Nikhil Gupta of ArmorCode: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Nikhil Gupta.
Nikhil Gupta is a successful serial entrepreneur with more than 25 years of experience. Prior to founding ArmorCode, Nikhil was CEO and Co-Founder of Avid Secure, which was acquired by Sophos. Avid Secure built a market-leading AI-powered multi-cloud security and compliance platform. Nikhil has held several leadership positions in VMware, Cisco, ForeScout, Ericsson (Joined through the acquisition of Entrisphere), Alcatel, and Bell Labs. Nikhil holds an MBA from Columbia Business School and a BS and MS in Computer Science.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in India, where I enjoyed my studies and kept active with a variety of sports: gymnastics, field hockey, cricket, table tennis, and badminton. My mother was instrumental to my success: she always encouraged me to learn new things and to dream big. She taught me to have a growth mindset — to challenge myself and do things outside my comfort zone — long before it was popularized. I received a degree in Computer Science from B.M.S. College of Engineering, Bangalore, and then came to the USA in 1997 to work. By that time I had already dabbled in entrepreneurship by starting a couple of companies. While I failed with those ventures, I learned a lot. Most importantly, I learned that failure is not the opposite of success but a crucial part of success. Those experiences instilled a sense of continuous learning, which led me to pursue a Masters in Computer Science, followed by an Executive MBA from Columbia Business School and London Business School.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
My entry into the cybersecurity world was very deliberate. When I was at VMware (2013–2016), I was working a lot in network segmentation and security, and I recognized that it’s an evolving field that will need innovation. So when I was planning for my next career move, I chose to focus on cybersecurity. As an entrepreneur, I love starting new things and rallying a team to innovate. Security is a cat-and-mouse game and, unfortunately, the “bad guys” (hackers and cyberattackers) always seem to be one step ahead. I took it as a challenge to out-maneuver them by being proactive with cybersecurity. Software is powering the world and bad actors are now focusing on getting into the software development life cycle (SDLC). That is, inserting malicious code in the software when it is in its infancy or creation phase. When hackers insert themselves here, they can evade controls put in place to monitor and detect threats later. This can have a devastating impact — take the SolarWinds breach, which impacted tens of thousands of companies. This is the problem we are solving for the customers at ArmorCode.
Can you share the most interesting story that happened to you since you began this fascinating career?
In 1999, I joined Bell Labs in Murray Hill, NJ, the ultimate place of all the innovations. During the interview process, my hiring manager told me that I’d get a chance to work with the founders/creators of UNIX, which I thought was just a carrot to get me to join the company. A week after I joined, a colleague showed me a room where we could make our own cappuccino — which was a relatively new concept at that time — so every day I would go there to make a cappuccino. One day, a colleague asked me if I would like to see the place where UNIX was invented. Excitedly, I said yes. To my surprise, he took me to the very same room where I was making my daily cappuccino! Later, I was fortunate to work with Ken Thompson, the “Father of UNIX” and even after 20+ years in the industry, this experience stays with me and inspires me to build, grow, and innovate.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I have several mentors to thank for the leader I am today. Long ago, I was advised by a mentor that as we grow in our career, we will need different mentors with different skills; not just one mentor at any given point but a kind of “personal advisory board” that can help you on different fronts. As a startup CEO, I’m fortunate to be surrounded by mentors who can help me with sales, marketing, leadership, and more. I wouldn’t be doing justice to name only one since there are so many who have helped me at every stage of my career. And they know who they are!
Are you working on any exciting new projects now? How do you think that will help people?
As we all know, the pandemic has rapidly accelerated software development. The software development lifecycle has shrunk from several years to months to weeks to days — and software is increasingly being rolled out continuously as user needs evolve in real time. Additionally, software security is no longer just the security team’s responsibility.
ArmorCode is building a developer-friendly security platform that will enable application security at the pace of DevSecOps. ArmorCode provides comprehensive visibility of your application security posture and application inventory. Most products and companies are built with technology first in mind; however, modern application security cannot be solved by technology alone. People, processes, and technology are critical. That is why I got together with a number of security leaders to start the Purple Book Community. We are now a thriving community that offers visitors timely thought leadership on the biggest challenges in the software security space and best practices to solve them.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
According to ZDNET, the average tenure of a Chief Information Security Officer (CISO) is 26 months due to high stress and burnout. That’s partly because there’s a severe lack of trained security professionals driven by dwindling security and IT budgets in the face of increasing security and IT pressure. Cyberattacks are increasing and the application structure has changed from monolithic (“waterfall”) applications to agile microservices delivered at the edge. This has led to the usage of multiple different programming languages for a single application, including the prolific use of open source. And to make all things worse, the application security engineer-to-developer ratio is 1:100. As a result, CISOs and security professionals are constantly worried that they haven’t done everything to secure their applications. For securing one application, many companies need almost a dozen different types of tools such as SCA, SAST, DAST, RASP, IAST, bug bounty, pen testing, etc. These tools generate a lot of false positives, and the outputs of these tools are not correlated. On the flip side, bad actors are super sophisticated and are increasingly leveraging AI and automation to do advanced attacks.
My advice to the security professionals and colleagues to avoid “burnout” would be to leverage AI and automation to reduce alert fatigue. Technologies like ArmorCode can help with this by normalizing, deduplicating, correlating and performing impact analysis on security vulnerability findings. This can save the time associated with manually sifting through the vulnerabilities by 90%. This time saved can be well spent with your family, which will rejuvenate you, help you thrive, and prevent you from burning out.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- The world is getting more and more digital, and the pandemic just accelerated all the cloud software/SaaS trends that were already happening over the last decade or more. So, securing our digital assets is becoming even more important. Security is often one of the top three issues cited by the Boards of Directors of many enterprises. It has become so important that President Biden recently passed executive orders on software security. We’re happy to be in the right place at the right time to help enterprises to solve this problem. The magnitude of this challenge is attracting some of the best talent to this industry, so it is very exciting to have an opportunity to work with them.
- Thinking from the adversary perspective is also exciting, even if it’s a bit daunting. We must think one step ahead of their motivations in order to work backwards to stop them. Finding ways to stay a step ahead of bad actors can sometimes feel a bit like being in a superhero or spy movie!
- Building a community of “good guys”. Security leaders are realizing the importance of organizing together as a community to tackle cyber security challenges. I am proud that we now have the Purple Book of Software Security, which I mentioned earlier.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Software supply chain attacks will continue to be a big part of the threat vector. The recent string of high-profile attacks were perpetrated through the software supply chain, rather than a direct attack on an individual company. By the time the security vulnerability was discovered deep in the software, the malicious code had already infected thousands of companies. By finding and compromising a weak link in a software supply chain, cyber criminals can attack many companies at once. Put another way: rather than poisoning one person, they are poisoning the village well. 80% of software dependencies are never updated, which means that there are vulnerable backdoors waiting to be exploited in most business software. And because most software makers do not include a list of “ingredients” for the software they sell, software buyers — all of us — have no idea what’s inside or how safe it is.
The other type of attacks will be ones that exploit the software and web application vulnerabilities. Studies have shown that software and web application vulnerabilities together form the biggest attack vector, with one study from Forrester showing that they form 69% of the source of external attacks. There is a reason: building strong software security can be very painful and hard to scale. Software application development has changed radically from waterfall to agile development and from monolithic application architecture to microservices delivered at the edge. Software development is growing exponentially and the speed at which it is being created has also accelerated dramatically. We have gone from a time when software releases happened once a year, to every month, every week, or in some cases every hour. However, application security has not kept pace. Application security professionals increasingly find themselves unable to keep up — and many are forced to piece together security tools as stopgaps.
At ArmorCode, we have spoken to hundreds of AppSec and development leaders, and the following emerged as common themes in their biggest pain points:
1. Lack of visibility: An organization cannot secure what it cannot see. 95% of the 200+ organizations that we interacted with couldn’t correctly answer the question, “How many Applications, Microservices, and APIs are in their environment?” Worse, different teams often give different answers.
2. Lack of Automation: There is a lack of orchestration and automation between the various application tools. For securing a single application, we need various types of AppSec tools such as SCA, SAST, DAST, RASP, IAST, Bug Bounty, Pen Testing. The outputs of these tools are not correlated and customers end up using an abundance of Excel sheets in an ad hoc fashion. To make the problem worse, there is 1 AppSec engineer for every 100 developers, which makes the job of security engineers even more difficult. Tremendous business value remains untapped because antiquated processes and workflows are wearing down AppSec engineers and developers.
3. Lack of Meaningful Compliance: In a DevOps-driven software development world in which releases are done on a weekly or even daily cadence, once-a-year compliance is no longer sufficient.
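The normalizing, deduplicating, correlating and impact-ranking of findings described in the burnout answer and in the “Lack of Automation” pain point, as an added example that is not ArmorCode’s code: the tool record shapes, application names, impact weights and the CVE-0000-000x identifiers are all constructed placeholders.

```python
"""Normalize, deduplicate, correlate and rank AppSec findings from several tools.
Added example, not ArmorCode's code; record shapes, apps, weights and CVE ids are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Every tool uses its own severity vocabulary; map them onto one numeric scale.
SEVERITY_SCORE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}
SAST_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}

# Business context (constructed): impact weight per application and which ones face the internet.
APP_IMPACT = {"payments-api": 3.0, "internal-wiki": 1.0}
INTERNET_FACING = {"payments-api"}


@dataclass
class Finding:
    app: str
    location: str       # source path or package@version
    weakness: str       # CWE or CVE identifier
    severity: str       # one of SEVERITY_SCORE's keys
    sources: set[str]   # tools that reported it

    def key(self) -> tuple[str, str, str]:
        return (self.app, self.location, self.weakness)


def normalize_sast(app: str, records: list[dict]) -> list[Finding]:
    """Constructed SAST record: {"path", "cwe", "level"}; level is the tool's own scale."""
    return [Finding(app, r["path"], r["cwe"], SAST_LEVEL_TO_SEVERITY[r["level"]], {"sast"})
            for r in records]


def normalize_sca(tool: str, app: str, records: list[dict]) -> list[Finding]:
    """Constructed SCA record: {"package", "version", "cve", "severity"}; severity case varies."""
    return [Finding(app, f'{r["package"]}@{r["version"]}', r["cve"], r["severity"].lower(), {tool})
            for r in records]


def deduplicate(findings: list[Finding]) -> list[Finding]:
    """Merge findings for the same weakness at the same place in the same app, keeping the
    highest severity any tool assigned and the union of reporting tools (corroboration)."""
    merged: dict[tuple[str, str, str], Finding] = {}
    for f in findings:
        m = merged.get(f.key())
        if m is None:
            merged[f.key()] = Finding(f.app, f.location, f.weakness, f.severity, set(f.sources))
        else:
            m.sources |= f.sources
            if SEVERITY_SCORE[f.severity] > SEVERITY_SCORE[m.severity]:
                m.severity = f.severity
    return list(merged.values())


def risk_score(f: Finding) -> float:
    """Severity weighted by business impact, exposure and corroboration by more than one tool."""
    score = SEVERITY_SCORE[f.severity] * APP_IMPACT.get(f.app, 1.0)
    if f.app in INTERNET_FACING:
        score *= 1.5
    if len(f.sources) > 1:
        score *= 1.2
    return score


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest business risk first: the short list a developer should actually work from."""
    return sorted(deduplicate(findings), key=risk_score, reverse=True)


# Constructed raw output from three tools; the two SCA tools overlap on the same package.
RAW_FINDINGS = (
    normalize_sca("sca_a", "payments-api", [
        {"package": "libexample", "version": "1.2.3", "cve": "CVE-0000-0001", "severity": "High"},
        {"package": "libother", "version": "2.0.0", "cve": "CVE-0000-0002", "severity": "Low"},
    ])
    + normalize_sca("sca_b", "payments-api", [
        {"package": "libexample", "version": "1.2.3", "cve": "CVE-0000-0001", "severity": "Critical"},
    ])
    + normalize_sast("payments-api", [{"path": "src/db.py", "cwe": "CWE-89", "level": "error"}])
    + normalize_sast("internal-wiki", [
        {"path": "templates/page.html", "cwe": "CWE-79", "level": "error"},
        {"path": "util.py", "cwe": "CWE-20", "level": "note"},
    ])
)
```

Six raw records collapse to five, and the corroborated critical finding on the internet-facing payments service ranks first while the low-severity wiki finding drops to the bottom.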
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
While I can’t talk about a cybersecurity breach in detail since I am bound by confidentiality agreements, I can talk about the lessons I have learned from helping companies tackle them. In cybersecurity, the first big challenge is about having full visibility into assets, because we cannot secure what we cannot see. Avid Secure, the cloud security startup that I co-founded and later sold to Sophos, helped companies gain visibility of their assets in the cloud. At ArmorCode we help companies get a consolidated view of the applications in use in an organization. It may be surprising, but more than 95% of the organizations don’t know how many applications, microservices, and APIs are in use in their organizations. So, we help stop breaches by giving full visibility into the assets. Once the visibility is secured, keeping our eyes on the highest priority risks becomes very important. We help developers find issues that truly matter among an overwhelming deluge of findings and alerts. Prioritizing alerts by their business impact is of paramount importance, and finding them requires a whole lot of automation to sift through alerts, and we provide a platform that helps do a risk-based vulnerability prioritization.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
We use a whole gamut of security tools to make sure that our assets are well protected. Since we are in the application security space, I will talk about some of the AppSec tools we use.
To “eat our own dog food” as they say in Silicon Valley, we use our own platform, which provides visibility into all the applications, APIs, and microservices that we use. It provides risk-based vulnerability prioritization so that the developers get a list of a few critical issues to fix rather than a list of thousands of issues that contain a gamut of false positives, duplicates, and low priority issues. It provides frictionless DevSecOps orchestration across the CI/CD pipeline and across developers and AppSec teams. Its agentless solution consolidates four key AppSec needs — Application Security Posture Management, DevSecOps Orchestration, Knowledge Base, and Continuous Compliance — into a single intelligent platform.
We also use Software Component Analysis (SCA), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Bug Bounty tools. An SCA tool helps manage software components included in source code. In addition to providing visibility into open source use, some SCA tools also help fix open-source vulnerabilities through prioritization and auto remediation.
SAST tools help analyze source code or compiled versions of code to help find security flaws. SAST tools can be added into the Integrated Development Environment. These tools help us detect issues during software development.
DAST simulates realistic threats and attacks. DAST includes a number of testing components that operate while an application is running. Security professionals simulate real-world functionality by testing the application for vulnerabilities. It then evaluates the effects on application performance. The methodology is often used to find issues near the end of the software development lifecycle.
Bug bounty programs allow independent security researchers to test and report bugs to an organization and receive compensation. These bugs could be security exploits, vulnerabilities, process issues, hardware flaws, and so on.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
The kind of a security program that a company puts together really depends on the size of the company, the regulatory requirements placed on it, and the asset mix it has to protect. So, there is no “one size fits all” model.
Everybody should be using tools from the SDLC process — but not every company can afford it. So, fortunately, there are so many free OWASP tools like OWASP dependency checker and SonarQube. Companies can get started with their AppSec program with very little capital investment. But these open source tools come with their set of limitations; as complexity grows, companies may need to upgrade to commercial tools. Unfortunately, there’s a huge shortage of AppSec talent. As mentioned before, companies may have one AppSec engineer for every 100 developers. But we know the pace of software release is accelerating, and there is a lot of automation in the application development process traversing across the CI/CD pipeline. But there is not much automation in the AppSec space. This is where ArmorCode can help: we automate AppSec processes so that AppSec engineers can keep pace with development cycles.
In terms of hiring a CISO, I have seen companies hire one when the revenues are $75M to $100M. So, for companies that cannot afford to have a dedicated CISO, there are security leaders who provide vCISO services, which are like a fractional CISO. Companies could also look at Managed Security Services Providers (MSSP) to access these services without actually making an upfront investment.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Visibility is very important both at the application and infrastructure level. People can look at anomalous behavior either in traffic or user behavior. For example, there could be unusual outbound network traffic; web traffic that doesn’t fit with human user patterns; DDoS attacks which are then used to hide the main attack elsewhere; anomalies in privileged user account activity; geographic traffic irregularities; unusual login patterns; unusual database accesses; varied HTML response sizes; a large number of reads for a specific set of files; mismatched port-application traffic; and more.
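Three of the indicators listed above (unusual login patterns, geographic irregularities, and anomalies in privileged account activity) checked against a learned per-user baseline, as an added example that is not part of the interview: the log line format, user names, country codes, TEST-NET addresses and thresholds are all constructed assumptions.

```python
"""Flag login anomalies over constructed authentication events against a per-user baseline.
Added example; log format, users, countries, TEST-NET IPs and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<iso8601> user=<name> src=<ip> geo=<country> result=success|failure"
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)"
)
PRIVILEGED = {"admin"}            # accounts whose login hours are baselined strictly (assumption)
FAIL_BURST = 5                    # failures before a success that count as a burst (assumption)
BURST_WINDOW = timedelta(minutes=10)


def parse(lines):
    """Parse raw lines into dicts with a datetime 'ts'; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(history):
    """Per user: the countries and hours of day seen in a trusted history window."""
    base = defaultdict(lambda: {"geos": set(), "hours": set()})
    for e in history:
        if e["result"] == "success":
            base[e["user"]]["geos"].add(e["geo"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def detect(baseline, events):
    """Return (timestamp, user, reason) for new-country, off-hours-privileged and burst logins."""
    alerts = []
    recent_failures = defaultdict(list)
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] != "success":
            recent_failures[user].append(ts)
            continue
        fails = [t for t in recent_failures[user] if ts - t <= BURST_WINDOW]
        recent_failures[user] = []
        if len(fails) >= FAIL_BURST:
            alerts.append((ts, user, f"success after {len(fails)} failures within {BURST_WINDOW}"))
        known = baseline.get(user)   # .get() does not create an empty baseline for unknown users
        if known is None:
            continue                 # no history yet, so geography and hours cannot be judged
        if e["geo"] not in known["geos"]:
            alerts.append((ts, user, f"login from country {e['geo']} never seen for this user"))
        if user in PRIVILEGED and ts.hour not in known["hours"]:
            alerts.append((ts, user, f"privileged login at hour {ts.hour:02d} outside baseline"))
    return alerts


# Constructed trusted history used to learn each user's normal countries and hours.
HISTORY = [
    "2021-05-03T09:02:11Z user=alice src=203.0.113.5 geo=US result=success",
    "2021-05-04T10:15:40Z user=alice src=203.0.113.5 geo=US result=success",
    "2021-05-05T14:48:09Z user=alice src=203.0.113.6 geo=US result=success",
    "2021-05-03T09:30:00Z user=admin src=203.0.113.9 geo=US result=success",
    "2021-05-04T16:05:22Z user=admin src=203.0.113.9 geo=US result=success",
    "2021-05-05T10:00:00Z user=bob src=203.0.113.7 geo=US result=success",
]
# Constructed events to examine: a malformed line, a new country, an off-hours admin login, a failure burst.
TODAY = [
    "2021-06-01T09:31:00Z user=alice src=203.0.113.5 geo=US result=success",
    "2021-06-01T12:02:45Z user=alice src=198.51.100.20 geo=BR result=success",
    "2021-06-01T03:15:10Z user=admin src=203.0.113.9 geo=US result=success",
    "garbage line that does not match the format",
] + [f"2021-06-01T10:0{i}:00Z user=bob src=198.51.100.7 geo=US result=failure" for i in range(5)] + [
    "2021-06-01T10:05:30Z user=bob src=198.51.100.7 geo=US result=success",
]


def run():
    return detect(build_baseline(parse(HISTORY)), parse(TODAY))
```

Running it yields three alerts in time order: the admin login at 03:15, bob’s success after five failures, and alice’s first-ever login from BR; alice’s normal 09:31 login from the US raises nothing.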
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
There are several key steps that need to be taken once the attack has been detected. First, the infected endpoints and servers need to be immediately isolated and “quarantined” by disconnecting them from the rest of the systems to prevent the malware from spreading. Call the IT team so they can secure and transfer any key information that needs to be protected and inform partners, suppliers, and customers so they can take necessary precautions. Also, notify the concerned agencies like the police department, FBI, US-CERT, and the Federal Trade Commission. Once this communication happens, it’s important to identify vulnerabilities, deploy fixes, initiate recovery processes if needed, and do a post-mortem analysis to prevent such attacks from happening again.
How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR, and other related laws affected your business? How do you think they might affect business in general?
These two standards affect the data protection policies and procedures for enterprises. These standards penalize companies that don’t comply. CCPA requires that enterprises must know what data is private data and what is not and then decide the necessary data privacy and security protocols accordingly. The problem with many of these compliance standards is that they are measured once a quarter or once a year — even though software releases often happen much more frequently. So, compliance can be broken the moment new software is released. And it’s important to note that compliance doesn’t necessarily mean security or privacy. In order to fix this problem, we need to have continuous compliance, so compliance can be checked in as frequently as the business needs. At ArmorCode, we have a separate module for this called “Continuous Compliance” that helps enterprises elevate their privacy and security game by providing them compliance status on demand.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The primary mistake is not securing the software they are creating as they create and deploy it. If the software development processes are not secure then the systems that are built using that software will not be secure (think: a house built on a poor foundation). Companies also don’t tend to pay attention to the Software Bill of Materials (SBOM) and what the total sum of ingredients in their software is. This causes huge risks because companies are deploying software without studying their full scope of vulnerabilities. Some open source software is not fully vetted and may actually have compromised elements.
Cybersecurity mistakes also include not having full visibility into the assets as visibility is foundational. Lack of or not enough automation to cut through the noise-to-signal ratio; not having a dedicated security team; not updating/patching software; not securing endpoints — especially Internet of Things (IoT) and mobile phones; and not having effective cybersecurity policies or not enforcing them. Not training a team to get them up to speed with the latest prevention process.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
The pandemic has increased the overall attack surface since critical systems work within a tighter security infrastructure at onsite offices. The circle of protection tends to break down once workers are accessing software and services at offsite locations such as their homes. Studies have shown that the frequency and severity of attacks has gone up since the pandemic started. Bad actors can sometimes move invisibly across enterprise networks if they have gained access through a less-secure endpoint in a remote setting (such as a poorly managed home network). The phishing attacks have increased as well.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Software applications are at the heart of all our digital experiences and they are changing the way people live, work, and play. We believe application security or software security is foundational to protecting the digital infrastructure that is getting built rapidly around us. ArmorCode’s platform simplifies software security by consolidating three key AppSec needs into a single intelligent platform that minimizes tooling and alerts.
- Align cybersecurity to your overall business strategy. Cybersecurity has become one of the top three concerns for the board of directors because of the catastrophic and costly effects a cyberattack can have. Cybercrime damages will total $6 trillion globally in 2021 — $190,000 every second — and will reach $10.5 trillion annually by 2025. CEOs need to think about the business case behind security investment. What would a ransomware attack cost your bottom line if you paid a costly ransom (sometimes hundreds of thousands or millions of dollars) or if you didn’t pay a ransom and then had to rebuild your IT infrastructure from scratch? What would a system outage or failure mean for your sales? How would it impact your relationships with customers, partners, investors, etc.? Calculating the cost of various cyberattack scenarios is the only way to know how much the cybersecurity “insurance policy” is actually worth to your business.
- Secure code at the speed of development. There has been a lot of innovation and acceleration in the development cycle with the introduction of agile methodologies and DevOps. At the same time, application security has not kept up with application development — and the consequences have been shown time and time again with the continuing scourge of cyberattacks. Securing software as it is developed is no longer a nice-to-have, it is a business imperative.
- Seek Continuous Compliance. In a world where software gets released every week, quarterly or yearly compliance cycles no longer work. Set up continuous compliance processes so you know the status of security and compliance at any moment.
- Create a clear organizational risk matrix that identifies and prioritizes the risks that have the highest business impact (cost). Not all risks are equal and in an environment where security professionals receive dozens, hundreds, or even thousands of security risk alerts per day, businesses need to be able to prioritize or face overwhelming the security team.
- Automate and orchestrate security as much as possible. As mentioned, security professionals can be easily overwhelmed by security issues and alerts — and automation is key to organizing and prioritizing them. Orchestration will help make the work flows flow seamlessly across the organizational and tool silos.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
- Be part of a community where you can share and learn from others. There is a great power in being part of a community of “good guys” who can help you understand all the dimensions of a problem, explore best practices, and learn from case studies. Community is a great way to get organized and fight against cybercrime. There are many good communities to join and I welcome you to consider joining the application security community we have started: Purple Book Community.
- Write a blog, get on a podcast, or write a book to share the wealth of knowledge you have accumulated. Never underestimate the power of your knowledge; it may very well be the information that will save a company, a career, or a person’s life. We have all benefited from the work of those that have come before us; now we have an opportunity to pay it forward. So, go ahead and share.
How can our readers further follow your work online?
- I have started a blog series to share my personal journey as an entrepreneur: https://nikhilgupta2453.medium.com.
- I recently began contributing to Forbes Tech Council and will begin posting on a regular basis: https://profiles.forbes.com/members/tech/profile/Nikhil-Gupta-Founder-CEO-ArmorCode-ArmorCode-Inc/9e4bcbca-e019-4f60-8566-853c4937a6c7
- I also share a lot of my work on my LinkedIn: https://www.linkedin.com/in/nikhilgupta/ — please feel free to connect or follow me there. If they refer to this interview in their introduction message, I will prioritize it.
- I also will be sharing a lot of my thoughts on the Purple Book Podcast which focuses on matters related to improving the state of application security and DevSecOps. Those can be found here: https://www.thepurplebook.club/podcasts.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!