The Actionable Futurist® Podcast

S3 Episode 7: Raj Samani from Rapid7 on Cybersecurity risks

December 17, 2021 The Actionable Futurist® Andrew Grill Season 3 Episode 7
The Actionable Futurist® Podcast
S3 Episode 7: Raj Samani from Rapid7 on Cybersecurity risks
Show Notes Transcript Chapter Markers

We know that cybersecurity presents a huge risk to us both personally and professionally, but what can we do to stay safe? To answer this question I spoke with cybersecurity expert Raj Samani, who at the time of recording was Chief Scientist at McAfee, and is now at Rapid7 on the Actionable Futurist Podcast®.

As an international cybercrime expert, Raj has assisted multiple law enforcement agencies in cybercrime cases, and is a special advisor to the European Cybercrime Centre and is on the advisory councils for Infosecurity Europe and Infosecurity Magazine.

Cybersecurity threats now have the potential to completely cripple companies and complete supply chains and my discussion with Raj is accessible to audiences of all types, and contains advice for a board of directors, right down to students considering their career options.

In this wide-ranging discussion, we covered topics including:

  • Cybercrime in a pandemic world
  • How cybercrime has evolved
  • How supply chains are now a target
  • The Log4j vulnerability and what it means
  • Are boards taking cyber threats seriously?
  • Making the board uncomfortable about the risks
  • Contextualising why cybersecurity matters
  • Can AI help fight cybercrime?
  • Actionable advice to keep safe
  • How much security do you need?
  • The industries most at risk
  • Nation-states running social media campaigns
  • What the FireEye acquisition means for McAfee 
  • Criminals now have R&D departments
  • IoT and APIs as the next threat areas?
  • Children's toys are getting hacked
  • Putting security at the heart of design
  • Bletchley Park's role in cybersecurity
  • The hot roles in cybersecurity
  • Top 3 cybersecurity trends
  • Do companies need a dedicated Chief Security Officer?
  • 3 things to do today to stay safe

Raj provides us with actionable and practical advice on what to do this week to reduce your exposure.

Make 2022 the year you lean forward and take cybersecurity seriously.

More on Raj

LinkedIn
Twitter
McAfee Enterprise
Raj's Blogs

Resources mentioned on the show

Have I Been Pwned? website
Speakers for Schools website
NoMoreRansom.org
The Cuckoo's Egg book
Applied Cyber Security and the Smart Grid book
Dave Grohl Biography
Bletchley Park

Your Host: Actionable Futurist® Andrew Grill
For more on Andrew - what he speaks about and replays of recent talks, please visit ActionableFuturist.com
follow @AndrewGrill on Twitter
or @andrew.grill on Instagram.

Intro:

Welcome to The Actionable Futurist Podcast a show all about the near term future with practical and actionable advice from a range of global experts to help you stay ahead of the curve. Every episode answers the question what's the future on with voices and opinions that need to be heard? Your host is international keynote speaker and Actionable Futurist Andrew Grill.

Andrew Grill:

Today's guest is Raj Samani, who is a McAfee fellow and chief scientist at McAfee. His prior roles include VP and Chief Technology Officer at Intel security McAfee, and Chief Information Security Officer for a large public sector organisation in the United Kingdom. As an international cybercrime expert, he has assisted multiple law enforcement agencies in cybercrime cases. And as a special adviser to the European Cybercrime Centre, and he's on the advisory councils for info security Europe, and info security magazine. Raj has published numerous security papers and is the author of applied cybersecurity and the smart grid. Welcome Raj.

Raj Samani:

Thank you for having me.

Andrew Grill:

I really hot topic at the moment and we're going to get into some details. So many of us we've come across McAfee by having antivirus protection on our PC. But I know you do so much more than this. So how would you describe what McAfee is doing today?

Raj Samani:

Without sharp tip of the spear, we need to understand what threat actors are doing and really integrate that intelligence into software into hardware to prevent those attacks from actually being realised. A lot of what we do as well is is not even published, whereby we will work with law enforcement to help identify criminals and actually get them arrested because sadly, there is this misconception that if you do cybercrime, then you're not going to get caught and so therefore it basically a free hit.

