Raj Samani CTO EMEA Intel Security Exclusive Interview
Date: 2 February 2017
Cyber Management Alliance's CEO, Amar SIngh, exclusively interviews Raj Samani, CTO EMEA at Intel Security.
Amar Singh: Welcome to Insights with Cyber Leaders. I'm joined today by Raj Samani - Raj, thank you. Raj is the CTO of Intel security EMEA and a special advisor to the European Cybercrime Centre. Raj, thank you for joining me.
Raj Samani: Hey, not a problem.
Amar Singh: What do you, Raj, at the European Cybercrime Centre; bit more of what the job entails?
Raj Samani: Well, actually, it's an advisory role that I have but the European Cybercrime Centre is actually part of Europol, which is obviously the... I guess you would call it the liaison sort of the Centre for the twenty-eight member states but EC, the European Cybercrime Centre itself actually has within that the the JCAT - Joint Cybercrime Action Task Force. So, you actually have got agencies from all across the world coming in and really I think the intent is to try to have a degree of collaboration between agencies, and one of the things that I'm a really big believer in is public-private partnerships because I don't think we're ever going to combat cybercrime by working independently of one another. For example, I'm not going to get a badge and break doors down. So, really, the role is to provide advisory in terms of what we're seeing, but also where we can support operations as well; and you know, over the last couple of months you've seen a lot of operations which is to lead to the takedown of criminal infrastructure. Many of which, actually, we've had a sort of key part in supporting law enforcement with.
Amar Singh: Excellent. You're also the CTO of Intel EMEA and a lot of years came to understand, myself, too, is how do you... where have you started from and can you give a bit of insight into how you started, and how you got to the current position?
Raj Samani: Yeah. I mean it's a strange one because I think there really isn't a kind of career path forward for the role; I mean I've had, quite sadly, I've actually I'm just interested in. I love technology; I love security and I finished my Masters and, don't laugh, but it's thirty-five professional exams. You know, everything from sort of RSA, Checkpoint, Microsoft and so forth. My CCNA. I bought a Cisco 2500 router; it was real soon after I got married. You know, we barely went out; I would want to go out and I'd be like, no, I'm still studying, I'm still trying to learn things and I guess you know that passion for information is kind of still stays with me. And I haven't really applied for any particular jobs; I mean I was a CISO before this particular role and again, I got that role because of the work that I put say and I'm probably the worst person actually, not the worst person of playing politics, I think you are... But the how is the here, but there hasn't been a kind of ok, you know what, I'm going to apply for the CISO gigs or apply for the CTO. Gigs, it was kind of, I guess, just opportunities present themselves and I kind of cross from those opportunities but yeah, I've always been focused on getting more information, trying to learn more, trying to better myself and I think, I hope, I'd like to think that that sort of hard work has paid off.
Amar Singh: So, a key thing that comes out of here is passion and hunger for information, hunger for knowledge.
Raj Samani: It is, and I guess an inquisitive mind, and I mean, when we read about major breaches my first question is, well, how do they get in? What do they do? Who was it? What are they doing with the data? And the great thing actually about working in this company is, actually, we've got access to every organisation on the planet because everyone is an Intel customer, everybody... I mean peope say to me who are your customers and I go everyone, and I think that's the great thing is that it's such a big company that it's like... For example, we're doing some stuff in automotive and the guys are like, well, you know what we want to, we want to see whether we've got this, actually, we've got an idea whereby we can put separation between the informatics and the telematics system. So, we need to get access to a car where we can make a telephone call from one of the largest manufacturers, and say we need a car and we can do that, I couldn't do that in my last job. You know? And I couldn't do that before. And so, I think that's really what this company and what this job is, about being a CTO. Gives you a platform but that's all it does, it just gives you a platform. What you do with that platform after that is really down here.
Amar Singh: Again, one of the many questions many of the viewers are interested in is if someone is sitting in front of you for an interview, you know, what are you looking for in the interview? What key personality traits or technical trades, you know, who would you hire?
