SheCanCode's Spilling The T

Engineering Under Siege: Navigating the Cybersecurity Frontier

SheCanCode Season 15 Episode 2

In this episode, we dive into the critical realm of cybersecurity within engineering projects. As the landscape of cyber threats evolves, it's more crucial than ever to manage risks effectively. We'll discuss strategies for safeguarding sensitive data and infrastructure, drawing insights from recent incidents like the CrowdStrike breach.  

Our guests will share best practices for embedding security into the design process, and we'll explore real-world case studies of major cyberattacks on engineering infrastructure. Looking ahead, we tackle emerging challenges, such as the security implications of IoT devices and the role of AI in engineering. Join us for a deep dive into the complexities and future of cybersecurity in the engineering world. 

SheCanCode is a collaborative community of women in tech working together to tackle the tech gender gap.

Join our community to find a supportive network, opportunities, guidance and jobs, so you can excel in your tech career.

Speaker 1:

Hello everyone, thank you for tuning in again. I am Katie Bateman, the Content Director at SheCanCode, and today we're discussing Engineering Under Siege: Navigating the Cybersecurity Frontier. Today, we're going to dive into the critical realm of cybersecurity within engineering projects. As the landscape of cybersecurity threats evolves, it's more crucial than ever to manage risks effectively. I'm lucky enough to have two incredible ladies with me from Capco today. I have Shashi and I have Manua, also known at Capco as MK. Welcome ladies. Thank you so much for joining us today. It's an absolute pleasure to have you here, thank you.

Speaker 2:

Thank you for inviting us.

Speaker 1:

It's a pleasure to have you both on. Can we start off with a little bit of a background about each of you? That would be great. MK, can you tell us a little bit about you, what you do at Capco, and how you got into tech?

Speaker 2:

Yeah, absolutely. So I could probably do it in reverse. I've been in the industry for a decade plus, trying not to age myself, or a decade plus. I started in the industry when Sarbanes-Oxley was the big thing and everyone was responding to that threat, specifically within financial institutions. I did a lot of general computing control work for management consulting firms, and I would say I started in the industry when everyone called everything tech and the sexiness of cyber wasn't yet available, whereas now when you say you're in cybersecurity, everyone is like, oh, that's interesting. Specifically, at Capco, I'm part of the cyber leadership team, and at Capco the work has married pretty well with what I studied in school, which was information security as well as finance. My job is to basically support our clients with their cybersecurity strategies to ensure that whatever strategy they're thinking of implementing across the board within their organization, we have the team in place to support them in meeting the goals that they're trying to set.

Speaker 1:

You know, it's always so interesting when we speak to ladies that study something at school and then actually went into an area. That's similar to that, because some ladies they do fall into tech from completely different areas. Was there something at school that inspired you to go into that area, or was there a teacher or someone you knew who worked in that area?

Speaker 2:

There wasn't something at school, it was twofold. It was the fear of being broke that inspired me. That's a good place to start. I'm an immigrant child and my guardians basically looked at me and said hey, you love art, you're creative, you're also very analytical. Let's think about a way that, at the end of this, we're not paying your rent.

Speaker 2:

So I was in the house with two people who are programmers. So you know, at first I thought it was really boring, but over time I just started hearing about Cisco and programming and I didn't want to necessarily go into programming, but it piqued my interest in the sciences more and I think, being that my parents were in that industry, it was a pretty seamless sort of process to get in it, because I was able to actually see people that are part of my family doing this thing. Um, and I thought, well, I can do it, but let me layer it with finance and some other things. Um, as I, as I learned it, just because one, you don't want to be exactly like your parents and on the other side, I was like I want to be a little different.

Speaker 1:

So I had finance very creative yeah, well, it's easier when you see role models and people in those. Those roles, um, we talk on here about, you know, being visible and inspiring other people to realize those jobs exist and and what they entail yeah, it definitely made me think oh, this is doable, I, I can, I can do it yeah, yeah. Um, shashi, tell us all about your job. What do you do at Capco and did you fall into tech? What happened there?

