February 12, 2019 by Siobhan Climer
Mishaal Khan, Mindsight’s Security Solutions Architect, sat down with Siobhan Climer, Mindsight’s Science and Technology Writer, to discuss Mindsight’s vision for providing cybersecurity and data privacy offerings to our clients.
Mishaal has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.
Want to meet Mishaal in person? Join him and other cybersecurity experts for Building A Secure Foundation: Cybersecurity Frameworks on May 2 from 11:00 am – 1:30 pm in Oak Brook, IL for lunch and hacking.
The Cybersecurity Landscape
SC: Here at Mindsight, you are the chief architect for the security solutions we offer our clients. What do you see as your primary responsibility and why is it important?
MK: My primary role here is to spread security awareness. Security encompasses a lot of things and it can be overwhelming to take in – there is an endless list of issues and ways to resolve those issues – but it all starts with awareness, and that awareness comes from knowing how hackers act.
The value that I bring to Mindsight is the other side of the perspective. Everyone talks about security from a CIO’s perspective, or the business perspective, or the customer’s perspective. I bring it to you from a more practical approach because I do a lot of pentesting. Since I’m a CCIE and know how to build networks – I understand them, the protocol levels, how they work – I know how to break them, too.
If you know how stuff works, then it’s easier to know how to infiltrate it, how to compromise it, where the bugs are. I bring this different perspective on security to the business world.
You always have to think: what is it you are trying to protect? Start with that. And that’s what my goal is: to define those things for our clients.
SC: Is the layering of security still a valid model for the way security architectures should work?
MK: Absolutely. I always tell people you can never secure yourself 100% from anything. Even I cannot help you be 100% secure or 100% private. It’s a layered approach. You have to pick and choose your battles. You have to pick and choose what threats are relevant to you. What are you trying to protect? Protect those aspects of your lifestyle, your business, your security posture, because everything else – if you start approaching every aspect of security, perfecting every single security control – it will never end. There will always be new holes, new vulnerabilities. That’s a losing battle in my opinion.
To me, this is practical. Hackers are always ahead of us. So, we need to have a layered approach and then get narrower and narrower, going through the multiple layers. The layered approach has many advantages. If somebody infiltrates one or two layers, there are still more. Even if all those layers, individually, are weak – like the DNS layer, or the network layer, or the human layer, or the software layer – combined they form a strong deterrence to attackers.
SC: What do you think is the biggest misconception around security policies today?
MK: There are two big ones. First, people think they are secure. To that I ask, “Well, how do you know?” And they may say, “Because we know,” or, “Because we installed it ourselves.” And that’s a huge misconception, an arrogance almost. It instills a little bit of arrogance in me, as well, and a part of me wants to challenge them and say, “You wanna bet?”
A lot of people think that because they have a firewall or had phishing trainings, they are secure. No, you’re not. Even I cannot help you be absolutely secure. I can get you where you want to be and target your top ten threats, but never say you’re secure. I’m not secure. I’m exposed as well, and I do this for a living. Nobody’s immune.
The other misconception is on the opposite end. I hear this a lot: “We don’t need security. What do I have to lose?” and this comes from both customers and individuals. When I start pointing out the different things that they can lose and what would happen – the repercussions – those same individuals start to think in a different way.
It’s the data you can lose. It’s your reputation you can lose. And all of that amounts to money. Your business can be shut down because you got hacked and no one wants to do business with you. Nothing got lost on the way, but your reputation got lost. Is that not worth anything to you?
These are two big misconceptions that cause most hindrances to security.
Technology Developments in the Market
SC: There is a lot happening in the technology world: AI, blockchain, IoT, cloud, etc. What market trends are the most critical today in your view to information security?
MK: These technologies are all relevant and they’re all growing, but they aren’t new. The buzzwords are new, but most of the technologies are fifteen or twenty years old. And when I look at them from a security perspective, I see that security is always an afterthought. These industries want to scale quickly, so security is only slapped on at the end. And that inherently is a problem because when IoT devices come in the market, they are not secure.
