What was your idea behind establishing Panaseer? How has been the journey so far?
Cybersecurity has become a big priority for enterprises, and rightly so given the challenges we face protecting our people and information. But what struck me, and the reason I founded the company, was that the people responsible for securing our data in the enterprise – the CISOs – didn’t have answers to the most fundamental questions of cybersecurity – What assets are we defending? How well controlled are they? How are they most vulnerable? As a result they were suffering a lack of confidence and control over cybersecurity risk, and this was starting to be recognised by the Boards of these companies.
CISOs don’t have the luxury of relying on gut instincts anymore, it’s just not acceptable or feasible given the scrutiny they’re under. Like other functions in any enterprise, they need trusted data to drive their decisions and to justify their decisions.
The problem was how they could approach this, because it’s a complex and problem to solve, very manual and time consuming, and requires the analysis of many different systems.
I knew that, together with my co-founders, we had the know-how to develop a platform that could finally help organisations establish the ground of a company’s security posture – using real data which could be trusted and automated to give them live insight. We met with security chiefs of some of the world’s biggest financial organisations during the inception of Panaseer to make sure that we were addressing exactly what it was they were finding hard to achieve.
The journey so far has been incredibly exciting and dauting in equal measure. We are going head to head with the Silicon Valley tech giants – it’s David and Goliath. And just like the parable we have the innovation edge and focus, and our platinum brand clients are proof that this is what the market is looking for. This has created real investor confidence, which led us through a successful Series A funding round earlier this year, with Cisco joining our mission.
It is widely believed that Big Data Analytics plays an important role in preventing cyber-threats. How true is that assumption?
Big data analytics as a cyber discipline is certainly still in its infancy. To date it has been confined to the ‘threat detection’ space. It’s easy to understand how identification of bad things happening is appealing, but this misses the bigger, and more effective opportunity of prevention in the first place.
There are many opportunities for CISOs to use data to be more proactive in preventing threats from taking hold. For example, using data to raise the general cyber hygiene of an organisation is an underserved use case. An automated metrics and measurement programme can tell you a lot about how well your control infrastructure is deployed, configured and managed. Many organisations currently use point in time assessments, conducted manually or via questionnaires to assess their control status. No modern organisation can genuinely believe this is a sufficient frequency or fidelity of measurement to feel confident that a control infrastructure is operating as expected or needed (particularly considering regulatory reporting needs). This is exactly the space that Panaseer is leading.
Are machine learning and automation the future of cybersecurity?
Robust, data driven automation is absolutely the future and many forward-thinking CISOs are embracing it today. The main opportunity is the automation of risk decisions (decisions can be made at the speed of data and IT processes not spreadsheets and manual analysis) meaning higher return on investment from time-limited cybersecurity professionals.
I would put machine learning in the AI camp. It certainly has exciting potential, but the jury is still out on how much. The fact is that the market has seen a glut of security data analytics products that use maths to quickly identify the bad guys that are “inevitably” in your network and increase Security Operations Centre efficiency all through the use of Machine Learning or Artificial Intelligence (AI). It’s a problem that is ripe for data analysis innovation, but the realities are more challenging than advertised. The major factor here is that 90% of the effort required to make ML effective is in the sourcing, cleaning and organisation of the underlying raw data. This is why our product focusses on these aspects rather than the algorithms at this stage.
AI is largely marketing hype applied to a small subset of machine learning techniques so don’t be fooled by how a product is branded. At best, the algorithms embedded in products perform highly specialised analysis in a single field and have been trained on large volumes of data. This is a far cry from general AI, which is a system that can perform any generalised task and answer questions across multiple domains – we are a long way near that.
How has GDPR changed the landscape of the businesses in Europe? Was transition post GDPR easy?
GDPR needs to be looked at in two parts. The first phase was the market panic of the last two years by organisations that worried about becoming complaint – there was a huge wave in activity in going through the various processes to achieve compliance before the deadline.
We are now in the second stage, post GDPR, where organisations are sitting in wait to see how it will be implemented – how harsh the penalties will be for non-compliance and whether they need to reinforce defences to avoid the likelihood of being breached.
Unfortunately, when it comes to data breaches, it’s not a case of if but when, so the overriding priority for the CISO must be ensuring they are diligent, not negligent in protecting the organisation. For years industry doctrine has advised a layered approach to security – think of the many layers of onion skin protecting the core. However, many companies end up focusing their efforts on the outside layer of defence, meaning their security network is more like an egg – hard on the outside and soft and mushy on the inside.
As a young company, what is your organization doing with regards to cybersecurity awareness among employees?
We have a really open culture, so awareness is discussed every day. There are some simple things we do – fostering a culture of openness so we can discuss it and having it as an agenda point in all hands and leadership team meetings. We also ensure all new recruits are trained on a simple set of standards, such the Cyber Essentials. We also have a Slack channel dedicated to reporting suspicious activity, such as the many phishing emails we receive.
Where do you think cybersecurity as an industry is going in 2019?
It’s going to need to go back to basics and refocus on doing the fundamentals well, as that’s ultimately what delivers ROI. As no company can be 100% secure, there must be clarity on acceptable levels of risk and investment in the fundamentals of cybersecurity. Knowing, on any day, what assets you’re protecting, how they’re controlled, and how they’re vulnerable – in a robust, automated, data driven way – will crucially help protect against the vast majority of attacks.