Andres Andreu is the Chief Information Security Officer (CISO) at 2U, Inc and a Boardroom Certified Qualified Technology Expert (QTE). His career has spanned multiple industries, from federal government to the entrepreneurial journey in the cybersecurity product space. Andres is a mentor, an advisor to multiple start-ups, and a published author of a book, two patents and multiple magazine articles.
Andres served the USA in the field of Lawful Intercept Information Technology. He was the recipient of three U.S. Department of Justice awards. He spent a decade at Ogilvy & Mather, rising to become a partner and global Chief Application Architect. Andres then consulted for numerous high-profile organizations and eventually became a founding member, CISO, and Chief Technology Officer of Bayshore Networks (acquired by Opswat in 2021).
Andres is an industry veteran and recognized industry leader. In 2022 he was chosen as a Top 10 CISO (C-Level Focus), featured in “Cyber”, “Hispanic Executive” and “Secure Computing” magazines. He was also chosen as CISO/Leader of the week by the Cyber Startup Observatory in February 2019 and Computerworld voted him one of the Top 100 IT Leaders for 2009.
Andres is the sole author of “Professional Pen Testing Web Applications” (Wiley) as well as numerous magazine articles and an internationally granted patent. Holding seats on the boards of CIOs Without Borders and ARK Foundation USA, his advisory services and community engagement also extend to the Forgepoint Capital Cybersecurity Advisory Council, Team8 Village, and the Cybersecurity Collaboration Forum.
In a recent chat with Digital First Magazine, Andres Andreu sheds light on the evolution of IT security practices in the last 10 years, the emerging trends to watch out for in the future, challenges faced by him as a CISO leader, personal strengths, and a lot more. Following are the excerpts from the interview.
How have IT security practices changed in the last decade? What other security trends will impact the global business landscape in the near future?
In the last decade, there has been a large shift in protective focal areas from those that are network centric to those that are more core in nature. Networks have become more difficult to protect, perimeters have disappeared, data centers and co-location facilities have shifted into cloud environments, virtualization and containerization have become production level players, and many employees are working remotely, in some cases on their own devices. To be successful, security practices have adapted to these changes, but the secure enclaves of the past are gone. Now our challenge is to secure environments that are far more exposed than ever before.
One trend is that applications and Application Programming Interfaces (APIs) have become the foundations for entire businesses. These Layer 7 entities are unique in terms of what is needed to actively protect them. Another trend is that the humans (i.e., employees, executives, etc.) of a given organization now make up the easiest pathway for nefarious actors. Social engineering against those human targets has become the predominant first step for sophisticated attack campaigns. Of course, the sophisticated technical attacks come after, but the path of least resistance has become our co-workers.
Another major trend as of late is based on the realization that anything other than granular access control is no longer adequate. The technology to provide relief in this area is known as Zero Trust (ZT). Also known as Zero Trust Network Architecture (ZTNA), the core concept is to trust nothing and verify everything. This technology aims at protecting environments by using strong authentication, network segmentation, Layer 7 protections, and granular “least access” policies.
Having recorded experience as a Global Cybersecurity Executive and Boardroom Certified Qualified Technology Expert, how would you describe cyber security trends and innovation?
The trends revolve around three major areas: humans becoming the initial targets of attacks, the use of intelligent systems, and the growing use of cloud technologies. Humans now represent the easiest path into target environments. So, attackers are migrating away from technical pathways because humans represent easier prey. The social engineering tactics, techniques and procedures of today are sophisticated combinations of technology with knowledge of human emotions/psychology.
The use of intelligent systems can add value to attackers in multiple ways. One example is the identification of patterns within software systems. These patterns can expose weaknesses allowing attackers to construct smart, subjective attacks against those discovered weaknesses.
Innovations are generally taking place around the creation of intelligent systems. The application of artificial intelligence and machine learning techniques to the security space is a large area of innovation. This is important because there is evidence of cyber criminals having these capabilities. Given that development, the defenders need the same kind of computing capabilities in order to keep pace. Thankfully, there is innovation in this space and the chess game of cybersecurity continues.
Another area of innovation is in the protective technologies created for cloud technology stacks. The capabilities range from configuration analysis to permission analysis to providing a single pane of glass solution that provides a unified view of disparate cloud stacks.
A traditional security tool is ineffective against new and evolving threats. What is your take on this? How is application security different from a traditional one?
Traditional security tools reflected the original players in the information security (infosec) space. These players were generally network and/or system administrators that migrated into infosec. Those that came from networking naturally addressed things from a networking perspective as opposed to a core, code level perspective. Those original solutions made sense to these folks and generally revolved around the notion of letting traffic into an environment, or not. The catch was that they didn’t let the traffic in securely; they merely kept overt bad traffic out. This is why the early days of remote application exploiting were so easy for attackers; our original devices were not designed to stop them. The system administrators aimed at keeping operating systems patched, again often missing the intricacies of the applications themselves.
Over time, more people from software engineering backgrounds got drawn into infosec, or what that has evolved into: cybersecurity. That was my path. Application security (appsec) is a complex space, and to quote myself (https://andresandreu.tech/humble-appsec-perspective-from-an-old-school-practitioner/) on this subject: “Appsec is a journey. One that you either wholeheartedly embrace or don’t bother at all.” This journey spans secure coding, pen testing, code reviews, dynamic / static application security testing (DAST / SAST), Application Programming Interface (API) security, DevSecOps, and so many other facets. All of these areas that comprise a mature appsec program are radically different from the capabilities, and beyond the scope, of traditional security tools. It’s just a foreign world in comparison to the infosec traditions of the past.