Raj Samani: Yeah, it's a difficult question to answer because I think people expect me to say I'm looking for a person with this hard skill or this hard skill, or this particular certification or this particular standard. But I don't particularly care about any of that. You know, for me, the most important thing is that you've got to love what you're doing. I mean I'm expecting people to write blogs at eight o'clock in the evening; I'm expecting people to continue to do research over the weekends. You know, I spend time with the family. Absolutely. Any spare moment you have I'm expecting you to read that stuff because... Not because I expect you to do that, because you love it, because it's what I do, and I think people probably know this story but... We went to Legoland and I slept on the world's hardest bed but, so, I woke up at three in the morning and I checked my phone, and actually the story about Carbanak had just be broken. And so I spent, I think, like three in the morning, I was sitting there reading and perusing all of the information about this because that's what I wanted to do. And they say that you attract people similar to yourself in life. Right. So, our social networks are derived not a physical proximity but by people which we share common interests. And that's really what we're looking for when you go into a team. You're looking for somebody who has the same passion as you, somebody that has not the same outlook as you, may have a different opinion, but somebody that shares the same passion. I think this is... that is absolutely key and really you have to do that because I don't think there is an industry which moves as fast paced as the industry that we're in.
Amar Singh: Very much. You touched on certifications and I know what are going to say, but I'm going to still ask you. We've been discussing, obviously before, that there are so many certifications today; when you and I started off in our career, there were very limited certifications...
Raj Samani: There was, like one wasn't there...
Amar Singh: - But today there are so many certifications out there. What, and I keep getting asked the same question, I'm sure you do... What is the right certification to do? What are your thoughts on that?
Raj Samani: You know, I've used certifications but I've used them for actually two reasons. When I first started in the industry, I used certifications as a framework to learn more. So, for example, I wanted to learn about how to configure routers, for example. Well, I can buy a router and play around but, actually, it doesn't give me the structured framework and the logical framework for me to be able to learn. So, what I did was I got a router, I got some books, I self-taught myself and all of a sudden, I now know how to do this. You know, the ethical hacking is another example, right, or specific operating systems. And all of these various different certifications I used as a vehicle to improve my own knowledge and then I had an arbitrary certification to be able to validate or baseline my knowledge. So, I said, okay, this is the level that I know. And for me, that was incredibly powerful, incredibly useful. Now, did the certifications help me get a job? I think, maybe, probably one... one occasion they did but I think if certifications are being used to further one's own knowledge, then I think it's a fantastic thing to do. But then, you have the other side whereby you've got these brain dumps and you've got these people who may memorise that, and I often question, well, actually, what is the purpose of somebody doing a certification? Is it to further your knowledge? Then great. Or is it solely meant as a kind of arbitrary mark to determine your capability for a specific job, then I wouldn't call it particularly useful.
Amar Singh: On that note, I remember, I just remember interviewing a CCIE who had a CCIE - CISCO certified, just for the viewers.
Raj Samani: Yeah, the 'big one'.
Amar Singh: The 'big one'. And this gentleman did not know the difference between RFC 1918.
Raj Sumani: Oh, you mean the private addressing...
Amar Singh: Private address and public Internet address.
Raj Samani: Which is what? 10.X 172.16.X?
Amar Singh: Excellent, that's a pass.
Raj Samani: I passed.
Amar Singh: But it's interesting you mention that because this gentleman was a CCIE, but he did not know. And that was the time I said to myself I got worried about what's happening in the market.
Raj Samani: Yeah, but I mean I've always learnt not to judge people by my standards. So, you and I may see that it's unacceptable but by his standards that's acceptable. So, we just have to say, and I think that's what we have to do, is when we're hiring people we have to say, well, okay, we have to get to the nub of it. So, is that somebody that I would hire in my team? Probably not. Maybe, maybe I would, maybe there's other personality traits, but that's not the person I would... It's up to us to try to determine that type of person. I know so many people that have zero certifications; I mean, there's... I don't know if you know Lee Munson, actually; I really liked Lee and Lee was working in retail for supermarket, actually, and I was trying to get him into my team because he had a passion and a desire, and he had a hunger to work in the industry, and he wanted to learn, he wanted to know more and aside from the fact he was a Liverpool fan, he would have been perfect.