Speaker 3:

Yeah, so I actually am a solution architect at Capco. So what that means is, when there are any new projects, either from a strategy phase or actually delivering it, I design the end-to-end of the application or program or anything like that. I look at all the systems involved and come up with a design based on what the requirements are. So I studied computer science at McGill, which was a long time ago, and I loved math and I liked programming. So I think it just was a good place for me, and I was a programmer for a long time. And funny enough, at that point, as MK said, you really don't think about cyber, you just want to code and get the thing working.

Speaker 3:

And again, as the years have gone on, more and more cyber threats have increased and threat actors have increased. So it is sort of now coming into my work as you design systems, and we can talk about it later, sort of like, okay, one aspect to cover is cyber. But, yeah, in terms of passion, I love programming and I do code on the side. But now every time I code something or sit down with our devs, we have to make sure that we check mark the cyber aspects of it too. Not just the thing working, which is what everyone is eager to do, but at the same time, you have to think about a lot more other dimensions. Yeah, I, you know what.

Speaker 1:

I always admire people when they say they love maths, because it was something that used to scare the hell out of me at school and I wish I was that student. It was like I just love maths. You know, it's very black and white, things work or they don't work, but that's that's kind of how maths goes. Um, and I just I struggle with that again with you. Is that something that? Was there, somebody at school, a teacher, who inspired you to really enjoy maths? Or was it just a subject that you found easy?

Speaker 3:

it's something that I gravitated to, I understood much more easily. I knew I was not going to go into biology. It was like sort of process of elimination. You know, I wanted, I didn't want like, biology, chemistry, all the other sciences Like I don't think I really gelled well with, like I couldn't stomach blood. Number one, number one, um. Number two is um.

Speaker 3:

I liked physics as well because physics involved a lot of math. But at the same time I actually discovered programming accidentally, in summer school, because I wanted to go into pure math and physics. And in summer school I took a basic programming language called BASIC. I was like, oh, this is interesting. So you know, it's logic, and I think the excitement of getting to see something working at the end, that, I think, still excites me. So with math it's a lot of theory, you know, and you really don't get to see things working right away, whereas when you sort of use the math basics and do computer science and write programs, you get to see it working. And I think that's the thing that always excites me, you know, building a program and actually seeing it working.

Speaker 1:

Yeah, yeah, um, ladies, today we're going to cover off um cyber security and threats, um and uh, we're going to dip into a little bit into your roles as well. Can we start off with? How have cyber threats in engineering projects evolved in recent years?

Speaker 2:

In engineering specifically, I think cyber threats have always been laden, and I say that because when you think about the design of a product, we, as security people, always want to think about security first, and I think sometimes when folks are producing a product, they're thinking about how quickly can we get this to the market to meet a particular service?

Speaker 2:

And in some ways, in those cases, security is thought of as last and these products are put up into the ecosystems and it's being used and later on, of course, we're discovering vulnerabilities throughout those products.

Speaker 2:

That is then basically creating a rich landscape for hackers to come in and hack systems and exploit the vulnerability that is sitting there.

Speaker 2:

But I think over the years now what we're seeing is the expansion of the attack surface, just based on the increase in putting IoT devices online. IoT devices from an infrastructure perspective have always existed, but it wasn't something that people were thinking of, oh, we're going to attack these particular systems and devices, but now they're online. There are more and more smart systems that are coming online. That has expanded the attack surface for hackers to have more room to basically take advantage of the vulnerabilities that are available. And then, if we think about some of these older systems, there's just a lack of, or a debt around, cyber threats, where there isn't really a look back and a strong stance on updating these older systems and making sure that these vulnerabilities are taken care of. So I think, with all of that, over time, what we're seeing is the landscape is getting bigger and bigger, and also we're seeing that the attackers are getting smarter and smarter about the methods in which they attack these systems.

Speaker 1:

Yeah, it's a fine balance, isn't it? Like you said at the start there about getting things out fast, because you need to get things out fast, while making sure they're secure, because, as you said, attackers are getting smarter, so that's quite a balance to ensure that you can get something out on time that is secure as well. Exactly. Shashi, what do you think?

