BlackBerry ThreatVector Blog

Protecting Your Organization in Times of Crisis: A Conversation with BlackBerry Cyber CTO Shishir Singh

Given the dire warnings outlined by U.S. officials and security analysts in recent months concerning the potential for geopolitical conflicts to spill over into “malicious cyber activity against the U.S. homeland,” to quote CISA’s “Shields Up” initiative, I took the opportunity to sit down with Shishir Singh, the new CTO for the cybersecurity business at BlackBerry, to discuss the potential impact of overseas military actions on the cybersecurity of domestic organizations.

I was particularly interested in his advice for small and mid-size enterprises, who may feel overmatched by the possibility of being targeted by a nation-state adversary.


As I stated in my introduction to the video podcast with Shishir, in my 20-plus years of covering technology as a journalist and now as an embedded content editor with BlackBerry, I've never seen a period where the specter of cyber warfare was considered such a clear and present danger to so many organizations, both in the public and private sector.

Here are some highlights from our conversation.

Steve Kovsy: Cyberwarfare has never presented such a clear and present danger as it does today. What are some of the key implications for organizations?

Shishir Singh: The pandemic has proved the world is small and everybody’s connected. Cybersecurity is one of the ways countries and companies are going after each other because getting into the digital infrastructure through that connective tissue is very easy. People are now connecting from more locations, which creates holes attackers can use. So, it’s really important for every company to be aware of its digital assets and know how to protect them, and its users.

Steve Kovsky: What best practices can small to midsize businesses (SMBs) use to protect themselves?

Shishir Singh: SMBs often don’t have enough resources to respond to cybersecurity incidents. What they can do is run a health check of their infrastructure to make sure their patches are up to date. They can use multifactor authentication and authorize access to applications based on each user’s roles and responsibilities. They can guard all endpoints and devices, and encrypt their data – at rest and in transit – for safety and compliance. Most important, they can work with cybersecurity companies that will provide continuous monitoring and regular assessments to prevent attackers from exploiting any vulnerabilities.

Steve Kovsky: Companies of all sizes are relying increasingly on applications hosted in the cloud. While these apps may be highly secure when first deployed, modifications inevitably occur, often causing something known as “configuration drift.” What are the security implications?

Shishir Singh: Configuration drift is very common, and it can affect your control points, whether it's on your endpoint device, on the network, or in the cloud. Whenever you are developing new software and trying to host it in the cloud, you have to make sure that the configuration drift is accounted for and taken care of. You should be continuously monitoring those things to make sure that any vulnerabilities are eliminated so they can’t be exploited by attackers.

Steve Kovsky: Any final advice to companies afraid they could become a target or collateral damage?

Shishir Singh: A proactive way to protect your infrastructure from attack is to use a Zero Trust approach. A Zero Trust network secures access to all endpoints, managed or unmanaged devices and things like firewalls. It allows access only to authorized users for legitimate purposes, including the ‘last mile’ of SaaS applications in the cloud. It’s really important for any company to have the right network infrastructure design and control points to manage everything securely.

Interview Transcript

Steve Kovsky:
Hi, and welcome to this podcast. I'm Steve Kovsky, Editorial Director, and I'm very pleased to be sitting down with Shishir Singh, who is our new CTO for the cyber division. Shishir, would you talk a little bit about yourself? You're relatively new to BlackBerry, so why are you here? What convinced you that this was the right place to be, and what is your role?

Shishir Singh:
Thank you, Steve. And good morning, everyone. When I looked at BlackBerry, Steve, honestly speaking, I knew that Cylance was the company they acquired, but that was in my memory two years back. And when I started talking to people, I realized that the richness of the portfolio was so good, and I thought that this can really come together to solve customer use cases and the problems which the cybersecurity industry is facing. BlackBerry can bring the portfolio together to solve some of the complex problems we see in the industry.

Steve Kovsky:
You come to BlackBerry at an interesting time: We're on the heels of a global pandemic. We now have a major military conflict that has very high potential of impacting the security of organizations, both in the region – that's already occurred – and really throughout the world.  

In my 20-plus years of covering technology as an analyst, and now as an embedded content editor for BlackBerry, I've never seen a period where cyber warfare was considered such a clear and present danger to so many organizations in the public and private sectors. I wonder if we could talk about what you see as some of the key implications for BlackBerry cyber security customers and organizations at large?

Shishir Singh:
It's very unfortunate what we are seeing in today's geopolitical situation. I hope everybody's staying safe in this current environment. And if you look at it, in the broader way, cybersecurity is definitely one of the ways countries, companies, and enterprises are going after each other, because this is one of the ways they can get into the digital infrastructure very easily. Now, it's really important to note that along with the companies who are there “in region,” the pandemic has proved the world is small. Everybody's connected to everyone. Everybody is part of the connecting tissue, across the board.

