The UPSTACK Podcast

Welcome to the Upstack podcast, an ever evolving conversation on all things digital infrastructure, giving tech leaders food for thought as they push to stay ahead of the technology curve. I'm Alex Cole, and with my co host and colleague, Greg Moss, we invite you to join us as we talk candidly about the latest technology infrastructure topics. Stay with us. Greg Moss, my friend, we're back for another episode of the Upstack podcast. Got a question for you, as always.

Ransomware, malware, smishing, phishing. What what comes to mind? Cybersecurity. Cybersecurity. That that's a hot topic.

I don't recommend googling cybersecurity and clicking on the the news tab because it's it's a little alarming. It's always good to be informed. But, I like to think I stay apprised of of many different things. And and cyber is obviously a very, very hot topic with so many different angles. So it's only right that that's the the focus of today's episode.

And who better to walk us through this ever expansive landscape than Ariel Pisetsky, VP of information technology and cyber at Tabula, who are good friends of of the Upstack podcast and Upstack in general. Ariel is also a a member, perhaps villager of of team eight, something that we're gonna find out more about momentarily. So, Ariel, bear with me here as I read all about you. For the past twenty five years, you've been working in all aspects of the IT world, including managing AS sixteen eighty, which I believe is one of the first I ISP networks in the world. You built data centers before the cloud era.

You've run all cloud native operations. You've seemingly seen and done it all, not to date you or age you by any means. Today, you'll lead a group of IT professionals implementing state of the art solutions from open source to homegrown to traditional enterprise software across Tbula's global infrastructure. You've held multiple positions, CIO, CISO, a role that we'll get more into momentarily for many web facing operations from startups to your public traded companies. You've also worked as cyber consultant for government agencies and the cyber defense sector.

We are very glad to have you with us today.

Thank you. It's really a joy to be here, and I hope I can say things that will be interesting for the listeners.

So tell us more about teammate.

Well, teammate is an extremely interesting organization, and the most interesting thing for me is the facilitation of the village, which is really, I'd call it a get together of over a 100 CSOs globally from anything in manufacturing to the the largest retailers to the energy sector, the food sector, banking, everything and everyone. And we work together to improve our collective cyber knowledge, cyber, I'd call it resilience, and really help each other through different events, coordinate in in cases of extreme Internet events that that happen from time to time.

I think that's amazing. I mean, village is probably the exact term you should be using, right, or even tribe. You're you're working as a collaborative effort to ensure everybody's safety. It's fantastic.

You read the industry news, specifically digital infrastructure and just national, international news, it feels like security, which we know is a very broad topic, is everywhere, and it's only becoming more prominent. And it begs a lot of questions, and hopefully, can tackle a number of those today with our our guests.

I mean, that's that's a really great comment. And, you know, I look at it as the Internet has existed for what, thirty years? Ariel, why does it seem like this is such a hot topic these days, cybersecurity? And and has it always been front and center, or are we just seeing it now?

So cybersecurity has been around for a very long time since the actual essence of the Internet, the I'd say from from conception was never built or engineered for security. And the moment the bad actors, let's call them, found this problem, it became bigger and bigger and bigger, and it continues to evolve all the time. There's a funny anecdote that we can look back to the eighties and actually president Reagan that is one of the first people in positions of, like, the top power position actually identify the problem with cybersecurity and to question if the Internet or what was back then the DARPANET is secure enough and if the military is secure enough back in the day. So the kind of idea of cybersecurity has been with us for a very long time. The last few years, we've seen shift, I'd say even a paradigm shift, where the crimes that are now committed are committed over the Internet.

And this is just because of the exponentiality of it, which is really hard to grasp. If you go and rob a bank and you want to make your living like that, you need to go bank after bank after bank, and it's a very linear endeavor. You have to go one at a time. When you're online, you can actually send out your attack, and it will metastasize from there. It will just multiply itself, and you can really parallel your attacks in such a way that they can be low level attacks, high level attacks, super sophisticated, and they can get a life of their own, continue to multiply as you move forward, and actually bring in a lot of

revenue. Wow. It's scary.

It is scary. And with the with the now invent or with the actual, like, big markets for, for cryptocurrency, it becomes even easier to transfer funds online from place to place, and that again is one of those, I'd say, additional fuels into this fire that is cybersecurity and cyber issues that we see all over the place.

If it the reach seems infinite of security or cybersecurity, seemingly touching every single corner of digital infrastructure, you know, being relatively being newer to the industry, I kind of compartmentalize it into a solutions vertical, but it actually it is across all the solutions that make up the backbone of of the internet. Exactly how far does that reach extent?

