AiThority Interview with Matthew Handler, CEO Security, Americas at NTT

Hi, Matthew. It’s a privilege to be chatting with you today. Could you tell us about your journey in technology and how you started at NTT Ltd?

My journey is a little different than many. Ironically, I graduated from a top Journalism university without a technical degree. But that background, and desire for exploring new ideas was a great foundation to my career in tech. I got my start in Sales and worked my way up to several Senior-level leadership positions with early stage growth private companies and large public companies like Hewlett-Packard, Juniper Networks and TIBCO Software. These opportunities led to becoming Vice-President of Sales and Alliances for Sumo Logic, where we built a best-in-class direct and channel global sales program.

In 2016, I joined WhiteHat Security as the Senior Vice-President of Global Sales and led a company-wide transformation to optimize Sales, Delivery, Alliances, Marketing, and Product Management initiatives, which led to my promotion to Chief Revenue Officer and a deep understanding of Application security. On June 1 of this year, I became the CEO Security, Americas for NTT Ltd. and was a member of the leadership team that managed the global NTT brand consolidation and integration that combined NTT Security, Dimension Data, and NTT Communications into NTT, Ltd. My cybersecurity background spans 25 years and the industry itself is rapidly becoming an integral part of every business and organization. I’m very excited to see what the power of a consolidated and focused NTT Ltd. Organization can accomplish in the future.

2019 proved to be a phenomenal year for NTT Ltd. Could you tell us about your mega-merger of 28 companies and how you are foreseeing the next 5 years of Operations and Staffing globally?

On July 1, NTT combined 40,000 people from brands including Dimension Data, NTT America and NTT Security into one company. These organizations already serve more than 14,000 clients around the world, in 57 countries including leading organizations in Financial Services, Pharmaceuticals, Telecommunications, Energy and Utilities, Manufacturing, Automotive, and Technology. This consolidation offers our clients an unparalleled range of skills and capabilities across many technologies—at a faster pace and an even larger scale.

Over the next five years, we expect the NTT Ltd. family to expand all of our core offerings. We have a $3.5 billion R&D budget that will fuel this innovation. Specific to America’s security, we will be using intelligence (Human, Machine Learning, AI) to make the biggest difference to our clients of the next five years. The threat landscape is changing as fast as our clients IT architecture and business models and priorities. With intelligence, we can help our clients to build a predictive, agile and where possible, automated cybersecurity posture in line with how much risk they are willing to accept. We will continue to hire the best and brightest security professionals to work on these high-value projects.

Read More: AiThority Interview with Robert Cruz, Senior Director of Information Governance at Smarsh

October was National Cybersecurity Awareness Month. How did you create awareness for your customers?

There are several things we did. For our existing clients who use some of our security services and technology, we leveraged the awareness month to drive risk reviews and assessments to give the clients the latest threat intel to use at their leadership/board meetings. For existing NTT Ltd. customers who don’t currently use our security services and technology, we worked with NTT Ltd. Client Managers to introduce our security teams to initiate those type of discussions. Finally, with regard to the external world, NTT Ltd. places a premium on how we brand ourselves in the marketplace and how we can help everyone think about intelligent cybersecurity and its impact on their company and customers. We’ve invested in proactive media outreach and thought leadership campaigns designed to introduce the best and brightest minds we have with our current—and future—clients. We used National Cybersecurity Awareness Month as a hook to entice positive coverage for cybersecurity best practices in a few unconventional and non-industry specific media outlets to raise awareness for all.

Do you think customers are ready for “Cybercrime Insurance”?

A key point for anyone looking to source such a policy is to first gather their requirements and discuss what type of coverage is required internally before going to the market place.

Historically, organizations started to seek cyber insurance as they became more aware of the loss of technology from an availability perspective. Today we’re seeing a much broader array of cyber insurance products or options that organizations can consider, which reflects today’s risk landscape and typical threats that organization’s face. Managing the organization’s cyber insurance needs to be a component of the crisis/incident management plan, as the insurers will need to be ready to support before any incident becomes irrecoverable.

Cybercriminals are continuously discovering new ways to exploit vulnerabilities and technology. Although researchers and companies are working hard to remain one step ahead of attackers, we will never prevent all potential attacks. We’re living in a world where threats are developing faster than the technologies we use every day. As a result, many organizations take out cyber insurance policies to transfer the financial risks associated with attacks, and insurers are challenged to underwrite these policies and provide recommendations.

As with all types of risk, organizations often look for ways to minimize their financial exposure should the worst happen – and cyber insurance policies seem a logical step. But insurers are becoming less likely to impose blanket t*******************. Instead, they will require a much fuller assessment of the policyholder’s vulnerabilities, processes, risk mitigation solutions, and response plans.

How do you see global IT and ITSM scenario evolving around cybersecurity protocols? How can training employees and partners improve security scenario?

