Arvind Parthasarathi of CYGNVS On 5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity

Develop a plan: The worst time to put together a plan is in the moment when it’s needed most. Create a cyber response plan that is readily accessible, concise and easy to navigate during a crisis. Long and complex documents will only add to the confusion and chaos of a data breach. The plan must include clear action items, including the roles and responsibilities of team members involved.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity”, I had the pleasure of interviewing Arvind Parthasarathi.

Arvind Parthasarathi is the Founder and CEO of CYGNVS Inc. He is dedicated to helping organizations reduce their cyber risk. He founded CYGNVS, which recently emerged from stealth with a first-of-its-kind guided cyber crisis platform for cyber crisis preparedness and response management, backed by $55M in funding led by Andreessen Horowitz. The CYGNVS platform enables companies to be connected, confident, in control and compliant during a cyber crisis. Previously, Arvind was the Founder/Director of Cyber Crossroads, a not-for-profit collaborative of researchers from nine universities globally defining a cybersecurity standard of care. He was also the Founder/CEO of Cyence (now merged with NYSE: GWRE), which created a cyber risk analytics platform to quantify the financial impact of cybersecurity risks. Before that, he was President/CEO of YarcData (now merged with NYSE: HPE), which created a platform for cyber data discovery. He serves on the technical advisory council of the Allen Institute of Brain Sciences and on the board of trustees of the Center for Excellence in Education.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it. We’d also love to hear the most interesting story that’s happened to you since you started this fascinating career.

One story does come to mind. I was at a board meeting for a company and the cybersecurity team was presenting. Most of the directors were sitting there, kind of listening, kind of on their phones. What the security team was sharing was going over the heads of most of the people in the room. Then, one of the directors put his phone down and asked, “How much did you spend on cybersecurity last year? How much are you spending this year?” The team answered with essentially the original amount, plus however much more they were investing in security. And then the director asked, “And how much safer is the company going to be?”

It was one of those incredibly simple questions that just stopped the meeting in its tracks. That was a turning point for me in cybersecurity.

No matter how much a company invests in protection, they’ll always need a response plan in place because no amount of money can guarantee you won’t experience a cyber crisis. And I have been on a mission of helping organizations worldwide improve their preparation and readiness for that cyber crisis.

Are you working on any exciting new projects now? How do you think that will help people?

Cyber crises can hit without warning and can be devastating for businesses of all sizes. The unfortunate truth is that it’s not a matter of if, but when a company will experience a cyber crisis. I have seen that while many companies may devote large amounts of resources to cyber-attack prevention, they’re woefully unprepared for when that cyber-attack manages to slip through the multitude of prevention measures. Prevention is a great Plan A, but no one can claim they are immune to cyber crises, so a Plan B is also necessary.

The most prominent gap we’ve seen in enterprise cybersecurity posture is the lack of preparedness — what to do during a breach, who needs to do what, and when. This lack of preparedness can devolve a breach response into chaos as teams scramble to communicate and jump into action. That’s why earlier this year, we launched CYGNVS, our flagship guided platform for cyber crisis preparedness and response management. The CYGNVS platform helps companies practice and build preparedness for imminent cyber breaches to boost overall cyber resilience.

The platform operates out-of-band from a company’s regular network, which could be compromised during a cyber crisis. The platform includes ready-made playbooks for cyber crisis response across industries and provides step-by-step guidance on the necessary actions. CYGNVS is an entirely auditable environment, which means users are able to understand what actions were taken, when and by whom, which is critical for navigating the ripple effects and legal responsibilities following a cyber breach.

Organizations can buy CYGNVS directly and have their own plans and playbooks, vendors, and processes and our clients include the world’s cyber-leading organizations both large, mid-size and small.

But we recognize that a large section of the world’s organizations do not have the expertise and resources to deal with cyber threats themselves but are still equally vulnerable to a cyber crisis — and have purchased cyber insurance. CYGNVS has partnered with the insurance industry making our platform accessible for policyholders as a no-cost benefit of their cyber insurance policies from leading insurers and brokers. Insurance providers also provide pre-onboarded panels of preferred vendors for various services like breach counsel and forensic consultants.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

The industry is evolving tremendously and becoming more and more mature, and I think that’s very exciting. In the past, the focus was really on prevention. Companies thought they could prevent everything — any cyber threat — from occurring. Now there’s an appreciation that this simply isn’t true. As the industry matures it realizes that there’s no amount of money that you can spend to guarantee you won’t experience a cyber incident. Rather, the focus needs to be on both prevention and having a an easily accessible response plan in place so you’re ready when the inevitable cyber crisis happens.

The democratization of cybersecurity brought on by this increased shift towards preparedness and response is another area that’s exciting. Traditionally a distinct line has separated the haves and have-nots — a sort of cyber “poverty line” as some experts have dubbed it. While prevention is critical, it’s also extremely costly. But even small organizations with tight budgets can prepare for what to do after an attack. Part of our mission at CYGNVS is to reduce or even eliminate the cyber poverty line, enabling companies of all sizes and across industries to protect their business operations and thus the livelihoods of their employees. This, among other things, gets me up and moving in the morning.