Supply chain attacks were another big example where shortcomings in security impacted almost everybody. Looking at that, and given the cloud transformation we saw in the last couple of years, that has given a humongous opportunity for the bad guys to target anybody's infrastructure, where they can exploit vulnerabilities and get to the digital infrastructure very, very easily.  

I would say that it's really important for the large enterprise, as well as for the small enterprise, to be aware of their digital assets – where they are and how to protect them. Also, it is important that we protect our people. People, the users, along with the assets and the applications, are everywhere. People are connecting from any place, any location, to get access to their applications, and that's creating a lot of holes where the hackers can get to you pretty easily.

Steve Kovsky:
BlackBerry published a blog recently that was based on an interview with you, talking about what small to midsize businesses should be concerned about right now.  

In many cases, SMBs don't realize that they could potentially be targeted by a nation state. They're not as prepared for it as a large organization and they're vulnerable.  

The other thing is, they're often connected to large organizations. They may be part of the supply chain of a large organization, perhaps in the critical infrastructure of a company or a nation. And that is a weak link and a potential vector by which an actor could target and try to have impact at even a societal level. 

Could you talk about the challenge for SMBs and some of the best practices that they could be using right now to protect themselves?

Shishir Singh:
That's a great question, Steve, especially for SMBs and smaller organizations where they're trying to deal with resource issues, because they may have a really important asset or business to deal with, but they don't have enough resources from the cybersecurity point of view. They may not be in a position where they can go and do incident response, or do a tech health check of their environment or infrastructure to make sure their patches are up to date, so they know exactly what the vulnerabilities are out there in the field.  

What makes it more difficult for these SMBs is that they don't have any security operations center (SOC) environment, because they don't understand all the alerts coming from the infrastructure, from all the control points they have. It is important for them to depend on partners, like cybersecurity companies, where they can go and ask for help.

There are a few things they should be really taking care of. One is regularly making sure they have got the current patches applied in their environment. I would also say that there are often some weak links where you put your old machines with the old software, which is not completely up to date, and that becomes a weak link for attackers to get into your environment. This requires continuous monitoring, and making sure you get help from your cybersecurity vendor to do assessments on a regular basis.

There are a few other common practices you can adopt. For example, authentication and authorization are often used interchangeably. So make sure that your authentication is proper, and that you've got the multifactor authentication in place. But also, make sure you are taking care of the authorization part, where the user is actually authorized to access applications based on their roles and responsibilities.  

The third thing I would say is that with some of the control points – whether it's on your endpoint device or in the network or in the cloud – there is a very common thing that happens: the configuration “drifts.” Whenever you are developing new software and trying to host it in the cloud, you have to make sure the “configuration drift” is taken care of. You do this by continuously monitoring those things, to make sure vulnerabilities are not exploited by the attackers.

Steve Kovsky:
Encryption is another thing that you mentioned, encrypting all your assets. Could you talk about that a little bit?

Shishir Singh:
It's really important to do encryption of your important assets, not just from the compliance standpoint, but from the safety standpoint. We have modern encryption algorithms, whether your data is at rest, in motion or in transit. Make sure that it is all encrypted in a way that attackers have the least access to the assets that they're after.

Steve Kovsky:
This is very helpful, Shishir. Any final words of advice to companies that are perhaps fearful they could become a target – or collateral damage – in this conflict?

Shishir Singh:
One of the things I would suggest is Zero Trust network access. Zero Trust is a proactive way of making sure that your infrastructure is designed in a way where it is less exposed to attackers who are out there looking for the weaker links.   

Zero Trust network access has multiple parts. One is with your control points, whether it's your endpoints, managed or unmanaged devices, or control points like firewalls or IPSes. All of them are trying to connect to the cloud. ZTNA makes sure that access is completely secure, and also that access to each asset is actually authorized by the IT admins, and that it has the right security postures and policy engines in place.

And the last mile I would say is your SaaS applications, sanctioned applications, or long-tail SaaS applications, or if you are developing new software into the PaaS environment. All of that is going through this zero trust network access, which has the right micro segmentations, app segmentations, geo segmentations, and all of that. 

It's really important – even for the SMBs –  to make sure that they have the right network or zero trust network infrastructure in place, and that they have the right control points to manage all these things.

Steve Kovsky:
That's a fantastic checklist, and a place for people to start. Shishir, I want to thank you so much for joining us and discussing this topic.

Shishir Singh:
Thank you so much for having me, Steve. 

Steve Kovsky

About Steve Kovsky

Steve Kovsky is Editorial Director at BlackBerry.