Andrew Grill:

I've just finished a report that you published titled cybercrime in a pandemic world, the impact of COVID 19 very relevant. There are some pretty stark warnings in there. What surprised you about the report and what didn't?

Raj Samani:

It's been a bit of a car crash two years, to be honest. It was the 28th of February, I made the stupid decision of playing football with the kids ended up like tearing my Achilles ended up in hospital. And for about five months, I was just trying to walk again. What was interesting was, I got to ask this question when I was in the hospital, and the question was, are we seeing any attacks, leveraging and utilise the pandemic and actually strangely, at the end of February, there wasn't a lot and then round about the middle of March, that's when the floodgates opened. We saw every possible nutjob come out trying their best to steal money or instal spyware on your phone or spreading misinformation. since then there's been like a tsunami of not just volume, but also every possible variety of attack you can think of from really highly capable ransomware groups to individuals just sending emails pretending to be the CEO pretending to sell PPE.

Andrew Grill:

I'm sure that's the case of a lot of chief security officer then boards because they see that cybercrime is now becoming a real threat. And we'll talk about that in a minute. But just back to the report 81% increase in global organisations that experienced increased cyber threats, what do you think was behind that,

Raj Samani:

hopefully, being able to identify a lot of these attacks, but also we've got to acknowledge that cybercrime is in many ways, different to what it used to be maybe five to 10 years ago. What I mean by that was historically, if, for example, somebody was infected with malware, in many cases, they may not know about it, but now we're seeing really criminals becoming a lot more confrontational. When you think about something like ransomware, it really is waving the flag saying, You've been compromised. And unless you pay us millions of dollars, then you're not going to get your systems back or worse, still, we're going to publicly release all critical information to the whole world that you've basically been trying to protect. The way that cybercrime has changed is that it is a lot more confrontational. In fact, in many cases, criminals aren't necessarily interested in keeping it quiet. I mean, some of them have like Twitter feeds and pseudo PR departments advertising the fact that they've compromised major organisations, which is a complete shift to where we were a few years back.

Andrew Grill:

You mentioned before that the initial sort of attacks were centred around hiding behind COVID and trying to use that as a leverage. But now with the supply chain shortage, the everything shortages holiday season, you're saying this is creating a perfect catalyst for cyber threats to the supply chain e commerce and travel? Where are these new threats appearing? And how might they manifest and what should people look out for?

Raj Samani:

There's multiple ways that criminals will try to compromise an organisation I think, historically, it was predominantly over email. Whilst that might be a very common tactic. If we think of things like ransomware attacks, they use remote desktop protocol. So RDP is the ironically because of the pandemic. Everybody enabled RDP because they wanted to be able to access their systems remotely. In doing so they effectively kept the back door open. And it I can sit here and talk to you about some of the passwords that are being used by companies, which precipitates a lot of these attacks, of course, compromising vulnerable systems. And after a weekend of dealing with the log for J vulnerability, we've had major critical vulnerabilities becoming more publicly accessible, exploit code being published. And of course, there are those other vectors that may not be high in volume, but certainly are used. And you know, a good example of that is the use of social networks whereby criminals are actively creating personas and profiles on social networks in an attempt to appear credible and really interact with victims. And so I think you touched upon it pre call, which is that attack surfaces really, really far and very, very wide. And that allows criminals the opportunity to be able to kind of leverage any number of potential entry vectors,

Andrew Grill:

the route or router that's in the corner now, because people are in distributed environment, they've got their BT virgin insert name here router there, because there are so many of them criminals trying to hijack them. You mentioned for the log for J exploit. We're recording this in December 2021. Can you explain what that is, and why this is important,

Raj Samani:

fundamentally, why it's important is that it's a critical component used by multiple different products. Historically, when there is a major vulnerability that comes out, you could say, hey, look, you know, this impacts this particular product, what we're talking about here is a critical component used by multiple different products. And of course, we're only a couple of days into this. And already, we're seeing criminals actively leverage and exploit this. And so like, if you think about it, when a vulnerability is identified, that vulnerability becomes public, the next component of that is criminals will look to exploit that. So in other words, they'll look to use that vulnerability as a vehicle to compromise organised or compromised systems across the globe. What we have here really is a vulnerability that is applicable to multiple applications. And we will and we are anticipating to see many, many exploits come out. So of course, for those of us in the cybersecurity world, it becomes not only last weekend, but a couple of weeks trying to keep track of not only the vulnerabilities, but also how criminals are actively exploiting it. And of course, this is no different. There are reports that this particular vulnerability was being exploited at least over a week before it became publicly known. So the criminals knew about this, and they've been attacking organisations and systems for at least 1012 days so far.