An organization’s cyber security threats need to be identified, analyzed, evaluated, and addressed as part of cyber risk management. What challenges do you face when heading and being a part of a management team?
One challenge generally revolves around getting people, who are typically focused on revenue and business, to synchronize with us around cybersecurity no longer being a technology centric issue. Once cybersecurity is seen as a business issue, whether from the perspective of enablement or that of revenue protection, we can jointly work towards organizational success. This brings along with it a lot of debt due to years of security being seen purely as a technology issue. Change of this type takes time.
Another challenge is that of translating cyber/technical risk into business risk. Management, the C-Suite and/or the board do not speak cyber risk. This puts the onus on translating, and mapping, cyber risks to a vernacular that those business centric entities can understand and relate to. As part of the management team, I have the challenge of fiduciary responsibility and need to ensure that dollars are being spent appropriately, addressing and mitigating subjective areas of risk. By subjective I clearly mean threat and risk areas that are real to the environment I am protecting.
Your impressive career has been marked by learning and security. What are your strengths in assisting high-quality online education and services ranging from free courses to degree programs?
My strength is the fact that I am holistically responsible for security at edX / 2U. Today, as a 2U, Inc. company (Nasdaq: TWOU), edX connects over 46 million ambitious learners with the skills, knowledge, and support to achieve their goals. Together with the world’s leading universities and companies, edX offers thousands of free and open courses, professional certificates, boot camps, credit-bearing micro-credentials, and undergraduate and graduate degrees.
Tell us about the network of professionals and partners you have created. Can you shed some light on a few initiatives or techniques you are incorporating?
The cybersecurity industry is fueled by partnerships and our respective networks of professionals. This field is very difficult to navigate without a solid network of professionals and their respective perspectives, advice, and knowledge. My philosophy is that being humble is paramount and seeking out advice from competent professionals is not something that should be frowned upon. I find that effective paths towards building these relationships are getting involved with start-up focused venture capital firms as well as becoming a contributing member of professional organizations.
I am personally very involved with Forgepoint Capital’s Cybersecurity Advisory Council, Team 8’s Village, the Cybersecurity Collaborative, Evanta’s NY/DC CISO communities, and multiple other organizations where I regularly participate in panel discussions. Each one of these entities provides for a bi-directional exchange of perspectives, advice, and ideas. This is truly about creating relationships that give and take. My peers provide amazing insights that truly guide me in my professional endeavors. I try my best to reciprocate and add value to their endeavors.
What are the different verticals that you have worked with so far? How do you stay abreast of the periodic technological and industry changes in a constantly evolving world?
My career started in the federal government in the USA. I have also worked in the global marketing/advertisement industry, consulted globally for an NGO, lived the startup to exit journey with a cybersecurity product company, and now work in the education technology space. One of the realities about cybersecurity is that it is for the most part a vertical agnostic practice. As such, knowledge gained in one vertical is most likely very applicable in another vertical.
Constant education and challenging myself are simply a way of life. Staying on top of industry trends and forward-looking patterns is a daily routine. For me to keep my organization safe, I have to ensure my team(s) are always adapting to real world threats. Challenging myself to constantly grow as a professional keeps me sharp. This may come in the form of pursuing a relevant certification, speaking publicly, writing industry relevant content in my blog, etc. The sharper I am, the more in tune with events I am, and in turn my teams are. Protecting our students, partners and employees is mission number one and we hold ourselves accountable to stay on that course.
As a successful business leader, what would your advice be to youngsters aspiring to become business leaders and entrepreneurs in the future?
Specialize, focus, and make sure there is a real market for that which you are inventing/building/selling. Too often start-ups pursue great ideas based on the “cool” factor, but this may not equate to something customers want or need. Ensuring that your vision and solution target real problems will provide you a healthy runway to build your business or organization. This is not only applicable to the entrepreneurial/start-up journey but in the corporate/business space as well. In this arena it is imperative that you ensure strategies and objectives are aligned with the subjective goals, and direction, of the business. This alignment should give you a solid sense of where to focus your efforts.
Another piece of advice is that maturity matters in the modern world. Very often entrepreneurs and start-ups do not concern themselves with compliance efforts (ISO 27001, SOC-2, PCI DSS, UK Cyber Essentials, etc.) that provide externally validated proof of maturity. They see these efforts as applicable only to large organizations or those heavily regulated. But the modern world is coming around to the value of mature cybersecurity postures. If you have no proof of such maturity, you may not be eligible to even bid for certain business opportunities.
What projects or goals are you working on or leading currently?
In my current role we are always innovating for the sake of providing the safest experience for our learners, instructors, and partners. Automation and proactivity play key roles in our forward-looking goals. Automation on multiple fronts (attack detection, event analysis, etc.) allows us to scale effectively, especially in triaging and incident response exercises. Proactive protective measures (web application firewalls, API gateways, etc.) minimize the attack surface on our customer facing solutions, essentially creating the safest environments for our students to learn and teachers to teach.