Sep 18, 2024
Episode Description
In this episode of the Hands on CISO podcast, Adi interviews Korab Osmanaj, a seasoned information security expert and CISO at PriBank. Korab shares his unique journey into cybersecurity, detailing his diverse background and the evolution of his career. He discusses the dynamic responsibilities of a CISO, the importance of balancing security with usability, and the challenges of incident response. Korab emphasizes the significance of continuous learning, the human factor in security, and the future trends shaping the cybersecurity landscape. He concludes with valuable advice for those looking to enter or advance in the field of cybersecurity.
Adi: Hi everyone, and welcome to the Hands-On CISO podcast. Today I am talking to Korab Osmanaj, who is a seasoned information security expert with a wealth of experience across multiple fields, including IT infrastructure design, network engineering, web development and e-commerce. Currently he manages a small expanding cyber security team and is focused on launching a consulting business in information security. Korab is also a participant in triathlons, with his next competition set for October 2024. Oh well, that's like very soon.

Korab: Yeah, yeah, I'm preparing for that, trying to prepare.

Adi: Amazing. So how are you?

Korab: I'm fine, I'm fine, thank you for asking. I'm fine, doing every everyday job, which is ever changing as a CISO.

Adi: So tell us what you do.

Korab: Oh okay, yes. I'm a CISO in a financial institution called PriBank. It's a bank, it's a startup bank, and I was very lucky to be a part of a founding team, not the founder but a founding team, and I had the chance to, not say experiment, but to do these things from the beginning the way that I thought was the best approach.

Adi: Amazing. And how did you get to that point? How did you start in security?

Korab: Well, my journey into cyber security has been quite unique and diverse, I should say, because I initially started my career in fields that may seem unrelated at first glance, such as, as you said, graphic design, web design, social media, e-commerce and such, and each of these areas provided me with a different perspective on technology and its application in various industries. So when I was working in web design I became fascinated by how the web operates and the intricacies involved in making it both functional and appealing. However, it was also during that time that I began to notice the inherent security vulnerabilities. So for instance, I saw firsthand how poorly implemented security measures could lead to significant issues, from simple website defacement to more serious data breaches, you know. And yeah, these experiences sparked a deep interest in cyber security for me, and I found myself increasingly drawn to understanding how to protect digital assets and ensure safe online interactions. So this curiosity also led me to pursue further education and certifications in cyber security, such as, recently I had a chance to pass the exams of [inaudible] and CISA, to build a strong foundation in this field. So now, looking back, I realize that my diverse background has been incredibly beneficial. It has given me a holistic view of how cyber security intersects with various aspects of technology and business, enabling me to develop more comprehensive security strategies.

Adi: What was the first job that you did in security that, like, got you in?

Korab: First, the first job was as a network engineer in a company called 3CIS, where I had a chance to work for infrastructure in AT&T, United States, and also Vodafone in the UK. So that was basically the beginning of my journey towards cyber security.

Adi: How does your day-to-day look now?

Korab: Well, my day-to-day responsibilities as a CISO are quite dynamic, and each day brings new challenges and opportunities. So basically my morning starts with reviewing any incidents or any alerts that may have come in overnight. This could range from minor anomalies to potential threats that require immediate attention. After addressing any urgent matters, I typically have a, I should say, series of small meetings with the cyber security team that we have, to discuss ongoing projects, any incident response strategy or new security policies. We also conduct regular threat assessments and vulnerability scans to ensure our systems are secure. I also spend a significant amount of time on strategic planning, so this involves reviewing our current security posture, identifying areas of improvement and planning for any future initiatives.

Adi: Is that the same thing you did when you were starting out in security? Have the tasks and things you do changed a lot?

Korab: They change quite often, they change quite often. As the name of the podcast series says, Hands-On CISO, we wear many hats, so we need to adjust to different scenarios and different things occurring throughout the day. So yeah.

Adi: Cool. So what would you say is the biggest difference between cyber security now and cyber security when you got started?

Korab: It changed a lot, it changed a lot, because when I started some nowadays trends didn't exist, such as internet of things, that are a real thing now and there's a vector of attack through those devices. Also the human factor was not very much the focus at the time; now it is. So we try to do security awareness and training for the staff constantly, because we see that the main threat... you invest a lot in technology and all that stuff, but at the end of the day an employee who intentionally or unintentionally makes a mistake or falls victim, it's really dangerous in that aspect.