Andrew Grill:

Your report also said that 79% of organisations experienced downtime due to cybersecurity risk. So this has now got to reach the board where they're saying every board meeting has got to have an item around risk and cyber risk. Our boards taking this threat seriously.

Raj Samani:

I was talking to CSO for a large bank, and he said, I see the board and I briefed the board more than any other member within my organisation. Without a doubt, I think boards acknowledged the cyber risk, I think there are some more fundamental things that we have to kind of address which is first and foremost, I don't know of a single CSO that is ever become a CEO, CTO or a CIO. I think maybe there's two examples. The challenge that we face is, is that organisations perhaps don't realise or don't have knowledge that they're no longer in, for example, banking or in distribution. They are a tech company, and everybody is a tech company now. And of course, preserving the integrity, confidentiality and availability of systems that they need, I think requires a different approach to how we do things. And I think one of the things that we should be openly supporting is for CSOs to be part of that board or CSOs, for example, or CEOs to have had a security background. I don't want to spread fear, uncertainty and doubt. There's been so many examples whereby somebody opening an email has led to a company being unavailable for weeks upon end, we saw the queues for petrol. Just recently, we saw meatpacking companies we saw Health Organization's literally become crippled because of these types of issues and attacks. For me, the challenge becomes how do we accurately articulate the risk and demonstrate the opportunity that security has. So in my mind, companies that addressed security and privacy effectively will be the ones that will be the most successful in the future?

Andrew Grill:

You know, I'm really lucky in my line of work, I get to speak to the boards of directors of public and private sector companies. And I spoke to one I can't mention who they are last week. And I said to them, I hope what I've said is made you uncomfortable. And there's a little thing that I do I tell them to go to a website called have I been poned. It's run by Troy hunt, you probably know him. He's based in Australia. He's put together a database of about 5 billion passwords that have been exposed over the last five or six years. When I say go to this website, type your email address. What that does, though, a senior executive then says, Oh, my goodness, my email address has been leaked. Now you and I know that that's probably not the end of the world. But it finally brings security He feared to their palm and in their hand, he said, We don't need fear, uncertainty and doubt. Before the call, we're talking about how security is not really important until it happens until your house gets broken into you don't upgrade your security systems. Is there a way to sensitively educate at the board level to say, you are publicly known your name is on the website, they will potentially try social engineering to get the board papers from you and learn something about what's going on and then impact the company? Does it start with a board to make them a little bit more uncomfortable?

Raj Samani:

I want to share with you a story. So it was about a year ago, I received a phone call from a really large company. And they were like, Well, look, it looks like we've been hacked. And at that point, there was really not a huge amount of appetite. It was like, well, we've been hacked, but it's fine. It's just noise. We you know, it's another risk, we'll deal with it. And during the course of that investigation, we were able to identify the data that had been stolen. And we were talking about probably the most sensitive information that company held. And then we did some analysis, and we were able to determine the likely threat actor that had compromised the environment. And actually, it turned out to be a foreign government. And I think what was really key was we were able to contextualise the issue because I think like fundamentally, cybersecurity is kind of like the dark arts unless you had the book that was written by the Half Blood Prince, you're really kind of struggling to try and understand what it really means for you. And ultimately, that to me is the critical part which is missing, which is contextualising the issue so that whether it's a consumer, whether it's a CEO, they understand, hey, look, this is why it matters to me. And for me, that's the most important thing. And of course, it's challenging to do that, because we have this asymmetry of information whereby criminals have all of the advantages for us as defenders, if a company gets compromised, well, in some cases, you may not even know about it. In some cases, they don't even know about it. So the challenge becomes how do you contextualise this so that they can understand this is what it means to me. And this is why it's important to me. And then I think we'll begin to see some sea change, I believe

