Sanjay Bhakta Of Centific On Cybersecurity Compliance in the Age of AI Threats

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
8 min read · Jul 27, 2023

Compliance with regulatory standards and industry-specific guidelines for product security is an indispensable part of cybersecurity. In an age where malicious AI poses a significant threat, how do organizations ensure their product security strategies are not just effective, but also fully compliant? As a part of this series, I had the pleasure of interviewing Sanjay Bhakta.

Sanjay Bhakta is Vice President and Head of Solutions at Centific who is leading and developing collaborative, innovative, and disruptive solutions that help clients protect their technology infrastructures and enhance business processes. His industry knowledge spans multiple areas of digital safety that include cybersecurity, fraud detection and prevention, and the adoption of various technical frameworks and standards as best practices in the 21st century.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I had a typical childhood, but I remember being in middle school when my father brought home a new computer. My eyes lit up and I was completely enamored with this new device. Over the years, I went from simply playing around on the computer to actually developing various software engineering products. During the Apple IIc era, I developed a software program identifying overcharges and redundant charges on invoices for my father’s Defense Consulting firm, achieving $2.5+ M annual savings. This was a proud achievement of mine and it solidified my interest in technology that intersected with business and data science.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Decades ago, during college, one of my siblings’ identities was stolen, creating a complex network of challenges lasting years, impacting them and our family, financially and emotionally. However, there were very few rigorous cybersecurity mechanisms that existed back then, and it tormented me that I was unable to assist. The entire ordeal inspired me to pursue a career in fraud and cybersecurity.

Can you share the most interesting story that happened to you since you began this fascinating career?

One of the most interesting events that happened since embarking on the journey of combating fraud was with one of the largest banks in the world, which was experiencing a significant surge in fraud in specific geographies. High-net-worth customers with a more senior demographic were targeted. I led the teams responsible for investigation and resolution using AI, mitigating further losses, recovering funds under certain conditions, and saving the financial institution millions of dollars.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

The three character traits most instrumental for me have been creativity, integrity, and resilience.

· Creativity: Fraud is consistently evolving daily, and a creative mindset is essential, iteratively trying new approaches, rapidly, infusing different techniques with different combinations of technologies.

· Integrity: Integrity with your organization, team, and customers is paramount, and when the calculus of assumptions misaligns, we need to recognize the signposts, acknowledge the errors, and succinctly communicate the impact and mitigation to our stakeholders.

· Resilience: Resilience is paramount to digital safety, with rapid test-and-learn approaches providing temporary mitigation, accelerating pattern recognition, while iteratively identifying the next resolution.

Are you working on any exciting new projects now? How do you think that will help people?

Yes, our team is currently working on exciting new services and solution offerings aimed at Financial Services companies to help them thwart fraud, protecting the identity, data, and assets of digital customers. Digital Fraud Protection by Centific is an AI-powered platform that constantly learns and adapts to fraud patterns, so financial institutions can stay one step ahead of cyber-criminals. You can read more about it at https://www.centific.com/dynamics-fraud-protection-unmask-fraud-financial-institutions.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. How does the emergence of malicious AI threats impact compliance requirements for organizations? Are there specific regulations or standards that address the unique challenges posed by AI-related security threats?

AI threats are evolving daily, which in turn escalates mitigation costs and impacts the effectiveness of compliance requirements for organizations by putting them at the crossroads between protection and regulation. While there are many regulations and standards pertaining to security, those we interact with most often seem to be: CCPA, CPRA, FACTA, GDPR, HIPAA, PCI-DSS, PSD2. In regard to standards, we leverage NIST 800-53 and ISO/IEC 27002. Interestingly, we’re closely following NIST’s AI RMF 1.0 and the AI Bill of Rights, regarding responsible and ethical usage of AI. These recent additions are very relevant to fraud and security solutions using AI and should be monitored regularly.

Can you provide an example of a compliance framework or approach that organizations can adopt to effectively address security concerns arising from malicious AI? How does this framework help organizations mitigate risks and stay compliant?