Adi: Interesting. Why do you think that in the past the human part was not as focused on?

Korab: In the past, cyber security as a whole, I believe, was not... companies did not focus a lot on that aspect, because the idea was to digitalize, try to digitalize every aspect of the business and to develop their infrastructure. So I believe the focus on cyber security was lagging behind, and after some failures, some breaches, and we know all the breaches that happen all the time, it brought the attention to cyber security, and companies are really, I believe, taking it seriously now.

Adi: Cool. So you're actually the person in charge of making sure the company is safe. Do you ever feel like a bad cop, like you have to make sure no one's doing anything wrong and things like that?

Korab: Yeah, absolutely, yeah. There are definitely times when I feel like the bad cop. In cyber security we often have to enforce strict policies and procedures that can sometimes be seen as obstacles by other departments. So for example, when implementing multi-factor authentication, some employees might see it as an inconvenience; however, it's essential for protecting our systems and data. So balancing security and usability is always a challenge. Our goal is to implement measures that safeguard the organization without hindering productivity. So this sometimes means saying no to certain requests or delaying projects until we can ensure they are secure. So one instance that comes to my mind is that we had to restrict certain applications from being used on company devices due to security vulnerabilities, and while this decision was met with resistance, it was necessary to protect our network from potential breaches. However, being the bad cop also means educating and communicating the reasons that are behind those decisions. So when employees understand the risks and the potential impact of security breaches, they are more likely to cooperate and follow the guidelines. So I try to foster a culture of security awareness where everyone understands their role in protecting the organization.

Adi: Amazing. How have you been able to do that? What is the way that you communicate to the employees and really make them see how important this is for everyone and not just to you?

Korab: Yes, so we start from the onboarding process of hiring new staff, that's the starting point, and we conduct regular training and awareness programs to remind them how important it is to protect the information and to be more careful on that side. We try different methods. Starting from the... we also change their backgrounds, wallpapers on computers, through group policies, with quotes and with some parts of the policies that we have, to remind them of the importance of those policies and those measures. Also in the hallways we post posters with different quotes and different messages.

Adi: Have you found any specific thing to work better than another, or is it really just about doing all these small things that add up?

Korab: No, I should say different things, different methodologies, different ways of implementing things, they all add up. I didn't find a single formula to, if I could say, inject the responsibility into the staff. So by constantly making them aware, that's what helps us a lot.

Adi: So there's no magic answer.

Korab: No, no, no magic formula in cyber security.

Adi: Okay, so how do you balance between, on the one hand, you do want to educate and teach your employees and make sure that they act the right ways, but on the other hand you also want to put certain blocks and technical things to make sure they can't accidentally do anything? Like how much is actually education versus implementing different solutions technically?

Korab: Yeah, yeah, as I said, we try to balance these two, but if you ask me, it's better safe than sorry. So we try to implement technical controls to limit some things that they don't need, starting from the web pages, categorizing the web pages, so the whole traffic, even if they work remote, the whole traffic comes through firewalls and that's where the filtering goes. Also somehow removing the administrative privileges on the devices, so they can't accidentally or unintentionally install any application that's not whitelisted in our company. And yeah, on the other side, trying to make them aware as much as possible of the consequences, not trying to punish them, never, we never do that. It's not the idea to make an environment that punishes you and you don't feel safe reporting. So the idea is to report any incident that they might think had happened, so in order for us to investigate it further.

Adi: Great. So without any names or companies, have you ever seen a really bad security situation?

Korab: Really bad? I don't know, really bad, but yeah, one of the most challenging incidents that I dealt with involved a sophisticated phishing attack which targeted several high-level executives in our organization. So these attackers used social engineering tactics to craft highly personalized emails that appeared to come from trusted sources. So these emails contained malicious links that, when clicked, as you know, installed malware on the executives' devices. So the initial signs of the breach were subtle, but we quickly noticed unusual activity on the network and we immediately launched an investigation and discovered that the malware was designed to steal sensitive information, including login credentials and financial data. So this required a coordinated response, and we had to isolate the affected devices, conduct also thorough forensic analysis to understand the extent of the breach, because initially you don't know what's the extent of it, and implement measures to prevent further damage. So communication was crucial during this time. We had to inform the affected executives, provide them with support and ensure they understood the steps that we were taking to address this issue. And one of the biggest challenges was, yeah, to restore the trust. So after the incident we conducted extensive security awareness training focusing on recognizing phishing attempts and the importance of reporting suspicious activities. So this incident underscored the importance of having a robust incident response plan and the need for continuous education and vigilance. It was a challenging experience, but it ultimately led to a stronger security posture for the organization.

