Cyber Defense: Siroui Mushegian of Barracuda Networks on the 5 Things Every American Business…

Cyber Defense: Siroui Mushegian of Barracuda Networks on the 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Prioritize your incident response plan. In other words, get very comfortable with the HOW of getting through an incident. Run tabletop exercises with all key stakeholders and leaders, and make sure everyone knows what part they may plan when an incident is in full swing. Pick a scenario that represents a real-world possibility, such as an account takeover where data might be compromised. Make sure every area is represented, and run through the mock incident all the way to resolution.

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack,” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us. As a part of this series, I had the pleasure of interviewing Siroui Mushegian.

Siroui Mushegian is Chief Information Officer (CIO) at Barracuda Networks. Siroui joined Barracuda most recently from BlackLine, where she was responsible for all aspects of BlackLine’s internal corporate IT. Before BlackLine, she held executive IT leadership roles at PBS’s WNET New York Public Media, the National Basketball Association (NBA), Ralph Lauren, and Time Inc. Bringing more than 20 years of executive and IT leadership experience, Siroui has successfully built strong operational environments that eliminate technology silos, elevated the maturity and impact of technology within her enterprises and delivered measurable and scalable business outcomes.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Thank you for having me. I grew up in a fairly traditional home, the product of parents who valued education and intellectual curiosity. They also taught me to appreciate hard work, and while I always thought I would follow in my father’s footsteps with a career in finance, technology proved to be my calling when I found myself working for a small French software company in Manhattan. From there, I worked my way through several notable companies, including Time Inc., Ralph Lauren, and the NBA on my journey to Barracuda.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

The first time I noted information security was during my time at Time Inc. The Sarbanes Oxley (SOX) Act had just become part of my vernacular, and I was fascinated by the stewardship it enforced. One early event stands out for me as a pivotal point in my interest in cybersecurity. When I worked at the NBA, we hosted tabletop exercises for all of our major events — especially the All-Star Game. We would gather key stakeholders and representatives from across the event — the person who ran the center-hung scoreboard, the physical security team, members of our infrastructure teams, arena operators, and more — to run through a potential incident, such as the technology supporting the arena getting compromised or bad actors taking over the graphics displays in the arena and posting concerning messages. We looked at various worst-case scenarios and their potential impact, and no detail was too small. It’s a critical exercise that every organization should practice improving their incident response readiness.

Can you share the most interesting story that happened to you since you began this fascinating career?

I worked for Time Inc. (the magazine division of Time Warner at that time) during several pivotal periods in U.S. history, including 9/11. I always felt a real sense of pride for the editorial content we produced and the part I played in supporting that. It was during 9/11 where I observed some of the most heroic displays of editorial ingenuity. Knowing that technology was at the heart of supporting teams covering the tragic events helped me realize that every aspect of my job could be tied to the successful release of our magazines or updates to our websites.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

1. Honesty, first and foremost. I learned early on in my career that accepting responsibility for an error, no matter how big or small is actually an opportunity to build trust and closeness. One funny story comes to mind. Way back in the day, I was responsible for managing the distribution lists and sending corporate notifications for our corporate communications department. This was before distribution list automation and other advancements. I had to send outage notifications to a 15,000-person workforce, and I accidentally left some of the draft elements in the email that was sent company-wide — when you work with some of the brightest editorial minds, this kind of mistake is pretty embarrassing. I immediately emailed my boss and our CIO letting them know I was aware of the mistake, signing the note, “Yours in perfection, Siroui.” Everyone laughed, and I was able to make a stronger connection with those around me.
2. Dedication is next on the list. Dedication is a trait your teams can easily see. It’s a way to let those around you know that you can be relied upon in all circumstances. I recall a time in my career where we had to patch thousands of our point-of-sale systems, and some of the systems were not accepting the updates. This was during a part of the year when audits were about to be performed, and patch management was high up on the list of audit controls. Some of the readers might know how time-consuming it can be to resolve a patch issue when you have to review these problems system by system. We had some tight deadlines, but we worked together, making sure to follow the project through to the end, sitting side-by-side with the teams who were working around the clock. It was a ton of effort, but it brought us much closer as a team.
3. Courage rounds out my top three leadership traits that have been instrumental in my success. Making a tough decision can be pivotal to the way others see you in a corporate setting — actually, in all settings. Tough decisions can be unpopular, but they are necessary and take bravery and courage. I remember a specific time when a large, cross-departmental team I had been leading had spent over two years on a project. At the end of the two years, the project had become too expensive to continue without putting other systems and budgets at risk. Ultimately, I decided to stop the project in favor of moving on to higher-value work. It was a difficult decision to make given the time and effort of many, but it was the right one in the end.

Are you working on any exciting new projects now? How do you think that will help people?

Yes, many. In my current role at Barracuda, we have several exciting new projects in the works right now spanning everything from cybersecurity and business systems to data and business intelligence (BI). With regard to cyber initiatives, we are working on a layered defense posture involving our own products — these implementations will serve to provide greater protection and cybersecurity posture. Regarding our projects for business systems and data/BI, we’re advancing initiatives that will help strengthen our sales processes as well as the data we will use to make thoughtful business decisions.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of cybersecurity?

I have spent more than 25 years working in and around cybersecurity, way back when it was only referred to as information security. Working at a publicly traded company when SOX controls were first introduced was the foundation upon which my cybersecurity expertise was formed. During that time, I also worked with and around the teams who were focused on implementing the processes, tools, and infrastructure to protect our company. The rigor we used back in the early aughts was exemplary, even as a comparison to proper security measures that are benchmarked in today’s cybersecurity landscape. From those days to now, I have applied new knowledge and developed expertise over time in the myriad industries I’ve worked in.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page, let’s begin with some simple definitions. Can you tell our readers about the different forms of cyberattacks that we need to be cognizant of?