So I I need to kind of pause for a moment and I Greg, I think Alex just called us old. Beyond that beyond that problem or or statement, let's call it a statement, then the fact that that cybersecurity is now feeling, I'd say, more far reaching, it it really is because we have computers, computerized, I'd say, or or digitization of everything. If you go back, let's let's look at the Washington Monument. Not that it has been hacked or I have any cyber intentions or anything funny to say about that. There was an extremely old elevator in that monument.

It was there for years. It was very analog. It broke down when it was rebuilt. It was already built with today's technology, and that means that every new thing that is built or any anything that is kind of taken out and then refurbished, rebuilt is built on some type of digital component. Those digital components are getting stronger, bigger.

And when I mean bigger, I don't mean in physical size. I mean in compute power. And that means that they can now be, individually connected to the Internet, what we refer to as as IoT. And from there, we really have this explosion of of sensors and of devices that are connected everywhere that are hard to fix, hard to patch, hard to defend, and for just the economics of it need to be accessible many times in a remote fashion. And this remote fashion is exactly where the world of cyber comes into play.

Because if you think of, again, the the good old, good old, the bad old, world of of crime, then it was very physical and kinetic. You had to be up close and personal. In the cyber world, everything is remote. So if you have something that is totally disconnected, it is extremely hard to penetrate. But when you have the world of the Internet connectivity happening and everything is cross connected, then you multiply the problem, like, in in the extreme.

At the risk of oversimplification, are you saying if it's connected, it can be hacked?

If it is connected, then there is a higher potential of hacking it, and it's, usually only a question of of time, effort, and ingenuity. So the the fact that something is connected creates a door and now the the question is how determined is the opponent? How determined is that malicious actor that wishes to walk through that door?

It's it begs the question, Greg, and and Ariel around, okay. You have a number of doors potentially in your environment, personal or on the business side as well. Does one big lock suffice, or do you need different types of locks based on the types of connections you have?

So so to elaborate on that, Ariel, let's take a real use case. Right? A lot of these small and medium sized businesses, mostly due to compliance and regulatory issues these days, are forced to find a CISO like person. And a lot of them are defaulting to their local MSP or the person who's been supporting their, you know, network infrastructure. Now, are they qualified?

Probably. Are they really qualified? We're not sure. So we'd like to kinda hear from you and better understand, you know, is a weak lock obviously better no lock, or do you go with a pure play security vendor for each segment of security?

So that's that's a wonderful question. And I'd say it's almost a theological question. A lock any lock is better than no lock. That's for sure. A weak lock is, of course, a problem because you want to be as good as you can at everything.

You cannot be as good as you can at everything. And then the the question really is how much time, how much effort, how much capital do you want to invest, and where will you get the most return on that investment. So it's okay to go with one vendor for all or it's and it's wonderful to go with best of breed for each one of the things that you want to protect. If it's end user protection, if it's firewalls, if it's VPNs, if it's authentication, if it's encryption, if it's, anti malware, if it's backups, are a whole lot of things in security that you want to be looking at. Having said all that, let's go back to the weak lock.

Eventually, the problems or the the cyber attack comes in at the weakest link. So it is more important to be good at as many things that you can than being really good or amazing at one thing and then maybe forgetting the others. So I would say that having a weak lock is better than having no lock, but having an amazing lock and then maybe not having locks or having very weak locks on other things is also a problem. So you want to be as good as you can as that many fields within information security and IT security that you can, and then that will probably bring you the most return on your investment.

It's a lot to keep tabs on. I mean, trends integrate in the industry at large, but also specific to cybersecurity. We've talked about how expansive it is. Greg, you mentioned the CISO, chief information security officer. It it sure, large enterprises have CISOs, but what about the smaller and medium sized businesses out there?

There there seems to be a, a lack thereof of this role. If you don't have someone focused on security and information security day in, day out, what does a business do?

So we're actually, Alex brings up another great point. Seeing a lot of large organizations not only, you know, have the ability to afford a CCELL, right? These are expensive full time employees, but also be able to give them the work, the full time workload. But in the smaller companies, know, when you think CSO, they don't have the money and they don't have the amount of work that a large organization has. So so do you see the supply and demand shifting here?

Because right now we don't see nearly enough CSOs to support the demand in the market.

True. True. The lack of, I I'd say, personnel or the the ability to bring in the the different levels of talent that is needed is hard. And that does allow for a market of external CSOs or or virtual CSOs where you have people that divide their attention on a few organizations, which is a good solution when you can't find someone full time or when you need, advice at a certain point in time. So any anything is better than doing nothing, and the wider the coverage, then, again, the better the coverage is when, you can also think of reducing, risk or I'd say, maybe eliminating the attack surface or reducing the attack surface.

