Nabil Hannan, Field CISO at NetSPI – Interview Series

Nabil Hannan is the Field CISO (Chief Information Security Officer) at NetSPI. He leads the company’s advisory consulting practice, focusing on helping clients solve their cyber security assessment and threat and vulnerability management needs. His background is in building and improving effective software security initiatives, with deep expertise in the financial services sector.

NetSPI is a proactive security solution designed to discover, prioritize, and remediate the most critical security vulnerabilities. It helps organizations protect what matters most to their business by enabling a proactive approach to cybersecurity with greater clarity, speed, and scale than ever before.

Can you share a bit about your journey in cybersecurity and what led you to join NetSPI?

I’ve been programming since I was seven years old. Technology has always excited me because I wanted to know how things worked, which consequently led me to take a lot of things apart and learn how to put them back together at a young age.

While studying computer science in college, I began my career at Blackberry, where I worked as a product manager for the Blackberry Messenger Platform and became interested in hardware design. From there, I was recruited to join a small company in the application security domain – I was so passionate about it that I was willing to move to a new country to get the job.

When I consider my journey in cybersecurity, it started from the bottom up. I began as an associate consultant doing penetration testing, code review, threat modeling, hardware testing, and whatever else my bosses threw my way. Eventually, I worked my way up to building a penetration testing service for Cigital, which later got acquired by Synopsys. All of this led me to NetSPI to help support its growth trajectory in the proactive security space.

How has your experience in the financial services sector shaped your approach to cybersecurity?

While working at Synopsys, I helped build the strategy for selling security services and products to the financial services industry. So, while I wasn’t directly working in financial services, I was responsible for building strategies for that sector, which required diving deep into that vertical to understand its drivers and pain points.

Growing up in the technology space, I spent quite a bit of time working with large financial services organizations across the globe. Having that background, I focused my time and skills on developing a strategy for targeting and building services tailored to the financial services industry as a whole.

The biggest thing I’ve learned from exposure to the financial services sector is that hackers go where the money is. Hackers are not in this just for fun; it’s their source of income. They go where there’s the most financial impact – whether it be actually stealing money in some form or causing financial harm to an organization. That mindset has helped shape my understanding of cybersecurity and led me to be successful in my current role as a Field CISO.

With cyber threats evolving rapidly, what do you see as the biggest cybersecurity challenges organizations face today?

The biggest challenge today is the speed at which every organization needs to operate to combat evolving threats and keep pace with emerging technology, like AI. Historically, there was a waterfall methodology for building software, which wasn’t necessarily a fast process compared to how quickly software is deployed today. Now, we have a much more agile methodology, where organizations are trying to build software and release it to production as fast as possible and do more bite-sized implementations.

The last 10 years have shown rapid change and acceleration in the security ecosystem. This is causing many issues for large organizations, like shadow IT, making it harder to gain insight into their attack surface and assets. You can’t protect what you can’t see.

Cloud adoption adds to this fire – the more people adapt, adopt, and migrate to the cloud, the more elastic the software systems and assets become. The ability to scale software and hardware up and down in an elastic way makes change even more difficult to manage. As systems are built with elastic potential, you cause challenges where assets change ownership more frequently and create opportunities for bad actors to find ways into an organization.

How do you think the cybersecurity landscape will change over the next five years?

The need for greater visibility into both external and internal assets will continue to be important over the next five years and change how customers work with vendors. It’s already an area we’re heavily focused on at NetSPI. In June, we acquired a cyber asset attack surface management (CAASM) and cybersecurity posture management solution called Hubble Technology. Adding CAASM to our established external attack surface management (EASM) capabilities enables our customers to continuously identify new assets and risks, remediate security control blind spots, and gain a holistic view of their security posture by providing an accurate inventory of cyber assets, both external and internal – something that was missing in the industry up until this point.

Merging our EASM and CAASM capabilities into The NetSPI Platform allows us to provide customers with the tools they need to address ongoing visibility challenges. This also enhances the ability to accurately prioritize risks associated with assets and vulnerabilities. Additionally, it helps security leaders assess the exposure of their most important assets in relation to these risks.