Andrew Grill:

you make a good point because sometimes they don't know they've been compromised. I did a talk a few years ago to a well known organisation. I had to go under NDA to stay in the meeting after my presentation because I wanted to hear what he had to say to his execs. And the seaso said, We got contacted by the National Crime authority, who said there was a well known actor that was in our network for three months. And we had no idea that that person was there. But the National Crime authority, we're tracking them. And he said, This is how scary it's become. The bad actors have become so intelligent, they are keeping ahead of what's going on. So my question is, Can AI actually help here? But then my follow up? Question is what happens when the bad guys and gals also start using AI?

Raj Samani:

So I don't think the threat actors have that good. In my time. And I've been doing this for a fair bit. There's only really a couple of threat groups that I would say that really caused me real concern by and large, even this nation state. I mean, they were noisy, they left bread crumbs all over the place. I mean, quite frankly, wasn't that difficult to find out what they'd done and what they'd stolen. It was perpetuated by the fact that actually they'd been inside the environment for seven years. And of course, they've managed to compromise pretty much everything you can find. Fundamentally, the challenge that we face is organisations and certainly IT departments are overwhelmed by just the volume of systems and alerts and events that they have inside the environment. And of course, AI can help but equally Soken static based controls, the challenge becomes how you're going to be able to respond to an issue. A really great example was I mean, there was an investigation we did where an organisation had been compromised. And they said, Well, really, the technology should have stopped it. And I said, well, but the technology did stop it. In fact, the technology stopped it five times. But you ignored every single one of those alerts. At that point, the threat actors are still inside your environment, and you didn't do anything about it. With the kids, we've been watching Lord of the Rings. So every analogy is either rocky or Lord of the Rings. But if you kind of imagine the walls that Helm's Deep, if the orcs come with a ladder, and that particular ladder isn't high enough to go over the wall, guess what they'll do, they'll bring a bigger ladder. But if you're constantly ignoring every single attempt, then eventually they're going to find a ladder tall enough to be able to breach your defences. That fundamentally is the root cause of the issues that we're dealing with. We can talk about AI and we can talk about zero trust. And we can talk about all of these approaches or these technologies that can help fundamentally if you have a password of 123456, and you ignore every single alert that's happening, well, ultimately, the threat actors are going to get through so we've got to make it just slightly more difficult for them, then I think we'll begin to address some of the widescale issues that we're dealing with.

Andrew Grill:

This is the actionable futures podcast, I want to look at some actionable things that people can do today tomorrow. Now I'll talk about my own public service announcements that I make to my audiences. One is get a password manager and I've had one for 1213 years I explained that I I actually use one password because it connects into have I been poned. And I did a threat analysis. And I found the first time I did it, I had 702, reuse passwords. And I've got that down to about four. So I actually have a unique password for every single website I use. I don't know my Amazon password, I don't know my Twitter password, my password manager does. The question that always comes up. How do you protect that, of course, I have to factor on top of that. The really simple things are, first of all, turn on two factor on everything and have a password manager is that enough to just make it a bit harder to have that more secure bike lock on my bike rather than your bike.

Raj Samani:

So for me, I think the challenge becomes we've got to determine reasonable controls. So in the UK, the Data Protection Act talks about reasonableness, I think principle seven talks about reasonable controls. And again, the same thing should apply to our daily lives for yourself. For myself, for example, having two factor authentication, having encrypted communications, the level of security that we need to deploy will probably be higher than most for others who may not necessarily require that level of security, perhaps we can talk about well, okay, what we do is we have a password manager. And we have perhaps two factor authentication, but maybe they don't need things like signal and, and encrypted communications. And so I think it's more a case of, we need to be open and honest for ourselves as they were, what level of security do I actually need to have, and thereafter, apply the right controls based upon the security I need. The same should be applied to your work life in your professional life as well. If you're a defence and security contractor, then you're probably going to need considerably more controls and say, for example, the hairdresser down the street. And I know this sounds ridiculously, like common sense. But for me, that's kind of what we need, which is we discussed security is this kind of commodity or panacea, but actually very grey with regards to how much security you actually need? And trying to determine that I think is the answer. So I think the terminology we would use is risk appetite, determine your risk appetite, and then apply controls to address the risk that you're uncomfortable with.

