Spiros Liolis of Micro Focus: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

Authority Magazine
Aug 23, 2021 · 19 min read

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Spiros Liolis.

Spiros Liolis is a Chief Technologist with 20+ years of multi-discipline, multi-national experience in over 55 countries. His experience in Digital Transformation, Intelligent Automation, GRC (Governance, Risk, Compliance) and Business Continuity & Resiliency has led to breakthrough solutions, innovations and early technology adoptions, and he is working on patent-candidate solutions in AI.

Spiros has led some of the largest DX projects in EMEA, AsiaPac and the USA for some of the largest clients in Financial, Telecommunications, Manufacturing and O&G, and comes with excellent knowledge of industry solutions, emerging technologies and trends.

He has a Master of Science in Engineering Management and a Bachelor of Science in Mechanical Engineering. Lastly, he is passionate about the sea, food, and photography. A “Big fat Greek wedding” kind of guy with a lovely wife and two kids!

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born and raised in Greece, mostly Athens, and had a great childhood. Given the conveniences of the times, we traveled to many places all over Greece. We spent quality time as a family, and this gave me perspective. I was constantly encouraged by my parents to aim high and get a university degree. They funded me to go to the USA and study. I received my B.Sc. in Mech. Engineering and M.Sc. in Engineering Management from the University of Tennessee before returning home to serve in the Navy and start my career.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage was, perhaps, the first documentary I saw that intrigued me to get more involved in the computer landscape. While I was studying mechanical engineering in the early 90s, I got a university job with the Computing Applications department and was able to engage with multiple systems, such as mainframes, UNIX systems and pretty much anything available. But I didn’t start my security career until 10 years later.

Can you share the most interesting story that happened to you since you began this fascinating career?

Oh, where do I begin! Somewhat security related, though not a cyber-attack but an Availability, Continuity and Disaster Recovery matter. An incident occurred which disabled all of the client’s mission-critical systems for over 3 days, losing significant revenues and impacting market perception. The client took legal action to reclaim millions of dollars’ worth of damages that occurred during the course of the downtime. I was called in, given 10 days to assess the situation, and come up with a report and a strategy before legal action would enter the next phase. It takes a village, so I led a small team of experts, and together with senior leadership’s support, we assessed, analyzed and ultimately developed a strategy for how to enable higher resiliency for the client’s environment, which we presented to C-level executives, where we received very positive feedback. The plan and quick deployment of the strategy my team mapped out was so well-received that not only was the case dropped, but the client managed to get an additional multimillion-dollar contract to build a highly available, highly resilient environment for the client’s business.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Different people have helped me at different times along the way. My family, who kept pushing me and supported me in the early days of my career, when I traveled like mad. My first manager at HP, who promoted me to an international career. In fact, I’m grateful for all my managers who helped me build character, skills and knowledge. I’m even thankful for the times when I learned the ugly side of this industry. And my first security mentor, Stuart Hotchkiss, an old colleague and a friend, who taught me how to think of security outside the box. He was instrumental in giving me perspective on how security is not just about passwords, zeros and ones or penetration testing; it is all about process. I remember him saying “Don’t let security define your career, make security enrich your career.” I followed his advice, religiously, and made (cyber)security always part of my career, even when I held portfolios in other areas, such as Data Centers, Cloud, IoT, Intelligent Automation or other emerging tech areas.

Are you working on any exciting new projects now? How do you think that will help people?

