How Startups Can Overcome Limitations To Secure Their Business

Startups cannot afford to make the mistake of thinking of cybersecurity as an afterthought. Having a healthy, business-enabling cybersecurity posture from day one can be a daunting task given the limited budgetary and manpower resources, but not an impossible goal. How, then, can startups achieve that?

Anand Nirgudkar, CTO of CardUp, has accumulated years of experience working with startups and fully empathizes with startups on the limitations they face when it comes to achieving a healthy cybersecurity posture. In this episode, he shares several things that you can do to overcome your startup's budgetary and manpower constraints to keep your fledgling businesses safe as you pursue growth.

Tune in to this episode of Ask A CISO to hear:

  • Why Anand loves startups
  • The misconceptions most startups have about cybersecurity
  • How startups like yours can have a healthy cybersecurity posture from the get-go without expending limited resources
  • Why and how to inculcate a safety culture within your startup
  • The best tools and best practices as your startup grows

About The Guest: Anand Nirgudkar

Anand Nirgudkar is the CTO of CardUp, his third entrepreneurial venture.

Anand loves to solve problems and has spent the majority of his 20 years in the IT industry building systems from the ground up and providing highly available, real-time solutions for financial / payment systems.

He has worked alongside some of the best security and engineering teams in different parts of the world and launched systems across 5 continents.

Anand has worked as a vCISO, helped startups in building and training security teams, wrote policies, defined and maintained technical security architectures, performed threat modeling, and assisted departments to shape up security postures and GRC processes.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Paul

Alright, here we are starting our Ask A CISO podcast, and today with me I have Anand.

Anand is the CTO of CardUp, his third entrepreneurial venture. Anand loves to solve problems and has spent the majority of his 20 years in the IT industry building systems from the ground up, and providing highly available real-time solutions for financial payment systems.

He has worked alongside some of the best security and engineering teams in different parts of the world and launched systems across five continents. Anand has worked as a vCISO, helped startups in building and training security teams, wrote policies, defined and maintained technical security architectures, performed threat modeling, and assisted departments to shape up security postures and GRC processes.

Welcome, Anand, great to have you today!

Anand

Hey, thanks, Paul, thanks for the kind introduction, and great to be here talking to you today.

Paul

Yeah, great to have you as well. I think, you know, it's good to see you, it's been a while, but, yeah, how have things been, how's CardUp and how are you?

Anand

I'm great, and first of all, I should say congratulations and thanks for starting this podcast because, as someone who has grown up listening to different podcasts or different variations of security podcasts over the years, I think we needed one in this region, correct? There are a lot of great stories, people with the experiences, people who have built things from scratch, and a lot of war stories that need to be told and heard in the region, so I appreciate you taking this step and starting this up.

Paul

Yeah

Anand

And about CardUp, I mean, obviously, it's been another busy year, so for the listeners, like, CardUp is a payment platform. We are on the mission to provide individuals and businesses a better way to pay and get paid, so our payment platform simplifies the lives of business owners, bringing both payments and collections into one easy-to-use digital platform, and we also have a no-code solution which will improve cash flow management, unlock exciting rewards, and save time through automation, right, with no software implementation or setup time at all.

So, at our core, we allow big expenses which were previously made by cash, check or bank transfer to be shifted onto cards, and which includes expenses that traditionally have not accepted cards at all, correct? So what we observed in Southeast Asia, we have such a heterogeneous ecosystem, right, whether you want to onboard, process or distribute cards. So what we are building is a moat, starting with the use case of how to make these card payments faster, cheaper, and widely acceptable.

And so far after launching in three regions and planning for more regions to roll out in more regions in this year, we've been good!

Paul

Yeah, great, thanks for the shout-out for the podcast, definitely. Noticed the same thing as you in terms of the ecosystem and the region not having much, so, yeah, definitely wanted to start it, and Isaiah, who runs the podcast, has been working hard on getting great guests like yourself. He's been doing a pretty good job so far, so we have quite an exciting lineup including yours.

