What is the hot topic of the year in the current cyber landscape?
I think you can’t boil it down to only one topic as there are multiple really interesting ones this year, including Cloud Security (as a lot of enterprises are in the process of migrating to the Cloud), Securing the Software Development Lifecycle (SDLC) Infrastructure, and Cyber-Physical (IT/OT) Systems.
What are some of the biggest threats that are not being talked about enough?
If we take a look at major breaches like SolarWinds and the effects of attacks on the Software Supply Chain, it is definitely securing the SDLC Infrastructure.
How do you react to constantly changing threats in the market?
It’s really important to keep a close eye on where the threat actors are moving to and what they are attacking in order to be able to focus on those areas before the threat actor tries to attack our organization.
How do you quantify risk?
That is a difficult but really important question. We, as a whole industry, need to be able to clearly communicate risk with various stakeholders, but this still presents a major challenge today and I can’t give you a final answer on that unfortunately.
What are some of your favorite "new" technologies or tools?
Since we are moving to modern cloud environments, we are able to prove the value of and utilize SaaS security solutions really fast and integrate them seamlessly and agent-less into our infrastructure.
What are some of the key components to succeeding as a CISO in today’s business environment?
Understanding the fundamental concepts of the drastically changing landscape of modern enterprises and the upcoming threats.
The methods we used to secure infrastructure 10 years ago don’t work anymore and we need to know how hackers think today.
What are the three things that you as CISO look at first to assess an organization’s cybersecurity readiness?
- Does the organization have visibility into all of their assets across different categories? (You can’t secure what you can’t see)
- How mature is the current protection status of those different assets? (How fast can you detect and close security issues)
- Is the organization prepared to detect and respond to threat actors? (100% security doesn’t exist, we need to be prepared)
If you had a time machine, what advice would you give yourself at the beginning of your career in cyber?
Hackers don’t care about an organisation's security certifications and checklists; that's why we should focus more on actionable security rather than only focusing on compliance.
You are set to take the stage at Black Hat MEA this November. What can our audience expect from your session, and what are you most excited about?
The audience will hear about a few interesting topics from me including my own background of how I got into hacking at a very young age, the details about how the Tesla hack unfolded earlier this year and briefly about what major challenges I see coming up from a hacker's perspective.