Roger Neal Of Apona On 5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity

Published in Authority Magazine · 16 min read · Jun 5, 2024

Employees are your first line of defense, so invest in education. Employees should be trained to recognize phishing attempts, use strong passwords, and follow best security practices. A healthcare company I worked with avoided a significant data breach when a trained employee recognized a suspicious email and reported it, preventing a phishing attack from compromising their customer data. Regular training and awareness programs can empower employees to act as a strong defense against cyber threats.

As a part of our series about “5 Things You Need to Know to Optimize Your Company’s Approach to Cybersecurity”, I had the pleasure of interviewing Roger Neal.

Roger Neal, the Head of Product Development at Apona, is a former Division One athlete who earned his degree in Information Systems. While he has since transitioned into the field of cybersecurity, he has worked his way to overseeing the development and execution of Apona’s product strategy.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I appreciate the invitation; it’s an honor to be here. My childhood was quite fascinating. I grew up in Folsom, California, a quaint suburban town with a strong football culture. Friday night games were more than just sports events; they were significant community gatherings. I was brought up by my remarkable single mother, who undertook the immense challenge of raising me and my two sisters alone after my father passed away when we were very young. His untimely death was a severe blow, but my mother’s resilience in stepping up to support us is something that continues to amaze me. She balanced her demanding work schedule with being a constant presence in our lives, whether it was helping with schoolwork or cheering us on in our various activities. Through all the difficulties, my mother imparted to me the values of hard work, resilience, and the significance of education. She strongly believed that a solid education was the key to unlocking life’s opportunities and often reminded us that ignorance can hold you back. Although I lost my father at a young age, I credit my technical aptitude to him. He was a technical prodigy, known as a ‘human calculator’ and was recruited by Intel after designing Macy’s payment and inventory database, which is still in use today.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My passion for cybersecurity began when I was 12 years old, after my mom became a victim of a cyber scam. This personal incident opened my eyes. As I delved deeper into understanding the scam, I discovered numerous stories of other victims, which both saddened and angered me. The idea that people could exploit others’ hard-earned money and personal information for their gain was deeply troubling to me. This experience ignited a drive within me to be part of the solution and to help create a safer digital environment where people can interact and conduct business without the constant fear of cyber theft. Although I had a passion for sports, security and technology were always a part of me.

Can you share the most interesting story that happened to you since you began this fascinating career?

Since I began my career in cybersecurity, one of the most interesting experiences I had was when I was working with a client who had recently suffered an attempted data breach. At the time, I had provided a tool that applied file-level encryption and blocked files from being exfiltrated. The client’s accountant had clicked on a malicious email link, which instantly tried to exfiltrate sensitive files identified through a regular expression set in the malware.

This was particularly interesting to me because, through our tool, we were able to see every action that was blocked and prevented in real time. I got to witness firsthand how having proper controls in place can prevent disasters and how quick and sophisticated malware attacks have become, as it attempted to touch over 1,000 files in under 30 seconds.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Outside of my mother, I am grateful to my sisters, who have been an incredible support system for me. Although, being the youngest, they spent the majority of their time bullying me, there were numerous times when I had to prepare for crucial certification exams and interviews. My sisters stayed up with me whenever I needed it, asking me interview questions and quizzing me on various topics from my practice exams. Their support and belief in my abilities helped me pass the exam with flying colors. This support didn’t stop there; they have always encouraged me to further my education and career, and their continuous encouragement has been instrumental in my success.

Are you working on any exciting new projects now? How do you think that will help people?

Yes, I am currently working on an innovative project that focuses on automating security tasks with the help of AI, primarily in development. Its aim is to streamline and enhance the efficiency of security operations by leveraging machine learning algorithms to analyze and respond to potential threats triggered by existing systems. This automation can significantly reduce the workload on security professionals and support a shift-left approach, allowing employees to focus on more strategic tasks while ensuring faster and more accurate threat detection, response, and mitigation. Ultimately, this project will help organizations maintain a stronger security posture, protect sensitive information more effectively, and reduce the risk of cyber attacks.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

First, I would suggest that they manage and plan out their workload to eliminate anxiety and stress. It’s important to prioritize tasks and set realistic goals to avoid feeling overwhelmed. Breaking down large projects into smaller, manageable tasks can make a big difference.

