Tim Chang of Imperva: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

Published in Authority Magazine, Aug 23, 2021

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Tim Chang of Imperva.

For more than a decade, Tim has helped hundreds of organizations around the world address their unique and complex security challenges. Working closely with C-level leaders and practitioners, Tim has counseled organizations on how to best analyze, secure, protect and govern data to meet the requirements of customers and regulators. He is passionate about sharing strategies on how to keep information secure in the rapidly evolving world of business and technology.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Boston, but later traveled West to study economics at Stanford University. Growing up I was involved in the sport of fencing, competing internationally and throughout college. I continue to be involved in the sport today as it continues to teach me lessons that shaped who I am in business and in life.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My entire education and career has been focused on data. As an economics major, my focus was on analyzing data and modeling how data drives the world. After graduation, my first job was helping organizations put their data online with an e-commerce platform. Later, I had the opportunity to work with fantastic technologies that helped organizations consolidate, store, manage and govern their data. Working now in cybersecurity, I see it as a natural fit for my career as I am helping organizations protect their data.

Can you share the most interesting story that happened to you since you began this fascinating career?

Over the years I’ve been fortunate enough to work with amazing teams and smart individuals that accomplished more than what they thought was originally possible. For example, the first time I was asked to travel internationally was to work with a team on a customer project, which happened to be one of the CEO’s top five priorities. The project was a success, and the experience made me aware of the great things a team of people can do together when they are focused on a singular mission and striving to win.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

My parents have been a significant influence on me and helped me get to where I am today. Through their continuous support, I’ve been able to learn from both the ups and the downs of life, helping me achieve my goals personally and professionally.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Make time for yourself and enjoy the things in life that make you happy!

The cybersecurity industry, as it is today, is such an exciting space. What are the 3 things that most excite you about this market?

The global pandemic fueled a wave of innovation and accelerated digital transformation. For many of our customers, cloud-based technology became a centerpiece of the IT strategy — an undercurrent that will change how organizations manage security in the future. For this reason, it’s an exciting time to be in cybersecurity. There are three things I’m particularly excited about:

1) Security innovation will accelerate at an unimaginable rate. To keep pace with all the challenges that organizations face in a hybrid and multi-cloud world, new innovations will emerge to help address really complex problems. However, while much is changing, budgets and resources are not necessarily growing at the same pace. Many organizations will need to do more with less, which will further fuel innovation. I suspect we’ll see some amazing — if not groundbreaking — technologies emerge in the coming years as a result of these market drivers.

2) As someone who has spent his career focused on data, I am really intrigued by the various kinds of innovations and tools that are available for managing data. And because I work in security, all of it begs the question: “How will organizations proactively keep track of data in these new data stores?” Alongside that, I’m also wondering how organizations will keep personal information private — particularly at a time when more data privacy regulations are coming into effect.

3) The preponderance of APIs is something everyone should be closely following. It will enable the future of digital innovation, but it’s also opening the data center and powering modern applications. It’s now up to security professionals to ensure our organizations are adequately protected from more complex attacks targeting APIs.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

The IT landscape is transforming before our eyes — mostly a result of our collective ambitions and desire to enable an online, digital-first economy.

The concept of a data center is gone. There is no such thing as protecting data within the confines of four walls any longer; the traditional IT perimeter has disappeared. In its place, you now have a complex ecosystem of cloud, microservices, containers, serverless functions and APIs. Sophisticated software makes it more challenging to monitor and protect. As such, I believe in the coming years, you’ll see more attacks targeting vulnerable web applications and a continued rise of data breaches.

Organizations need to put an emphasis on protecting all paths to their data; with a focus on securing the data itself.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

On a Friday afternoon, one of our customers reached out urgently needing help responding to a sustained attack on their website from some nasty bad bots. The automated traffic was disrupting legitimate users on a login portal for one of their online gaming properties. As a result, the company saw an increase in negative social media chatter around their brand — a potential threat to reputation.

Imperva, a leader in advanced bot management, was able to quickly assess and mitigate the attacks — stopping the bad bot traffic without interfering with legitimate users. While we receive many escalation calls like this from customers around the world, it’s a reminder that security incidents can have a detrimental impact on a company’s reputation and even its bottom line.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

As a provider of market-leading security products and services, Imperva utilizes its own innovations across edge, application and data security to protect our employees, our business-critical web applications and sensitive data.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Many organizations have become increasingly security-conscious, as they should, but they don’t know where to start. If you’re a smaller business, some of the turnkey, basic security solutions are likely enough to protect your business without needing a large team to manage the tools. This includes: maintaining a data backup service, patching software regularly, encouraging strong password usage, using multi-factor authentication (MFA) on company devices, using antivirus software or deploying a web application firewall.

As the organization expands and the management of more data is required, the organization should then seek outside counsel. This is also when the business may need to invest in more robust security solutions that are designed to mitigate complex attacks across the software supply chain, in hybrid or multi-cloud environments and for services that operate at the edge.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

When it comes to security, organizations need to be thinking proactively with a “when, not if” mentality. Deploying a stack of point solutions is not the silver bullet for addressing a growing volume of cyber-attacks. Organizations need to proactively monitor for things like: unauthorized access to a database, exfiltration of data outside of the network, appearance of suspicious files and altered privileged user credentials.
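As an added illustration of the monitoring the answer above calls for (this is example code, not from the interview or any Imperva product), the detector below scans constructed database audit log lines for three of the indicators listed: access by accounts or sources outside an allowlist, bulk reads that could signal exfiltration, and statements that alter privileged credentials. The log format, allowlist, internal network prefix and row threshold are all assumptions.

```python
import re
from dataclasses import dataclass

# Assumed audit log format (hypothetical, not any vendor's):
#   "<ts> user=<name> src=<ip> action=<verb> rows=<n> stmt=<sql>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
    r" rows=(?P<rows>\d+) stmt=(?P<stmt>.*)"
)
AUTHORIZED_USERS = {"app_svc", "report_svc", "dba_alice"}  # assumed allowlist
INTERNAL_NET_PREFIX = "10.0."                               # assumed internal range
BULK_ROW_THRESHOLD = 10_000                                 # assumed exfiltration cutoff
# Statements that change who holds privileges or how they authenticate
PRIV_CHANGE_RE = re.compile(
    r"^\s*(ALTER\s+USER|CREATE\s+USER|DROP\s+USER|GRANT)\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    kind: str


def analyze(lines):
    """Return one Finding per indicator matched, in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the monitor
        user, src, stmt = m["user"], m["src"], m["stmt"]
        rows, action = int(m["rows"]), m["action"].upper()
        # 1) unauthorized access: unknown account or non-internal source
        if user not in AUTHORIZED_USERS or not src.startswith(INTERNAL_NET_PREFIX):
            findings.append(Finding(m["ts"], user, "unauthorized_access"))
        # 2) possible exfiltration: a single read returning a bulk result set
        if action == "SELECT" and rows >= BULK_ROW_THRESHOLD:
            findings.append(Finding(m["ts"], user, "bulk_read"))
        # 3) altered privileged credentials
        if PRIV_CHANGE_RE.match(stmt):
            findings.append(Finding(m["ts"], user, "privilege_change"))
    return findings


# Constructed sample log lines (not real data)
SAMPLE_LOG = [
    "2021-08-20T14:01:05Z user=app_svc src=10.0.3.7 action=SELECT rows=42 stmt=SELECT * FROM orders WHERE id=1",
    "2021-08-20T14:02:11Z user=app_svc src=10.0.3.7 action=SELECT rows=250000 stmt=SELECT * FROM customers",
    "2021-08-20T14:03:30Z user=tmp_user src=203.0.113.9 action=SELECT rows=10 stmt=SELECT name FROM users",
    "2021-08-20T14:04:02Z user=dba_alice src=10.0.1.2 action=ALTER rows=0 stmt=ALTER USER app_svc WITH SUPERUSER",
    "not a log line",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.kind:<20} user={f.user}")
```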

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

In today’s economy, consumer trust is won and lost through the actions organizations take to adequately protect sensitive information. While no organization wants to be the victim of a data breach, there are steps they must take after the fact to bolster their security posture.

Organizations need to think holistically about security and protecting any path to business-critical data. That means implementing protection for the edge so digital services are not disrupted and customers have always-on access. In addition, organizations need to bolster their defenses at the application layer — particularly as more development is happening in microservices, containers and serverless functions. These are incredible innovations, but require sophisticated and trusted security solutions. Further, organizations need to think about protecting their mobile and web applications from fraud that is driven by bot activity — a growing threat for every industry — that has the ability to disrupt legitimate users and deter access to the company’s services. Lastly, and perhaps most importantly, organizations need to protect their data anywhere it lives. They need to understand where it exists, what data they store, what form it exists in and then apply the right amount of controls to ensure only privileged users have access.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

Every data privacy regulation has one thing in common: they all require an organization to be able to produce records on an individual upon request within a short period of time. They also require organizations to take action on an individual’s request to be forgotten. If the organization doesn’t know what data they have or where it lives, they can’t respond to those requests. A failure to action an individual’s requests can lead to high fines and reputational damage. This is a substantial business risk that will impact every organization on Earth.

The move towards greater privacy regulation — while a clear benefit for consumers — will require organizations to rethink their approach to data security and data privacy.

The good news is that tools exist today to assist organizations with data discovery. By deploying these tools, organizations can locate and classify the types of data they have, can map where it resides and can determine who has (or should not have) access. Some solutions even include integrated features which assist with the management of data subject access requests (DSARs). Based on the findings these tools provide, an organization can then develop a plan of action to reduce its overall data privacy risk. Making an investment in those tools can save an organization from substantial costs down the road, including fines, legal fees and loss of reputation.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The velocity of business innovation is accelerating more quickly than the security team can keep up. Too often, security is an afterthought. What I hear about most often from our customers is that various departments are spinning up new databases or SaaS platforms without guidance from the information security team. This creates shadow IT and gaps in the organization’s security that could later become an entry point for a motivated bad actor.

Given the adoption of cloud database environments, expanding use of microservices and serverless functions and the multiplying number of APIs that connect everything together, security teams face a formidable challenge: How can they keep up when they don’t even know what needs to be protected? The answer is not to throw more point solutions at the problem. Security teams need more effective, unified solutions that can give them visibility into all the various paths to the organization’s critical data.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Cyber-attacks are absolutely on the rise — undeterred by the global pandemic. For example, Imperva Research Labs monitored 187 million web application attacks on healthcare targets per month globally, on average in 2020. That’s roughly 498 attacks per organization each month, a 10% increase year-over-year.

Beyond that one industry, Imperva researchers have also seen an increase in attacks across many vectors. Last year, application distributed denial of service (DDoS) attacks increased in intensity by almost 80% while attack duration grew 21%.

Separately, bad bot traffic across all websites reached a record high in 2020 — accounting for more than 25% of all web traffic while the volume of human traffic decreased by 5.7%. This is a legitimate business risk as bad bots can be responsible for high-speed abuse, attacks and fraud on websites, mobile apps and APIs. In fact, websites last year experienced an account takeover attack, on average, 16% of the time.

The escalating level of cyber-attacks is unlikely to stop. In fact, there are already signs that we’re on pace to see the most records compromised this year by data breaches. In January 2021, more records were compromised than in all of 2017, according to Imperva researchers. Further, data leakage attacks were up 74% in Q1 2021, underscoring the vulnerability of data and not just the network, servers and applications around it.

What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Rethink how you protect critical business data: Given the growing volume of disruptive security incidents we’re witnessing globally, organizations must take a different approach to securing their data. For too long, security teams overlooked data security because it was too complicated or it operated in a silo within the legal or compliance department. That must change because organizations have to focus on protecting data and all paths to it — including services at the edge and applications and APIs that interact and access critical business data.

To prevent security incidents, the InfoSec team has to identify, discover and classify data across the enterprise and detect anomalies by mapping and monitoring all data access privileges. They need to respond to events by monitoring and reporting any inconsistencies or unusual changes, while predicting future events using a data risk assessment to identify gaps or inconsistencies in policies. This establishes a holistic top-down approach, delivering a strategy that addresses key business priorities and governance requirements.

2. Ensure data visibility: Public cloud services offer businesses many benefits, but organizations should not assume their data will be protected with the native security offerings built into the platform. Because cloud environments are heterogeneous, they create new domains of data security risk as data is accessed and stored in a variety of ways. If assets are invisible, you cannot protect them. An organization has to be able to see the entire data estate, including retained data so they can easily monitor user accounts for policy-violating behavior.

3. Prevent data loss: Public cloud services are highly valued targets for cybercriminals because they often hold large volumes of critical information concentrated in a single repository. Organizations have to protect all sensitive structured information stored in databases, such as personal data, credit card information, customer data and medical records. They need security controls in place that help govern the data in all its forms and help provide visibility into who has access to the data, how they are accessing it, when they are accessing it and what they are doing with it.

4. Keep your services up to date: Maintain patches and updates to ensure the public cloud services you use are not exposed to vulnerabilities. This is especially important if there are known vulnerabilities that have not been resolved. In this case, the attacker knows exactly what vulnerabilities exist on your systems and how to exploit them.

5. Audit and optimize configurations: When configuring your public cloud service, never assume you have configured it correctly. There may be configuration errors, and even if there aren’t, a configuration can change as applications and cloud resources are updated as workflows or users change. A regular review of cloud configurations will ensure that no accidental changes have occurred and that any changes are safe. This will also help to identify less secure configurations, improve performance and reduce the cost of unneeded cloud resources.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

Say (or send) a thank you to someone who is not expecting it. This will bring a smile to anyone, any day. Think of how many people you can make happy with two simple words!

How can our readers further follow your work online?

Be sure to follow Imperva, as I often present during our public virtual events.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