Andrew Grill:

It's probably been 10 years since banks started giving out dongles or two factor token so that when you actually do your banking, you have to have another thing in front of you. I think people are now quite comfortable with that, actually, in some banking applications is built into an app, if you want to protect your money should also protect your data. Is there a particular industry that's most at risk?

Raj Samani:

Well, the sad reality is, by and large criminals don't necessarily target. In most cases, it is an attack, which is opportunistic at best. I talked about RDP earlier, but ransomware groups have been using RDP now for some time. And the way that they actually pick their victims is based upon the credentials that they managed to acquire. So for example, they'll walk into a criminal shop and they'll say, hey, how many credentials can I buy to breach a particular organisation, and you'll be surprised the number of companies whose credentials are openly available for sale, they don't cost very much at all. They'll buy those credentials. And then they'll just breach those companies based upon the company or that particular organization's amount of money that they have, or you know, the value of that particular company. They'll then set for example, a ransom accordingly. By and large, this is a crime of opportunity, as opposed to specifically targeting, I get asked this question, which is, which is the most targeted sectors? Well, kind of all of them, when we did a scan of RDP, before lockdown, I think it was 1.5 million open RDP systems. By March of the same year, it was 3.5 million. There's a lot of low hanging fruit out there. And I know we talk about AI and stuff. But quite frankly, that low hanging fruit means that criminals don't necessarily have to invest considerable amounts of money, because they can just do very easily.

Andrew Grill:

So you mentioned the pandemic has opened up the threat vectors or the opportunity to get hacked. Now, we're probably moving to a always on distributed remote environment where we're in the office sometimes, or we can lock things down and half the time we're at home. Talk to me about how that changes the dynamic in terms of protecting a global organisation when you've got some people at home on gear that you can't control.

Raj Samani:

A really good example of that was and I think I touched on earlier, which is the social media perspective, we actually found a campaign being run by a nation state. And what they did was they actually created profiles of recruiters. And these are really convincing. They were actually based upon legitimate recruiters. And they were targeting people over LinkedIn, telling them that there was a job opportunity in their sector. And of course, when people open that particular email app, there was a technique called template injection, where they downloaded malware onto the onto those computers. And of course, that in turn, bridged over to the corporate world because the same computers were connecting to the VPN, which in turn introduced the vulnerability into the environment. And of course, that's just the tip of the iceberg. There's like 100 other examples, but that, of course, is the challenges that are facing organisations today, which is we no longer have this kind of perimeters approach where we kind of say, well, everybody behind the castle walls is safe, and everybody outside the castle walls or not, we really do live in a world of zero trust whereby everything connection Every system has to be assessed and determined whether we should allow them to be able to access corporate resources. But this absolutely is the challenge facing organisations, I believe

Andrew Grill:

you've just acquired FireEye. What do they do and how will McAfee's capabilities be enhanced by this acquisition,

Raj Samani:

integrating with fire, I think is a really exciting opportunity. We became McAfee enterprise earlier this year. And now integrating with fire I think, for me fundamentally gives us the opportunity to be able to kind of get access to their systems, but also get access to their data get access to their people, their teams, their intelligence, really to build up this enterprise company, which understands the threat better than anybody else. And to be able to demonstrate that and integrate that into our products. That's what we're about as a company. We are a company that understands threat landscape today, but also how the threat landscape is evolving and having access to their systems to their data to their to the really talented people there, I think really gives us that opportunity to address the security challenges facing organisations, not just today, but actually how they're evolving because criminals have research and development departments. When the gandcrab crew claimed to have made $2 billion dollars, we saw innovation within their arsenal of tools. We've got more people that we're integrating with, but really, really smart people there. So very positive kind of direction for us.

Andrew Grill:

So another area that we haven't touched on is that of the Internet of Things, or IoT, a lot of work on IoT. And I saw on some of your reporting, also, we're seeing more threats in that area, especially around API's. So talk to me about how IoT and API's application programming interfaces could become the next area of attack.