Organizations that rigorously adopt frameworks such as MITRE ATT&CK, the NIST Cybersecurity Framework, and SOC 2 can effectively address security concerns from malicious AI. The frameworks should be complemented with the appropriate tools, such as threat detection, SIEM tools, SOAR tools, and breach and attack simulation, as well as employing methodologies such as Zero Trust.

In the context of compliance and regulatory requirements, what are the key considerations for organizations when deploying AI systems? How can organizations ensure that their AI deployments align with relevant compliance standards and guidelines?

I think it takes a dual approach by being proactive and reactive.

PROACTIVE: The key considerations of compliance and regulation for organizations deploying AI systems pertain more to the usage of security and the adoption of safe AI. Therefore, security pertains to employing techniques and tools that use differential privacy or federated learning, which mitigate the risks of deanonymization, where the AI decision(s) reveal attributes that lead to the identification of people or business entities. With respect to safe AI, responsible and ethical frameworks ensure that decisions made by data science models are unbiased and uncompromised.

REACTIVE: For reinforcing AI models that are uncompromised, Microsoft’s AI security risk assessment uses Counterfit to analyze data science models for potential threat vectors. Thus, those organizations desiring robust security programs should incorporate automated DevSecOps tooling within their enterprise, integrating with many of the tools. This would facilitate compliance with regulations and standards, respectively.

Are there any specific compliance challenges that organizations commonly face when dealing with malicious AI threats? How can these challenges be overcome, and what steps can organizations take to enhance their compliance efforts in this area?

Compliance challenges are contextual to the industry and to the maturity capability of an organization’s digital safety program. To overcome challenges with compliance to regulations, it’s critical to develop a rigorous digital safety program, elevate the EQ of the organization, employ security frameworks and methodologies, incorporate fraud detection platforms identifying bots, and interrogate the authenticity of transactions.

Ok, thank you. Here is the main question of our interview. What are your “5 Things We Must Do To Protect From AI-Powered Cyberattacks” and why?

1. Digital Safety culture: Every organization needs to adopt a Digital Safety initiative to combat the growing levels of damaging risk that are rampant today. I recommend that organizations stay agile and develop strategic communications that include robust, informative session(s) with ongoing communications highlighting the latest techniques from fraudsters, the potential impact to the enterprise, the responsibility of every team member, and the success of thwarted attacks. Quite frankly, every employee should be involved in Digital Safety activities and have visibility of their contributions to keep the organization safe.

2. Emotional Intelligence: AI and data technologies can mine and assess the emotional intelligence of a given organization’s employees and customers. This is helpful to determine specific areas to improve upon and how to address them. The Myers-Briggs personality assessment, and other tools or frameworks, incorporated by AI, may be compared with the attributes of fraudsters, which assists in the detection of and response to fraud and security attack vectors.

3. Cybersecurity Frameworks: It goes without saying but security frameworks such as MITRE ATT&CK, and NIST should be put in place and used by security tools to assess the vulnerabilities within an organization and better position itself to detect, respond, and mitigate to protect digital citizens.

4. Well Architected Framework: Organizations that adopt this architectural discipline, as well as deploying best practices of DevSecOps throughout their application and infrastructure ecosystem, can generate early visibility of potential channels that may be exploited by fraudsters. This includes the proper usage of defining access to systems via identity, access management policies, and rules-based access for permitting users to only utilize those systems that pertain to their role.

5. Simulation: The practice of using breach & attack simulation, ethical hacking, as well as Purple Teaming, will further improve an organization’s ability to detect potential fraudsters. A fraudster typically performs reconnaissance prior to their criminal activity and employing these techniques may provide further awareness of the looming threats, which may be mitigated by your security professionals.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Safeguarding digital citizens around the world would be a top focus of mine. I’ve seen and heard too many people who have lost their life savings to online criminals and if I can help a small percentage of them, I would be happy. It’s about uplifting complete safety in the digital economy across the globe, regardless of demographic, by citing examples of cyber risk and fraud, illustrating impacts, and prevention mechanisms that either mitigate or reduce those negative outcomes.

How can our readers follow you and your thinking online?

I invite readers to follow me on LinkedIn: https://www.linkedin.com/in/sanjaybbhakta/.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