Amar Singh: But it goes back to this theme that you're talking about, and I strongly believe in also, is that if you don't have the passion then you may as not well be doing. You shouldn't be doing the job, especially today.
Raj Samani: It's a hard job. It's a really hard job. You know, I've been a CISO, you've been a CISO and that's a tough, that's a tough gig. I set myself a target and I used to do set career goals, and I said I want to be a CISO by the time I'm forty, and I think I was thirty-two when I did it and I remember getting the job and I thought, "That's it, I've made it." I think I might have even said to my wife, "That's it, I've made it," and three weeks later I turned around and I went, "Seriously, is this it?" I mean, you don't have the seniority within the business that you need and you can never answer one question.
Amar Singh: So, for the CISOs, is it a binary question?
Raj Samani: That's what the business wants to know. The business wants to know are we secure? Are we going to get hacked? Do I need to start brushing up my LinkedIn, right? The CEO wants to know that, and in security you can never answer that question.
Amar Singh: There is no yes or no.
Raj Samani: There is no yes or no. Every... You know, Brian? Brian's a good friend and we always laugh because the default answer to any question is, "Well, maybe," or "Tt depends," and it's such a difficult role because things can change in a heartbeat. I mean, all of a sudden you're kind of plodding along fairly happy and then, for some reason, the business makes an announcement and then you get the world's hacktivists at your door trying to break into your organisation. And who is the person that's held responsible for the lack of funding within the year in an organisation? The person that was asking for the budget. Well, that's not fair. You know, that's an unfair society. So, I've always said that as a CISO, it's career or so over because I mean, that three envelope story right?
Amar Singh: I know, yeah.
Raj Samani: You kind of walk in with this target on your back and you go well, okay, I got two to three years and then you move on and actually, I think that's... I think it's a very difficult job and I think it's a very difficult industry because things are changing all of the time, and a great example was we just did the 2016 threat predictions and I remember finishing it up; it was October, November when we wrote it and I wrote about critical infrastructure - I've written about five books now on the subject - and I said the vulnerability for critical infrastructure exists but the probability of attack is low because we've only got two known examples of cyber physical damage which was Iran 2010 in the steel mill, and we don't know enough about the steel mill to really talk about what happened. And then what happens on the 23rd of December? There was an attack on the Ukrainian grid, believed to be cyber related, and all of a sudden, literally a week after that attack, my predictions come out and I'm like alright... It was outright; I still stand by what I said. But that's just an example of the environment that we move in and it's that it's quick, and then that's the threats, but then you've got the business changing all of the time. I mean, you remember the Jericho guys, right? The Jericho guys came out and said perimeters are dead and it's all going to be, it's going to be sort of specific host out there. And everyone went no, no that's crazy. Where we now? They were right, by the way. Well done, guys.
Amar Singh: For the CISO, and I mean for anybody today, if there is no right answer - which both you and I agree - and you can all say yes or you can all say no, and both ways you're on the losing end of it; and as much as I know Brian also, you know, we all say maybe... How do you go to the business and then demonstrate and say that actually, someone is doing a good job?
Raj Samani: You know I was a big fan of when the Cabinet Office published the data handling review. They came up with the concept of a SIRO, Senior Information Risk Owner, and basically they said this person should be on the Board, preferably a CIO, and we've been taught this from day one. What is it controlling? One for the ISO £27,000, which is get buy-in from the business; welll that's fundamentally what this is. This is not a risk that is owned or born by the CISO, the risk is owned and born by the business and if the business is happy to go with something that is deemed as risky, then the business should hold themselves accountable for that. And so, I think there has to be this kind of mindset which is the CISO, yes, is a function of the business, but actually it's a consulting function of the business and will consultant and advise the business on what should or shouldn't happen; but ultimately, the acceptance of any particular risk needs to be born by the business. If you ever get a chance, have a look at the video that Jared Malik did on accepting the risk. He did a very amusing video with regards to it but there isn't, there is nothing particularly wrong with accepting risk. You know, if the risk has been considered, the due diligence has been undertaken and you can state why you're doing something and it's tolerated, it's a tolerable risk level, then there's nothing wrong with that.
