Interview: Culture and cloud - the battle for cybersecurity
Above: Chillisoft CEO Alex Teh, ESET CTO Juraj Malcho, ESET CEO Richard Marko, Chillisoft founder and MD Geoff Cossey, and ESET APAC COO Lukas Raska - in Queenstown, New Zealand for the ESET APAC conference
There is something oddly familiar about ESET CTO Juraj Malcho’s manner as we sit down to talk at Chillisoft’s CybersecCon last Friday.
I noticed it first when he was speaking on stage about AI and ML in the cyber threat landscape - a certain frankness that is not often seen in the C-suite of multinational corporations.
Later, as I speak to Malcho generally about life and living, it begins to fall into place - he is from a small country, population around five million, began tinkering with tech in his garage, and soon found himself working for a company punching well above its weight, globally.
His story is not that far from that of many Kiwis that I have met, and his manner is not too far either.
This Slovakian company understands that a country is not defined by the size of the market, evidenced by the CEO himself making his way to the ESET APAC conference in Queenstown this week.
Perhaps this is why when the topic of how to ensure employees are cybersecurity savvy comes up, Malcho’s response revolves largely around culture.
“You need to practice what you preach, basically,” is his advice to any executive in charge of cybersecurity.
“One thing that is really important when you talk about people understanding what phishing is, is what types of attacks and why someone might be attacking your company. Explain to people what the value is and what the motivation is, and what happens if they fall for the trick.
“Our philosophy has always been that you don't just want to have an army of soldiers and someone's going to tell them what to do... Our philosophy is: make everyone an expert. As I inherited our philosophy, gradually it's going to get into everyone.”
The rising global importance of corporate culture is one that companies from small countries have a head start on and, when it comes to tech, ESET is also working to stay ahead of the game.
In Gartner’s 2018 Endpoint Detection and Response Magic Quadrant, ESET was named as a Challenger, a strong position, but missed out on the coveted Leader title primarily due to “its limited cloud management capabilities.”
This is a message that has been heard loud and clear.
“The first question is always cloud,” Malcho says.
“We have responded to this, we released our cloud-based console for SMBs (250 seats) last year. We removed a bunch of things that an SMB wouldn't use and overcomplicate the product. The MSP market is also interested, but they actually want to have the large console because they want to manage all their customers from one spot. This will also be the enterprise version because enterprises are also going to cloud.
“The largest part of our developer resources are working on cloudification. We're working hard on cloudifying our large console that we call the Security Management Center.”
Despite the cybersecurity risks that cloud technology brings, it is an inevitability. However, even the smallest organisations can keep themselves safe with a little strategic thought.
“Identify your valuables and what can be done specifically in terms of attack base,” Malcho suggests.
“That’s where you need to start. You don’t just want to grab a random product and say ‘because I have a budget of X, I can look at these four products.’ Does that make sense? Maybe you don't need any of those?
“We even see it in enterprise-grade customers. One problem here is compliance - companies will go after a check mark in some internal process, but maybe they never even set it up. It's quite common that people eventually don't use the products or services correctly. It’s the worst thing - you pay for something, you have a fake sense of security, and eventually, you get nastily surprised."
Tapping into the rising presence of managed service providers is a way that a smaller organisation can stay secure, making the most of the cloud’s remote capabilities.
However, Malcho warns that although it is worth finding these companies to help, you still need to be thoughtful in your relationship with them.
“Generally I will say that if you're not able to run your infrastructure properly, it's probably better to go to a provider. The only risk is that you might be you might become an unexpected victim of an attack, which was not against you, but the higher profile targets sitting on the same infrastructure.
“MSPs and MSSPs are growing everywhere like mushrooms, but you need to look out for some of these garage MSSP's - what do you know about them? It's always a gamble and of course, not all of these companies are super professionals.”
Despite his vantage point, Malcho says he still believes there are more good people than bad and that if we work together and stay vigilant we can keep ourselves safe.
But in a game that is always changing the most important thing to remember is that there is no perfect, just the best we can do.
“There is no Golden Rule. The whole name of the game is mitigating the risk.”