July 25, 2023
Mishaal Khan, Mindsight’s longtime Security Leader and Solutions Architect, knows all the best tools and methods for preventing cyberattacks. And he regularly shares his vast knowledge with others. But he still has the same challenge he’s always had: Convincing companies to take security more seriously, even as attacks continue to rise. We spoke with him about that and much more.
Q: How would you describe your role at Mindsight and its ongoing evolution?
A: I started off on the technical side of things, performing assessments and pentests, but the role quickly became more strategic. So now I advise customers on the overall cybersecurity direction they should take in order to secure themselves better. That involves advice that’s technical and policy-based as well as advice on training and developing secure habits.
Q: Is it easier now to convince people that security is something they really need to take seriously, or is it still an uphill battle?
A: It’s still an uphill battle. It always has been. I don’t see this getting any easier. Every customer is unique when it comes to the roadblocks they face. And oftentimes, it’s the assumption that security is going to be expensive. The conversation always becomes, “Well, it’s not our priority yet.” Or, “We’ll get to it when we have more time.” What they’re really saying is, “When we have more in the budget.” A lot of times they think it’s going to be expensive, but companies are shocked at how inexpensive security controls can be. So I always try to have that conversation upfront about cost versus the value that they’re getting.
Q: It must be hard to convince them based purely on theoreticals and what happened to other companies that didn’t take security seriously enough.
A: I think that’s the hardest piece of this. It’s hard to convince them because they can’t see it. Even after they’ve spent a lot of resources and money on cybersecurity controls and they are secure, prevention is very difficult to show. How do you measure “more secure?” Unlike any other product, like cloud storage or a SaaS-based solution where I can crunch numbers and actually log into stuff and see changes, with cybersecurity prevention and protection, it’s hard to visualize. Even if you gave them examples where similar companies were attacked and this is what they lost, that doesn’t do anything to move the needle because it’s not them. And a lot of those fear tactics are being done by the media. They listen to the news about ransomware, or the next company that got attacked, but what’s happening is they’re becoming immune to it. Their answer is, “Everyone’s getting attacked, so how is this any different?” Or, “We will recover; we’ll be fine because that other company was fine.” I still continue giving examples of financial loss and reputation loss, and try to tell them that you don’t want to be like that next company that got hacked for these reasons. At the same time, they start looking at the statistics of how likely they are to get attacked, and in their head, they’re saying, “We likely won’t be next.” So they start convincing themselves out of it rather than convincing themselves to be more secure.
Q: At minimum, what should companies be doing cybersecurity-wise?
A: At minimum, the basics of cybersecurity controls should be put in place. These are things like multi-factor authentication, or performing a risk assessment internally to see which systems are more at risk in terms of patching and vulnerabilities. And I believe the shortcut answer to assessing all of this risk is putting it to the ultimate test, which is an ethical hack or a pentest. It’s not that expensive, and you’ll see in real time how a hacker can get through your defenses. And whatever the result of that report is, fix those things first, because that’s the way the adversary will get in. I’m a certified ethical hacker with a lot of experience on how to avoid security systems. So I have many tricks up my sleeve on how to get through systems and get to the data. And I use those skills and techniques to show customers, “Here’s how I would get in, so here’s how you should protect yourself.”
Q: What’s the key to getting buy-in from C-suite leaders in order to improve security?
A: That’s a really good discussion point, because usually the people I’m convincing are not the people signing the check. Those are CFOs or the CEOs, and those individuals are usually not on the call. Since this is a cybersecurity discussion, they’ll send their IT director or some other technical person. But those people don’t need to be convinced; they’re already convinced. In fact, they have the same battle I do of convincing upper management that they should be spending more resources or time or money on cybersecurity. When I talk to CFOs or the board of directors, the conversation can’t be technical; it must be around risk and how we are protecting their company.
Q: Do a lot of these key stakeholders want to know the ROI of enhanced cybersecurity? Because that’s hard to show.