Yeah, and awesome to hear about CardUp. I've been seeing you guys around a lot more and the solution is quite cool and have used it a bit personally myself, so excited about that.

Yeah, so with you, of course, you have extensive kind of experience in startups. What kind of excites you most about them, and, you know, what's it like being a repeat entrepreneur?

Anand

I mean, great question, right, like working with startups is like drinking water from a fire hose that is how I would describe it. Like, it definitely widens your horizon and you may end up learning five, six years of worth of experience, getting it in two years, right? And it also gives an opportunity to, I think, think differently because there is a lot of constrained environment when you are starting different ventures from ground up or building them from ground up and which provides an opportunity to innovate at speed, right?

It always takes me back to this famous 1997 Apple information, right? "Here's to the crazy ones, the misfits, the rebels, and troublemakers." No matter, I mean, all the startup founders ... they share the same gene, right, and then that information captures it properly, I think. That's the perfect way to describe everyone who has started a startup, whether it has gone on to be a big one or not, it doesn't matter, right? So taking that risk and being able to create something from the ground up, that's been exciting, and obviously at the end of the day, you get to work with like-minded people who are as crazy and as much hustlers as you are, if not less. So that's a bonus always.

Paul

Yeah, it's definitely exciting. Uh, can be daunting at times, but you know, definitely, you know, I think worth it at the end of the day. You learn so much I think which can be understated uh as well. Even if you've done it multiple times, you face different hurdles every time, I'm sure as you have, so it's never boring to say the least.

Anand

Yeah, yeah.

Paul

Cool, so maybe tell us ... you kind of gave us an overview of CardUp, but tell us a bit about the journey of the company, right? It's been around for a while now, so curious to hear more.

Anand

Yeah, it's been ... interesting. So I met Nicki, who is our CEO and Founder, back in probably late 2015, and we started hashing out, talking about this idea of leveraging credit cards, and how to make them more available or accepted in different areas, so that kind of instantly drew me to the idea and the person, and I said, okay, sounds good, let's start building this together.

So since then, obviously the journey has been exciting. There was a lot of education that we had to do in the market initially because there was apprehension about what we are trying to do exactly. Are we trying to compete with banks or are we complementary to the banks? Where do we exactly fit in? And then even for the payment networks accepting the model, there have been challenges, obviously, initially, but now I think we have crossed that bridge and we have been working with a lot of, almost all the banks in the region as a complementary product.

Which can increase the spend on the card product, so that has been great, and now we are working closely with the banks, as I said, to build that moat, to provide these payment solutions, and having some great VCs on the board has also helped the overall process, like we had the SeedPlus team, Sequoia, they have been very helpful throughout the journey, so that has been great as well.

Paul

Awesome, yeah, exciting to work with great VCs. Think they can be helpful kind of guiding you along the journey, so that's awesome, yeah, excited to hear that journey as well, alright. Horangi's been around since 2016, so a similar age, so it's definitely been an exciting experience for both of us.

So today we're going to tap a bit on your expertise in cyber and kind of the startups as well so like for the first question, why don't we kind of start off with some of the known limitations for startups when it comes to cybersecurity?

Anand

I think, great! So probably let me also talk about why we are talking about startups and security, correct? Probably let me dwell a bit on that and then we can get into ... along with that we can get into the limitations. So, first of all, are startups too small to worry about security? That's the question probably everyone in the startup world should ask themselves, correct?

Because obviously startups have limited resources, shorter runways, and they have formidable competition, and the teams always consistently drive themselves relentlessly to find that product-market fit, or create or engineer those compelling customer experiences, right? So naturally, for startups, this security investment is typically a deferred investment, or even in cybersecurity, that which can wait, right? I mean that can be looked at as an indulgence. I mean even with a lot of bigger companies security is always an afterthought, so ...