I always engage, or at least try to, with new projects that excite me. Currently, there are a couple of things I’m involved in. First is a fully integrated, end-to-end XDR (extended detection and response) solution. The recent cybersecurity incidents have proven that we need to increase our awareness but, more importantly, our capabilities and technology on cyber resilience. Second is an under-development technology that uses neuroscience for cybersecurity purposes. I’m working on a technology that, through the use of Machine Learning, can use brain signal readings from fingertips and, through a small touch interface, convert them into a security action. You could, ultimately, have a small sensor that could be attached to a keyring, or a wrist-strap, or anything really, that reads an individual’s brain signals and converts them into an action, such as to unlock a door, or enter a PIN. The applications of such technology are endless. We are still in the early stages of development, but it is very promising and exciting.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I learnt, early on, the analogy of airplanes. Fly at 65%, and use short, calculated outbursts to 90% or 100% when needed, such as in a strong headwind, or at take-off, etc. The professional career of an individual is a hyper-marathon, so you need to preserve your power for this long period. Again, using the same analogy, when planes are taken to a hangar for maintenance and tech-refresh, do the same with your skills. Learn something new; a skill, a technology, a methodology. And return to the business, trying new routes. And while planes have a physical limitation as to how far they can go, humans can really grow to new levels and challenges.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

First is the continuous growth of the attack surface. This introduces new methods of attacks, new challenges in defense and new methods of resilience. Gone are the days where an enterprise had a controlled perimeter with pre-defined assets and “one policy to rule them all.” The continuous increase of cloud services, the new technology that has been, literally, embedded in our mostly automated lives, the connected-things, the devices that are used, put together with the new way we work in the pandemic and post-pandemic periods have annihilated the old ways. Technology has been the accelerator of development not only in cybersecurity of course, but it is the area that has the largest business and organizational impact.

Second is Risk Management. I find risk assessment and management to be the force of protection for people and organizations. It is a constant battle to find ways, such as defining or redesigning processes, procedures and products, to minimize or mitigate the impact on people and organizations. It is also a business attitude, one that always forces me to be able to convince customers of the expertise, market perspective and prior experience I have carried for over 20 years, having dealt with projects and opportunities in over 60 countries.

Third, and by far the most exciting for me, is my version of Cybersecurity Transformation I keep pontificating about. When I speak to customers, partners, vendors or solution providers, I hear two main versions of Cybersecurity Transformation. The first one is solely technology focused. I hear things such as “we have this new tech, or we have this great app, etc.” but in my opinion, that’s an empty promise. The second version is when they speak of People, Process and Technology Transformation. Now, we are onto something. This is a good start and an indication that they are looking at a wider spectrum. What I’m preaching adds a far bigger element to the three pillars of people, process and technology. I speak about thinking systemically in terms of risk. The Colonial Pipeline cyberattack proved to be a systemic incident. This company-level incident triggered severe instability in the market for over a week. Gas shortage, stock-market panic, and price gouging were some of the events we witnessed, not too long ago.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

I was asked not too long ago “whom do you fear the most, which adversary country of the USA poses the largest risk?” I told them that I fear the unprepared more. There will always be adversaries and forces that will constantly exploit. I’m certain that incidents, similar to the Colonial Pipeline and SolarWinds, among many other recent ones, including corporate espionage, will appear more and more frequently. For all reasons I mentioned previously, such as the attack surface, together with trade wars, embargoes and the old “east vs. west” dichotomy, there will be a continuous flow of threats. If companies haven’t seen the signs and haven’t started working on a cybersecurity program, they will be impacted. There is no such thing as “this won’t happen to me.” It’s not a matter of if but when.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Not so long ago, I received a request to evaluate a potential opportunity by speaking to a senior executive of a major manufacturer. The customer had a number of concerns he wanted to discuss about his cybersecurity program and felt that he had no way of knowing if he had been breached or how to detect a breach. Following a few sessions with key members, we understood the challenges. To begin with, the customer didn’t have any formal cybersecurity program in place. While there were network security specialists, or systems and application security specialists, among others, they operated in silos with no coordination of activities. Furthermore, the concept of a Security Operations Center was merely a few people who primarily looked at physical security areas and some network detection alerts. Given that the organization had no experience in SOC design and implementation, and wasn’t confident that the controls in place were optimal and effective, we suggested a complete, ground-up approach to their program.

