Head of Cloud Security
SS: Hello and welcome to Lørn. My name is Silvija Seres and our topic today is cyber security. I'm very fortunate to have as a guest Monica Verma, the head of cloud security at PwC. Welcome.
MV: Hi, thank you, it's a pleasure to be here.
SS: It's great to have you here, Monica. We tried once before and our schedules got messed up, and I really enjoy having technically very skilled ladies on the program, because it's the best proof we can give to the rest of the world when they start saying that, you know, there are too few women in technology. It's absolutely not true. So we'll talk about cyber security both from the organizational and innovation point of view, but also from a somewhat technical point of view.
MV: Yes absolutely.
SS: Before we do that, can I ask you for a few words about who you are and what you like?
MV: Yeah. Monica Verma, as you have already mentioned. I come from Germany. I moved to Norway around 2016, when I started working in banking and investment management; now I'm working at PwC. But apart from that, the very interesting thing, and I feel it is the reason why I'm working in cybersecurity now, is that my love for technology and cybersecurity goes many years back. I remember I was 10 years old, flying to the US with my father. I was lucky enough to be sitting in the front seats, and the pilot came out of the cockpit and saw a kid, and of course he asked me, hey, would you like to have a look at the cockpit?
SS: What! Hehehe
MV: Exactly, and I'm like, yeah, of course, right. And then I step into the cockpit as a child and of course I'm amazed by the spectacular view. But more than that, I was really amazed by the entire equipment, all the machinery, all the technology behind it that keeps the entire plane airborne.
And that got me hooked. It showed me exactly how it works, and how a few switches keep the entire flight airborne. As a kid it was a big thing for me. And then, fast forward a couple of years, I studied computer science and I started learning about programming. And of course you create programs to do the things they are intended to do. And then I started to realize that you can actually create programs to do things that they're not intended to do, which we later call hacking, but at that time I got really into Internet security, and that's the reason why I did my master's in information security, with specialization in cryptography and application security. And from there, 10 or 11 years fast forward to today, I'm here, and I've been working in information security since then.
SS: Help us learn a little bit about computer security. So it's a space that simply scares most people. They think you have to be this deep, reserved type, you know, wearing a white hat or a black hat, it doesn't matter. But there are some general principles that we can open up now.
MV: Yes, I mean security is definitely, as people say, about the CIA: confidentiality, integrity and availability. But I feel security is really about mindset. And the reason I say that is... yes, confidentiality, integrity and availability. Yes.
SS: So it shouldn't be dirty, messy data. It shouldn't be data that's unavailable, because then it doesn't matter whether it's secure or not. And confidentiality is that only the people who should see it, see it.
MV: Exactly right. And these are the three basic principles of security, right. But I feel that, more than that, security is also about a mindset. And the reason I say that is because I worked as a hacker in Germany for Siemens for around four or five years.
SS: How does one do that? Try to find the holes?
MV: Yes, you try to find vulnerabilities, as they are called, in programs and operating systems and applications and products. Whatever the tool, either unauthorized access or some other means to open ports through reprogramming, it can go from something very simple, such as scanning applications to find openly available pages or ports that you can use for your own benefit, to something as deep as creating programs that hook into the memory and into the whole assembly of the operating system and change it from the bottom, from inside, and create something known as backdoors, which you can then use later for taking control of the entire...
SS: So you could find a way for the program to run... inside another computer, or?
MV: Applications yes.
SS: And then it could start multiplying itself, or it could start reading things it shouldn't be reading, or you could start using computational resources, or...
MV: Yes, there are different ways to do it. Like recently, ransomware became a very hot topic in the last decade. There have been lots of ransomware attacks.
SS: Ransomware, I mean you steal something from people and then you ask for money to give it back.
MV: Yes. So ransomware is just like ransom, but a software that is used for ransom. It's called ransomware.
SS: How does it work?
MV: So basically you use some of these vulnerabilities, right, in an application, you get yourself in, and then you use programs to encrypt all the important data or files or applications that a company might need or use to work on a daily basis.
SS: You basically lock down the information.
MV: Exactly, you lock the information and then you keep the keys to yourself.
SS: Unless they pay you.
SS: And have we seen this?
MV: We have seen many. We have seen a period that was basically devastating the whole world, the biggest example being Maersk, where...
SS: Basically it was in Ukraine.
SS: By an unnamed attacking nation perhaps.