Adi: Well, when something like that happens, how do you react? Like what is the first move?

Korab: First you have to stay calm, and try to stay calm in order to grasp the situation, to understand what's going on, and not to panic. So we have some incident response plans prepared for different types of attacks or security incidents, events, and we gather as a team, as an incident response team, and try to understand what happened, in order to react with a proper incident response plan.

Adi: What is the biggest challenge that you see in cyber security right now?

Korab: Biggest challenge, there are many challenges, but the biggest challenge I'm facing right now is managing the expansion of the cyber security team while still handling hands-on duties. So as our organization grows, so does the complexity and scale of our security needs. So we need more specialized skills to address the increasing variety of threats and ensure comprehensive coverage across all our digital assets. I believe one reason this challenge is happening is the rapid pace of technological advancement. New technologies bring new vulnerabilities and we need to stay ahead of potential threats. So this requires not only expanding the team but also ensuring continuous education and upskilling for existing team members. So another factor is the competitive job market for cyber security professionals. Finding top talent is challenging, especially when larger organizations with bigger budgets are also vying for the same skill set. We have to be creative in our approach, offering attractive career development opportunities and fostering a supportive and innovative work environment.

Adi: Interesting. What are the different roles in a security team?

Korab: In our organization we are a small team. The roles in a cyber security team where you can delegate the responsibilities to each specialized unit: you need to have a vulnerability management team, pen testers, SOC team, security operations center team. These are the teams, I should say, that it's good to have in house, but you can also outsource some of these responsibilities to outsourcing companies, such as penetration testing services you can hire from the outside.

Adi: Cool. And it sounds like the cyber security field is changing so much all the time, and it's already a pretty stressful job, and you also have to learn little things all the time. So how do you even, like, when you look at your time, how much of it is spent actually doing the work and how much is really learning new things, finding out what new ways I can be hacked in?

Korab: Yes, the good thing is that you learn new things while doing the work, you know. You're constantly facing new issues, new attacks, new ways of attacks, so you develop your skills and skill set while working also. But apart from the day-to-day job, we try... personally, I try to stay updated in cyber security by employing, I should say, a multifaceted approach, so I'm always on top of, or try to be on top of, the latest developments. Firstly, I'm an active participant in industry conferences and seminars. These events are invaluable for networking, learning about emerging trends and hearing from the thought leaders. Also I dedicate time to continuous education. As I said, recently I had some certifications that helped me a lot, and those certifications require ongoing education to maintain them, which helps ensure that my knowledge remains current. So also reading is another key component. I subscribe to several cyber security journals, blogs and news sites. And yes, balancing all those activities can be challenging, but it's essential for staying ahead in such a fast-paced field.

Adi: And I'm assuming there's a lot of data floating around the internet, a lot of things you can learn. How do you know who to trust, in a way, or where to put your attention?

Korab: Your trust, the source, is basically... you trust, for example, some website that I visit, I trust them because they have a good reputation in offering the information, the news. But yeah, you always have to verify them, always, because there's a lot of scam around.

Adi: What do you mean there's a lot of scams around?

Korab: For example, we know the latest incident, the major incident that happened lately with CrowdStrike. They did a fantastic job, they offered the solution within an hour, if I'm correct. The malicious actors used that to offer from their side the fixes, which were really malicious. So people panicking can adopt those solutions and all get infected more, in that sense.

Adi: Interesting. So you're saying that a lot of the people who were affected thought they found a solution through something and it was actually... oh wow.

Korab: Yes, yes.

Adi: What do you do after that happens? You have two issues, you have just got into a bigger issue.

Korab: Yes. First, as I said, you need to verify, you need to verify the sources, the sources that you believe most, that you constantly get information from. And yeah, be careful of the impact that those solutions might bring in. You have to isolate the infrastructure and to test the solution within an isolated environment to see if it's fixing or it's doing the contrary. Well yeah, there are many, many approaches.