Raj Samani:

I think it's already an area of attack with Mariah, for example, we had considerable amount of these devices that were being actively used to carry out attacks against other systems, then I think you've got for me, one of the other challenges, which is security and privacy issues that you have about introducing those devices into your home or into your workplace and then think of something like these baby monitors that were compromised. And we've done a lot of research within my team, we run the Advanced Research Division, we've managed to compromise. I think it was coffeemakers heating, ventilation and air conditioning systems, internet connected padlocks. And then of course, you've got privacy considerations as well. I personally won't have always on connected microphones in my home. I know there's been issues around with ring, for example. So I mean, it's actually quite dizzying. When you think about the way that we're moving towards in society. We're moving towards automated vehicles, we're moving towards always on devices, we're talking about cameras inside the homes, microphones always on maybe this is the paranoid person in me. But we just need to take a just take a breath and say, Well, hang on, look, do I need to have this always on in my house? Do I need to have this camera on in my home, I saw just the other day there was a fairy camera that people will put inside their children's rooms in order to be able to monitor and watch their children in their bedrooms. Well, when you're buying these devices, is anybody kind of saying well, do you really need to do that? And actually, if you aren't going to put that in your home is that device got the necessary security controls in order to prevent third parties being able to eavesdrop? I mean, it is frightening how we've just accepted the fact that we can be surveilled at all times. And I know this is not security. This is me just ranting a bit. But it's just madness that we accept the fact that we're going to be putting these devices in or we're going to be dependent on these technologies without any consideration around the security or the vulnerabilities about it. I mean, when you go to Amazon and you buy these cameras, typically you look at the rating and the rating is based upon functionality never on security. For me, security is probably the most important thing. If you're going to be putting these devices in your home. Don't you want to know the fact that actually this company has a vulnerability disclosure policy. I mean, we recently found vulnerabilities in infusion pumps, for example. And those infusion pumps could be compromised and we can manipulate the readings on that particular infusion pump. So it says, for example, Hey, we've managed to put 50 milligrammes of medication in your bloodstream, whereas actually 120 or 150, we've got to collectively make sure that security is front and centre, because you are going to be dependent on these devices, literally, to put medication into your bloodstream or to drive your family at 80 miles an hour. Let's put security at the heart of it. And certainly privacy as well. I apologise. As you could tell, there must be a 19th century person living in the 21st century sometimes,

Andrew Grill:

no, I don't want you and apologise. I want people to hear your message. And it's not a rant. I think unless you contextualise it unless you take it down to the fact that you have something looking at your children that can be hacked. People don't realise this because they plug it in. And they haven't done a cybersecurity course they don't run their own systems. I say to my audiences to get digital, you've got to be digital. So we talked off camera about my Wi Fi setup. It is commercial grade security software with VPN and all sorts of things. But I know what I'm doing and so what scares me is that even my friends that have problems with their iPhones or their Wi Fi it's so complicated when it's just simple, and you just scan a barcode, and you put the theory camera in your child's room, and away you go. They don't think about this. And probably when it was designed, they didn't think about it either. So I don't think you should apologise. I think it's actually your role and my role to wherever we can. And I mentioned before about my public service announcements say that of my 45 minute talks, when I do these to a range of organisations, the one thing that gets talked about in the coffee break is all I didn't know about the need for a password manager, or have I been poned, or two factor that never occurred to me. So that seems to cut through, and I don't think you're scaring people, you're just bringing reality to them. I think everyone should be aware of that. In fact, I think everyone should do some sort of basic Cybersecurity Awareness. Unless you actually make it real people aren't understanding the incredible risk they're putting themselves through.

