Cyber Defense: Aaron Shilts of NetSPI On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Authority Magazine
Published in Authority Magazine
10 min read · Apr 24, 2022


In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Aaron Shilts, CEO of NetSPI.

As President and CEO of NetSPI with 20+ years of industry leadership, Aaron Shilts is known for his honest, open, and energizing leadership and his undeniable focus on corporate culture, collaboration, and business growth. Under Aaron’s leadership, NetSPI has experienced 35% and 50% Organic Revenue Growth in 2020 and 2021 respectively. In addition to his work at NetSPI, Aaron is the co-founder of “Change Starts With Me,” a Minneapolis non-profit, and advises several global firms. Aaron earned his B.S. from St. Cloud State University and proudly served in the Army National Guard.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in a small midwestern town with three younger siblings. We were a very tight-knit family, and throughout my summers I’d spend a lot of time working on my grandparents’ farm. I grew up around and learned the value of hard work at a young age. I was also given the opportunity to work at the local computer store at 15 years old, working full time through high school and feverishly learning technology.

I worked in technology throughout college and was given an opportunity to focus on cybersecurity at Sprint in Kansas City in the late ’90s. From there, I joined an early-stage cybersecurity company called FishNet Security and spent 14 years of my career there as we grew from a small team to a multi-billion-dollar leader in the industry.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I’ve always been passionate about working closely with people to solve real, hard problems. Early on, I mapped out a career path that included technology but focused on people. At the time I had no desire to be a developer or spend an inordinate amount of time heads-down with technology. Cybersecurity was just emerging and presented a massive challenge solving technology and human issues.

Can you share the most interesting story that happened to you since you began this fascinating career?

One of the most fulfilling parts of my career has been watching colleagues — many of whom were along for the same ride I was, getting my footing in the early days of my cyber journey — go on to do amazing things in the industry. The journey my colleagues and I have been on — founding companies, innovating, building teams, and giving back to the community — is the most interesting and rewarding part of my career.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

The three character traits that have led me through my career have been:

  • Being a servant leader. Over the years I’ve realized that if you are willing to lead from the front, set an example and truly serve your team, they will build the business alongside you.
  • Maintaining a people-first mentality. The key to any successful business is hiring and surrounding yourself with incredible talent. The ability to identify talent and build high performing teams is absolutely essential.
  • Having grit. I am up at 5am each day and beat others to the punch. This has helped me to succeed — it’s as simple as that.

Are you working on any exciting new projects now? How do you think that will help people?

One of our newest projects is NetSPI’s Attack Surface Management (ASM) platform — which launched in February 2021. We searched long and hard for acquisition targets, but ultimately built it ourselves. The new platform brings together ASM capabilities, penetration testing, and adversary simulation into one encompassing tool. Our ASM platform changes the way our customers are able to uncover possible vulnerabilities by offering a full suite of offensive security solutions and continuous testing capabilities. Organizations no longer have to wait to uncover possible vulnerabilities — they have the technology at their fingertips to provide peace of mind that all unknown exposures are identified and remediated in a timely and efficient manner.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

I’ve spent over 20 years working in the cybersecurity space with some of the largest organizations globally. To be a leader in this industry, it’s important to never pretend to have all the answers — but to listen to our clients and work to solve their problems. This is what I do day in and day out at NetSPI and have done throughout my career.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

In today’s environment there are many types of cyber attacks that could impact a business. Some of the top forms include:

  • Malicious software. Better known as malware, this is a file or code used to infect a server or computer to steal or alter any information the attacker wants to access.
  • Ransomware. Ransomware is designed to restrict or deny a user, or organization, access to files on their personal or corporate computer. These attacks usually come with a demand for some form of payment to regain access. While a form of malware, these attacks can cause costly disruptions to an organization’s flow and result in reputational damages.
  • Phishing. One of the most common forms of cyber attack, phishing is easy to carry out and only involves one person within an organization falling for, say, a false link in an email. These encrypted emails can spike during the holidays or during times of unrest — when organizations may be looking for donations to a cause. We’ve also seen a rise in vishing attacks — unsolicited phone calls to trick victims into disclosing personal information.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

In today’s evolving threat landscape where cybercriminals have become more sophisticated and motivated than ever before, cybersecurity is now everyone’s responsibility. In fact, the weakest link within any organization is typically its employees. Everyone working for, or with, the business should understand that security is everyone’s business — from the CEO down to the seasonal intern, and even the third-party contractor.

