Cybersecurity is not just about technology; it must also address people, process, management and governance within a company or an enterprise, according to Cyrus Salesse, CEO, KRYPTON. In an interview with Telecom Review, Salesse focused on KRYPTON's role in helping customers prevent security attacks through an innovative approach.
The KRYPTON CEO spoke about the importance of adopting the right security strategy, one that will immunize companies against any type of security threat. He also highlighted the importance of strengthening cybersecurity in the 5G era.
In the digital era, which has brought new cyber threats, how does KRYPTON help companies prevent security attacks?
KRYPTON was established in 2013, so it is our sixth year serving our customers. Initially, many of the services associated with "cybersecurity" were limited to penetration testing. However, with the rapid changes in technology, regulations and the sophistication of the threats, this industry has had to mature quickly. Therefore, the way we work today with our customers is to actually combine three different disciplines together, which are:
- Technical security expertise
- Management consulting
- Program management
We have established this innovative approach and combined it with an information security framework which we have developed, making it a unique offering from KRYPTON. The reason for such an approach is that cybersecurity is not just about technology; it must also address people, process, management and governance within a company or an enterprise. The benefit of the above approach for our customers is that we engage with them on a long-term basis to assist them to develop and increase their operational maturity when it comes to "information security" (InfoSec), which for us is different from "IT security".
5G is set to introduce more mission-critical services and applications. In your opinion, what security approach is required to prevent cyberattacks?
A fundamentally good approach to InfoSec is not so much, or at least should not be, dependent on the technology – faster, better, cheaper, etc. However, in the case of 5G, because it can have an "uberization" effect on some processes and services, it is critically important to ensure that good security is incorporated at all stages.
In today’s environment, given the older/current generations of technology, security teams within the telecom operators, companies, banks, etc. are always [kind of] running behind to try to catch up to secure the environments and services, often post-implementation. This would be a monumentally difficult task within an IoT model, running on top of a 5G platform, since the proliferation of such devices and potential lack of ability to update them will make life extremely difficult for all involved. So, I think we need to think about this at various levels and stages, namely:
- Technology developers (i.e. vendors) must design and implement communication protocols and develop equipment with a “security baked-in” approach, for example, by using stronger authentication and encryption mechanisms;
- On the other hand, the network operators should identify the “trusted” vs. “untrusted” security zones within as well as outside of their environments in order to address each with appropriate measures;
- Finally, the customers should recognize that security threats are real. Therefore, they should use trusted applications and where possible use available security services.
Some experts consider that there are still some gaps in telcos’ security strategies. Do you agree?
I think there is no such thing as a perfectly secure environment today. It is a continuous cat and mouse game between the attackers and the targets! Furthermore, by the nature of the services that the telecom operators and telecom companies provide, they are [have been] more focused on operational performance rather than security, as such. Of course, this is quite understandable, since if/when there is a service disruption, everyone is impacted and knows about it. So, it is justified to focus on the operational aspects, but security can no longer be ignored since a breach could be the cause of a disruption.
All of this to say that security has had to take a backseat to operational performance and with some telecom operators, we have witnessed that security does not even have a seat at the table! This needs to change; security is a critical part of the operations and it must have the required strategy, which to us means the required allocation of management focus as well as resources.
In addition to providing information security advisory, what other services do you offer to your clients? And what types of companies do you target?
Our target industry segments are primarily telecom operators and financial services in the Middle East region. This is where most of our customers come from, but this does not mean that we are not working with companies in other sectors such as retail, information technology [developers], insurance and even health. However, the lack of regulations or of enforcement of information security and privacy laws in the region makes some sectors more ready and willing than others.
Apart from the approach that I described earlier, KRYPTON is not only a PCI-DSS QSA for the payment card industry (Visa, MasterCard, Amex, etc.), but also a SWIFT security partner for the banking sector. We provide consultancy services for our customers to devise and to implement ISO 27xxx and, more recently, GDPR.
The latest trends and customer requests are coming from those who require assistance in the [proper] implementation of a SIEM, including the development of use cases. Others are asking us for support to build a security operations center (SOC) and more recently, discussions are trending regarding how to become an MSSP.
On the more technical side, we continue to provide expertise and services for social engineering, penetration testing of telecom core networks and IT networks, applications, etc. Finally, and when required, we have partnered with a few reputable companies to deliver security-related solutions (e.g. vulnerability management, SIEM and telecom core network monitoring, among others).
KRYPTON organizes training sessions mostly related to information security. Is there a unified message that you convey to all the teams you train regardless of the theme of the training?
As mentioned earlier, “people” are important and one of the key aspects of InfoSec. As such, training and awareness are an integral part of the programs that we work on with our customers. While we do not provide public training courses, we develop highly customized curricula for our customers and assist them in their delivery to ensure the right material reaches the right target audience.
Furthermore, security awareness is a critical element within InfoSec, which often does not get the required attention or resources. Specifically, one could secure a company from a technology point of view; however, it is sufficient for an employee to click on a link and the door would become wide open! So, we are focused on delivering high-value, effective yet efficient security awareness with a partner using a security awareness platform.
To respond to your question, if there is a common message, it would be that not only must all the teams collaborate, but also that you must tackle all aspects of InfoSec – all at the same time – in order to succeed. It takes time to build the right level of security and, more importantly, the required maturity.