ITSM and Security in some iteration have lived side-by-side for as long as I have been in IT. In my experience they have worked independently, driving the day-to-day needs of those areas. But, as the world changes and business models adapt to be more software-centric and agile, we need to adapt and change that model. We need to have integrated people, processes and technologies built around cybersecurity and ITSM.

I see this coming in Automation, IT Service catalogs to the business, and IT self-service. All need to have security baked into them. We can use Automation is a quick example to go a little deeper. As we automate change approval process in ITSM, we also need to integrate best-security practices, including ITIL, ITAR, PCI, etc. They need to be integrated and integral to the automated workflow.

According to you, which technologies would become absolutely necessary to survive in the next era of digital economy?

Technologies that will be vital to surviving the transformation to a digital economy in the next era include AI-driven initiatives designed to create intelligent and responsive organizations. Another key area is the creation and implementation of software that can deliver innovative services and personalized customer experiences at-scale. Lastly, organizations must evolve to design new workflow models that draw upon the advantages of digital business platforms. That said, every internal and external application must be secure by design. Security of hybrid architecture is critical, but securing the application code itself is just as important.

Read More: AiThority Interview with Jason Braverman, Chief Technology Officer at SkyX Systems Corp.

What kind of preparedness do you provide against Dark Web Monitoring? How much has the threat landscape evolved with the arrival of Blockchain, and Autonomous Monitoring systems?

“Some of the most recent — and most advanced — cyber threats are sold and discussed on the dark web. Monitoring those spaces can greatly assist security researchers to stay ahead of the ever-changing threat landscape and help us figure out the best way to thwart a threat actors’ plans. We routinely ask, what malicious tools are available and most popular? What are the newest toolkits? What are the newest exploits? If you can learn about the tools and techniques threat actors are using, you have the opportunity to use that information to improve your own practices and controls and mitigate the potential impact of an attack. Simply being on the sites, observing the chatter, and recognizing the trends provides value in the view of the threat landscape.

Yet, you also bring up a great point in the evolution of threats driven by Blockchain. In our just-released Future Disrupted 2020 report, NTT Ltd. reveals that organizations can no longer rely on a traditional proactive approach with their clients. With the tools at our disposal, including AI and Blockchain technologies, we’re quickly evolving to a predictive analytics approach. Threats and attacks are now occurring at machine—not human—speed and we have to adapt to meet this new challenge.”

Would you agree that AI can successfully fill in for the “cybersecurity gap” in the industry?

Yes, and we’re counting on it. To use an old metaphor, we have to fight fire with fire. We have some of the best and brightest cybersecurity and threat intelligence minds working for NTT Ltd. But they’re also human. I believe that AI-driven technology will greatly enhance our capabilities to predict—and react—to the threats of tomorrow. That said, AI must be fed with human-created algorithms, models, and data. Humans will always be critical to this process, but we want our humans to be focused and working on the highest value projects to feed that Machine Learning.

What are your observations about trends in North America versus that in Asia, particularly focusing on the US, Canada versus China and India?

Increasingly, our world view is becoming more global. As consumers, we interact with non-domestic entities every day, and in many cases don’t even know it. For example, the call center for our water company may very well be in India—mirroring the way consumers and companies themselves interact with global entities. Trends are not necessarily nationalized in the same way we view economies, for examples. Rather, these threats are global and I don’t believe there are hyper-specific trends that only apply to USA or Americas.

What lessons can US companies learn from Chinese competitors? And, vice versa (if that applies).

I think the Chinese do a very good job of operationalizing technologies and IP. They are very good at GTM and optimization. Not to borrow a cliché, but the key for both sides is to create your own IP and avoid using one another’s without a license.

As a tech leader, what industries you think would be fastest to adopting phishing simulations and integrated Threat Analytic solutions?

Our client base spans multiple industry sectors. The social engineering services for both phishing and vishing are often sought after by Financial, Healthcare and Local government verticals. I can foresee these three industries adopting additional threat analytics, to have a solid example of where employees may fail. Analytics can help provide a percentage on who opens phishing emails, clicks on links or interacts with the campaign – which could include anything from form submissions (requesting passwords) to executing “malicious” payloads embedded in attachments or URLs.

What are the new emerging markets for these technology markets?

I can say that there are several providers out there who deal with phishing simulation and campaigns. However, it’s important to note that these campaigns should go beyond a generic analysis of interaction from the phishing target(s) and services. Rather, the campaigns should include several social engineering attack vectors, thereby providing a more comprehensive understanding of any security awareness shortcomings. Security awareness training should also be included as a means to remediate these risks.

Tag the one person in the industry whose answers to these questions you would love to read

I’ve worked a lot with Robert Herjavec and I like his POV on a lot of these discussions and conversations. Most know him as a judge from the show, ‘Shark Tank’, but he also founded one of the largest security and IT companies in Canada and is quite knowledgeable on these industry topics.

Read More: AiThority Interview with Thomas Hatch, CTO and Co-Founder at SaltStack

Thank you, Matthew! That was fun and hope to see you back on AiThority soon.