Amar Singh: I mean, on that note, I'm sure you've met people - a lot of my headache - is a lot of the time you never... people don't understand risk and many times people sign-off on the risk way above their pay grade.
Raj Samani: Yeah, but that's up to the business to put in. Yeah, but I think it's... and I think if you look at the cabin office's advice, you have information asset owners. Those Information Asset owners are the people who are determined to have, who are owning that particular risk for particular environment. So, if you have an HR system about to go live and these are all of the associated risks with that, then the IAO may well be hearing from HR director. But the HR director is not going to understand SQL injection, for example. So, that's why the CISO needs to come in and say well, actually, these are the issues that that would occur and this is what I would recommend doing; this is the cost to implement a solution to mitigate that risk but ultimately it's your decision.
Amar Singh: And here's the impact if we don't.
Raj Samani: Yeah, well, and that's a funny thing. We never talk about the concept of impact because we talked about an ISP, for example, just recently having lost X number of customers. We never talk about what is the impact of a breach because an impact of a breach could well be loss of jobs, the loss of reinvestment into R&D. What we always focus on is which country did it? Which country did it?
Amar Singh: Who was the attacker?
Raj Samani: And that's, that's really hard to answer. I mean, trying to determine motivation, it's near upon impossible in a forensic investigation. You have to get that person, put those lights on, shine in their face and then try to interview people.
Amar Singh: It's fascinating you mention that because people are spending too much time on attribution.
Raj Samani: Because it's sexy, right? It sells because...
Amar Singh: I want to know who did it rather than I want to know what's the impact of brand reputation, damage to loss of customers, the recent attacks we have seen... We were just discussing, without taking the name of the company, a massive drop in profits, loss of customers. But they still want to know who did it.
Raj Samani: Well, I mean, we know it was a 15 year old...
Amar Singh: In this case we know it was a 15 year old...
Raj Samani: Yeah, but that's what this is about. What happens when your customers lose trust in you? What is the impact to your business? And it's a very difficult question to answer. And I think the other thing that we haven't really addressed is what about the intangibles? What happens if your intellectual property is stolen and somebody else gets to market before you? What is the lost opportunity for you as a business? It's a very difficult question to answer which is why I say I genuinely believe that we are doing an incredibly difficult job in an environment which is moving and changing all of the time, with threat actors who are making hundreds of millions of dollars. I mean, we did the research into cryptowall, for example, version 3, and analysis into Bitcoin wallets suggest that they made $325million.
Amar Singh: Lets repeat that again - Cryptowall 3, that made $325million with that one particular ransomware. What can you say? On impact, if I may just... What worries you into the future? I mean now, yes, we've had three instances of cyber...
Raj Samani: I mean, are you asking me as a professional or as personally? Because I think they differ.
Amar Singh: Let's hear both, if you don't mind. So, just a recap, we've talked about three physical cyber, impacting physical, Iran, Ukraine.
Raj Samani: I think, well, I guess I'll try to answer both of them, both professionally and personally. But every single thing is connected and we're moving headlong, head first into this world of every single thing connected all of the time, collecting data about each and every single one of us and are bad guys the ones I worry about? To an extent, are people worried about nation state issues? Well, I mean, of course, to an extent. But we're giving away our data to companies and we just clicking away our lives. I mean, you saw the research into smart watches. I think there was an analysis to determine that majority of smart watches on the market are sending data out in the clear, or there are no levels of control there. Well, that's the world that we're moving into. We've already seen imbedded medical devices having vulnerabilities associated with them. What about my car? What about my... And all of a sudden we're moving into this world where everything is connected all of the time. We're clicking away every part of our lives and what we give away is buried into a Terms of Service, and now it's determined as explicit consent but explicit consent buried into a Terms of Service is not informed consent. And we have no transparency about what happens to any of our data. I mean, I see your phone there. How many apps do you have?
Amar Singh: Too many.
Raj Samani: Okay, but of any one of those apps can you tell me what data it collects?
Amar Singh: Some of them, yes, but most of them I have no clue and I think as you rightly point out...