And then there is a maybe there is a feeling that, hey, who is going to bother attacking a startup anyway, correct? And which is where I think that is the naive way of looking at it because the cyberspace has changed a lot over the years and now it touches and threatens at the same time every online business irrespective of the size whether you are big or small.

And then startups now use the same cloud infrastructure which is used by the mature companies, so ... and then startups end up quickly gathering large amounts of user data and maybe even personal data and payment credentials if you are working in that space or maybe even the e-commerce space, and any malware infestation, for example, which is crawling the web, is not really going to ... they are just kind of scouring through the long tail of targets. They are not really looking at, oh, this endpoint belongs to a Fortune 500 or maybe a startup, correct?

And that is what people should understand, because there are some increasingly common cyberattacks that we observe, or maybe even the DDoS extortion schemes which are specifically targeted at smaller and vulnerable businesses, and probably that is where a maturity to understand from a security point of view comes into the picture. Like, for example, if you look at the attacks, obviously you may feel that, okay, nobody is going to target you, and probably no one is.

There won't be targeted attacks, but most of the time a lot of attackers or hackers are scanning for vulnerable devices, right? Servers, expired certs, exposed or misconfigured endpoints. So maybe, like, somebody using, I'm going to throw some names here, somebody is using Shodan or running Nuclei or Censys or ZoomEye is going to scan all the endpoints, and they are not going to differentiate between who that endpoint belongs to.

They are just going, OK, I found this and then trying to launch the payloads, correct?

So then, so that's one of the problems. So the attacks are not going to differentiate or discriminate depending upon the size of the company because that does not exist.

Second, and then we are all using the same rails, same cloud infrastructure. Second, when it comes to data protection, small businesses can be less prepared, right? Because they have less to invest in getting it right off the go. They don't have a compliance team or data protection officers, but they end up processing a lot of personal data, and the reputation and liability risks are just as real, so that's, I think, that's the problem - the kind of attacks that you have, targeted attacks on the small businesses, the data that you are processing, and so what is the solution, right?

Then, for example, can I just throw some tools at the problems? Let's say you are running a startup and say, can I just buy some tools off the shelf and try to mitigate all the attacks? Even that is not easy, because if you see the target market for vendors or the tools, they focus on the top three to five percent of companies worldwide, correct? And you know that as well. If you are a company which is less than 500 or even 100 users or endpoints, nobody is going to pick up your call, nobody is going to entertain you.

And as a result, 90 percent or upward of businesses worldwide do not get access to these tools, correct?

So which means you are not using the tools, you may not have expertise to configure the tools that you have, and you probably do not have the right set of expertise in-house. You don't have the larger security teams, so this becomes a combined recipe for a potential disaster when some attacks come through. Nowadays, the whole security world, or the whole set of attack vectors, has grown so much. Like, for example, let's say you are doing everything right, but then there are supply chain attacks which are becoming very common, and they are not always targeted at enterprises, right?

For example, in July (2021), in recent terms, in July, that has happened, right? A popular IT solution provider for MSPs faced an attack and their clientele included MSPs, which means a lot of smaller businesses have been caught up in this incident, right? So which means you are in this connected economy, you are no longer isolated from any such type of attacks.

And then maybe startups in the early days tend to trade security for convenience, which leads to all the issues, so ... so these are the various issues that startups face, right? And then why is security for startups important? Because security is no longer just peripheral, it is a business-critical function, right? So the ability to recognize and act quickly on threats will determine whether a company can operate efficiently, whether a company can stay in business or go out.

So ... so I think ... I always use this, probably, analogy within the presentations that I have been giving. Like security is like locking your door or locking your car. Obviously, it is not going to stop the bad guys, but at least if it is good enough, they will move on to next target, correct?

So that is how you should look at it. Like am I doing basics enough to protect myself, irrespective of whether I have an old beaten-up car or I have a swanky sports car. Doesn't matter.