Adi: A thing you said in the beginning, that you were in a completely different field and then cyber security, like, attracted you to it. What did you like about cyber security that made you think, huh, I want to get into this stressful field? What was it?

Korab: To tell you the truth, I wasn't aiming at cyber security from the beginning, you know. I was always doing different aspects, different jobs and different duties, but all of them had cyber security incorporated into them. So all of those experiences led me to this field, and reading books in information security gave me an interesting perspective on this field. So yeah, there are different pieces of situations that led me here, so I cannot pick one.

Adi: So there were a lot of different things that just kind of led you...

Korab: Yes.

Adi: ...to eventually get here. Interesting. What is a thing that you think most CISOs don't pay enough attention to?

Korab: They don't pay attention... in the human factor. I know it's, I should say, they don't pay the proper attention to the human factor, because human factor and security awareness programs are in every information security department, but I believe that's one significant spot that CISOs didn't pay much attention to. So technical defenses are essential, definitely, but a strong security culture within the organization... and human behavior often poses the greatest risk. So employees at all levels need to understand their role in maintaining security and be actively engaged in protecting the organization's assets. So investing in regular and comprehensive security awareness training can make a substantial difference. So many breaches occur due to simple human error, such as falling for phishing scams, as we said, or failing to follow security protocol. So by educating employees about the latest threats and best practices we can significantly reduce these risks. Another aspect, as I said, of security culture is encouraging open communication. So employees should feel comfortable reporting suspicious activities or potential vulnerabilities without fear, you know, of ref... Also, creating an environment that doesn't involve punishment, where security concerns are taken seriously and addressed promptly, can lead to earlier detection and resolution of issues.

Adi: So how is managing, well actually not managing, but what is the difference when you have to be a CISO in a relatively smaller company, and you maybe even know most of the people by name or by face, versus when you're a CISO in a very big company and you kind of have to make sure other people enforce that culture for you?

Korab: Now, having a small team has its advantages, has its advantages, because you can communicate directly to them and have frequent discussions about the topics, and faster decision making. But on the other side you have to wear different hats for different purposes, and we have to be jack of all trades. And being in a larger organization, you have specialized teams, but that lacks some kind of agility, I should say. So both of them have their advantages and disadvantages.

Adi: That's a good answer. What do you tell people who think cyber security is just like, just don't click on links?

Korab: Clicking links, yeah. I often encountered this misconception, you know, that cyber security's primary role is to warn people about phishing emails. So yeah, while preventing phishing attacks is indeed a crucial aspect of our work, the scope of cyber security is much broader and more comprehensive. If phishing emails were the only thing that we had to worry about, I might actually get a good, nice sleep, no? So yes, cyber security encompasses a wide range of activities, such as threat detection and response. So beyond phishing, we constantly monitor for various types of threats, such as malware, ransomware and advanced persistent threats. Vulnerability management also: we regularly conduct assessments and penetration testing to identify and mitigate weaknesses in our systems. So this proactive approach helps us fix potential issues before they can be exploited by attackers. It's like playing whack-a-mole with hackers, except the moles have PhDs in computer science, in this case. Also incident response and recovery, it's another aspect that we deal with. When a security incident occurs, our role extends to incident response and recovery, so this includes containing the threat, investigating the breach and restoring normal operations. And another important aspect that many are not prepared for before entering cyber security is the compliance and governance, you know, ensuring compliance with various regulations and standards such as GDPR in Europe, HIPAA for healthcare or ISO 27001, is a significant part of our work. So yeah, it involves implementing policies and procedures that align with these regulations and conducting regular audits to ensure ongoing compliance.

Adi: I liked your metaphor of whack-a-mole. How do you manage the... it sounds like security professionals in general, but specifically CISOs, have to be very on all the time, have to be very aware, very ready for any change, anything can happen. Does that take a toll on you in terms of stress? Do you find yourself, you know, staying up at night thinking about how do I solve this, or stuff like that?