I led a team of experts to put together a master plan to build a new state-of-the-art, next-generation Security Operations Center, including functional and administrative processes, intelligent automation and advanced analytics technology, operations, and a thorough training and awareness plan. We developed the project roll-out plan, with well-estimated durations and project cost per phase. We also recommended industry-specific regulations and practices to be integrated into the SOC program for compliance monitoring.

A year later, we had completed the deployment of a state-of-the-art NextGen SOC to detect and prevent devastating security breaches. We also built an annual SOC evaluation to support continuous improvement, and established a relationship with a 3rd party organization for Threat Hunting and Modeling.

It was at that time that we had solid evidence, based on data, that the organization was under constant attack and breaching efforts. These were likely corporate espionage efforts to steal important IP on manufacturing efficiency and future design of products. Unfortunately, we didn’t have enough information prior to the SOC implementation as to whether such efforts were successful, but at least we now had a starting time from which we could measure success. And with confidence we can tell today that the customer has faced a breach.

I guess the key takeaway from this story is “don’t be afraid to admit weakness.” It is best to seek help from security leaders, or masters of their domain and build a solid program.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

I work for a company that develops leading Cybersecurity software, so “we eat our own food, yet we have side dishes from our great partner ecosystem.” Our portfolio consists of four major product categories.

  • NetIQ Identity and Access Management: A comprehensive identity management and governance solution that spans across the infrastructure, consistently enforces access rights across business environments, and manages privileged account activities for all credential-based systems.
  • Fortify Application Security: A comprehensive suite of software security solutions which secures vulnerabilities in applications, automates the process of fixing security vulnerabilities by securing the software development lifecycle (SDLC), and protects applications against attacks in production.
  • Voltage Data Security: A suite that drives data-centric security innovation with encryption and tokenization solutions. It enables organizations to neutralize a data breach impact for data at rest, in motion and in use by de-identifying sensitive information.
  • ArcSight Security Operations Center: A comprehensive SIEM and advanced analytics platform that enables security analysts and operations teams to respond faster to indicators of compromise. ArcSight detects and points analysts to real threats, in real time. At the core, it has user and entity behavior analytics (UEBA) which detects and responds to threats before your data is stolen. It distills billions of events, generating a prioritized list of high-quality security leads to focus and accelerate the efforts of security operations centers (SOC).

Given the type of work I do, I also use a few other leading software solutions from leading vendors, which integrate with our suites, including:

  • CrowdStrike for Endpoint Protection solutions.
  • Dragos and Nozomi Networks: ICS/OT technology that enables teams to visualize the greater Connected/IoT environment and detect malicious behavior.
  • Snowflake: A cloud Data Platform for all of an organization’s data and essential workloads.

The list is long, but these are the primary solutions that are part of my day-to-day work.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

To begin with, there will never be enough hands to manage cybersecurity operations. The exponential growth of technology, attack surfaces and attack mechanisms is no match for any size of security team. I recommend that companies consider two approaches.

If an organization has existing skills and has invested, over the years, in cybersecurity solutions and teams, then they should invest heavily in intelligent and automated solutions. Such a solution will help the organization to, first, optimize and handle the level-1 events, the ones that are almost commodity and come in large volumes, leaving time for teams to manage the more critical and important events. Second, these solutions allow for orchestrating and automating actions, based on rules, while they allow options for manual intervention.

If an organization either doesn’t have the skills or is growing to be a larger organization, then I recommend partnering with a cybersecurity agency. But be very selective and thorough in the process of selecting the right agency. No two companies are ever the same, so no canned offering will address the organization’s specific needs. The two parties should take the time to get to know each other’s businesses and specific needs and then define and offer a managed solution.