Paul

Yeah, I think you're right, and, like, there's something I always like to say too, which is, like, you know, especially in B2B, security is kind of a sales enabler, right? Because obviously us being a security company, we're SOC 2 certified, but going through procurement, that is a differentiator for us from our competitors because we do have a SOC 2 certification for both our product and services businesses, and especially large customers will look at that and value that as part of their decision-making process in choosing a vendor to work with.

I think that's really important in B2B, and then if you're in Fintech, of course, you're regulated in most cases, so you have to have certain security requirements, and largely, I think even much more recently, customers actually care about it, right? They care about how their data is being protected. They care about what information they're putting into the system et cetera, and what that company is doing for security, because, yeah, ultimately they're sharing their data and they care about it being protected, and I would say that that's changed quite a lot over the past years because people who have really been through data breaches with their personal information have started to realize how painful it can be.

So I think they're starting to monitor the companies that they share their data with and look at security as a factor in why I might use one service over another, which I think is important and why startups should invest in it.

Anand

And those data breaches are like double-edged swords, right? When it is happening to everyone, maybe everybody goes back and relaxes, hey, it's happening to everyone, but rather I would look at it as, oh, which means it can happen to anyone, correct?

That is where you need to change your perspective and look at it from that manner, which means it can happen to anyone.

Paul

Yeah, exactly. And what do you kind of think are some of the guiding principles for startups when it comes to cyber?

Anand

I think, if I have to look, I mean ... let's say ... if I had to run a mental list, I would say I will probably answer this in two ways. One is the quick list that I can put out, say, these are the principles, and then I will elaborate on that.

The first one is cyber hygiene, so that's the first thing, because as startups ... startups may not have the luxury of having the bigger teams, so what basics can they get right? So first is cyber hygiene, and in Singapore, I think MS has done a great job of putting out the cyber hygiene and what that means and what a company should do.

Second is cyber hygiene before anything else, correct? So first is follow cyber hygiene, second is follow cyber hygiene before anything else, because you need to get those basics right. So what do I mean by cyber hygiene? Like, probably you need to know what devices, what technology assets, what is your asset inventory, what is your critical data, how are you tracking it?

Maybe you are following the Principle of Least Privilege and trying to give people access to what they need for the role and not have everything widespread, and maybe documenting and communicating expectations of how people are going to use your devices, or within your company, within your organization, within your startup, right?

And then training. Then probably because you are still small as a startup you should use that size as an advantage because your attack surface is smaller so you can use that to start getting things right from day one. Invest into the culture and definitely, we will talk about culture more as a part of today's discussion because that's so important in getting things right over anything else, and I would say multiply the effectiveness because maybe you don't have those expertise but there are a lot of vendors out there like yourself who are building products focused on startup who have teams and services focused on startup so companies can leverage these mature tools and processes or even expertise, as I would like to always call it as a hive mind, right?

Because when you engage, you're engaging a company like yourself, you are not just engaging one consultant but you get that entire hive mind, the brains of all the people who have been working in the field day in day out, they are seeing what happening into the region and elsewhere, right? So that multiplying the effectiveness factor is very important so early, especially when you are constrained with the resources.

So that would be, first of all, I would say, a short quick checklist, but if you have to dive deeper into the guiding principles, like, for example, securing digital assets is a daunting challenge, correct? It doesn't matter whether you are a small company or a large corporation, and because there are so many vulnerabilities and then defenses, it is hard to know where to start, correct? So the one-liner is: security starts with asset inventory, and that's popular. You should always start with asset inventory, so what does it ... once you know what you need to secure, then you can plan, and it starts with enumeration of all the risks at a business level.

So that is the first process you should do. Like when you are starting a startup, you would say, OK, I want to start in this country in this city because of ... this is my cost-benefit analysis.