SS: They locked files. How did they manage to get into so many companies?
MV: Yeah, because they use programs that multiply. They have the similar vulnerabilities that they use to attack, and they usually go and target everybody, so they find wherever the vulnerabilities are and they get hooked. So there are attacks that are targeted, and there are attacks that are basically going out in the wild, trying to search for vulnerabilities, and when you find these vulnerabilities and lock onto them, you basically encrypt or lock down these files and data and keep the keys to yourself. And then you also use programs to multiply, to go through networks, to go through different channels, to replicate themselves across the entire organization or also to others. Imagine there is another vendor that's using your systems, or you are using a vendor's systems, and your vendor gets ransomware, for that matter. Then it can multiply to your organization as well, and that's why they duplicate and replicate over to the different networks, because all of these are somehow connected with each other. And that's what you also definitely have to think about when you think about security: you think of the entire supply chain. You have to think of what resources you are using that are third-party developed, and how your risk today is not just your own risk portfolio, it's not your own risk profile; it basically depends on the risk profile of everybody that's involved in your entire supply chain, and that basically shows you the entire...
SS: Because people just open their emails, or they supply you with code.
MV: Just as an example, say you use a cloud service provider. And the whole purpose of using cloud services is that you're sharing certain resources between different tenants from different companies, right.
Say you're using certain computing power or an operating system from a service provider, and they get hacked, right, and their credentials get stolen by some hacker. Right? Then these credentials can be used to replicate through these shared resources into your systems and into your organization and find some more credentials. And this is how attacks are all set up to get through the entire supply chain into your organization.
SS: So how do you protect yourself?
MV: Well, there are a lot of different ways to do that. And of course you have to think of creating the right security program, and the right security program basically starts with thinking of your business risks and then defining the security risks or operating risks that can lead to these business risks. Another way to do it is, when you create a security program, you have to think of developing security that is embedded into the business platform. There are various companies who start with the low-hanging fruit, which is really good and great, because when you have a lot of low-hanging fruit, starting to fix that is good and fine. That is what I call reactive security: when you've found that you've gotten hacked, you fix something, and that's really fine. But I feel we need to focus more and more on proactive security, thinking of how we're going to build an entire security management program which is based on business risks, not just operational risks, but tying your security risk to these business risks. So basically you see, and you're able to understand, what is important. Let me give you an example. Let's take a very simple example: let's say a company has a business goal of making profit, which many companies usually do, right? It's always the overall goal, making profit, but to make profit they want to build customer trust with the products they're providing to customers. Right? When you want to build customer trust, how do you build customer trust if the customer's data gets leaked, if the customer's data gets hacked? How do you build trust when you have programs or applications or functions that are not showing the right value or the right amount, and the customers have a look and then see a bill that's not right? The integrity is missing there, right.
So to be able to build that customer trust you have to think about a lot of different aspects of security which at the current time might not be causing you a loss in revenue, but in the long term cause a loss of the customer trust that was built and, indirectly, a lot of loss of revenue.
SS: I think that's really important to think about. I think we all think about cybersecurity as a very costly necessity, but very few people think about it as a means of value creation. But what you are trying to say is that's actually what it is.
SS: A long-term necessity, but also maybe they decide that you are more trustworthy than the competition, and that will be one of the really important reasons for choosing you.
SS: As a provider.
MV: I can give an example. So when Maersk had the ransomware attack, it cost them a lot of millions of dollars. I don't have the exact numbers in my head, but then Equifax...
SS: Did they lock the customer data?
MV: No, it was production. So basically it's an example, because the Maersk ransomware attack caused around 800 ships to just stop functioning. They were in the middle of the ocean and they just stopped. The production just came to a halt, right? And there they saw a loss of revenue immediately, right? Because the production came to a standstill. But then if you compare it to an indirect attack where a lot of customer data gets lost, Equifax, right, Equifax and Maersk got hacked the same year. So with Equifax the attack was different. They had something with the Apache program that they were using that cost them not only personal sensitive information but also passport numbers, credit card numbers of all the customers. And Equifax, in 2019, no, at the end of 2018, released their annual report, their financial report, which showed that the amount of money they had to spend on fixing and cleaning up the mess that happened because of this sensitive data loss was way more than what Maersk had to pay for that production stop. And you see that much later in time, but there are various real examples that basically show you that if your customers realize they lost data today, not only do you lose the trust of your customers but you also lose a lot of revenue. So it's just smart sense and basic sense to invest in security in the beginning.