In either approach, though, an organization must name a CISO, one who has complete responsibility for the cybersecurity program and is accountable. His role is to oversee the cybersecurity technologies, promptly address incidents, define the company’s suitable standards and controls, based on geography, industry, compliance and regulatory frameworks, and finally manage the execution of the program, whether internally sourced or through an agency.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

When reading the book The Cuckoo’s Egg, one will notice that the entire investigation started with a financial discrepancy of $0.75 (75 cents of a US dollar). It was this small abnormality that drove someone’s curiosity to start looking for other abnormalities in the environment, until the breach was finally fully investigated and the hacker faced charges. So look for such warning signs, regardless of how small they may appear, that you may have been breached. They can be signs such as unexpected changes to files, an increasing number of spam emails sent from corporate accounts, unusual financial activity, peculiar IoT device behavior, or changes to security settings (identity, files, applications, access control lists, etc.). There are solutions that will analyze such signs and will report the abnormalities, the “out of the ordinary.” But the technology itself is not enough. It will take skilled people and thorough processes to further investigate, create a plan, execute, resolve and evolve further.

But don’t wait to see these signs before you take action. Defense starts with prevention.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

I believe the first and most important step is to communicate. Instead of “hiding dust under the rug,” make sure that all parties, internal and external, employees, partners, customers, and media receive proper communications. It is paramount that a proper communications plan, one that defines the channels, the frequency and the owners of communications, is in place. This gives the opportunity for all parties to take the necessary actions, involve their teams, and plan coordinated activities where needed.

Second, and when necessary, involve official or other government agencies to assist and to make them aware of the situation. Go back to my earlier response about systemic risk, and you realize that the earlier these agencies get involved, the better the management of the crisis can be, avoiding panic or other instabilities in the business environment and market.

Third, learn and evolve. Start with lessons learnt sessions. Involve all parties and be frank about everything that happened. Be critical but not blaming. Then, re-evaluate the cybersecurity program. Conduct a Business Impact Analysis and Risk Assessment to set the organization’s new risk appetite and mitigation strategy. Identify gaps and invest to optimize the Technology, People and Processes but always view them as living organisms, a system. Do periodical checks of the program and, I repeat myself here, never forget that “Defense starts with prevention.”

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

Let’s start by saying that these privacy measures are not only here to stay, but we will be seeing more and more regulations, either country- or region-specific or industry-focused. According to a Boston Consulting Group study, though dated 2017, it is estimated that the number of regulatory changes relevant to the financial services industry alone has more than tripled since 2011 to an average of 200 per day. I expect this theme to hold for some time, especially following the recent cybersecurity incidents. Furthermore, individual jurisdictions will remain the source of most new compliance initiatives, whether they are Federal, State, industry or even corporate bylaws. Given the increasing complexity of the regulatory environment and the speed of change, it is paramount for organizational compliance teams to deploy automated and proactive approaches to managing regulatory change. Organizations that continue to use manual processes or outdated compliance software to track these regulatory changes will not be able to keep up. By automating regulatory monitoring, the compliance function begins to reduce costs and finds ways to mitigate risks. We, at Micro Focus, offer simplified, automated solutions that provide security and governance over identities, applications, and data — from creation to disposition and throughout the information lifecycle.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Fifteen years ago, I got the same question, and today the response remains the same. There are three mistakes which, over the course of my consulting career, I keep coming across.

Management failure to commit to a program. Management usually considers the cost of the impact to be overdramatic. There is also very little information and data to define the cost of success, hence they don’t invest. Management can’t underspend on the cybersecurity program and, in fact, they should set up a minimum spending for cybersecurity, which needs to be re-evaluated every year.

Assuming technology alone will bring resilience. While technology and automation are great to handle the exponential growth of attacks, and help in orchestrating a response, technology alone isn’t enough. An organization needs to build a cyber resilience program, one that defines which resources are needed to make the plan work and who does what, how you kick it off — what are the circumstances, an EXACT description of the steps or procedures to follow for every team member, and a process to return to normal operations.

