Using Cybersecurity to Uncover Business Blind Spots With Bindu Sundaresan

Protecting billions of dollars of transactions, along with the terabytes of data flowing over an ocean of seemingly endlessly connected devices, is another day on the job for Bindu Sundaresan, Director of AT&T Cybersecurity. Whether working with small manufacturers or developing enterprise strategies, Bindu joined the Left to Our Own Devices podcast to explore a sector that is fresh, always exciting, never mundane: cybersecurity.

How an unforeseen security blindspot illuminated her path

Shortly after taking up electrical engineering, Bindu discovered her knack for the newly emerging field of network and data security and took on a project to break down and digest large pools of data surrounding criminal justice in New York.

She was shocked to realize that her project, which potentially included personally identifiable information, lacked proper security. Her work was so focused on analyzing and transmitting data that she hadn’t put in the time needed to secure it. This was a time before security by design, when compliance surrounding these things was still not fully matured.

She has carried this reminder through her career as she helps organizations shift the way they see and manage security.

“Fundamentally, this is a human safety challenge. It’s a risk management challenge. It’s not just an IT problem that’s left for somebody to solve,” said Sundaresan. Cybersecurity is “applicable to all types of industries, to all types of customers, and it is relevant for the bottom line. IT is not a nice to have, it’s a must have.”

Cybersecurity as a safety issue

CPSOs and CISOs struggle to make a case for greater funding, since no news is good news from the cybersecurity department. However, when looking at mission-critical systems, a breach IS a safety issue, so we need to move the mindset away from a ‘tech issue’ for IT to figure out and towards a piece of proper product functionality. 

“Initially when we talk about cybersecurity, we would always have to talk about the ROI associated with it,” said Bindu. “If you think about it, as long as everything is going right, nobody’s talking about a security program, but the moment a breach happens, there is that race. A level of visibility has been exposed and suddenly it’s that security team’s problem.”

At the same time, careers are on the line since this is one of the rare instances where we actually flaunt and publicly criticize the victim instead of going after the perpetrator. It makes departments think twice when answering questions to the executive board, such as:

  • What is the ROI?
  • What will happen if we don’t invest?
  • How will we measure success? 

These questions must be answered delicately and in line with business needs, because without a breach no attention is paid. When a breach occurs, there will be some explaining to do.

Cybersecurity as a driver for growth

With the prevalence of cyber attacks, as well as the revenue loss that comes with them, cybersecurity has moved into the spotlight. This opens the door to important conversations about how cybersecurity is a built-in part of the product, not an afterthought or inconvenient expense.

After all, it has been part of everything we do since the early days of COVID-19. Paying bills, purchasing personal items, and even tracking our health online is a given, and that’s exciting.

Since then, we’ve gone deeper and deeper into an exciting world of securing entire supply chains. This includes software developers, software suppliers, network security, architecture security, and even protecting the devices that run the programs. However, securing them doesn’t necessarily demand a whole new approach to security. It requires us to take the knowledge we have and apply it in a way that fits both the asset and the business.

“There are certain companies that are focused on innovation. There are certain companies that are risk averse. There are folks that view security as a checkbox exercise,” said Bindu. “I equate it to medicine where all our bodies are similar, yet different.” While much of the field involves continuously addressing the same challenges, it is never monotonous. Everyone is very much the same and everyone is very much different.

For example, a network operator like AT&T manages the movement of terabytes of data at a time. This demanded that Bindu and her team be able to go through large swaths of data to understand patterns and test them in real time, allowing customers to remain secure. At the same time, other needs arise surrounding how data is managed and what devices can be trusted to begin with, all with limited resources.

Unexpected events require a plan

No one is surprised to hear the line “it’s not if an attack occurs, but when.” While that may feel like an overused line to some, it’s important to know that an attempt will be made, most likely in the near future.

“It’s going to happen,” said Bindu. “When it does happen, all this planning that you’ve done, where you’ve done your tabletop, where you’ve reviewed your plan, where you’ve done the foundational fundamental elements of vulnerability management, patch management, making sure that you’ve tested your plan, is going to go into action.”

The ability to include all relevant teams, from HR to legal and procurement, cuts down response times and gets the organization back on track with minimal damage.

From medium-sized manufacturing to large-scale healthcare enterprises, they all need a different type of cybersecurity setup, but they have a common business-driven outcome.

So, when asked about resilience and identifying where vulnerabilities are most likely to be found, it became clear that much of the trouble doesn’t come only from zero days, but also from publicly known vulnerabilities that were never addressed. At some point throughout production, whether in development, testing, or another stage, security by design was not taken into account and the vulnerability was kicked down the road. Even worse, there is no accountability to understand who slipped up and failed to implement proper security procedures.

Who’s responsible for cyber hygiene?

Key questions raised in the interview were “Is it the user’s job to make sure it is fixed? How about OT and visibility issues?”

With all the rush to get a product out the door and to market, each touchpoint along the value chain must also update its software bill of materials (SBOM) so each person can understand software components, architecture, and dependencies, and begin to understand the full vulnerability landscape.

“We can’t hide behind contracts or check boxes when it comes to third-party risk management,” said Bindu. Everyone is thinking that they want to shift-left their security to the point of it going out the door to the supply chain. Unfortunately, that requires us to still review SBOMs and check that safety is up to internal standards.

With all of Bindu Sundaresan’s experience and her understanding of the way various organizations function, there is one takeaway that is critical in understanding how we protect ourselves. “Most of the breached organizations that I have worked with don’t have a lack of tools,” she said. However, having unutilized tools comes with its own risk.

“So you have tools, but you are not actively monitoring or doing anything with the data. Or you’ll have tools that don’t feed data to give you an integrated risk view. You’ll have logs that don’t feed into the SIEM. You’ll have alerts from the SIEM that are not actionable.”

Having systems that lack visibility into their cybersecurity posture, software versioning, and patching status is a recipe for disaster. Hackers are not only clicking on the things you patched. They will check all assets, backups, hidden links, and others. 

“Make sure you test your backups. Make sure you have a vulnerability management program in place. At least get an annual penetration testing done across the full organization and don’t skimp on the scope.”
