Cyber Defense: UL’s David Nosibor On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Authority Magazine, published Apr 18, 2022

Treat cybersecurity as a shared responsibility. When it comes to securing data and assets, various players have distinct roles and priorities. Collaboration among all stakeholders is crucial to minimize gaps in security defenses.

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing David Nosibor.

As the platforms solutions lead and head of UL’s SafeCyber™ project, David oversees digital platform development and the management, implementation and experimentation on new solutions and business models for UL’s Identity Management and Security division. He has addressed corporate innovation and digital transformation for more than a decade. Before joining UL, David was the growth lead at Rainmaking Innovation in Singapore, a corporate innovation consulting firm, and served as the head of Digital Innovation at Mazars in Asia Pacific, an international audit, tax and advisory firm.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Growing up in Provence, France, I was lucky enough to have a good and peaceful childhood. My father worked at HP, which helped me become familiar with computers, hardware and software at a young age. Using the internet in the mid-90s made me realize great things could be done from anywhere, and I wanted to be part of that.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Before working in cybersecurity, I focused on contributing to the United Nations’ (UN) Sustainable Development Goals (SDGs) and have long believed tech is a massive enabler in achieving the UN’s 17 SDGs. Making sure the world is safer and more secure has been a deeply personal motivation.

As the adoption of Internet of Things (IoT) devices has exploded over the years, it was easy to see how they would become a major attack vector, despite all the sustainable benefits they bring. The Mirai botnet attack was the event that made me want to get involved in securing these devices to protect governments, businesses and everyday people.

Can you share the most interesting story that happened to you since you began this fascinating career?

While I was working on a new security solution, my team identified an open-source framework that we thought would be a good starting point. I reached out to the authoring organization, and to my pleasant surprise, they were quite open to supporting and helping us think through some of our ideas and suggested improvements. Believe it or not, cyber experts and advisors from different firms are impressively keen to collaborate to benefit the entire ecosystem.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Insatiable curiosity, being a persuasive communicator and resiliency.

First, being curious has helped me identify weak signals and areas of business opportunity in cybersecurity and my career. I started my professional journey as a self-taught social media marketer in 2009 and became an innovation lead spearheading corporate entrepreneurship in 2014. I then wanted to become a corporate entrepreneur with my current product management role in IoT security. All that was made possible by closely monitoring trends and events then connecting the dots with constant upskilling.

Second, my ability to inspire action and make things possible with persuasive communication has been key to my journey, winning over skeptics, turning them into advocates and raising funds for strategic projects. That foundation enabled me to develop UL’s SafeCyber digital security platform concept. It required a sound pitch and vision to win over the company’s internal stakeholders so we could raise the necessary funding.

Last, but certainly not least, resiliency allows someone to see successes materialize over time, as there can be many setbacks on the road to achievement. I’ve found that the key to resiliency is to accumulate positive energy from successes and victories to mitigate disappointments along the way. Like any other new and innovative software product, SafeCyber’s development required a lot of dedication and commitment at every step of the process. Our relentless attention to granular details and the persistent pursuit of the highest quality helped keep us on track. We learned a lot during the process and emerged as a more resilient and robust team.

Are you working on any exciting new projects now? How do you think that will help people?

Given our highly connected world and the increasing rate of cyberattacks worldwide, UL recently launched SafeCyber, a security and compliance posture management platform for connected devices. SafeCyber helps customers look at their security governance and processes and manage and reduce product security risks. It gives product security and development teams at device manufacturers, suppliers and system integrators the ability to assess the maturity of their security governance and processes for all products. They can then proceed with product testing and compliance activities in one singular integrated digital solution.

With SafeCyber, it’s easier to communicate security maturity levels with internal and external stakeholders and achieve clarity on a company’s current security posture and areas where it can improve. Additionally, it helps speed up firmware turnaround times while simultaneously addressing vulnerabilities, helping ensure product security and compliance readiness.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

I’m proud to work for UL, a global safety science leader. We have tremendous cybersecurity expertise from our global network of Internet of Things (IoT) and Operational Technology (OT) security laboratories, including security experts and advisers with specialized knowledge in global security standards, frameworks and best practices. At UL, we’re committed to helping the industry innovate with new technologies and bring secure products to the marketplace.

As UL’s platform solutions lead and head of the SafeCyber project, I head up digital cybersecurity platform development and management and implement and experiment with new cybersecurity solutions and business models in UL’s Identity Management and Security division.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page, let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

There are numerous types of cyberattacks. However, it is essential to highlight the most commonly executed ones, particularly for businesses. The three cyberattack forms that businesses experience most frequently are malware, ransomware and distributed denial-of-service (DDoS). Malware is the overarching term used to describe malicious software intentionally designed to cause harm to infrastructures or services. Ransomware is a specific type of malware that remains a disruption until a certain ransom is paid. A DDoS attack intends to render a service or resource temporarily or indefinitely unavailable for use.