Korab: Yeah, sure, yes. As a cyber security professional there are definitely a few things that keep me up at night, and I'm not just talking about the endless cups of coffee. So the nature of the field means that there are always new threats and challenges that are emerging, and staying ahead of them is a constant battle. One of the biggest concerns is the sophistication of cyber attacks, because cyber criminals are getting smarter, more organized and more resourceful. We are no longer dealing with lone hackers in their basements, the script kiddies. Many attacks are carried out by highly skilled, well-funded groups, including state-sponsored actors. So the complexity and scale of these threats can be daunting. It's like playing an endless game of chess where your opponent keeps coming up with new moves you've never seen before. And yeah, another worry is the possibility of insider threat, that's a big, big threat. While we often focus on external threats, the reality is that someone within the organization can cause significant damage, either intentionally or unintentionally. So this could be due to a disgruntled employee, someone being careless with their credentials, or even someone being manipulated by external attackers. So the human factor is unpredictable and that's what makes it so challenging to manage. Also data breaches are a concern: the thought of sensitive information being compromised, whether it's personal data of our customers or proprietary business information, it's a nightmare scenario. But at the end of the day, cyber security is a field where the stakes are high and the landscape is constantly shifting, but with a strong team, continuous learning and a proactive approach we can navigate these challenges and stay one step ahead of the bad guys.

Adi: It's a cool way to put it. What do you think this field is going to look like in five years, ten years? What is going to change?

Korab: Predicting the future of cyber security is very difficult, you know. It's like trying to predict the next plot twist in a thriller novel: you know it's coming, but the details can be surprising. That said, there are a few trends and developments that we can reasonably expect to see in the next few years. For example, AI and machine learning will become even more prevalent in cyber security. These technologies have already started revolutionizing how we detect and respond to threats. In the future, AI and machine learning also will help us predict and prevent attacks with greater accuracy. Also the rise of quantum computing is going to be a game changer. While we are still a few years away from mainstream quantum computing, its development is progressing rapidly, you know. Quantum computing promises immense processing power, which could definitely challenge cyber security, you know. On the one hand it will enable us to create stronger encryption methods, but on the other hand it could potentially break the encryption standards we rely on today. So yeah, also the trends that are increasing: the importance of privacy. With more data breaches and privacy scandals, there is growing awareness and demand for stronger privacy protections, you know. Regulations like GDPR and CCPA are just the beginning, and we can expect more stringent regulations worldwide, you know, pushing organizations to adopt better data protection practices. Also internet of things, that... yeah, many, many.

Adi: Wow, so many. So how much does AI worry you today? Is it in the focus of what you think can harm the company?

Korab: No, I don't look at it that way. I see AI as an enhancer in our jobs, no? I don't see it as a replacement for humans, no, but it will enhance our jobs, definitely. I constantly use it, constantly use it, and it helps me a lot, you know, in terms of productivity and delegating some, I should say, boring stuff to the AI and focusing on more things that I see as attractive for me.

Adi: Interesting. Do you think a lot of CISOs know how to use AI to their best advantage, like really using it to help security?

Korab: When we have some gatherings and seminars and, you know, conferences, when I meet some of them I see there's a resistance in some cases. I should say most CISOs already incorporated AI in their workflow, but in some cases I see the resistance, and I don't really understand that approach.

Adi: Okay, so we've come to our last question. First of all, thank you so much, that was so interesting. I feel like you have a lot of knowledge on the different things that are happening, like a bit of everything, so it's very interesting to hear. And also it relates to the next question, which is: what would you advise someone who is getting started in security or looking to advance in the field?

Korab: One advice that I would give to anyone starting a career in cyber security is to develop a hobby or skill that has absolutely nothing to do with technology. You know, yes, right, you heard me right. Whether it's painting or playing a musical instrument or mountain biking or whatever it is, find something you enjoy that takes you completely away from screens and code and everything. Cyber security is an intense field that demands a lot of mental energy and focus. It's easy to get consumed by the constant learning, the never-ending threat landscape and the pressure to stay ahead of the cyber criminals. So having a hobby or skill that's completely unrelated to technology can provide a much needed mental break and help you recharge. For instance, I love mountain biking, and when I'm out on the trails, focusing on navigating the terrain and enjoying the natural scenery is like a mental reset. So it allows me to clear my mind, relieve stress and come back to work with a fresh perspective. Plus, mountain biking is also a lot like cyber security, because you need to stay alert, anticipate obstacles and make quick decisions, but without the risk of a data breach if you take a wrong turn.

Adi: Yeah, wow, that's a good analogy. And by the way, I don't know, this might not surprise you, but I was surprised that a lot of CISOs have these hobbies that they do, specifically even with biking. I've spoken to a few that like cycling. I mean, so yeah.

Korab: Thank you for having me here, Adi, I really enjoyed it.