You know, every house has at least five to ten IoT devices that you don’t even think about.
In my own house, I guessed I had maybe two devices. I knew I had a Nest thermostat, but that was probably it. Well, I did a network scan in my own house just to verify how many devices were active, and I was shocked to see that there were way more than two. My smart TV was an IoT device, my Roku TV player – that was on my network. There was a Raspberry Pi on my network. There’s my printer – my printer was online. None of those devices had any security built into them. They were using weak protocols, or none at all, and that’s an issue.
When it comes to our clients, there is a trickle-down effect. Companies use IoT devices all the time in industries like manufacturing. Unless you have discovery done, unless you have an external party look into your security postures, you don’t know what you have, and you don’t know what the threats are. That’s why IoT is relevant. Our clients need to be made aware of this.
The truth is, you don’t know what you don’t know. So, let’s find out together.
SC: Are there any industries you find are particularly at risk for security threats? Why?
MK: Security is always measured from a risk perspective. No one can be secure all the time. You have to look at your risk levels. A hacker can attack a manufacturing plant just as easily as he can attack a hospital or your home or anywhere else. But what’s more at risk?
If he attacks my social media account, no big loss. I can recover from that. But if he attacks a manufacturing plant, then whatever they’re producing gets affected. If he attacks healthcare, the ER gets affected and people die. So, these industries are more at risk because the services they provide have a more immediate impact on a large number of people.
The Mindsight Difference
SC: How do you see managed services playing a part in evolving security architectures for business?
MK: Just like you would outsource your security guards – your physical security – you want experts managing your cybersecurity. Most companies cannot afford to have information security experts on staff, especially with the lack of resources available today.
This is why roles like the vCISO (virtual Chief Information Security Officer) have emerged. CISOs give direction. Unfortunately, qualified CISOs are few and far between because the role requires experience and relevant knowledge. That’s why companies are choosing to outsource to the vCISO. Companies are trending toward managed security, which makes sense. Leave it to the experts, people who’ve been doing it for ages, people who know how to do it well.
The other big benefit of managed security is your experts are also managing security for other customers and environments and clients, so they have a bigger picture in mind. If you hire your own security professional, they only see your network, they are not aware of everything else around them. It’s a narrower window, a more isolated picture of the security landscape.
That’s where the value of managed security comes in. Threats that are not threats to you today can affect your tomorrow. Prepare today by learning from what’s happening in the world around you. You can only get this view from someone with a broader, more diverse perspective.
SC: What is something people don’t know about you?
MK: Well, my social security number. So – if I answer this question, it nullifies the answer itself. No, but who am I outside of security at Mindsight? I have many interests, which is good and bad. It’s good because I never get bored. When, and if, I have free time, I always have things to do. I’m an artist, I love to draw with charcoal, pencils, colored pencils, and I try to teach my kids as well. I spend time with family and friends. I like to design circuits and I like building things – I’m building a house – so the electrical piece, the plumbing side – I prefer fixing it myself rather than hiring someone.
SC: What keeps you excited at Mindsight? What are you interested in learning more about?
MK: The freedom that Mindsight provides, the freedom to make decisions, choices. Mindsight gives me a voice to be heard because that’s what’s lacking in most organizations. I think it was Steve Jobs who said, “We don’t hire people and tell them what to do. We hire them so they tell us what to do.”
And I am inspired by that. I’m not here to take orders. I’m here as a team player and to help everyone out. It’s a symbiotic relationship. I get help and the company gets help as well. It’s mutual.
Mindsight nurtures creativity. And that’s a good thing. As long as that continues, I’m excited to be here, helping our clients secure themselves, their data, and their future.
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
About The Author
Siobhan Climer, Science and Technology Writer for Mindsight, writes about technology trends in education, healthcare, and business. She previously taught STEM programs in elementary classrooms and museums, and writes extensively about cybersecurity, disaster recovery, cloud services, backups, data storage, network infrastructure, and the contact center. When she’s not writing tech, she’s writing fantasy, gardening, and exploring the world with her twin two-year-old daughters. Find her on Twitter @techtalksio.