In the infrastructure space, in particular, people should be aware of an important and underappreciated factor. They need to understand that attacks are not always financially motivated. In some instances, the goal of threat actors is to cause as much disruption or inconvenience as possible as leverage for motives other than financial gain.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

While both businesses and private individuals should be concerned about cyberattacks, given the sharp increase over the past few years, the pressure is mostly on businesses to be wary of these increasingly sophisticated threats. This is primarily due to companies experiencing a cyberattack. An attack on critical infrastructures can have catastrophic consequences such as losing food, water, electricity, oil supplies and supply chains. The stakes are high for enterprises, especially those with fully connected ecosystems, as a cyberattack-triggered failure is likely to have a ripple effect across operations and services.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

If a business experiences a cyberattack, the first step is to act quickly to secure systems and address any vulnerabilities that may have caused the incident. That said, the new Strengthening American Cybersecurity Act passed by the U.S. Senate in February 2022 requires critical infrastructure organizations to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. United States (U.S.) government agencies can assist with investigating the incident, mitigating its consequences and helping prevent future incidents.

In its fact sheet on cyber incident reporting, the Department of Homeland Security encourages businesses to report all cyber incidents to the Federal Government that may:

  • result in a significant loss of data, system availability, or control of systems;
  • impact a large number of victims;
  • indicate unauthorized access to, or malicious software present on, critical information technology systems;
  • affect critical infrastructure or core government functions; or
  • impact national security, economic security or public health and safety.

If personal health data has been compromised, organizations need to take additional steps, such as contacting the Secretary of the U.S. Department of Health and Human Services (HHS), the Federal Trade Commission and, in some cases, the media. Additional guidance can be found in HHS’s HIPAA Breach Notification Rule and FTC’s Health Breach Notification Rule. If social security numbers have been exposed, businesses should contact the major credit bureaus.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Overall, businesses have been largely unsuccessful in keeping up with the complexity of their devices and security systems due to an increase in digitization. Complexity in said devices and systems is security’s greatest enemy because security leaders cannot keep up with the growing fleet of devices that must be managed and protected to remain adequately operable. The inability of organizations to maintain acceptable levels of security is what makes organizations vulnerable to ransomware attacks, as their critical infrastructure is vulnerable to cyber threats and attacks. Moreover, not investing enough in employees’ cybersecurity awareness has proven to be devastating, as it only takes a couple of clicks for a phishing attempt to be successful.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

With the continued uptick in both the volume of attacks and their sophistication, businesses must act now to modernize their cybersecurity efforts to defend themselves and their customers properly. Hardening security requires a proactive, tactical approach to risk management and security, with protections built into the product development process. Additionally, meeting legislative and industry compliance requirements should be an essential piece of every company’s security program. That’s a core focus at UL: helping organizations assess the maturity of their security processes and governance across all of their products.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

UL’s approach to reducing cybersecurity risk is known as security by design. This strategy enhances trust for all stakeholders and is implemented through the following steps:

  1. Treat cybersecurity as a shared responsibility. When it comes to securing data and assets, various players have distinct roles and priorities. Collaboration among all stakeholders is crucial to minimize gaps in security defenses.
  2. Stay up to date. As bad actors evolve their tactics, businesses must track and remediate known vulnerabilities and threats to consistently maintain a solid security posture.
  3. Meet the standards. Given the global nature of today’s markets, it’s imperative to meet both international regulatory requirements and industry-specific standards and security frameworks.
  4. Test regularly. Products and systems need to have built-in security to keep up with a dynamic regulatory landscape, but it doesn’t stop there. Organizations must also regularly test and verify their security capabilities against standards.
  5. Practice and cultivate cybersecurity transparency. Communicating product security to partners, stakeholders and end-users will help ease security concerns across the entire ecosystem, contributing to a safer, more secure world.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Every person can do good in this world by sharing knowledge. A movement incentivizing technical experts for sharing their knowledge on specialized topics, such as IoT security, as a way to generate funds for a good cause could be a good start. In this example, hosting a knowledge-sharing event that benefits a charity or association advocating for better cybersecurity has the potential to be the very definition of social good enabled by technology.

How can our readers further follow your work online?

For more information about UL SafeCyber, please visit https://www.ul.com/services/safecyber, and feel free to check out the various cybersecurity resources and materials at https://www.ul.com/services/solutions/cybersecurity!

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
