Michiel de Bruin of Odesso: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

Team training and education — A cohesive team is crucial when responding to cybersecurity threats as timing is crucial. A high performing team with a strong foundation built on trust will have the ability to adapt and overcome. Send your team to as many events as possible and have them bring that knowledge back in house through weekly or monthly presentations.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Michiel de Bruin, CSO of Odesso.

Michiel is the CSO of Odesso. Michiel leads the enterprise-wide security management and operation programs for the purpose of protecting physical and technology assets. Michiel is an experienced Cyber Security expert and was a Chief Information Security Officer of a major California Hospital network. He’s a veteran with secret clearance and Military experience.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

My family has a strong military background that stretches several generations. I wanted to follow our tradition and joined the Marine Corps when I was seventeen. After a great tour, l spent the next decade working on military bases as a civilian contractor. This gave me deep insight into all aspects of cybersecurity and set the stage for the rest of my career.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

During my time in the military, we were protecting information that truly would put lives at risk if it were to be compromised. This gave me a deep respect for the field and the level of effort (from top to bottom) necessary to implement and maintain a security program. This influence inspired me to stay in the field and make a difference whenever possible.

Can you share the most interesting story that happened to you since you began this fascinating career?

One of the most interesting stories comes from working with a client that had a ransomware scare soon after I began the engagement. The interesting thing about this type of malware is how quickly it can cripple an entire organization’s operation. Fortunately, we had just rolled out an Advanced Threat Protection (ATP) agent which thwarted the attack. Often it is difficult to find a direct correlation between efforts and outcomes. In this instance, however, it was a very reaffirming experience.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

As in many areas of life, cybersecurity is truly an organizational effort. Not only does the team need to be highly cohesive, but to be successful cross-functional efforts such as cyber-education need to be implemented. Early in my career, I was fortunate enough to have a mentor by the name of Karen Selby. She taught me soft skills that have to bear much fruit over the years. As much as technology needs to be in place to thwart attacks, relationships are what truly make a difference when improving cybersecurity posture.

Are you working on any exciting new projects now? How do you think that will help people?

The most exciting project comes from being CSO at Odesso. Odesso has built a no-code platform that allows enterprises and individuals to develop omni-channel (mobile, tablet, desktop) applications without needing to learn complex programming languages. As CSO, I get to drive the security framework which allows users complete creative freedom while still protecting them from inadvertent coding mistakes which may lead to data breaches. While GUI interfaces have long been the norm for common tasks such as building websites there are still preconceived notions regarding app development. We work on dispelling these and accelerating the industry.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

It is truly a work-life balance function. I read an article the other day showing the average tenure of a CISO is approximately two years. Having been in that role I agree with the assessment and the stress can be quite high. Looking back, I recognize that much of it was self-inflicted (fear of the unknown) rather than some expectation from my employer. Make sure you train up a second in command, take time off, and go somewhere with no cellphone reception.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

• Always evolving. If there is one thing no one can complain about in our line of work it is boredom. The threat landscape is always evolving which provides continual learning opportunities.
• Opportunities to network. I love meeting new people and learning about their successes and/or challenges. With the ever-growing need for professionals in our industry, it is a great opportunity to forge friendships.
• New Technology. I love playing with new technology and it is great to see new offerings on the market every year. While fundamentals don’t change how we face them always will.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

The greatest threat I see is from state-sponsored cyberespionage. These groups have deep pockets, government support, and have long-range goals. While threats like ransomware will always exist, we need a chess game-like approach to combat subversive attacks in which the desired outcome is not immediately apparent. We need to be three steps ahead of our opponent(s).