Speaker 3:

I completely agree. Like what MK was saying, before, when we were designing things, you take care of the basic stuff, oh, I need to protect this person's data, but you never think about where the attacks and how the attacks are coming from. So the increased attack surface, there are insider threats now and very sophisticated phishing and social engineering attacks. So before, when we used to code, our projects were like, oh, let's just make sure all the PII data is encrypted. But that's no longer the case. We have to now think about where these things can originate, where the attacks can originate, even insider, and then who gets access to what. That was never a concept before.

Speaker 3:

Like, you know, it's resources, and now with cloud and other things, we have to consider that every resource we're using in our architecture, I call it hops and layers, every layer and hop we're using, has to have a strategy for protection. And then you take it holistically, and that's what people like MK, their group, does, that holistic view, whereas we on the app development engineering side go at the very minute detail. We take the strategy given by them and we go, okay, what can we do to protect this? So that was not there before. Before it was just protect your PII data and no one even thinks about getting attacked, right? Yeah, so yeah, it has.

Speaker 1:

It has changed, like the way we used to do projects before and create solutions have definitely changed out of curiosity, um did you study any of this at school, or things just changed so much that you just all I knew was like different type of caching algorithms, encryption algorithms and like it's more very algorithm, big right, using algorithms to protect it.

Speaker 3:

You know encrypt uh, you know decrypt codes and stuff like that, but nothing like this we studied in school. I mean, maybe, maybe, but but I felt like it was the era also I studied which was a very long time ago now.

Speaker 3:

This is probably incorporated in software engineering principles and you know, like um, so before we used to have a cryptography department, but that that is very, very focused on algorithms, very like pure sciences and stuff like that. Now I think it's embedded in, you know, in computer science and it's embedded in engineering courses and software engineering courses, because they want, you know, the new programmers to be a bearer of this. So I believe this type of work has been, this type of educational material has been incorporated. But no to short answer. No, I didn't study any of these things. I actually didn't know what a director was until a few years ago.

Speaker 1:

Only a few years ago. That's what I mean In tech. It's wild that, you know, even we have a lot of guests on here at the moment talking about AI and that nobody was taught that in school and all of a sudden, people are finding themselves working in AI. It's like okay, that's completely new.

Speaker 3:

Yeah, we found AI way back. It was again a subject called artificial intelligence, but again more from an algorithm perspective, not a usage and the type of know how it is. It has grown, so it was very like theoretical, and I think mk would also agree on that.

Speaker 2:

I I definitely, yeah, I definitely agree, and I think when we're thinking about ai, um machine learning, folks are really thinking futuristic robots and things like that. And now we've seen, like the different segment related to AI. I don't think people imagine, in particular fields like the legal field or even, you know, hospitals, that this was going to become so included in the day-to-day of AI and it's expanding so fast. And I think, similar to keeping in mind with engineering or products, one of the key things around this is around the potential cyber threats. Right as a field. The thing that we're always doing in cybersecurity is trying to catch up to the vulnerabilities, and this is one of these things that people are putting out AI components and systems and applications so quickly that I don't think we've, like, truly stopped to think about what are some of the vulnerabilities that we're going to be fighting against as this field continues to grow and develop yes, yeah, definitely.

Speaker 1:

I wanted to ask you a little bit about CrowdStrike. How did the recent CrowdStrike incident highlight those vulnerabilities in engineering infrastructure, and what lessons can be learned from it?

Speaker 3:

I mean, there's a lot of lessons we can learn, but my pet peeve is how come we really were dependent on one company to have this type of patch. You have one company and another company using it. So CrowdStrike had these patch-critical vulnerabilities, and then Microsoft, which again we rely on as one system, used that, and as a result of some issues with their updates going to Microsoft, and then everyone uses Microsoft, you see the dependency of just using one system, one solution, and how the entire world was impacted. So my thing is we have to be creative and there has to be more companies like CrowdStrike, number one. And even if you go with CrowdStrike, we have to have different strategies of releasing critical patches. Like, I'm not sure if they tested. They have to have different stages of testing something critical, and if Microsoft is dependent on that, they have to have their own critical stage in testing. So the release management process was, I think, not very well handled, and the detection could be better, like even when you're releasing it. They should have been, hey, I'm detecting something weird, so let's fall back to a failover plan. So I don't know if that really happened, like everyone was trying to go back and fix things, again.