Raj Samani:

You did a lot of work with Bletchley Park, which by the way, I have to say, for a PSA, if you've never been to Bletchley Park, make that number one on your list, I would put it ahead of Harry Potter World, I actually would give talks there regularly. And I always try to do this once a month, I'll always try and go to a school to talk about careers in cyber. I had a group of parents come in. So it was like, hey, look, we're going to do a career talk. And we had parents come in with their children to listen to me speak about having their kids come into the industry. But one of the questions I asked at the time was, well, how many of you have devices like from a company called V tech, and you may remember, V. Tech is kind of connected teddy bears and cameras and stuff. And many of the parents put their hands up and I said, Well, how many of you are aware that this company got breached just recently, and every hand goes down? And I said, and were you aware that when the breach became came to light, this company said they absolve themselves of the responsibility to protect the data in the event that it comes into the hands of third parties. In other words, we take no responsibility if we get hacked, and I remember the Information Commissioner went crazy at that particular response. But again, it kind of touches upon a fundamental issue, which is people are going and buying these devices where kids are interacting with it. They're sharing their innermost thoughts that photos, videos and themselves. And that data is now in the hands of criminals. But of course, the parents have no idea about that. And so for me that just seemed incredulous. And I remember when Sonos did something around their privacy policy, they made changes often. And I remember writing blogs about it, because I was so incensed with their response. There is this kind of gap between the cybersecurity world that people watch on TV or in Hollywood, and how it actually impacts them. And I think that's the challenge that we face like all of us face today, which is how do we bridge that gap so people can understand and make better decisions rather than buying a fairy camera because it's pink.

Andrew Grill:

So just a few things there. Bletchley Park, I have to absolutely echo you need to go there. Now. I was very fortunate. Dr. Su black ran a campaign to save Bletchley Park. And I was there the day that Matt Britton from Google said, we are going to save Bletchley, we're going to donate some money to do that. And I'm just getting goosebumps thinking about it now, because that institution saved millions of lives and helped the early end of the Second World War. So everyone should go there and understand how back in the 40s, they would so smart to do the codebreaking. So absolutely do that as well. Other thing I should do as another PSA, you may be in this organisation already, speakers for schools is an organisation set up by Robert Peston to charity. And it actually is a structured way to go and give talks to schools I'm involved with that I do about three or four a year. And if you're not involved with them, they will help match you with schools that can actually benefit from your advice. You touched on careers. So for those looking at cybersecurity as a career, what are the hot roles right now? And why would you encourage people to look into cybersecurity.

Raj Samani:

That's the beauty of this industry is that There literally is any possible role you can think of, I mean, from people with deep technical skills to individuals that are creative. So if you think about some of the awareness courses, like companies that know before are doing such great work around awareness, there are people that are psychologists, there are privacy industry, I mean, There literally is something for everybody and and why I would encourage a career in this industry is is that it's so exciting. I mean, there's so many things happening all the time. I remember when I started in my career, I think I ended up doing 25 professional certifications, my must have written 200 articles, written three to three books and just constantly changes so much. And so it's exciting. There are opportunities, ridiculous number of opportunities. A number of companies hiring today is dizzying. It's a really good community of people. And this is where I began my career. This is where I continue my career. I don't think there is an opportunity for me to be a teacher at Hogwarts, so therefore it's probably where I'm going to retire. This is something that I think everybody should be considering and really get rid of that stereotype that you need to be a coder to be in this industry because you don't have to be a coder in by any stretch of the imagination. What you need to do. I think fundamentally, the most important thing is you need a thirst for knowledge and if you're constantly learning and constantly trying to improve yourself. And I think this could be the career for you.

Andrew Grill:

So looking to the future, what are the top three cybersecurity trends? We should be aware of?

Raj Samani:

More Great question, there will always continue to be cyber related crime. That's to be expected. So I remember in 2013, the FBI wrote that physical bank robbery is on the decrease, because people are using more digital means, fundamentally, I think we are going to continue to see criminal evolution or nation state evolution to extract information and money from victims, the supply of bad things is always going to be there, we are going to become even more dependent upon technology. If you think about self driving vehicles, well, you know, within 10 years time, we will see them kind of certainly more ubiquitous across the globe, as we move towards smart cities, we are going to become more dependent. Our dependency upon manual intervention, I think will decrease for example. So we'll see less people actually taking their driving test, for example, and certainly more people dependent upon these automated vehicles. For me, I think that's going to be a really exciting trend. And for me, maybe the third one, and I'll kind of take it up a level, which is we are going to have to discuss and debate some of the more esoterical questions that our society will have to contend with as we adopt more technology. And that's going to be policy based discussion and a policy based decision. I mean, a really great example is we're in the midst of this discussion now, which is the role of social networking companies as it pertains to our broader adoption of of elected leaders. What about insurance? And when we think about car insurance today, well, we have liability, what about when it's automated vehicles. And so it really is becoming a considerably exciting planet to live on. But we've got to start to kind of wrestle with some of these huge challenges and these questions, which is, is it right for a social media company to have this much control? And what do you do, for example, if you get breached by somebody that's never set foot in that country before? These are some of the challenges that I think we need to wrestle with as a collective society?