For this reason, organizations should implement frequent, hands-on security training, and regularly test the effectiveness of such training with simulated attacks to determine if more work needs to be done. After all, it only takes one accidental click on a malicious link to cripple an entire organization and its assets.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

Knowing how to respond to a cyber attack can be one of the most complicated parts of the breach occurring. With every organization and every state having a different reporting requirement, it’s sometimes impossible to know where to start. We’re seeing a lot of companies still working through if they should notify customers or the federal government first when an attack occurs.

Generally, when a breach happens it’s important to notify every party involved — or those that could be affected by the attack. To ensure the proper protocols are followed, organizations need a preemptive Incident Response Plan (IRP) in place. An IRP alerts all relevant parties when a security incident occurs — both internally and externally — and helps to start to convey the details of the incident to internal parties, customers and authorities in a quick and clear manner, and, in high-profile situations, present the case to the public.

As legislation continues to be put in place and organizations evolve reporting requirements, the process to report a cyber attack will hopefully become clearer. But, for now, the important part is to make sure as a leader you’re being as open and honest as possible when reviewing and conveying the details of an attack or breach.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

One of the most common mistakes I see business leaders make is neglecting the need for proactive cybersecurity testing. In fact, it is oftentimes an afterthought for businesses when evaluating breach preparedness. In reality, enterprise security testing tools and penetration testing services that boost an organization’s cybersecurity posture from the onset should be a top priority, now more than ever before.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

The first place to start to help limit the frequency or severity of cyber attacks is to evaluate the company’s current security posture. Before implementing any new initiatives or overhauling existing measures, it’s important to evaluate the organization’s current security posture. This means taking a closer look at its attack surface, customer environments, vendor relationships, and other partnerships to understand an organization’s true exposure to malicious actors.

It’s also important to read up on the latest recommendations from the U.S. government as it relates to the geopolitical tension escalating based on the situation in Ukraine. Specifically, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched Shields Up, a free resource that features new services, the latest threat research, recommendations for business leaders, as well as actions to protect critical assets. Whether an IT security professional, or a top C-suite leader, all roles within an organization should familiarize themselves with Shields Up and the actionable advice recommended by CISA.

Such advice includes reducing the likelihood of a damaging cyber intrusion; taking steps to quickly detect a potential intrusion; ensuring that the organization is prepared to respond if an intrusion occurs; and maximizing the organization’s resilience to a destructive cyber incident.

Once the initial audit and research is done, I recommend organizations reevaluate their proactive cybersecurity testing measures, which, again, is often neglected within businesses today. While many tend to focus on the physical disruption nation-state attacks can cause, popular cybercriminal tactics like distributed denial-of-service and ransomware can be mitigated through proactive offensive security activities like Penetration Testing as a Service (PTaaS), red team, breach and attack simulation, or attack surface management.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

  1. Evaluate your current security posture. Before reinventing the wheel or overhauling any security program, it’s important to first see what you have in your security arsenal and determine if it’s effective. If there are too many tools or services, this often creates more vulnerabilities and confusion. As part of this audit, ensure you’re looking holistically at the organization’s attack surface, customer environments, vendor relationships, and other partnerships to understand the true exposure to malicious actors.
  2. Implement an offensive approach to security. Cyber attacks cannot be prevented, but they can be prepared for and minimized. Taking an offensive approach to security — and elevating existing pentesting programs — can help organizations stay ahead of possible vulnerabilities. Today, organizations need to do more than enable an annual check-the-box approach to security; they need to implement and elevate their pentesting program to better prepare for a breach.
  3. Go back to the basics. It’s a tumultuous time and the stakes for our industry are really high. To better protect and respond to threats, I think organizations have a real opportunity to refocus on their fundamentals and get back to their security roots.
  4. Educate your workforce. Oftentimes, security breaches are caused by a lack of awareness within an organization. Implementing mandatory training programs can teach employees about how to monitor, prevent and report potential dangers. Every staff member, regardless of level or job description, should understand the organization’s view on security, including how to respond to phishing attempts and how to protect data in a remote environment.
  5. Don’t ignore third-party vendors. How we exchange information with people outside of our organization is critical in today’s environment. Cyber attacks through vendor networks are becoming more common. Once a third-party vendor is chosen, business leaders need to ensure everyone is assessed with a risk-based vendor management program.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I am a proud American and veteran. The opportunity we have as Americans is unmatched in the world — we can build, innovate and lead in the global economy. That opportunity seems to be lost on many as of late and I would love to see a movement of young, globally-minded entrepreneurs working to put our differences aside and get back to BUILDING in the land of opportunity.

How can our readers further follow your work online?

Readers can connect with me on LinkedIn and follow NetSPI on LinkedIn, Twitter, and Facebook. They can also check out NetSPI’s blog page for the latest product announcements and executive insight.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