Raj Samani: Okay, so you pick out an app that you know, where does it send the data? How does it send the data? Can you tell me who they share that data with? Any one of the apps. You can't. And yet you're a security professional, I'm a security professional and we've installed software that's given access into our digital life, right? So, you might be doing online banking on there, you may even be opening your front door of your car, front door of your house. And you've given third party developers access into that life of yours, you're letting them collect data of which we don't know what they're collecting and sending it to God knows where, and they're sharing that with third party that you have no visibility of.
Amar Singh: What do you do?
Raj Samani: This is up to us. This is our industry. We are the ones - and I'm looking everyone in the camera here - this is our role. It is our role as an industry to help ensure that we have those safeguards in place. It is our role not only to make sure that we've got the technical safeguards in place, but to articulate those issues in a way that every single person would understand such that the market will equally drive better behaviour. That is our job, that is our function. Whether we're techies try identifying vulnerabilities, whether we're policymakers advising governments with regards to putting those safeguards in place, no matter what job we do this is our role as an industry, which is what I'm saying. It is not an easy industry to be in.
Amar Singh: Definitely. What excites you then - that's what's the impact - what excites you in the next five, ten years? I mean, Intel's doing some great stuff.
Raj Samani: We got some great - I mean like even in the next twelve months - there's some amazing stuff happening but to me it's the opportunity that's there in front of us. I mean, you can work anywhere in the world, you can work in any particular space, and every single thing there's a cyber component to it. Every single element requires security and privacy built into it and I think that's probably the most exciting thing there is. I started off, I remember, I started off determining do I go into security because I love it? But actually, do I do a CCIE because that's where the money is? And I went you know, what I'm going to do what I love and I remember my wife saying well, we're not going to earn as much but it's fine, we can get by. It's funny, I still remember the conversation. And now the industry that we work in is in Hollywood, it's everywhere and that's the really great thing is that we have this amazing industry, this amazing environment where we can do anything, work anywhere. Everything that gets switched on now has a security and privacy component of it. So, I'm excited about the opportunities that it brings and you look at every single industry, every single vertical. We've seen digital disruption right across the board right? So, whether we look at digital oilfields in oil and gas, whether we look at automated substations, whether we look at my ability to be able to switch on my heating from my phone and all of these things is just so exciting.
Amar Singh: Raj, you've written many books; what's the latest one you're writing? Or have you finished writing it?
Raj Samani: So, I just finished this morning actually. I'm contributing to a chapter in a book called 'Beyond Convergence' and actually, they've got a number of people writing specifically around, I guess, the modern take on crime and I've done that, the chapter on cybercrime. But, to be honest, I think this is it for me now, in terms of writing books, that is. I mean, I've really enjoyed writing technical books. I did Applied Cybersecurity in the Smart Grid, did the CSA Guide to Cloud Computing. I did Cyber Security for Decision Makers, then this one, and then I was a technical editor for Industrial Network Security. But I have to question whether it's actually making the world a better place. I think we sold a couple of thousand copies which is great and I really appreciate the fantastic feedback, but the challenge that we face is that we're having these security and privacy issues coming up into the mainstream, into the general public. And really since, what was it, Cliff Stoll's The Cuckoo's Egg? Has there really been any books within our industry that have kind of gone into the mainstream society? And you could even argue that Cliff Stoll's book didn't get into mainstream society. It was one of our Bibles, right? So, I think what I want to try to do now is write books that are for the general public. I want people to understand what we're doing, why we do things and what they need to be aware of, but also what the opportunities are. I gave a talk at a local school, for example, and I went to a careers day; it was like the most soul destroying, depressing day I've ever had in my life. And I want people to know, actually, this is what the opportunities are in technology and these are the things you need to be aware of. So, yes, at the moment I'm talking to a couple of mainstream publishers about writing books around social networks, what they are, what they mean. I want to do books around privacy, but not privacy and in terms of the stuff that we work in, but what happens when you download an app? What are the concerns you need to worry about and stuff. So, we've seen, we've seen things like economics, like Freakonomics and books come into mainstream society. Why can't we have books around what we do?
Amar Singh: Right. I mean, this is probably off the record for now, but...
Raj Samani: No, no. I think it's a fair question to ask on record.
