Every week, Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

In our latest edition, we dive into our interview with Konrad Fellmann, VP of IT Infrastructure and CISO at Cubic Corporation. Here are the top takeaways from the interview.

#1: Assume That Your Data Is Already Out There

“It starts with our customers, right? And the contracts that we have, we review those very thoroughly with our legal team and contracts team and everybody else to make sure we're only doing what it states in that contract. We're not using that information for anything else.

“I mean, we have millions of riders going through these systems every year. I mean, every day there's millions of riders passing through. Whether you're tapping with Apple Pay or using your contactless credit card or buying a ticket or whatever it may be. The reason you're using it, you just need to get from point A to point B. You shouldn't have to worry about what information is going in the system, what's happening to it. And that's the way I look at it when we talk to our team, is we make sure that you only have the least privilege access that you need for that system.

“We do continual access reviews to make sure people only have what they need and are only doing what they're supposed to be doing. You know, looking at where our data is flowing, where it's going, making sure it's staying where it's supposed to be and not being exfiltrated, whether by a user thinking they're trying to make their own life easier or through other more malicious ways. But keeping a continual eye on that to ensure it's only staying where it's supposed to be and only being used for what it's supposed to be used for.

“Different things come into play. Encryption and hashing and everything else you could do to try and anonymize things as much as possible. But for our systems, mostly, you have to have that data so you know who the person was, charge them for where they're going. So you can't really anonymize everything. You do have to have the information so you're properly billing people and things like that.”

Actionable Takeaway: Understand that your personal data is likely already on the dark web. Protect the critical data you still control and, if managing others’ data, handle it with care and responsibility, just as if it were your own. Trust and verify who you share your data with.

#2: Build Trust Through Rigorous Data Security Measures

“I wouldn't be where I am today if all I ever did in that first job was just what the job description said. I like to get out, learn different things, figure out how different projects work or different products work, figuring out on my own how to configure that firewall or that exchange server or harden that Windows system, whatever it might be.

“I like the people that know how to Google. Google is your friend. Get out there, all you gotta do is go search. If you're somebody that gets in a rut, gets to a place that I can't figure this out, and you give up or all you do is send a bunch of questions to somebody else on the team, how do you do this, without ever trying to figure it out? That's not what I need.”

Actionable Takeaway: Customer data must be handled according to strict contractual terms. Limit access to only what's necessary, ensuring continual monitoring and encryption to secure sensitive information. This guarantees that data is used appropriately, fostering trust and compliance with privacy obligations.

#3: Embrace Curiosity in Your Career

“We're insurance, is what we are, but we're not generating revenue for the organization unless you're in a security consulting company or something like that. But here we don't generate revenue, right. We're there to provide that insurance, make the customers feel happy and comfortable, that we understand what we're doing and we're protecting that data and those environments.

“It's when folks come up and they have an issue because maybe they got blocked on the firewall with something or some email is not making it through all the security controls that they really need. It's listening to what they're saying. You might not be able to do exactly what they're asking from their request. Like, I need you to whitelist this IP address or whitelist this domain or this email address in the security tool so I get all these messages. You might not be able to do that, but you can figure out what they need and why they need it and come up with the workaround.

“Because we have to make the business successful if we're going to continue to drive revenue and do well as a company and protect our customers. So I think that's where the mindset has to be, is that we can't just block everything. We can't just not do things. We can't just implement every single security control and tool that exists or the business will come to a screeching halt and won't be productive and won't deliver on time and won't be able to meet SLAs that our customers expect. So you have to be able to be pragmatic about it, listen, understand what they're asking for and come up with that solution that helps them do what they need to do.”

Actionable Takeaway: Career growth comes from going beyond the job description. Proactively learn new skills and solve challenges independently using resources like Google. Developing a problem-solving mindset and initiative is key to standing out and advancing in your career.

Listen to full episodes out now on Apple Podcasts, Spotify and YouTube.

For more information about Ahead of the Breach, please visit www.sprocketsecurity.com/aob-podcast. Episodes are available on all major podcast platforms.

We look forward to bringing you more conversations with actionable insights that help in your pursuit to protect your most valuable assets — and help clients do the same!