There are many types and forms of cyberattacks. I urge the readers of this interview to subscribe to topical and relevant blogs and news outlets to stay abreast of the latest news — the Barracuda Blog is great!

Here are a few threat types that everyone should know:

• Ransomware: A malicious form of software. Ransomware is built to extort money from its victims by blocking access to files or to a computer system until a ransom is paid within a given timeframe. The most troubling part is that paying the ransom does not guarantee that the files will be returned.
• Malware: A general system-penetrating software designed to gain unauthorized access to a computer.
• Social engineering: A tactic used to persuade users to reveal critical information, such as financial logins or personal data. Social engineering is often used in coordination with another attack method to increase its efficacy.
• Phishing: The practice of creating false emails or websites so that they appear legitimate to unsuspecting users. The goal is to steal important information like credit card numbers or login information.

Who has to be most concerned about a cyberattack? Is it primarily businesses or even private individuals?

Every single person at work and home needs to be aware of cyberattacks. Sure, the attacks that happen in businesses are largely the ones that are written about in news articles, but private individuals are also prime targets for cyber attackers. It is everyone’s responsibility to maintain vigilance whether they are protecting their personal identity and data or if they are at work. Every place a person operates can be at risk — we must maintain awareness everywhere, every day.

Who should be called first after one is aware that they are the victim of a cyberattack? The local police? The FBI? A cybersecurity expert?

The answer is that it depends. If you are at work, contact your IT department immediately. If you are operating in your private life and you believe you are the victim of an attack, note the point of breach. If you have compromised your bank account, contact your bank or credit card issuer immediately. It would be helpful for private individuals to exercise additional precaution by enrolling in credit protection and monitoring services. When you have those services, you can also reach out to them if you find yourself in the midst of a cyberattack.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

This is a great question because mitigating these common mistakes is fairly easy to do. Common mistakes include allowing easy passwords, not using two-factor authentication, sharing passwords, not having strong physical security protecting office data closets and main office entry points, not having a strong employee training program, not using a strong spam filter or other email protection tools, and misconfiguring firewalls, to name a few.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Enable the strongest cybersecurity program you can, given your resources, is the most important step in incident prevention. Cybersecurity frameworks and recommendations can be easily found on various government websites such as NIST.gov in the U.S. and many other sites globally. Leverage these free tools to help prioritize and protect what is most important for your business. Make sure you have an incident response plan documented and refreshed regularly, and practice tabletop exercises as often as you can — I would recommend at least once per year, but quarterly would be even better. The truth is that you never know when you will be the victim of an attack, but you can control how you react to, respond to, and remediate the incident.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

It’s everyone’s responsibility to stay cyber-aware. As a business leader, maintaining awareness of cybersecurity vernacular, trends, breaches, and having a general sense of your enterprise’s cybersecurity posture is super important. Doing this will help when it comes time to deal with an attack and possible breach. In my experience, I have worked with leaders who understand general cybersecurity concepts and some who have little comprehension. Trying to educate executives and leaders during an incident can take time away from response and resolution.

Speaking of cybersecurity posture, it’s also important for business leaders to understand where the gaps in their plan exist. If your company is in need of certain tools or staff, make a plan to support a larger cybersecurity budget. If you are a smaller company, maybe you don’t want to hire a full-time cyber team, but then make sure to allocate budget to onboard a third party as a fractional CISO or a managed security service provider to help oversee your company’s cyber program.

Prioritize your incident response plan. In other words, get very comfortable with the HOW of getting through an incident. Run tabletop exercises with all key stakeholders and leaders, and make sure everyone knows what part they may plan when an incident is in full swing. Pick a scenario that represents a real-world possibility, such as an account takeover where data might be compromised. Make sure every area is represented, and run through the mock incident all the way to resolution. As I mentioned earlier, these exercises are quite eye-opening and can help surface gaps in your capability to withstand a breach.

Business continuity and disaster recovery planning may be a mouthful to say, but without it you leave your company at risk for incident recovery. It’s one thing to run through a tabletop exercise, and another to have plans in place to restore systems when the time comes. If a tabletop exercise is the belt, a solid business continuity and disaster recovery plan is the suspenders. Developing these plans takes effort and time, but the result is having documented, systematic approaches to bringing data and systems back to operational levels if they are compromised in any way.

Maintain proper vendor supply chain risk management. This includes a strong vendor review and onboarding program. Without this, your employees may decide to procure tools and apps that are unvetted and unknown to the IT team. Allowing any app in your environment will greatly increase your attack surface, especially since many of these apps integrate to other critical systems like your enterprise resource planning or customer relationship management tools, for example. If these unknown apps are not secured or managed, you have no control over their use or the data that may be stored in them, and you will not be able to reclaim accounts when employees leave your company. It may seem like a chore to inventory these tools, but you can’t protect what you don’t know.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂

What an awesome question! I would love to inspire a gratefulness movement. We all have different means, but the world we live in is awesome and there is so much to be grateful for. Even the tiny elements of one’s life can be something to be grateful for. Our friends, family, a green blade of grass, the air we breathe, a blue sky, a good book, even a good problem to solve. I believe if we spent more time being grateful and less time in frustration, the world would be a much kinder place.

How can our readers further follow your work online?

Please feel free to follow me on LinkedIn at https://www.linkedin.com/in/siroui-mushegian/ and subscribe to the Barracuda blog for the latest cybersecurity news and threat intelligence.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

Cyber Defense: Siroui Mushegian of Barracuda Networks on the 5 Things Every American Business… was originally published in Authority Magazine on Medium, where people are continuing the conversation by highlighting and responding to this story.