A: It’s hard to prove ROI. A lot of times they’ll tell me that cybersecurity is more like an insurance policy. They’re spending all this money to protect themselves, and they may never need it. But they’re likely to have vehicle insurance, home insurance, life insurance. Also, it’s kind of unfair to put it in that category, because most companies have cyber insurance as well. So cybersecurity is not like insurance. It’s more like a security system for your home. It’s like the locks on your door, the seatbelt in your car or the lock systems in your vehicle. It’s prevention for when bad things happen.
Q: Are there specific cyber-attacks you’re seeing more often now, especially post-COVID?
A: Social engineering is still the most common type of attack. And with people working from home more now, those attacks have increased in frequency. The phone calls, the phishing emails, the impersonations are on the rise. Especially with technology like AI, hackers can produce better scripts, better emails and also mimic people’s voices, so it’s become even more potent. But AI is just another tool hackers use to enhance their creativity. Tomorrow it will be another tool.
Q: Which sectors are being threatened most often these days?
A: A hacker will look at how they can get something out of an organization, primarily money. So if it’s healthcare that’s willing to pay a ransom for data that’s been locked or stolen, they’re going to be targeted. If it’s the financial sector that’s willing to pay, they’ll be targeted. A lot of the smaller companies cannot afford to be down for too long, and they don’t have a lot of defenses, so they rarely pay ransom. And hackers know that. And larger companies either have cyber insurance that foots the bill, or they’ve built enough resilience into their environments that they can get back up and running without ever paying ransom. The SMB market is starting to be a juicier target because they can’t afford to be down but have the money to pay a ransom. They’re the perfect sweet spot.
Q: Are companies better now than they were a couple of years ago at protecting themselves from these attacks?
A: I would say they’re better off than a couple of years ago, and that’s due to awareness. Not only are attacks covered by the media, but they’re aware of easier, cheaper ways to introduce security controls. That’s also thanks to a lot of vendors that have introduced security by default in a lot of their products. As an example, cloud services have built-in security features that are turned on by default. In order to put your data or compute resources in the cloud, you have to individually configure access privileges, or you have to poke holes in those firewalls to allow access. Whereas in traditional on-prem infrastructure or operating systems, everything used to be open. It’s much easier to implement cybersecurity in the cloud. That’s primarily due to the concept of Zero Trust, which is secure by default — everything’s locked down.
Q: Are consumers also better at protecting themselves?
A: They’re slightly better than a couple of years ago because systems are becoming more secure. They’re requiring multi-factor authentication on almost everything nowadays. And privileged access rights have changed. If you log in to any website now, they’ll have better security controls. If you’re using a VPN, they’ll block you out. Or if you log in too many times, you’re locked out. They’re still learning and they’re still fine-tuning their systems, but I would say we’re much better off now from a consumer perspective than we were in the past.
Q: How did you get into the cybersecurity world in the first place?
A: I initially got into it more from a hacking perspective. I was into computers at a very young age, primarily because of gaming, and then I figured out how to hack games to skip levels or to unlock features, and that led me to the network side of things and how to bypass certain features within computers for small gain. That quickly became fun, never malicious, and mostly to help people out. One of my first hacking incidents was when I helped out somebody whose accounts had been hacked. I had to hack back their accounts, and that was kind of satisfying. It also showed me how I could use my technical abilities to help people. And from then on, I chose this field. But I never realized it was going to be such a vast field. Twenty years ago or more, cybersecurity was very simple; it didn’t have a lot of specialized branches. Now, it’s more like the medical field. If somebody says they’re a doctor, you have to define what type of doctor they are by knowing their field of specialization. It’s the same thing in cybersecurity.
Q: What’s one thing you do that’s not digital or computer-related?
A: I did play the guitar at one time. Drawing is something I do every time I get some downtime. Even though I have the ability to draw on the iPad, which I do often, I always go back to just paper and some markers or colored pencils and draw with my kids — usually faces and cartoons. I think it’s mentally very soothing to create art.
About The Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.