Speaker 3:

So I felt that there were two main things I learned. First, just dependency on one product, dependency on a product and a solution, and second, the release management and the fail management were lacking. It's definitely a good lesson learned, and I'm hoping that, even though my company was not affected, because Capco wasn't affected, we didn't use some of the parts of the products that they were using, there were other companies that were. So even people who are buying products, they have to think about, okay, yes, I'm buying Microsoft, I'm buying this, but what are their patch management and release management strategies? Maybe should I diversify for certain cases, should I have a failover plan? So those kinds of things are, I would say, what I learned from the CrowdStrike issue, and hopefully, when at least my company is in a position for purchasing or considering a vendor, we would consider these kinds of things more, take it more seriously. Yes, yes, I agree, MK.

Speaker 1:

I can see you nodding along there. I was actually depending on one system. What are your thoughts on what lessons can be learned from CrowdStrike?

Speaker 2:

Yeah, so I'm in agreement with everything you said, and what it does harken back to is just basic resiliency planning. It is boring, but it is such a useful tool. I think, thinking through this, just again the rigorousness of making sure you have proper update management in place, ensuring that if you're rolling out a new update, that is done in a phased approach, thinking about the considerations for all of these environments. But from a continuity standpoint, the dependency on one vendor is a single point of failure. So I know people are always thinking about cost effectiveness, but also knowing that you have a potential backup in case of a major incident.

Speaker 2:

And this particular incident kind of put the world on pause. It's sort of like when we went through SolarWinds. That was massive, right, and stopped a lot of people in their tracks. So some of the basic things around this lesson learned are just, do you have continuous monitoring in place? Are you thinking about your incident response and training? Are you making sure that the business and our security folks are communicating and collaborating? A cyber strategy is something that is critical to lend itself to this type of incident that takes place systematically. That's actually talking about what you need to do, but then there's the aspect of the response to that particular incident. I would say, in this case, from the response perspective, CrowdStrike as a vendor did move fairly quickly in responding and putting this out. But then again, even with it being out there, the companies that this impacted, were they also prepared and ready to respond to this level of incident?

Speaker 1:

Yeah, and even those that weren't affected. It would have been a good wake-up call for people to think, like you said, do we have a backup plan? And we weren't affected this time around, but perhaps this is a good time to just review, actually, what is in place for us in case that did happen to us in the future. But, yeah, lots of lessons learned from that. We touched upon this earlier a little bit about, you know, having to sometimes get things out at speed. So I wanted to ask you about that balance. How can teams balance the need for innovation and security when designing new engineering systems or products? MK, we touched upon that earlier about that balance of getting something out fast and still making sure that it works. So how do you balance that with innovation and security?

Speaker 2:

Right.

Speaker 2:

From my role and from my perspective, I think sometimes we come across as the stopper of fun, because I think the engineering team are like, oh, this is going to be fantastic, this is going to support the business, the effectiveness of the business and the services that they're trying to provide. On the other hand, how do we make sure that we continue to be security smart and a security-aware culture? So I think, in developing new products and services, when working with engineers to do this and managing this and thinking about the strategy, it is really around the approach of security first, because if we're considering this approach of security first and baking that into the design, what you can talk to engineers about is then we don't have to come back later on and try to layer security on if we have that at the beginning of the development of this work. So the best way to get people excited and thinking about security is like, let's do this now so that we're not facing a big headache when we get to rolling this out. And, I think, making the efficient part of it, perhaps breaking this up into smaller components of a project and testing it out, and then trying to deploy and testing in your dev environment before pushing this out to the larger population, testing it with a subset and seeing how it's functioning within the environment, and making sure that the product that you're designing has controls, cybersecurity controls, attached to it. So all of that is baked in in your development of this particular tool. Shashi, do you agree with that?