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I worked with an organization that had been breached and needed to improve its posture to regain public trust and financial viability. The board approved a significant sum of money and as this was a top priority speed to delivery was crucial. My main takeaway from the experience is that it takes much more than money to improve an organization’s cybersecurity posture. The most difficult aspect was adjusting the actions and perspectives of the individuals that made the breach originally possible. While technology and education investments are crucial to improving the posture of any organization, without a shift in mindset many companies are unknowingly setting themselves up for failure.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

The main tools I use are publicly available cybersecurity briefings, FBI releases, and news publications. This information allows one to extrapolate which industry verticals are currently being targeted, attack vector, and desired outcome. From there an organization can focus efforts effectively to minimize chances of a breach.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Cybersecurity is never a problem until a breach occurs and an ounce of prevention is worth the pound of cure. Due to this it is difficult to justify ongoing investments when balanced against other departmental needs that may provide more immediate returns. With that said, there are so many offerings on the market today at price points acceptable to companies of any size. For the SMB I would recommend starting with an outsourced organization that provides all the necessary protections. As always, the level of ongoing expense will inform when it becomes more cost effective to bring certain aspects in-house. Regardless of size all organizations should have a cybersecurity insurance policy which is reviewed annually to ensure the minimum requirements are met for payout in the event of a breach.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

This is a good question and a difficult one as well. As the industry has matured so have the attacks. Gone are the days of a Nairobian prince offering to send you gold in exchange for money orders. This of course makes it more challenging for the layperson (who is busy with their own job) to detect sophisticated attacks. What we can still look for is the following:

Increased amount of email (including spam). May indicate you or the company is being targeted.

Unexpected attachments in emails from outside (primarily) and inside your organization. Once an internal email account is breached hackers commonly use it to spread malware around the company.

Always be wary when clicking hyperlinks in an email and browsing the web. These are another significant source of attacks as the text in the email may not match the website.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The best thing to do is treat it like a car wreck:

• Call the police
• Call your insurance agency
• Notify customers — better they find out from you.
• Hire a PR company
• Put a cybersecurity improvement plan together
• Continue to provide updates and notifications to news outlets and customers on progress towards the plan.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA GDPR and other related laws affected your business? How do you think they might affect business in general?

As I have worked in regulated industries for the majority of my career GDPR does not significantly affect my business. With that said, GDPR represents a leap forward in privacy requirements and will accelerate the need for cybersecurity professionals in all industry verticals.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Lack of employee engagement — The vast majority of breaches do not come from sophisticated cybersecurity attacks but from under-educated end-users. Whether it is opening email attachments, clicking on hyperlinks, or web browsing, users represent the broadest attack surface. The best and cheapest improvement any company can make is regular cybersecurity training coupled with simulated cyber events. This gives the organization an opportunity to improve before disaster strikes.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Surprisingly I have not. This may be due to how quickly COVID impacted business operations. Many times, homegrown solutions are built and then connected to the Internet without the proper security considerations. With COVID there was no time to pursue this avenue thus most organizations simply purchased off the shelf solutions that already had the appropriate security measures in place. Of course, this is just a theory.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

Honestly, I can’t think of anything we haven’t already covered. Please find a repeat of my top five.

1. Employee engagement and education. Simply put, they are the target of over 90% of attacks.
2. Presenting to the Board of Directors. As stated previously the cybersecurity posture of an organization is dictated from the top. Regular presentations at this level are a great way to show progress (before or after a breach) and retain ongoing support.
3. Cyber-Insurance Policy — Would you drive without auto insurance? In the current business climate, an organization cannot afford the potential risk of a major security breach. Having this in place provides a fallback mechanism in case of disaster.
4. Cross-Functional engagement — As much as we wish, technology is only a small piece of an overall cybersecurity program. Policies, procedures, third party audits, penetration tests and the list goes on. All of these require coordination with departments outside of InfoSec and IT. Relationships are the key to making them successful rather than an annual battle.
5. Team training and education — A cohesive team is crucial when responding to cybersecurity threats as timing is crucial. A high performing team with a strong foundation built on trust will have the ability to adapt and overcome. Send your team to as many events as possible and have them bring that knowledge back in house through weekly or monthly presentations.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

#BattleApathy! — Too often I see individuals in our industry (and others) give up hope with the constant onslaught of new technologies, threats, breaches etc. Apathy is truly the great killer of human ingenuity and creative flow. Have you heard the saying “necessity is the mother of invention”? As humans we are built to adapt rather than stagnate. If change is inevitable, we might as well embrace rather than fear the future.

How can our readers further follow your work online?

Please find me on LinkedIn: https://www.linkedin.com/in/madebruin/

We also post regularly on the Odesso blog: https://www.odesso.com/blog/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!