In addition to effective workload management, it’s important to utilize time off. Many of us feel as if the world will fall apart if we don’t show up to work, but it’s important to remember that our own health and well-being should come first. Taking regular breaks throughout the day can help refresh the mind and improve focus. More importantly, taking full advantage of vacation days and personal time is critical for preventing burnout.

Lastly, I want to emphasize the importance of staying active and having hobbies outside of work that they enjoy and that help them relax. I would suggest taking up some form of sport, as I have found that it helps with clearing the mind. Whether it’s spending time with family and friends, pursuing hobbies, exercising, or simply resting, these activities are vital for mental and emotional rejuvenation.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

Great questions! There have been a lot of advancements in cybersecurity over the past few years and many interesting topics. The three that interest me the most would be, first, the shift-left mindset. This approach is transforming how we handle security by integrating it early in the software development lifecycle. This interests me because we are seeing security being taken more seriously in the earliest stages of application development, which should lead to hardened applications and a significant drop in successful breaches.

Second, the emphasis on security by design, which is increasingly being enforced by regulatory bodies, is another exciting development. Over the past few decades, security has often been thought of as an afterthought or a burden, leading to a staggering number of breaches as commonly no one cared until they got hit. As security by design continues to be pushed, I believe companies will see just how important and helpful security can be.

Lastly, the use of AI for automation in security is extremely exciting to me. Over the past few months, security experts have adopted AI and machine learning technologies more and more to help automate repetitive tasks and analyze vast amounts of data with incredible speed and precision. This automation will significantly reduce the workload on security teams, allowing them to focus more on what they do best.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Looking ahead to the near future, there are critical threats on the horizon that companies need to start preparing for. The good thing is I believe that we are going to continue to see many of the attacks we have already seen. The bad thing is that the variations of how they are being performed will be different and more complex, especially with the use of technologies such as AI.

I do believe that we are going to see more attacks focused on autonomous vehicles and Bluetooth. The dangers of push-to-start keys and the ability to capture the enumerations from them are becoming more and more known. Additionally, the way phones constantly look for Bluetooth networks opens up new avenues for exploitation. I believe we might see a shift toward more malicious Bluetooth spoofing attacks. These attacks could potentially trick devices into connecting to malicious networks, leading to data breaches or unauthorized access.

As these technologies become more prevalent, it is crucial for companies to stay ahead by implementing robust security measures, regularly updating their systems, and educating their employees about these emerging threats.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I would have to go back to the most interesting story that happened in my career when I was able to see the audit logs of our tool blocking an exfiltration attack in real time. My main takeaway from that situation is that these attacks can spread in a matter of seconds due to a slight mistake. Having the proper solutions in place can stop millions of dollars in potential damage. This experience showed me the importance of proactive security measures and real-time monitoring to protect sensitive data and prevent breaches. It also reinforced the need for continuous vigilance and education to ensure that everyone in an organization is aware of potential threats and how to avoid them so that the risk gets stopped at the front door with our employees. Having robust security protocols and tools in place can make all the difference in stopping an attack before it causes significant harm.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

The main tools I use on a frequent basis are SAST, SCA, and SIEM. SAST, or Static Application Security Testing, is used to identify potential attack points in proprietary software developed in-house. This tool is crucial for locating vulnerabilities such as SQL injection, buffer overflows, CSRF, and memory leaks of sensitive data before an application is deployed and becomes susceptible to attacks in the wild. By analyzing the source code, SAST helps developers find and fix security issues early in the development process, reducing the risk of exploitation in production environments.

SCA, or Software Composition Analysis, is another essential tool for managing open-source software risk. Many people don’t realize how risky it is to use open-source software, as it is accessible to anyone, including attackers who can continuously test that code to find unreported vulnerabilities. SCA helps identify any potentially vulnerable components in the open-source libraries and frameworks you incorporate into your projects. It ensures you stay up-to-date with the latest security patches and are not susceptible to known vulnerabilities. By providing visibility into the security posture of your open-source dependencies, SCA enables you to mitigate risks associated with third-party code effectively.