Speaker 1:

Do you think of security first instead of layering it? And?

Speaker 3:

Yeah, I was going to say yeah, because usually when we're designing things, typically you design it and then you go through a security and cyber review, but really it should be when we're collecting the functionals. We should also have the security team involved to understand. They should hear first hand what this application does, what's the type of data, who can access it, all that stuff. So the collaboration should really happen at the earliest stage, so it's not a surprise for us. Another thing is sometimes people who are on the engineering side, when we have to use certain resources, like I said, we're not aware of how to protect those resources, and so it would be really good again at the beginning, as we're talking through and designing things, to say, hey, I want to use a storage resource on the cloud, or I want to use an S3 bucket, I want to use this, I want to use that.

Speaker 3:

You know, not a lot of people might know what some of the vulnerabilities or some of the issues are. So it'd be good at the beginning, while we're designing, for people to point out, saying maybe that's a good idea, maybe that's not a good idea, rather than after we put our design together and say these are the 10 resources I'm using, and they come back and say no, no, yes, no, yes. Because the education is also important, but we don't have the in-depth education that maybe a security team might have. So getting them involved first is good. At the end of the day, we are trying to protect our client and their assets. So that is the number one priority, actually, before you're functional. What use is your functional application if you can't even protect it? So I think that mindset has to change, and it has to change even for the people who are developing the product, saying security is their highest, number one priority, and then the functionality.

Speaker 3:

So it's the mindset. You know, secure by design. It's the mindset of, like, I'm developing, I'm creating a product that is for our clients to use and we need to make sure that we give them this. But at the same time, security is also one of the most important priorities, and then, when we start from there, everything sort of flows through and it doesn't become like a chore, a check mark, a burden, etc. Yeah, because otherwise then you get MK stopping the fun if you don't think of that first.

Speaker 1:

We touched upon AI a little bit earlier and I just wanted to dip into that a little bit more. What role do you see AI playing in both enhancing cybersecurity and posing new challenges for engineering projects? MK, you touched upon it because you were saying people previously were thinking it was going to be robots. It's not actually being used how people think it's going to be used. How do you see AI enhancing cybersecurity?

Speaker 2:

I think it can be supportive in quite a few different ways, and I was just laughing about this with someone. AI has this large language model really mining some of the data that we as humans have created, right, so, really thinking through, what have we created and is it of quality for AI to mine and provide some information to us? But I think specifically what I touched on earlier was resiliency, right? I think AI can be very supportive in threat detection and response. If you think about organizations where cybersecurity and security specialists are in high demand and more and more folks are working on a small shoestring budget with staff to do their security-related work, what are some areas within the industry that AI could potentially support? One of these would be threat detection, making sure that they're analyzing large amounts of vulnerability data to present alerts to the team that they can then go through and figure out what to action on, so that cuts down some of the work significantly. Thinking through potential automation, right? I think while we're in the realm of security and technology, a lot of people quickly think that everything is automated. In some cases, there is a lot that is still manual, so how can AI better support us in automating some of these routine tasks so we can focus on some of our larger brain activities?

Speaker 2:

But on the other side, I think that's specifically from a strategy perspective, with thinking through data, and I stated there's a lot of data that AI can mine from. But on the other side of it, the challenges that it's posing are really our data and security privacy. You know, what type of information is it? The ability to potentially access information that is overly sensitive or too sensitive? We're thinking about non-public information or PII information, HIPAA information. What are the regulatory concerns associated with that? It's like, yes, AI can support engineers in doing their work and building things faster, but, as Shashi was stating, even in some of the other questions related to data and what people have access to, we also have to think about what machines have access to and potentially, if there's any exposure coming from AI, what the implications could be for an organization. Right, so it's both the good and the benefits of it, but then the potential risks that it poses, making sure that we are solving for both sides of it.