Because if you think about cybersecurity, there eventually, it's I I don't wanna say a game of risks, but it it it comes out of risk management. And risks, you can or totally avoid. You can accept, which means you accept the the risk that something will happen and all the things that can potentially bad happen to your organization. You can transfer the risk to an insurer, and you can reduce the risk. So that is like the best thing, usually when we look at information security is to reduce the risk as much as possible, and then we try to play on the other vectors as well.

Reducing the risk can also be the reduction in attack surface. So there's this great example of, I think it was a hotel chain in in Europe that was hit by a by a malware attack. All of their, infrastructure was was encrypted, which is a crippling attack, really. And they were able to bounce back very fast with the move from a standard operating system to a secure operating system. In this instance, it was Chrome OS.

So they shifted the whole organization into a read only, browser only operating system that is much simpler to manage. They had they had their trust back in their client infrastructure. That means they knew that their client infrastructure, their laptops don't have a malware in them anymore, so they could connect them to their network, to their VPN, and they could bounce back and and go back into operations. We can probably share the name of the of the of the hotel chain because this is a public story. It's a use case on on Google.

I believe that was the Nordic Choice Hotels.

Correct? Yes.

Thank you. So they were they were so they were breached and innovated. They were able to innovate probably a more dynamic, more robust solution even after their their walls were were breached and that whatever locks they may have had in place failed. Interesting. Exactly.

Okay.

And that's a great kind of tip for anyone out there that the client side compute that that that is used within the organization is if it is a 100% browser based, why do you need a full operating system? If you can move to something more secure, you really reduce the risk on that client, and you totally kind of move into a world where security is much, much easier on a whole level of or on on a whole playing field of, of different security risks from from malware to, to patch management to local encryption and and so on and so forth.

So so Upstack, I mean, Upstack, for our audience, Ariel, you know, we we we help companies navigate the murky waters of vendor selection, through the use of data, lots and lots of data, particularly in some of the most innovative areas, right? So let's call it, you know, data center, cloud, unified communications, security, etcetera. These areas in particular are constantly innovating. And with innovation comes security concerns, right? Because every new release, you know, may show a vulnerability.

So when we're talking to our customers, how do we, best suggest they stay on top of the innovation, as it relates to security? Do they rely on their vendors to do this, or do they rely on their internal staff or a combination?

So I would say that it's absolutely a combination. Having the ability to do everything internal is a huge undertaking. We constantly kind of reach out to other organizations, be it Upstack or be it other peer organizations where we utilize the experience that others have already found in the market. And the idea is really to, a, reduce the the amount of talent that I need in house, and b, make sure that I utilize the data, the information of of people out there that have already invested time and effort in understanding the problem and found different solutions. So it can be in the world of of cloud.

It can be in the world of SaaS. It can be in the world of of data centers. There is kind of a lot to to grasp. There's a lot of different things, a lot of different, kind of tweaks that you can have to be more secure, less secure, or to manage cost, to manage other parameters of of such a deal. And any use of external help is is wonderful.

On top of that, user groups, that's, one of the best ways to really get information that is out there. And last but not least, there is for the world of cyber specifically, there is cyber intelligence, which is the ability of a third party to kind of scan the Internet and really give specific intelligence that is relevant for said organization in a in a specific time frame. So it looks at, a, any breach that has been detected and is being talked out on the dark web, or, b, look at the technology and the technology stack held by the organization and tailor the alerts for that technology stack, be it Oracle, be it Microsoft, be it Apple, be it, SAP, other software vendors. If any of those has an alert and and, you know, you you probably have a 100 different providers within your organization, if not more, you want to keep tabs on those. So if you can have a curated, weekly alert list, that really helps.

Very cool.

Yeah. Ariel, with with the Upstack podcast, we like to leave our listeners with some action items, maybe some to dos, not homework listeners, but things that we might find helpful based on the conversation that you've you've heard today. You touched on a few of them, mentioning malware and other topics, and we talked about how expansive the landscape is as it relates to security, but what would you say are some of the hottest topics right now that listeners should be should be aware of and and that companies should be be studying up to make sure that they are prepared for the next wave of of innovation or even threat?

So the number one thing by far is backups. And and why backups? And I'll I'll elaborate on that in in in a second because backups, it sounds simple. Oh, I have backups. So it's we'll talk about I have backups of that answer in a moment.

The reason is it an incident isn't a question of if. It's a question of when. It was one of the former FBI directors that said there are two types of organizations. I'll find the name of the FBI director in a moment. There are two types of organizations, those that have been breached and those that don't know that they've been breached.

It's it's not even those that have been and will be. It's like really almost those that have been and that just don't know it. So it really isn't a question of when, I'm sorry. It's not a question of if, it's a question of when. So when you look at it from that perspective, backups suddenly become so so much more important.