Andrew Grill:

So time for one more big question. Do all companies need a dedicated chief security officer,

Raj Samani:

not necessarily a dedicated security officer, but I think all companies need to have access to some resources or people or some assistance from a from a not not, you know, a mate on speed dial, but actually somebody to help them navigate through this world, some small businesses may not have that opportunity, but you need to make sure that your IT supplier is at the very least keeping on top of the types of trends and some of the issues that you're going to deal with. I spoken to so many business business owners, whether they're CEOs of multi billion dollar companies, or like even my local hairdresser, for example, you know, who have a digital system to manage all bookings for haircut, you are dependent on technology, no matter how manual you think you are, and just having some resource that you can leverage or you can use, I think, for me is essential.

Andrew Grill:

So I always like to run my guests for a quick fire round, so we get to know a little bit more about you. So some quick answers to these quick questions. iPhone or Android iPhone, always window or aisle aisle. Biggest hope for 2020 to

Raj Samani:

sleep, lots of sleep.

Andrew Grill:

What's the app you use most on your phone? Twitter?

Raj Samani:

What are you reading at the moment? Dave Grohl the autobiography? How do you want to be remembered as somebody that was kind and always gave his time for other people?

Andrew Grill:

So as this is the actionable Futurist podcast, let's finish with three things that I listened should do today, when it comes to protecting themselves and their company from cyber attacks.

Raj Samani:

Number one, go to your browser, go to no more ransom.org We co founded with law enforcement and other security companies to give you free decryption tools in the event of a ransomware attack. Please number one, add that to your favourites. It is absolutely essential. Number two, please read the cuckoo's egg by Cliff Stoll. It is the book that got me into this industry. For me, it's up there as one of the important books of my life. Number three, no matter what you do, whether you're in security or any other career, just take the opportunity to go into a local school, contact the school and offer your knowledge about your career. Kids today need to be influenced positively by all of us. We don't need to have role models that we have today, promoting vanity through social media platforms. For me, the most important thing is just take some time, it is no more than maybe 45 minutes, you have no idea the impact that it could have to young kids.

Andrew Grill:

That's really great advice. And I'll put all the links to those websites and books in the show notes as well for people listening. So finally, how can people find out more about you and your work?

Raj Samani:

I'm on LinkedIn and Twitter as well. So at Raj underscore Somani, my DMs are open so I welcome positive feedback.

Andrew Grill:

Write a great discussion today with some great tips. Thank you so much for your time.

Raj Samani:

Thank you for inviting me.

Outro:

Thank you for listening to The Actionable Futurist Podcast, you can find all of our previous shows as actionable futurist.com. And if you like what you've heard on the show, please consider subscribing via your favourite podcast app so you never miss an episode. You can find out more about Andrew and how he helps corporates navigate a disruptive digital world with keynote speeches and C-suite workshops delivered in person or virtually at actionable futurist.com. Until next time, this has been The Actionable Futurist Podcast

What does McAfee do?
Cybercrime in a pandemic world
How cybercrime has evolved
How supply chains are now a target
The Log4j vulnerability
Are boards taking cyber threats seriously?
Making the board uncomfortable about the risks
Contextualising why cybersecurity matters
Can AI help fight cybercrime?
How much security do you need?
Industries most at risk
Nation states running social media campaigns
McAfee + FireEye
Criminals have R&D departments
IoT and APIs as the next threat areas?
Children's toys are getting hacked
Putting security at the heart of design
Bletchley Park's role in cybersecurity
The hot roles in cybersecurity
Top 3 cybersecurity trends
Do companies need a dedicated Chiefs Security Officer?
Quick fire round
3 things to do today to stay safe
Contacting Raj @raj_samani