Safety Detective’s Aviva Zacks sat down with Tony Velleca, founder and CEO of CyberProof and asked him how he changed the face of cybersecurity with his risk-based approach.
Safety Detective: You have a background in engineering and design. How did you get into cybersecurity?
Tony Velleca: I’m an aerospace engineer by training. I worked for Boeing/McDonnell Douglas for 10 years, in advanced design of next generation airplanes. After earning my MBA in 1997, I started a company with my classmates called Huddle24-7, a first generation of software as a service (SAAS) company designed for architects and engineers. This was my transition from airplanes to software. For the past 20 years, I’ve helped CIOs with the information technology solutions eventually becoming the CIO at UST Global. This included responsibility for information security.
Today, UST Global employs around 26,000 people, supports 25 different countries, and has some of the toughest clients in terms of regulation, like those who navigate HIPAA and PCI security.
As the world embraced information technology as part of a broader “digital” business strategy, I recognized the need for a more effective approach to cyber security. It was not just about compliance anymore. I formed CyberProof as a wholly owned subsidiary of UST Global. We got our initial traction with some existing UST customers and quickly noticed an opportunity to disrupt the competition by delivering a better outcome, but this required a combination of platform and service.
SD: Tell me about CyberProof’s risk-based approach.
TV: What we saw in the market were two extremes: managed security services, which were a thin layer of monitoring escalating alerts, and companies helping customers after there was a breach. We also found that since this was looked at as a compliance need, nobody wanted to spend a lot of money. The current service providers were commoditized and therefore minimum service levels and low customer service. To do deliver a higher service level, we knew we needed to first target the customers who care about more than compliance, those going through digital transformations; and leverage trends in AI focused on autonomous sensing and response.
We wanted to have a way to see everything and prioritizing what we respond to and then automate the response to get to where the market wanted to be. The prioritization mechanism needed to be business aligned and the alignment to business risk.
In the past three or four years, you have probably noticed that risk was being quantified in terms of large data breaches or business disruption (where ransomware took over a system). We focused on reducing our customers’ corporate risk in terms of large-scale breaches. To deliver this as an outcome, we needed to define a service plus a platform and price this aligned to value provided.
SD: What are the cybersecurity issues that the end user should be concerned about today?
TV: End users tend to be the initial target for a break-in or attacks. So, whether they’re receiving emails with links or exposing their credentials, they’re the first line of defense and the users generally have some sort of access to cloud environments as well as internal environments.
SD: And how can we prevent that from happening?
TV: This has created a new category of defense called endpoint detection and responses (EDR) in the market, as they realize that security used to be about protecting everything inside the firewall versus keeping everything out. But because the IT environments are complex, your end points now have access to a lot of these other systems such as clouds – and are expanding into OT and IoT environments.
SD: How do you see cybersecurity developing in the next five years or so?
TV: There are two major trends in cybersecurity: There’s the need to see all the events called zero trust then to develop algorithms to find the relevant events corresponding to an attack then to predict the next steps so we can respond quickly and cost effectively. The second trend is expanding what I call “sensing” endpoints to clouds to applications. You’re seeing that a lot of the attack scenarios are coming in from these areas because they’re more difficult to control. So, we need to be able to see a much broader attack surface area, which will expand to IoT and tons of different end points as we go forward.
SD: How do you see the AI world developing?
TV: We need to stop using the term AI these days because it can mean a lot of things to different people. That said, algorithms, machine learning, and deep learning methods should be selectively applied to change the balance of power between the hackers and the corporations in the form of better detection and faster response. We have to try the different types of attack scenarios and be able to use algorithms to predict the next steps.
We must also spend a lot more time planning how we should respond to the important attacks – and practice. This is the area where reinforced learning algorithms may be applied to interpret what worked and what didn’t, learns from those, and then automates them in a way so we can respond faster and more effectively. The attack landscape is changing too quickly that to this manually, is not practical anymore. This is where AI will play a role in the next generation of cyber defense.