SS: I don't think any of us understood how likely this problem is.
SS: And now with the cloud it's even bigger.
MV: Yes. Because now you have different parties involved, you have different service providers on board, your attack surface has increased, and your risk portfolio keeps on changing based on other people's risk portfolios as well.
SS: How do people manage this risk? What is your main advice?
MV: To start with, managing risk, as I said, most importantly you have to understand what the business risks are. That's the first and foremost step.
SS: Polls on the material stuff.
MV: Yes. First and foremost it is important to understand how your security posture or profile can affect your business and can lead to business risks. When you're able to do that mapping, you're better able to show your management how important it is to invest in security; you're better able to even do reporting on security metrics, KPIs for example, better reporting to the management on whether what they are investing in security is paying off. This is what you call return on security investment: instead of ROI it's ROSI. But you need this kind of mapping between the security and operational risks and the business risks. That's the first and foremost, to understand why to invest in security.
SS: And where should one go? Oh, by the way, before we get to my final questions about where to learn and what to do now, before we do that, you have a really interesting parallel. We talked about Formula 1 versus security.
SS: Would you mind telling us about that.
MV: Yes. So I mean all the different aspects of digitalisation, moving to cloud, automation and innovation; this is not something new. This is what we have been seeing for a while now, but it's of course gaining more and more momentum and we're going faster and faster. One of the biggest challenges in security is that security, as you know, is seen as a hindrance, is seen as an obstacle. It's seen as a necessary evil, but not many people are really happy about having security in place, for a lot of reasons, and there are a lot of CSOs in the world. Overall, there was a survey that found that 77 percent of CSOs have to choose between security and productivity. And I see it as Formula 1. So when a Formula 1 race is happening, right, the driver comes into the pit stop. At the pit stop, the pit crew has probably just a second or two to fix the tyres and everything else, the pressure and all the things they have to check, and make sure that the car is still secure and good to go for the next laps.
Right? If you ever notice, the guy in front of the car is the guy with the front jack, right. He is the first one to go in and the last one to get out, and there is always a backup for the front jack as well. The reason being, he has to secure the car before anything else is supposed to happen, at a very fast speed, within two seconds, and he is the last one to get out to make sure that no accidents or injuries or anything happen. And this is how we need to think about security today. Security needs to be embedded and integrated into the business platform so that it is seamless.
SS: Security first and security last.
MV: Exactly. It starts with security and ends with security, but it enables innovation. It enables the fast speed, it enables the driver to go on to the further laps and then be the first one.
SS: I asked you to recommend a book and you recommended one which I think is very cool. Say a little bit about it: "Click Here to Kill Everybody".
SS: By Bruce Schneier.
MV: Yes, I really think it's a very interesting book to read. It's not a novice book. It's not something that talks about some great invention, but it mostly talks about how the premise has been so far in the last years, and how, moving forward, more and more government institutions need to come in and need to help look into these cybersecurity aspects and programs, and what's going on within cybersecurity has to be more fundamental from a government perspective. And we see a lot of examples with multiple institutions: when some big attacks happen, like the Facebook scandal, or some other incidents happen to Microsoft or big organizations, then we try to get them to look into the aspects of, hey, what happened to my data, right? And even after trying so many times, it's not like the change or the shift that has to happen happens very soon. And Bruce Schneier talks about how we need more and more technologists who understand technology as policymakers, and how we need more and more policymakers to embrace technology. And this is what's really important going forward.
SS: These multilingual collaborations.
MV: Yes, absolutely!
SS: Would you like to leave... Oh, by the way, you also recommended Hacking Exposed.
MV: Yeah. There is a whole series, the Hacking Exposed series. If you would like to get an understanding of how hacking happens, well, you can start with a lot of it.
SS: Can you give me a concrete analysis of a case, or...
MV: Yeah, there are different examples in there, different lab examples, so you can use some lab examples and you can read through the theory of it. But also there are different, what do you call it, Capture the Flag or CTF environments, lab environments online, that one can go to and then just hack safely without it being illegal. Yeah, exactly. Because hacking is illegal, so please don't do that illegally.
SS: Don't do this alone at home. Only when you do it in the sandboxes.
MV: The sandbox is exactly the playground. Absolutely.