Lastly, I also frequently use a SIEM (Security Information and Event Management) system to ensure our cloud posture is up to standards. SIEM tools collect and analyze log data from various sources within the IT infrastructure, providing real-time analysis of security alerts generated by applications and network hardware. This helps in detecting, monitoring, and responding to potential security incidents, ensuring that our cloud environment remains secure and compliant with industry standards.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Dealing with cybersecurity as a small team can be challenging, which is why it is crucial to have the correct tools in place. The smaller the team, the more important it is to have “over the counter” tools like SAST, SCA, or SIEM. Start with a baseline, especially with SIEM, to understand your current environment and frequency of attacks. If the frequency is low, you can supplement many controls with the use of these tools and even open-source solutions, but continuously monitor for increased activity.

Regulatory compliance is another critical factor. If you are in a heavily regulated space, you should start to look at a dedicated CISO to maintain compliance. Failing to comply with regulations can result in costs that far exceed what you would pay for a CISO.

Lastly, evaluate the level of cybersecurity expertise within your team. If your team lacks the necessary skills to manage and respond to security threats effectively, external support can be a viable option to fill that gap. This can include hiring a cybersecurity agency or a dedicated CISO to ensure robust protection.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Absolutely, even for the best-prepared organizations, breaches or hacks can still occur, and sometimes it takes a while before they are detected. However, there are a few signs that a layperson can look out for that might indicate something is amiss.

First, look for unusual system behavior. If you notice your computer running unusually slow, crashing frequently, or if programs start or stop unexpectedly, it could be a sign of a breach. These symptoms often indicate that malicious software is running in the background, consuming resources and potentially collecting data.

Second, watch for unexpected pop-ups or new toolbars in your web browser, as this can be a red flag. While some pop-ups are merely annoying, an increase in frequency or the appearance of toolbars you didn’t install can indicate that your system has been compromised by adware or more malicious software.

Third, look for unusual account activity. If you receive notifications of password changes, login attempts from unfamiliar locations, or other account activities that you didn’t initiate, it’s a strong sign that your account might be compromised. Always pay attention to these alerts and take immediate action if something seems off.

Lastly, it can be challenging for anyone to detect a breach, which is why it’s important to run frequent security scans so that you can be sure. However, by looking for these signs, you might be tipped off to a breach early enough to mitigate potential damage.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

After a company is made aware of a data or security breach, there are multiple steps they should take to protect themselves further and protect their customers.

First, isolate the infected systems and any connected systems to prevent the spread of the breach. This containment step is critical to stopping the attacker from accessing more data or causing further damage.

Next, identify what data has been affected and assess the extent of the breach. It’s essential to understand what information has been compromised to gauge the potential impact on both the company and its customers.

Then, report the breach to the appropriate regulatory bodies and inform your customers promptly. Transparency is vital in maintaining trust and ensuring that affected parties can take necessary precautions, such as changing passwords or monitoring their accounts for suspicious activity.

After that, conduct a thorough investigation to determine how the breach occurred and close any security gaps. This might involve updating software, changing security protocols, or implementing additional security measures to prevent future incidents.

Finally, review and update your incident response plan based on the lessons learned from the breach. Continuous improvement of your security posture and following these steps can be crucial in maintaining customer trust and business operations.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The most common data security and cybersecurity mistakes I have seen companies make start with encrypting everything. Most companies believe that they should encrypt everything and anything without proper planning. While encryption is crucial, encrypting everything can negatively impact the CIA triad. It can lead to performance issues and complicate data management, making it harder to ensure data integrity and availability.

Second, many companies fail to perform a risk assessment to map out their critical assets and continuously monitor for the creation of new assets. Without a clear understanding of what assets are most important, companies can’t prioritize their security efforts effectively. Continuous monitoring is essential to detect unauthorized changes and additions, which could indicate a potential breach.

