Q & A on Cyber Risks and Rethinking Software Production
Discussing Splashtop' Security Advisory Council, Cyber Risks and Rethinking Software Production with Cybersecurity Expert Sebastian Goodwin
By Mark Lee, CEO, and Co-Founder, Splashtop
Splashtop recently made public an addition to our Security Advisory Council, which we announced in December 2020: Sebastian Goodwin. Sebastian is a cybersecurity researcher, keynote speaker, corporate advisor, adjunct professor at UC Berkeley’s School of Information, and Chief Information Security Officer (CISO) at Nutanix. He has more than 20 years of experience helping Global 2000 companies to manage cyber risk at scale.
Sebastian recently talked with Splashtop CEO Mark Lee about the reasons he joined the Splashtop Security Advisory Council, why he’s passionate about security issues, and how he sees the security landscape unfolding in this era of increased ransomware attacks and other cybersecurity threats.
Mark Lee: Sebastian, we’re so pleased you’re part of our Security Advisory Council. I believe you first found out about Splashtop through one of our investors, correct?
Sebastian Goodwin: Yes, that’s right. He knew about my background and that Splashtop was looking for security advisors, so it made sense to bring us together.
Mark: You have tremendous professional experience in cybersecurity, with your current roles as CISO at Nutanix and board member of SADA, a Google Cloud Premier Partner and solutions provider, as well as your past security-related leadership positions at Palo Alto Networks, Robert Half, PeopleSoft, and IBM, among others. You have a bird’s-eye view of how companies address cyber risk. In general, how well do you think organizations are approaching security these days?
Sebastian: Businesses today face unprecedented cybersecurity risks. As recent news reports have highlighted, ransomware is a huge threat. Attackers have realized that they can gain leverage by attacking software that’s widely used across different industries and markets. Companies need to rethink how they produce software to better maintain security and retain customers’ trust.
Mark: Can you say more about how companies need to “rethink” how they produce software?
Sebastian: Sure. Rethinking means finding the right balance along the spectrum between security at one end and business agility at the other. Investing heavily on rapidly delivering new products and features to customers can mean less to invest in security. But investing in security takes time and can decrease agility and the ability to remain competitive.
The key is to find the right spot along the spectrum where you’re able to serve your customers with the improved products and features they demand, while at the same time making your products as secure as possible.
Mark: Customers have come to expect that they’ll get the latest and greatest features, fast—but they might not be aware of the risks of using software that hasn’t been thoroughly vetted. Do you see that changing?
Sebastian: It’s all part of a larger shift in awareness of cyber risks. Clearly, any company or individual that has experienced an attack first-hand understands the importance of good cybersecurity practices, even if they come to that realization too late to be spared the impact of an attack. Those who haven’t yet experienced a cyber attack fall into one of two categories: Either they’re committed to proactively protecting themselves and their companies, or they’re making themselves an easy target. An attack can cost them their business.
Mark: What are some things that software companies like ours can do to help protect our customers from becoming cybersecurity victims?
Sebastian: It starts with being very thoughtful about security, and designing software products that are secure by default. For instance, make two-factor authentication a default for authenticating to your services over public networks.
Adopt a zero trust posture, which means not trusting anyone or anything. Assume that everything will be breached eventually, and work to limit your blast radius—the security industry term that describes how far a given attack ripples out. As an example, make it so that if one user on a network has a compromised device, the malware can’t spread beyond that user to infect any other devices on the network.
Mark: You’re committed to teaching companies how to improve their cybersecurity practices. Can you talk a bit about that aspect of your work?
Sebastian: I think it’s crucial that organizations be able to effectively measure and manage their cyber risk so they can proactively protect their business. One way I help is as an independent cybersecurity speaker and advisor to CEOs and boards. Serving on your Security Advisory Council is an example of this role. I also teach a graduate-level course that I created for UC Berkeley, where I help future technology and business leaders become more adept in assessing and managing cyber risks from both the executive and board levels.
Mark: You’re clearly passionate about managing cyber risks. Where does that passion come from?
Sebastian: Well, I’ve been interested in computers for as long as I remember. I taught myself programming when I was pretty young, during the days of 2400-baud modems and the dawn of the worldwide web. I’ve always been fascinated by hackers and the creativity and skill involved in hacking. Think about it. You have to first deeply understand how a system has been built to work in a certain way, and then you have to figure out ways to make that system do things it was not designed to do.
It is a fascinating puzzle and a challenge. One funny story: In high school I was almost expelled when I was able to bypass the computer department’s newly deployed full-disk encryption software. The only thing that saved me was that one of my teachers had casually issued a challenge to “any student who could hack the unbreakable encryption.” Thankfully, I escaped expulsion.
Mark: We’re glad you decided to keep working to prevent attacks rather than joining the dark side of harmful hacking!
Sebastian: Me too! But I think having appreciation for the skill level of hackers is important. When I hire security people for my teams, I make sure that they understand the full technology stack. A recent college grad who is great at writing code requires lots of training to get to the point where they can comprehend all the ways that the software they’re building can be circumvented. It is an endless challenge, but it’s also endlessly fascinating.
Mark: Thanks so much for this conversation, Sebastian. And thank you for joining our Security Advisory Council to help Splashtop continually improve the security of the products we deliver.
Sebastian: I appreciate Splashtop’s security attitude. Like my current company, Nutanix, Splashtop is committed to looking ahead and being proactive about security risks. That’s the only responsible starting point for figuring out how to build the most secure solutions for our customers.