Amar Singh: I mean, people are giving away data to Facebook, to LinkedIn, Twitter - that's all valuable data.
Raj Samani: It's valuable to you because you can articulate and determine the value of that data, but for somebody that doesn't perceive any value in that data...
Amar Singh: The general public.
Raj Samani: But listen, but they are getting a return? When you sign up to a social network, you're getting access to that service. You are then getting paid by access to that service for your data. So, you are getting a trade. The question becomes is that a trade that is fair? Well, but if you don't understand the value of your data, the answer is yes. Like, for example, I look at loyalty cards, right? So, I went to the cinema to go and watch, we want to watch Despicable Me 2 with the kids...
Amar Singh: A beautiful, great movie.
Raj Samani: You know, I didn't like it.
Amar Singh: My kids loved it.
Raj Samani: I closed my eyes and had a half-hour nap - it was nice. But when we were there, the lady said to me, do you want to join our loyalty program in the cinema? And I said well, I said wel,l what do I get? And cinema tickets are expensive by the way, shocking. And it was like £35 with nachos and drinks, and stuff. So I said, "Well, what do we get? And she said, "Well, you'll get a free ticket." And I went, "Alright, I'll join." She said to me, "well, that's going to be £25 for the membership to join." And I said, "But hang on, I'm already paying you with my personal data." Which she said, "No, no, no, no." And I said, "Will anybody else pay - has anybody else paid for this? This is ridiculous." And she said, "Yeah, we've got two hundred thousand members." Right? So, what that meant was there were two hundred thousand people that contributed their personal data as to having zero value, which in my mind is incorrect. So, that becomes the issue which is how do we get people to understand the value of their data and such that they can then turn round, like me, and say, "Well, I'm sorry, I think that my data has value and I refuse to pay the £25 surcharge for the loyalty program." If they did that then the cinema company will say, "Well, hang on people, understand the perceived value of data and will no longer charge for the loyalty program." And that's what I think - and that's the challenge that we face in our industry is to get people to understand the value of their data because if they don't determine any value in data at all, then why are they going to give a monkey's about plugging the USB sticks in in the office and so everything is all connected.
Amar Singh: For all the CISOs, head of security, head of networking, cyber incident planning in response, what's one thing that you would highlight?
Raj Samani: Practice, practice and practice. I experienced incidents, and no matter how, no matter how you think you're going to respond, something will happen which will go completely outside one of the scenarios you tested. The question becomes, do you have those roles and definitions clearly defined? Do you have the people around you that have the ability to be able to adapt accordingly? I mean, when you get hit with an incident, it's not going to happen at three o'clock on the Tuesday afternoon when everybody's all in the same office together. It's going to happen... I remember one; I ended up taking, I was taking three weeks off vacation - I use Americanisms now right. That's the one thing about working in a US company, I used to like Americanisms a lot - and it was the night before we're flying out, and it's 11.30 at night, and you get a phone call saying there's a problem. And that's when these things happen. So, you know practice, practice, practice, practice. And make sure that you are comfortable and happy with the people that you have to find to have specific roles to be able to address this, and always consider what if this person is not around? What if this person is not here? But making sure that it's not shelfware; it is absolutely imperative.
Amar Singh: So, Raj, final thoughts?
Raj Samani: I'm not a cyber leader. Yeah, okay, I've written lots of stuff and I think it's got a fair bit of exposure, but I'm just like a guy that just likes tech. And I am fortunate enough to work in an industry that is interesting, that has great people. And I think it's easy for us to focus on the negatives like all of these cyber crime instances, and all these bad things happening but, listen, let's not lose sight of the fact that we work in a really vibrant, exciting industry. There are some really great people and all of us are trying to do good. And I always say to people you can work in any industry and you could probably earn more money in other industries, right? But are you really going to be have that sense of I actually did something remarkable and something that hopefully going to safeguard my children, and my children's children, and that's, that's the exciting thing about working in this industry. So, it's an opportunity but like I said... Look, I'm not a leader, everyone watching this, we are world leaders, I think, in our own way.
Amar Singh: Raj Samani. Thank you so much.
Raj Samani: Thank you.