And if you continue down that line of logic, another thing comes up, and that is how attached are you to a specific server, to a specific service, to a specific, monolith of of data? And if there is anything that you can do to reduce that, dependency and have services that are totally independent or totally stateless, that would be wonderful. Now we all hold data. Therefore, we can never be fully stateless. But the the the amount of servers and services that we hold that can be stateless, if we grow that, then that is wonderful.

And going back to bay to backups. Backups need to be immutable. Backups need to be such that even if the attacker is 100% within your walls, within your organization, sitting with you on your admin laptop, with your credentials, they cannot delete the backups. One option is, of course, to use, offline backups, but those tend to be really slow and hard to return from. So cloud backups.

And then you're going, okay, I have a cloud backup, but I can always delete. I'm the admin. I can always delete it. So remember, most clouds, the big ones for sure, most clouds have today immutable storage where even if you're an admin, you cannot delete the data for a given amount of time that you predefine when creating that bucket. So if you create a bucket with a sixty day, ninety day, a hundred, whatever the amount of day years, whatever you want, you incur cost.

There's an issue of cost because whatever you write there, you can never delete. But you gain the force of an offline like backup that cannot be deleted with the power of fast restoration because it is not on on tapes. So those old tapes that 50% of the time don't work, and they take so long to store from, and all the other problems associated with them, you suddenly get the power of offline at the speed of cloud. So that is super important, and that is really the thing that will help protect from malware, protect from other types of disaster, allow buy more time for the organization. So I'd say that's the top concern, and I added a few a little bit of seasoning around that.

The second thing would be incident response. Make sure you know who to call. So we can make jokes about who you gonna call back from the eighties or or some other fun pop culture reference. But it other than than that, it doesn't have to be a company that you pay for incident response. It doesn't have to be something super elaborate.

Just know who you need to call. If it's the legal team, if it's the PR team, if it's your, provider, if it's your friends in AppStack, whoever you need, that's your that's your best answer. Make sure you have the phones. Other people know those, pieces of information, and just be at a certain level prepared.

That's incredible. I mean, is is sound advice coming from an expert. Back to your your comment on pop culture.

Yes.

I think that I've heard rumblings of the origination of cybersecurity actually being modeled after a movie. Is this is this accurate?

Yeah. So we spoke about Reagan just for a moment, and this is this is a true story. President Reagan saw the movie War Games. And within the movie War Games, there was the whole story of of the movie is of a kid that war dials, which means uses a modem to dial number after number until he finds a computer that answers. And he does this for his fun, and and he encounters a computer that is actually a military computer and hacks it and was able to cause some mayhem, within that system.

And the president actually in the in the briefing the following week asked the chief of staff, can this happen in our in the real world? Is this just a Hollywood story? Now this happened a few months after the Star Wars initiative, and people were kind of, you know, cynical about another remark, another movie remark. Where where are we going here? But, lo and behold, a week or two later, the chief of staff came back and said, this is actually a possibility and we need to improve and that was the first cyber directive that came out of the executive branch and really one of the first regulations to deal with cybersecurity and we all have been learning and improving ever since.

Regulation has picked up and and other things have happened. So, like, everyone has has upped the game since that moment in in time.

I just want to make sure I have this this straight. So, the the concept of cybersecurity and maybe even the name was spawned from the 1984 film War Game starring Matthew Broderick. Did I get that right?

The the name cybersecurity came was coined just a just a a tad later. But, yes, the the idea of dealing with with security within the government, within the army, within the military, different branches at all started then. There is also a great book. If I recall, it's the cuckoo's egg or the cuckoo's nest. I need to look that one up.

And that one is also all around the first security breach that was civilian kind of vigilante style caught and how hard it was back then to talk to the FBI and say, okay, we had a computer breach, and they're going back in the eighties like, okay. But what crime was committed? Because there's no federal crime, with with computer breaches and and so on. So it's it's really it's really been an evolving an evolving field back from the eighties and and pop culture from the eighties. Yes.

Alex, who would have thought Ferris Bueller invented cybersecurity. Right?

I I was gonna say I thought that was Broderick's greatest film, but maybe I need to go back and watch war games. Put it put it on the list. That and and The

name of the book is the coo the cuckoo's egg, tracking a spy through the maze of computer espionage.

Wow.

Written by Clifford Stall.

Very cool. We we've added something to the listener's watch list, their reading list, and some other to dos in terms of cybersecurity trends to to keep apprised of, and also how to make sure the locks in all your various doors are are good enough. You want that consistency, at least good enough across the board. At the risk of understatement, we could go on and on and on on the topic and certainly take up more of your time, Ariel. But we we thank you for joining us today and, of course, thank our listeners for spending more time with us.

This has been the Upstack podcast. We'll see you next time. Thank you for listening to the Upstack podcast. Don't forget to like or subscribe to the show wherever you get your podcasts. We'll see you next time.