Similarly, when you are starting to build a product, or when you start even buying the first devices within your company, start doing that risk analysis or business analysis. Business risk analysis, whatever you want to call it. I am not going to go into a lot of framework details or ... because that would be overkill, but what is the purpose here, right? The purpose is not to develop a plan to eliminate all the risks. It is not going to happen, but rather to identify, let's say quantify, and then maybe prioritize the risks that we should and can mitigate with minimal distraction from our core focus.

I think that's important, and only then we can make the decision about the defense and how to structure or lay our defenses and confidently assess our state of readiness, so we should know that plan - how to eliminate the risk periodically and then have a decision about the defense, correct? So obviously there are well-established models like NIST available, but these frameworks, when you are starting out, are overkill for understaffed startups, right? So the simpler order is to just focus on creating this risk analysis consisting of: what is the threatscape, and what is my defense plan.

And I'm not even talking about threat modeling, not STRIDE, DREAD, PASTA, any of these, just plain threat analysis, which can be a simple spreadsheet where you say this is my threat, this is the likelihood of that threat, which is like the number of expected incidents per year, this is my dollar value or full dollar loss per incident, and then if you calculate it cumulatively, what is my expected loss?

Because once you put it out there, that is the only way to get the entire company centered, and they understand what is the cost of that risk, and then they can put their efforts behind it, unless or until you convert it to a dollar value, it is difficult for many people to drive the efforts at organization level behind that activity, because that has been one of the common problem in onboarding any type of security initiatives in most of the companies, right?

And then, obviously, you can independently estimate the likelihood and loss of each threat because obviously, all the businesses will face similar threat, but their impact will be, or it will vary greatly from one type of business to another.

Like, for example, a credit card processing company like so, CardUp, which will care more about the fraud and chargebacks, and maybe there is a tech service provider company which will care more about DDoS, or maybe there is a deep tech company which will care more about IP, correct? So the threat are going to be similar against all these companies but their impact will vary based on how they operate and what type of business they are.

And once the business grows, the risk and damage from each threat will change, and then the analysis needs to be, let us say, like a living document. I think that is important because most of the time, what I have found is that people start with the analysis, people say, oh, we have done the risk analysis, but that is a point-in-time analysis, right? And then that is like certification, you cannot have it point-in-time, it needs to be a living document.

It needs to be a continual process which needs to be reviewed and obviously ultimately owned by the founder or the CEO because the tone has to be set from the top. Again it can be a good, probably team-building exercise to talk within the team and say, hey what do you think about, and what collectively we think about the risk, and what steps we can take to prevent them?

Paul

Yeah, and one thing you mentioned that I 100 percent agree with is culture. I think it's basically a free thing that any company can implement to really increase their security posture - just having the whole company think about the types of risk they face when they make decisions. Like, are they thinking about cybersecurity in general?

And the other thing you mentioned I really agree with is like executive buy-in, I mean in both of our companies I think it's very easy for that since we're security professionals but I think for the executive buy-in is an important part of, kind of, being successful in addressing security challenges.

That, and kind of the culture thing I think are two things that are relatively cheap but also have a big impact.

Anand

So I mean I will definitely talk about culture a bit, because traditionally what has happened is security has been seen as unnecessary labor. I mean, maybe initially the concept of security was, OK, I am going to throw in some firewalls and then put everything behind the network and then you are blocked from doing this. So the traditional concept has been, oh, security, which means blocker. I am prevented from doing x things because of security, which is not true, right?

So at the end of the day, security is more like adding the right amount of guardrails, so, hey, you do things within these boundaries, and if you fail we are there. Our guardrails are there to take care of you, but then if that doesn't happen, then probably these are the threats and these are the risks which are going to impact our business, or maybe the existing core business.

I think that message should be driven across the organization, correct? Because any secure organization, I believe, will start from the top, maybe CEO and founders, but it demands a team effort. As we would say, security is everyone's responsibility; it should probably be added to the job description for everyone. So then that is how you can start training people.