Lastly, improper access control is a widespread issue. Companies often give too many privileges to too many users, increasing the risk of insider threats and accidental data leaks. Implementing the principle of least privilege, where users are granted only the access necessary for their roles, can significantly reduce this risk.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Definitely! With the shift to remote work, resources have been moved to the ‘edge’ to make services more accessible for workers. In non-zero trust architectures, this has opened up systems to a wide variety of attacks. Additionally, we have lost a lot of the security controls that were implemented on-site.

When resources and systems are moved outside of a controlled, centralized environment, naturally the attack surface increases, and bad actors have taken advantage. Remote work often necessitates the use of personal devices and unsecured home networks, which can be more vulnerable to cyber threats compared to secured office environments.

Additionally, employees working remotely might not always follow the best security practices, such as regularly updating software or using strong, unique passwords. Phishing attacks have also increased, targeting individuals who may not have the same level of IT support at home. You also lose the group collaboration effort of stopping attacks as those less tech-savvy lose the ability to consult with more tech-savvy coworkers quickly.

The lack of physical security measures, such as restricted access to devices and network monitoring, has also contributed to an increase in cybersecurity incidents. In a traditional office setup, there are multiple layers of security controls like firewalls, intrusion detection systems, and physical security measures that are harder to replicate in a remote working scenario.

Lastly, the rapid shift to remote work has put a strain on IT departments, which may have been unprepared for such a sudden change. This has sometimes resulted in rushed implementation of remote access solutions, potentially overlooking crucial security aspects. All these factors combined have led to a noticeable uptick in cybersecurity and privacy errors during the pandemic.

What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why?

This is a great and important question. The five things that I think every company needs to know to tighten up its approach to data privacy and cybersecurity are as follows. First, perform a risk assessment to understand what assets are critical so that you can put proper controls in place. For example, a financial services company performed a risk assessment and identified that a critical transaction system was missed. Once identified and with proper controls in place, they were able to detect an active data breach and prevent further damage.

Second, employees are your first line of defense, so invest in education. Employees should be trained to recognize phishing attempts, use strong passwords, and follow best security practices. A healthcare company I worked with avoided a significant data breach when a trained employee recognized a suspicious email and reported it, preventing a phishing attack from compromising their customer data. Regular training and awareness programs can empower employees to act as a strong defense against cyber threats.

Third, no one is perfect; it’s important to have necessary controls in place to protect against human error, whether the service is proprietary or open source. For example, I have to go back to the story I stated earlier where our solution was able to prevent over 1000 files from being breached. The employee didn’t mean to click on the link, but they did, and thanks to having the right controls in place, the company was able to overcome that human error.

Fourth, think of security in development, not just after a breach. Incorporating security measures during the development phase of software can prevent vulnerabilities from being exploited later and also lower the cost of fixing these vulnerabilities by over 50%. A healthcare company that implemented SCA was able to identify malicious components before releasing their IoT device, which could have caused a multi-million dollar recall.

Fifth, continuously monitor and update your security measures. Cyber threats are constantly evolving, so it’s crucial to regularly review and update your security protocols. A company that is consistently making sure that they have all critical business systems monitored and a strong business impact analysis will see less downtime and effect of a breach than a company that didn’t take the time to update their policy and missed a system being breached for years.

The list can go on and on, but I believe that these 5 strategies can be used for SMBs all the way to enterprises to ensure that they are upholding the strongest security posture possible.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

One thing I would hope to inspire is a movement to follow security baselines. I would encourage everyone to take a look at their current security posture and implement as much of the NIST 800 framework as they are capable of. By focusing on these basics, organizations and individuals alike can achieve a significant head start in securing their data and systems. Implementing fundamental security measures, such as access controls, regular updates, and continuous monitoring, can dramatically reduce vulnerabilities and protect against common threats. This simple, fast, and effective approach can make a substantial difference in improving cybersecurity for everyone.

How can our readers further follow your work online?

You can connect with me on LinkedIn — https://www.linkedin.com/in/roger-neal-70b15319b/

You can follow my work with Apona.ai or at We-Bridge World LLC. Feel free to reach out to me with any questions. Thank you for having me today!

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