IT in charge. IT is often made responsible for cybersecurity and resiliency programs, and the head of IT wears one more hat. It is true that IT is instrumental in the program, but they can’t be owners of it. IT manages technical controls and applications and is the custodian of data; however, IT is only one member of the key stakeholders of such a program. There are also Leadership & Governance functions that provide authority and oversight, reporting to or within the executive level; HR, finance and business, who manage process controls and own organizational data; and lastly there is the legal and audit function, who make sure the company remains in compliance.

Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

There is enough data out there to prove that since the pandemic there has been an increase in cybersecurity incidents. According to a recent study by Skybox Security, in 2020 there were 20,000 new vulnerabilities identified and a 72% increase in malware. I believe this is due to a number of contributing factors. First is the lack of security discipline or awareness when people work from home. It is a sense of relaxation when at home that can lead to human-related errors. Second is the increased attack footprint. People now use personal, usually insecure, devices from unsecured networks, which opens the doors to more vulnerabilities and increasing threats. Third is the rush to develop more apps and connected experiences to manage the digital “nomadization.” This tremendous pressure to get apps and features to market to address customer demands results in a tsunami of apps and highly compressed cycles of application development, which come with increased vulnerabilities.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

Fearing that I may sound like a broken record, here are my 5 things I always recommend to any company. They are part of my “Holy Book of Best Practices” which I have collected over the years.

  1. Establish a proper cyber resiliency program: You can’t have a cybersecurity or resiliency program without an established Governance plan. It demonstrates ownership, formal control and risk management, the objectives of due diligence, and through compliance it shows the process and policies were followed. More often than not, when I ask for an organization’s cybersecurity plan, I get a security policy document, or a set of procedures within the IT dept. These are the cases where I start with the 101s.
  2. Define information and data assets: For organizations to get the most value out of their data, while protecting themselves from exposure, they must design an end-to-end data privacy and protection framework to deliver data insight and control, data resilience, and usability, across the entire data lifecycle, from discovery to disposal. Though it may sound over simplistic at first, start with “our data” and “not our data.” Then take the first category and distill it further. Use context aware tools to identify candidate private data, but verify using compliant processes.
  3. It’s a system: Use technology controls where they work, but involve people who manage processes. Users are the eyes and ears for reporting governance variances and policy violations, and an astute user is the best host intrusion detection system. They are the most important source of input for control and process improvement.
  4. Keep policies clean and simple: Understand what is a policy, what is a standard and what is a procedure, and what is a product. Policy is a directive (“x must y”), it has purpose, authority, concise supporting information and does not change frequently. Standard specifies the metric by which compliance is measured. Procedures say “how we do it today.” These may change more often.
  5. Crisis Management and Communications plan: Every organization shall have a plan which deals with disruptions and unexpected incidents, especially the ones that threaten the well-being of the organization and its stakeholders. It should dictate how the crisis is handled, the key members of crisis management, the expected return to normal, and should lay out communications channels to both internal and external audiences. In times of crisis and events, the stakeholders should have very clear instructions on their duties, whether these duties are to restore a system, or execute a manual backup process, or release a press statement. And, as I always say, the LAST thing an organization should do is… think!

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

With so many online courses available and at very attractive prices, in tandem with the fact that most people have been working from home this last year, I can’t imagine that they aren’t spending 30 minutes to an hour learning a new skill. I’d love to see this time being spent further educating themselves on cybersecurity. Coursera, Udemy, Cloud Academy, and many universities offer courses on cybersecurity, from the 101s to advanced and expert levels that can provide people with a very good understanding of the general landscape. They don’t have to pursue a career in cybersecurity, but it will certainly give them perspective and will help protect themselves and/or potentially the organizations they work for in the long run. They can enrich their career, not define their career. If we, collectively, raise the bar we will achieve a greater sense of security.

How can our readers further follow your work online?

I’m frequently on LinkedIn for business discussions and interaction with my business connections, and I’m a member of the Forbes Technology Council. I have a fun time on Facebook with my friends around the world, and I occasionally post pictures of my 2 favorite hobbies, photography and cooking, on Instagram.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