They would start understanding why security is important, and probably for the listeners today, I am wearing a t-shirt which says "Trust No One". I think that's the whole ... it's from this famous game, right? "Among Us", I think. It's a good take on the insider threat, so that message is very much relevant. Like, if you try to understand that everything can be a risk and then try to eliminate it, then that is the best way of doing that.

So which brings us to the defense plans, right? So you have done the risk analysis, then what kind of defense plan will you have? So, a defense plan is nothing but, let's say, maybe you have the risk analysis, you have ranked the risks based on expected loss, and then you should know, against every risk, how am I going to protect, prevent myself, correct? And then, you know, it need not be an IT/IS-specific incident response plan. It can be simply, hey, what are the preventive measures against this threat? What is the detection measure?

Then what is the pre-remediation or post-remediation? And then, in case maybe the attack frequency is going to increase, what is the revised forecast and revised loss per incident? So if you just start with that: what is my preventive measure? What is my detection measure? And maybe, who am I going to contact? Do I know who to contact if anything happens? Do I have that expertise? I think that is going to be important to have that defense plan, and then you can start putting solutions in place like: this is how I am going to do it myself.

This is where I am going to probably hire someone else to do it, or maybe I am going to implement a tool which is going to monitor my security posture, and then it is also important to talk about the tools, because we started with saying how difficult it is to procure the right tools for startups. So as a part of the defense plan, you should always look out for the tools which are going to give you enough hand-holding without spending a lot of your time figuring out what action to take. So the tools which are going to check your security posture all the time, let's say, or your device, probably device management, are going to give you actionable insight and remediation measures. And maybe if you are, let us say, a regulated entity, if it is going to say, okay, you measure this way against all the known compliances in the region, that will be the icing on the cake, right?

And then I am sure probably what I've seen, you have Warden, correct?

Paul

Yeah

Anand

Which does the same kind of thing, so maybe tools like that should be part of this defense plan. That is what I believe, especially in the early days when you don't have ... you're understaffed, so ...

Paul

Yeah, yeah, definitely. Like, a lot of startups use our product to help with both compliance as well as just kind of understanding the risks that are in their infrastructure, and then monitoring and iterating on it to make sure that they're kind of managing it as they continue to develop, which I think is important, to have a security tool that does that, especially if you're a cloud-first company, 'cause usually your greatest risk is going to be in your cloud infrastructure, so it's important to take that piece of security seriously at least, right?

But on to the next question, the last question as well. Like, what are some of the items, given COVID, and obviously all of us are working remote or have been working a mix of remote and hybrid for two years, over two years now, it presents a lot of security challenges, and what are some of the items that you recommend to be on companies' checklists with the new sort of normal, with most companies being somewhat remote?

Anand

Oh, okay, great question because I think there is very pertinent question and probably a lot of people are losing their sleep or security people losing their own sleep over oh, where this device is going to be used and how people are going to use their devices, correct?

So I think it starts from, first of all, do you have an acceptable usage policy and you are training people enough, and is there a culture that you have developed within the company where you are going to train people and then you are going to continuously, kind of, create an environment where people will find it probably easier to say, or maybe give them guidance that how to deal with such threats because at the end of the day, this trust no one or being a little bit suspicious is important because you need to be suspicious because a large number of attacks are going to rely on simple social engineering, and it is true when you are not within the office, you are working alone, or you are working from maybe, I don't know maybe a coffee shop or anywhere in the world, so we should ask ourselves next time we receive an email, oh, am I really going to win an iPad or receive a FedEx package or receive fax with whatever multi-million dollar check inside or whatnot, or is my CEO going to ask me to, let's say, wire the x amount of money immediately so that's something ... so, and then it has evolved, right? It's not easily identifiable by poor grammar or spelling mistakes, correct?