How does NetSPI’s approach to vulnerability management differ from other companies in the industry?

Recently, we unveiled a new unified proactive security platform, which marries our Penetration Testing as a Service (PTaaS), External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), and Breach and Attack Simulation (BAS) technologies together in a single solution. With The NetSPI Platform, customers can take a proactive approach to cybersecurity with more clarity, speed, and scale than ever before. This new proactive approach mirrors trends we’re seeing in the industry and the shift away from disparate point solutions toward the rapid adoption of more holistic, end-to-end platform services.

How is AI being used to enhance cybersecurity measures at NetSPI?

Like any cybersecurity leader will tell you, AI has the potential to catalyze business success, but it also has the potential to feed adversarial attacks. At NetSPI, we’re trying to help our customers stay ahead of the curve by implementing AI/ML penetration testing models, which ensures security is considered from ideation to implementation by identifying, analyzing, and mitigating the risks associated with adversarial attacks on ML systems, with an emphasis on LLMs. In cybersecurity, AI capabilities have enhanced and adopted our ability to monitor and remediate threats in real time.

What are the potential risks associated with AI in cybersecurity, and how can they be mitigated?

Based on conversations I’m having with other cybersecurity leaders, the biggest AI risk is organizations’ lack of basic data and cybersecurity hygiene. As we know, AI solutions are only as effective as the data the models are trained on. If organizations don’t have a firm grasp on data inventory and classification, then there’s a risk that their models will suffer and be prone to security gaps.

When people see the word “intelligence” in AI, they mistake it for being “inherently intelligent” or even having some type of sentience. But that is not the case. Security practitioners still need to program AI models to make them understand what assets are personal, private, public, and so on. Without those mechanisms, AI can descend into chaos. That, in my opinion, is the biggest concern among CISOs right now.

Can you elaborate on how NetSPI’s Penetration Testing as a Service (PTaaS) helps organizations maintain robust security?

Penetration testing is critical to an organization’s overall cybersecurity posture because it gives teams greater context into vulnerabilities specific to their business.

Penetration testing is also a great litmus test to see how effective other security controls, like code review, threat modeling, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and others that you may have implemented previously, are.

Regular penetration testing fosters real-time collaboration with security experts, which can bring another perspective that adds more depth to data. At the end of a successful pentest, organizations will have better insight into which parts of their IT environment are more susceptible to breaches. When a pentest detects vulnerabilities, they will often highlight gaps in controls earlier in the lifecycle or controls that are missing altogether. They’ll also understand how to achieve compliance, where to focus remediation efforts, and how IT and security teams can work together to stay on top of potential business implications.

By working with vendors that specialize in PTaaS to supplement a robust security posture, organizations can be more prepared to proactively prevent security incidents.

How do you integrate both technology and human expertise to provide comprehensive security solutions?

NetSPI believes you need both technology and humans to provide a sound strategy to stay ahead of known and unknown threats. Humans must be in the loop to validate, prioritize, and contextualize the outputs that tools generate. We’re not in the business of giving people false positives or generating noise, leading them to spend more time figuring out what really matters. In other words, you can have great technology, but you need someone to actually use it and interpret it to be successful.

There are a lot of mundane tasks that AI can do faster and more accurately than humans. If technology can be built in a trustworthy manner, then that will allow us to automate certain tasks and free up time for security teams to turn their attention to more creative thinking and critical problem-solving that AI simply can’t replace.

What strategic advice do you typically offer clients to strengthen their cybersecurity posture?

A common trap people fall into is investing in things they understand. For example, a company may bring in a leader with a cloud security background. Naturally, they then focus on building out a cloud security team, instead of, say, compliance, network security, application security, and so on, where the organization might actually need the support.

It’s better to have a more well-rounded program that focuses on everything holistically. Then, you start building defense in depth and have controls that mitigate other failures you might have in different parts of the organization. Building a well-rounded program is better than investing more time, effort, and tooling into one particular sector.

Thank you for the great interview. Readers who wish to learn more should visit NetSPI.