Finally, I think the role of insurance is very interesting as it will ultimately help reduce risk. Just as the insurance industry helped greatly reduce fire risk by driving adoption of building sprinkler systems, the cyber insurance industry has deep expertise in cyber crisis preparation and response that will help all companies become safer and more prepared over time.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

One of the biggest threats any company can face is a workforce that is not informed or involved in a company’s cyber breach response planning. The responsibility to be prepared should not be reserved solely for leadership teams — every C-suite leader, manager, and employee must be equally aware of a company’s cyber breach response protocols. As we look ahead, malicious actors are becoming better equipped with more advanced technologies, including artificial intelligence. The entrance of ChatGPT, for example, enables attackers to develop more realistic phishing emails and other approaches that take advantage of human error or lapses in judgment.

It’s very much a game of cat and mouse, and while companies must certainly put efforts into prevention, preparedness is the way forward to ensure that when a breach does happen, everyone within an organization knows their exact roles and can quickly leap into action.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Yes. Years ago, I had a startup, and we were just getting on our feet. One day, our office manager’s car was broken into, and a company laptop was stolen. Luckily, even though we were still a relatively young startup we already had a plan in place for what we needed to do. All the information on the laptop was encrypted and we were able to wipe the laptop remotely as well as effectively communicate to both customers and investors what happened and the actions we took immediately to address it.

I share this story because it shows the importance of being prepared — which is what CYGNVS offers, but also because I think sometimes when we think of cybersecurity breaches, we think of some hacker on another continent doing super sophisticated work to break into a system. Of course, that does happen, but that’s not the only way security issues arise. It can be as simple as a stolen laptop or someone having what should be a private conversation loudly in a café. It’s important to remember that there are many different ways that a company’s security can be compromised.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The most important thing actually happens before a crisis, in our view. And that is having an established cyber response platform that you are ready to use to protect yourself and your customers. Having your plan and platform in place allows you to bring in all of your internal and external stakeholders so the proper team members can begin execution. Having a plan in place in advance is the real key. If you have this, you’ll be ahead of two-thirds of organizations should you experience a breach.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

There has absolutely been an increase in cyber security threats since the COVID-19 pandemic. As the workforce abruptly shifted to remote and hybrid models, companies had to hastily adapt their security measures. This left windows of opportunities for cyber criminals to more easily exploit the vulnerability of employees working from their home offices, which often do not have the same security protocols and protections in place as an in-person office. In addition to a remote workforce, the world moved to a digital-first way of life which creates new and increase opportunities for cyber hacks.

Ok, thank you. Here is the main question of our interview: “What are the 5 things every company needs to know to tighten up its approach to data privacy and cybersecurity and why? (Please share a story or example for each.)

• Develop a plan: The worst time to put together a plan is in the moment when it’s needed most. Create a cyber response plan that is readily accessible, concise and easy to navigate during a crisis. Long and complex documents will only add to the confusion and chaos of a data breach. The plan must include clear action items, including the roles and responsibilities of team members involved.
• Practice and update your plans regularly: Having a cyber crisis response plan is futile if it’s merely filed away and dusted off only when a crisis arises. Given how common turnover is, it’s important to regularly test, practice and update your plans so that all employees are aware of the company’s response protocols and be stewards, not liabilities, for a company’s cybersecurity.
• Build an organization-wide culture of cybersecurity: It’s crucial to involve every frontline employee in maintaining data security. Relying solely on a Chief Information Security Officer and their team is inadequate for organizations of any size. Employees may come across cybersecurity threats but might not realize their significance or may put off reporting incidents. To have a truly effective early warning system, all employees must actively participate in the organization’s cybersecurity efforts. Without a comprehensive culture of cybersecurity, it’s likely that the ripple effects following a breach will have massive and long-lasting impacts on an organization.
• Use a secure, out-of-band network to execute your breach response: After a breach, the biggest mistake companies make is trying to execute their response on a network that has already been compromised. If one area of your network is breached, it can be difficult to assess where any contagion might have spread to other areas of your network. Once cybercriminals have gained access, assume that they have ongoing access and could impact other areas of your network. It’s crucial for a company to plan their response before a breach occurs and ensure that they have procedures and protocols in place to quickly and effectively respond to an incident through secure, encrypted communication tools that operate out of the company’s regular network.
• Organize and maintain documentation: During a crisis, it’s easy to overlook who did what and when. However, regulators, investors, and cyber insurance providers will all require detailed reports. Diligently documenting your response can reduce the prolonged impacts of a cyber crisis, including legal and regulatory issues from any missteps in your response, especially if the company is in highly regulated industries such as healthcare and financial services. Detailed levels of documentation can also help organizations learn from the experience to improve responses to future breaches.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

This isn’t my idea but that of Marc Goodman, who was formerly with the FBI and Interpol and is now the bestselling author of a great book called Future Crimes that I strongly recommend about cyber threats. Marc has this great concept called “Cyber Up” where we as a society need to up our cyber understanding, knowledge, preparation and readiness. What he means by this is that it takes all of us — we all need to be more aware of the world we’re living in and keep cyber threats in mind in everything we do. From sending a text or email to having a conversation in a coffee shop or sharing credit card details over the phone — we should all be more aware of cybersecurity.

How can our readers further follow your work online?

Readers interested in learning more about CYGNVS and how we’re enabling meaningful cyber preparedness for organizations can look to our website (www.cygnvs.com), where we regularly post updates, blogs featuring industry insights and other materials related to the platform, the company and the cybersecurity industry at large. We’ll also share news and perspectives on LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!