in 2001 and started to work for an internet service provider. While working there, I saw the promise and future of the internet as well as the negative ramifications of its open and anonymous nature. I experienced the disruptive effects of the Nimda virus and the Code Red worm to massive DDoS attacks that severely disrupted our customers.
Can you share the most interesting story that happened to you since you began this fascinating career?
I was working for another internet service provider in the mid-2000s and was approached by a law enforcement agency. I remember that day when I received a call and request for wiretaps. The case involved a subscriber who made threats to a politician and the law enforcement agency wanted to monitor their electronic communication. Another similar event happened when another law enforcement agency requested assistance with another subscriber who was running a counterfeit ring. I assisted in the gathering of intelligence and evidence.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There have been many great influences in my personal and professional life but none that stands out more than Technologent’s current CEO, Marco Mohajer. He has been instrumental in my development and influence as a leader and has supported my personal and professional growth. When I first started with my company, I possessed a very technical background but was quite unpolished in my abilities as a leader and communicator. Marco empowered me to develop my leadership skills as well as strive to become a better communicator and speaker. He also showed me that one can be an effective leader but also demonstrate compassion and care. There are many qualities that Marco possesses but the one that I admire most is his desire to be a better, more caring person. Marco taught me that work and your professional life shouldn’t define you as a person. Instead, one should define their work and career by the principles that they live by.
Are you working on any exciting new projects now? How do you think that will help people?
At any given moment, we have multiple customer and internal projects. The more exciting projects that I am involved with center around application and API security, cloud security, helping our customers prepare for their CMMC audits and maturing the information security programs.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Love what you do and do what you love. I have seen that the most successful people in this field are truly passionate about their domain. There are many who are in this profession simply because it is of convenience or necessity. The fortunate ones are the individuals who have a passion and desire to be better and to gain new knowledge.
Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
This domain is exciting for me because it is constantly evolving and dynamic. The threat actors and their methods, techniques, and approach are innovative, and one must keep up. We simply can’t rely on legacy mindset and the status quo. For the cyber security professional this means that to be effective and relevant, one must strive to understand the threats and vulnerabilities as well as the people, processes, and technologies.
There are things on the horizon that I believe will cause a major shift and change in how we approach cyber security. First, I believe that the problems we face today in this domain have solutions in the future, particularly in Artificial Intelligence. Not narrow AI or pseudo-AI, but AI that is truly learning and adapting. I believe the domain of artificial intelligence will cause a race condition between the attackers and defenders. This will result in the escalation of the cat and mouse games that we play. Second, the emergence of deep fake will have profound ramifications in how we consume information and how we view the integrity of the information. Third, the duality and dichotomy of our desire to maintain our privacy versus the global nature of how we transact will reach a critical point in the not-so-distant future.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Attackers will and already are attacking the data itself and not so focused on the infrastructure that houses the data. Along with this threat, maintaining the confidentiality, integrity, and availability of the data will be paramount as more and more regulations around privacy emerge. Consumers will hold organizations and corporations accountable for the data they collect and transact.
Business email compromise campaigns will become more elaborate and credible. Attacking the weakest link will never go out of style and the threat actor’s methodology will continue to improve and raise their effectiveness.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
My team is often called upon to respond to an incident. There was a particular time that was memorable when a new client called asking for help as they were in the midst of a ransomware event. I got on a bridge/Zoom meeting, and we provided guidance over the phone. The net result was that the actions that we took in the early phase of the attack saved the organization from an extended downtime. Contrast that with another new customer who called us for help in recovery and we were joining the fight towards the latter phase. That customer was down for a significant amount of time as our involvement was hampered and limited. The key takeaway from our experience is that during an event, there needs to be a strategy and a leader executing that strategy. The fog of war can cause processes to fail and teams to act in disarray. Incident preparation and “fire drills” are highly recommended.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Tools that we use on a regular basis are SIEM reports, cloud posture reports, firewall and IDS/IPS logs. I like using Wireshark on a regular basis to stay sharp and see networks at a microscopic level as well as working with open-source tools such as Zeek, as a reliable monitor of suspicious or malicious network security.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency or hire their own Chief Information Security Officer?
Cybersecurity and protecting our resources are everyone’s responsibility. Organizations need to stop thinking that their cybersecurity posture starts and ends with the cyberteam. Raising security awareness from the part-time, seasonal worker all the way to the board member is critically important and often neglected. When an organization adequately trains their user population in a continuous manner, this strategy becomes a force multiplier for the organization. Implementing proactive measures such as regular social engineering drills, ransomware tabletop exercises, and regular DR/BCP exercises goes a long way in helping organizations improve their security posture. Contracting with a competent security firm is always a good idea and many of these firms offer virtual CISO services.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be “amiss”?
Some telltale signs to look for:
- Unwanted browser toolbars or add-ons
- Internet searches redirected
- Frequent, random pop-ups
- Passwords not working
- Logs in timelines don’t match up; you can see gaps
- Your email and credentials show up on the dark web (monitoring services such as SpyCloud provide services that help with this)
- Anomalous network traffic
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The most important thing to understand post-breach is the scale and scope of the event, the impact to your business, partners, and customers, and which security controls were circumvented or did not exist, facilitating the breach. Understanding the posture of your security program and areas where you need to prioritize improvements is critical.
It has affected our business in a positive way as it elevated the conversation with our customers from simply a technical conversation to a business conversation. Organizations need to understand that Cybersecurity is not a function relegated to just the cyber security teams. It is the responsibility of everyone, and it can potentially have a drastic impact on your business.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Most organizations cannot account for where their sensitive data is stored and transacted, who owns and manages the data, and with whom it is shared. They are unable to tell how much sensitive data they are responsible for and cannot account for how much risk is associated with that data.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
We have seen significant activity in breaches and hacks, particularly ransomware. The evolution of ransomware is that the threat actors have become very sophisticated. Encrypting the workload is secondary to the goal of actually exfiltrating sensitive data from an organization.
Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Understand how your organization creates, stores, communicates, archives, and destroys information. Identify, categorize, and enact policies and security controls to protect the confidentiality, integrity, and availability of data. This is applicable to physical and digital assets also.
- Develop a security program that supports your organization’s business goals. Have an outcome-based approach that considers threats and risks. The goal should be reducing risks to the organization without getting in the way of the business.
- Focus on training the user population to safeguard your data and recognize social engineering attacks. Cybersecurity is everyone’s responsibility, and everyone should be trained on a regular basis. Don’t forget about the people and processes. Empower your users!
- Conduct regular cyber drills (tabletop, phishing exercises) to test your users, teams, stakeholders, executives, and even board members. These mock emails can test all users’ reactions and sense of security when they least expect it.
- Get help! You are not alone and should not operate in a vacuum.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective, and something everyone can do!)
I want everyone to know and understand that cyber security is everyone’s business. It does not just impact large enterprise organizations. It affects people and their lives. In our connected world, breaches and hacks have far-reaching implications and impact.
How can our readers further follow your work online?
You can see our cyber security-related posts on blog.technologent.com or follow me on Twitter @point1.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!