There are a lot of sophisticated social engineering attacks that happen, and then how to prevent that? It starts with training, correct? So, for example, first of all, as an organization we should share all the risks openly with the team members so they understand and they get invested into the whole thing. Then we schedule the periodic training sessions, which actually founders and everyone should attend, because most of the time it becomes an exercise where there are some videos going on and people are attending and then they are doing something else. So if you make it a joint effort, then only is it going to be successful. So that is very important.

Again, setting the tone from the top, and then that is how you are going to improve the culture. Like maybe then, is there any reporting mechanism, or are you creating that culture of reporting, not shaming anybody? Reward the detectives. That is important, so then it does not matter whether those people are in the office or working remotely, because that is getting ingrained into their working habits. So creating that habit and creating, let us say, maybe you have an email address where employees can post the different issues or mails or suspicions that they have, or maybe you are using some collaborative communication channel, create a channel for such discussions. And then founders, initially, what they should do is they should start posting all such experiences, different news in there.

And then at CardUp also, we have been doing that, and what we have found is that eventually, other people have also started doing that. They started noticing it. They started noticing, I mean, this has helped us.

It is not always going to help you. It's not going to prevent everything, but that creates a culture. Like, for example, we were doing a phishing test and we were hoping that nobody would identify it, but some of us, like, within half an hour of the phishing test said, hey, looks like this is a scam email, and then nobody actually opened it, and our objective in a way was met. But then, I mean, that's good, right? That's good to see that people are learning from that environment.

And then maybe adopt a platform which will help you to do single sign-on or password management; use those two standards. Obviously, one more important thing is creating the security champions within your organization, so find, identify the people who are interested or who can act as a security champion, and then I think multiple people, they talk about it. I'm not sure if you have heard about We Hack Purple? It is from Tanya Janca, and she has great material on it and a great course on how to create these security champions, and it is targeted towards, obviously, startups and companies and small businesses, so I would definitely recommend to the listeners that they go ahead and check that out.

And one more important thing is to schedule penetration tests or vulnerability tests on a regular basis. Because that is part of your posture, especially when everybody is working remotely, so you should be absolutely sure when things are getting pushed in, and if you do not have that entire, what they call it, DevSecOps process or a lot of automated tools, at least you are doing vulnerability scanning, network scanning every year, or depending upon the frequency suggested for your industry, or depending upon the regulation. And engage, obviously, third-party partners in doing that. That's very important, I guess.

Paul

Yeah, I totally agree, and I think great advice across the different questions that we've asked today, and thank you so much for sort of attending the podcast and giving all the listeners your great advice. Any last sort of things to shout out to them or pieces of advice?

Anand

Yeah, hey, thanks! I mean it was great talking to you about it - a topic which is very close to my heart. I would say my take on why we should care about security is it's very analogous to, just as drivers who are driving on the road, doesn't matter which lane you are driving in, fast lane, slow lane, pickup lane, but we share as drivers the responsibility for safety, right? And we all share the same responsibility on a road, correct? And that is why the traffic will move smoothly. So if you analogously consider this whole internet or this whole global network as where we are the drivers, then we must regard computer security as a necessary social responsibility, correct? And that's very important. So if you ...

because then you will realize anyone who is unwilling to take the simple security precautions can become an active part of the problem. So it's everyone's responsibility. We are all equally on the same road, so if we don't do our part, the ...

I would say the effect of it, or the ripple effect, will be faced by everyone. So start at home, and then be a little paranoid. Maybe trust no one is taking it too much, but then I think maybe be a little paranoid. Think of security as the necessary social responsibility in today's world, and then take all the basic steps and go forward.

Paul

Awesome! Well, thanks for that, Anand, and thanks for attending the podcast today! Great advice, and I look forward to having you with us on the show again!

Anand

Yep, thanks for having me and it was great talking to you as well!

Paul

Thanks, Anand.

Paul Hadjy

Paul is a technology visionary working across the US, Middle East, Singapore, Korea, and New Zealand to build business in both the private and public sectors. Paul spent over 6 years at Palantir and was the Head of Information Security at Grab.