Speaker 2:

And then I think one thing that I would say folks were really thinking about, and this was the scare around college campuses and institutions. When AI first came out, everybody's like, oh my God, the kids are going to start writing all of their reports using AI and everybody's cheating. Now, all of a sudden, there's a move to have AI in all of these campuses. But I say that to say really like the over-reliance on it. Right, it is meant to be a supplement to our work, to provide efficiency for what we're doing, versus an over-reliance on it. So if it's ensuring that is a supplement and providing us more space to think and do better work, let's utilize it in that way, versus becoming fully dependent on it. So I'm going to pause there because there's a lot of things I have on the other side.

Speaker 1:

There's a lot of layers to that, I agree. Especially when you said on a shoestring budget, I was thinking, yes, those that can just free up their time for other things. But yeah, it is that balance between the good and the bad and making sure that those challenges are seen and addressed as well. Shashi, I can see you nodding along. I take it you agree. There is that, as MK was saying as well, that over-reliance on AI is going to be a challenge as well.

Speaker 3:

Yes, these two ends right. You've got AI that can help you now with threat detections, responses, monitoring that. But then you also have AI, which is the adversarial AI that could now figure out what are some of the loopholes based on your system right, and then figure out how to manipulate those loopholes.

Speaker 3:

So you've got AI using for good and then, you can also have AI using for bad. So and in cybersecurity, you know someone. I mean, the good is proactively monitoring and alerting you, but the bad is trying to figure out how to, you know, detect loopholes in your systems and what strategies it can to go through it. So it's going to be very interesting finding something that can also talk about the adversarial AI, because you have to be. That's why you've got these. You have people employ hackers to think like a hacker, to figure out how you can, what are the potential ways. So now we have to figure out some kind of AI that can figure out an adversarial AI so that we can protect against.

Speaker 2:

Yes, that is so funny and I'm so glad that you brought that up, Shashi, because of AI-driven cyber attacks. As much as we're thinking about utilizing this tool for good, you also have hackers that are utilizing this tool for the work that they do, to aid them in pushing out more sophisticated attacks, and some of the things that traditionally we used to think about, even for phishing or phishing scams and all of these other scams that people were considering, are more sophisticated now. I think when we used to talk about phishing, there was a lot of, oh, look for grammatical errors, look for issues within the email, like something that doesn't quite make sense, a sentence that is stringing along. Now the tools have the capability to address that, so people have to be extra vigilant around these particular areas. So we have to put on two mindsets, one the good and the bad side of it, and how can we

Speaker 1:

cover the vulnerabilities associated with it? Yeah, and on that topic of challenges and AI, I wanted to ask you what steps can companies then take to prepare for future cybersecurity challenges in engineering? Because with AI moving so fast, and other areas of technology, what can companies do? What steps can companies take to prepare for that?

Speaker 3:

I would say, you know, do more pen testing, vulnerability assessments; those are more important. Again, when you're designing things, think about multi-layered security architecture, and then training and awareness. No matter what, you have one person who clicks on the wrong email and it compromises your entire network and infrastructure. So I would say those three things are most important, and I'm pretty sure MK has other stuff to talk about, but from an engineering perspective, those three. Yeah, I think that is, from an engineering perspective, very concise and what is needed.

Speaker 2:

And I think, yeah, overall, from a cyber governance perspective, that is that's what is needed. Um, you know, think high level there needs to be really at a company level. What is your security strategy, thinking about your overall cybersecurity framework, right, what are some of these critical, robust frameworks that you're adopting to support you in enhancing your security posture? Like Sashi stated, the continuous training and alertness around the potential threats that you will be facing in these areas. I think one of the things is the strengthening of supply chain, of the supply chain. There is such a reliance. This ties back to a self-invented crowd check. There's such a reliance on vendors. If you're bringing a vendor into your environment, are you ensuring that you're conducting your appropriate security check application, security check, vendor assessments? Are you looking at their SAC1, sac2 reports to ensure that they are moving with a security-first mindset before you're bringing them into your environment and attaching them to some of your critical systems? Because we know that not only are companies facing attacks internally, but then their attack surface become expansive, given the fact that you have third-party suppliers and now we're also thinking about the realm of fourth-party suppliers and the threat that that can pose to the environment.