SS: So there is a security festival?
MV: Yes. So in August there is going to be one of the biggest security conferences in Norway, at Lillehammer, where...
SS: The international conference.
MV: Yeah, well, there are a lot of different organizations within Norway itself that are doing it. There are some people coming internationally as well, but a lot of security communities within Norway, like ISAF, ISACA, Cloud Security Alliance, DND, Muses, all of them, instead of having different security events, are gathering to do a very large one. So I really recommend everybody to go there.
SS: You have a quote that you would like to leave to our listeners.
MV: Yes, absolutely. There are a lot of things within security where the saying "never reinvent the wheel" makes a lot of sense, right. Like, talking about cryptography: do not reinvent the wheel.
SS: It works.
MV: Yes. But as we say, in today's world, with the changing landscape, with innovation and digitization, there are a lot of other areas within security where it doesn't make sense anymore, where we need to think outside the box. And knowing that difference is basically what creates security and privacy and embeds them seamlessly into a business platform.
SS: Think new, even with security, especially with security.
MV: Absolutely. We really need to think outside the box and really think beyond.
SS: We didn't have time to talk about your pilot dream.
MV: Oh yeah, sure. I'm hoping I'll get a pilot licence somewhere in the future. Absolutely.
SS: Can I tell you my story? I do too. I was two thirds through my pilot training, then I got pregnant.
MV: Oh. That's good news.
SS: I never thought I had the courage.
MV: But maybe we can take up this journey together. Absolutely.
SS: I actually agree; now is the time to escape the kids for a while. Let's go do it, and we'll go fly.
MV: Let's do that.
SS: If people should remember one thing from our conversation, what should it be?
MV: Security should be seen as business enablement. Security should be seen as something that creates and supports enabling business platforms, digitalization and innovation. And we need a shift in mindset to build that. And we need to work together on this.
SS: New mindset but still much collaboration.
SS: I'm really glad that people like you and companies like PwC are working in such a good, nerdy way with these things, because I really think we've had some excellent help, by the way, from PwC in similar related areas in some of the other companies I'm working with, and I think it's really important to have the understanding of the process, the structure, all the finances, and then all this techie stuff, and that's where the magic really happens.
MV: Absolutely. I'm proud to be a techie.
SS: Monica Verma, the head of cloud security at PwC. Thank you so much for coming here and teaching us about cyber security.
MV: It was my pleasure. Thank you.
SS: Thank you for listening.
Who are you and how did you become interested in cyber security?
Since I was 17, I had two big dreams: to get a pilot’s licence and to work in what we now call information security or cyber security. I always had a special place in my heart for computers and technology.
What is the most important aspect of your work?
We help secure Norway’s digital world/business.
What areas of cyber security do you focus on?
I work on security governance and DevOps adapted to the business risks and aligned to the business strategy. I also help customers migrate to and operate securely within a cloud computing environment.
Why is this exciting?
Digitalisation, cloud computing and innovation have played – and will continue to play – a role in how technology and businesses are evolving rapidly to support their customers in better, more secure and more innovative ways.
What do you think are the most interesting controversies?
Companies want to innovate and outperform their competitors, but very few are willing to change the way they do things.
What are your own favourite examples of, or projects linked to cyber security?
Our main projects include:
- Building DevSecOps-based (i.e. product and development integrated) security governance and risk management
- Building a risk assessment framework for cloud migrations
- Helping customers with digital identity transformations and governance across the entire organisation
- Co-authoring CSA guidelines to help all Norwegian companies move to cloud, with better minimum security baseline standards in place.
Can you name any other good examples?
Cybersecurity has been at the heart of various significant events in recent times, such as the IoT hacks against critical infrastructure like the US power grid and a Norwegian aluminium plant, and Facebook's struggle with a rapid drop in customer trust and stock price.
What do you think is the most relevant knowledge for the future?
- How to build security and privacy by design and default to enable business
- How to better invest in protecting operational technology (OT) and critical infrastructure
- How to use cloud security for enabling business and innovation
Is there anything unique about what we do in this field here in Norway?
Digitalisation. The security aspect of this digitalisation has also gained a lot of attention here.
What do you think is the most important takeaway from our conversation?
Security is more than just "restricting things". It is about enabling business, innovation and, more importantly, customer trust and experience. Security is needed more and more to enable businesses to do things today that they couldn't do yesterday.