Speaker 2:

So, as you talked about your vulnerability assessment, your penetration testing. Penetration testing, I think, is so critical, because you have organizations or security firms that are coming in, or maybe even in-house staff, that can act as the hackers and try to break into the system, so you understand what you need to solve for to make sure that your overall security posture is stronger. And then having, I can't say this enough, a comprehensive resiliency response plan. I don't say incident response, because incident definitely focuses on security. There needs to be a cognizant approach to this, thinking about how we bring the business in so that they are thinking about the way that they're going to respond to a cyber threat that is going to impact them, and that we're going to be supporting them. And so making sure you have a robust incident response plan that definitely considers the needs of the business is so critical.

Speaker 1:

Yes, definitely, and that is a great point from a company level on what you should be thinking about. I wanted to ask you quickly, ladies, what about on an individual level as well? What should you be thinking about? Do you have any advice that you would give to engineers and project managers who are just beginning to integrate cyber security considerations into their work? Any advice you would give them when they're thinking about their projects?

Speaker 3:

Yeah, I would say when I initially started I wasn't aware of all the different types of threats and trends. So now I have this website that I go through saying, hey, what are some of those known vulnerabilities and threats? So stay updated with the latest cyber security threats, especially for engineers and PMs, and then, like I said, foster the mindset of always having security first. Another thing that I try to get our engineers and PMs to think about is least privilege: when and who and what resource needs access to what, and at what time. So that's important.

Speaker 3:

Secure coding practices, like, you know, don't leave any easy loopholes so things can get in. So that's important. Make sure, as part of DevOps, that we include every package or utility we use, because, like what MK was saying, we're using vendors and the vendors could be using other vendors, and so you're really multiplying your attack surface because you're relying on other products. But even when we code, we use a lot of libraries, which could be open source or bought from other vendors, and those could also have vulnerabilities. So make sure that we are doing all this code scanning and also understanding what their vulnerabilities are. So going into an open source forum to say, hey, was there a vulnerability or an attack on this utility that we're using? Getting updated on that is important. I would say, yeah, those are the main things, the advice I would give for the PMs and engineers.

Speaker 1:

Yeah, that is brilliant advice. I could see you smiling, MK, along with the mention of least privilege there. I think that's something in your mindset as well, and advice you'd give for engineers and project managers.

Speaker 2:

Yeah, absolutely. I think people move from the mindset of "give me access to everything," right, because I want to know what is happening. I think the asset of leading with least privilege is the best way to go. It's like, what exactly do you need access to to conduct your work, versus providing you with access across the organization? That can lead to exposure. And, through and through, I'm a cyber risk practitioner, so I'm always thinking about the exposures of an organization and the implications of that.

Speaker 2:

Sashi, I really liked what you said about keeping your ears to the ground. So making sure that you're visiting these forums, learning from those chat groups, asking questions within them, but also having a mind of skepticism. Not everything that everyone says is what you take as gospel; make sure that you're validating that information. I think, you know, the common vulnerability scoring system, that group does a really good job of keeping us up to date on what the latest vulnerabilities are that are out there that you need to look at. It's not only that, but they score it and also provide you with detailed information around how to respond to the patching that is available. So make sure that you keep your pulse on these critical resources that are available that you can use. One thing that I forgot to talk about when we were talking about how can companies also software?

Speaker 2:

This is not being insular in your approach to cybersecurity, but also being expansive and trying to understand: what are your peers doing? What has ISACA put out? What has CISA put out? What is the FBI considering around cybersecurity? I think making sure that you understand not only your environment, but also, externally, what is happening within the cyber security space, is really useful, not only for an organization but also for an individual, in building and learning and understanding how to respond to this ever-growing landscape of threats that we're facing.

Speaker 1:

Yes, definitely, and that is brilliant advice, ladies. I could keep talking to you for another episode on this topic, but we are already out of time. Thank you so much, both of you, for coming on and having a chat, so timely, and for sharing what you do. Thank you so much, ladies, it's been an absolute pleasure. Thank you, thank you. This was wonderful. Thank you to everybody listening, as always. Thank you for joining us, and we hope to see you again next time.