Today, every cybersecurity expert around the globe is creating a wave by exposing and highlighting the importance of security for end-users, developers, CIOs and CTOs. Previously at Appknox, we shed light upon one of the cybersecurity experts from the US. Talking with security experts makes us realize how important security is in our life – be it from the Internet of Things, Mobile, Enterprise, Computers, Banks or any electronic device we are connected with.

We got in touch with one of the biggest cybersecurity expert – Rob Fuller and got a chance to ask few questions and it was an amazing experience. Apart from being a top cybersecurity expert, Rob Fuller has also been the technical advisor for HBO’s hit TV show Silicon Valley. The show is about four guys who develop an algorithm that can compress the media file of any format with a record-breaking Weissman score. It’s a classic tale of startups that many entrepreneurs can relate to.

Every time we interact with a cybersecurity expert, we definitely learn something new. Some insights from this conversation can be helpful for many CIOs and CTOs.


Q. You have worked across different kinds of companies – small-mid size, enterprise and also the government. Have you observed any difference in their attitude towards security?

Enterprises and Government are about the same. They fluctuate from time to time based on leadership but are generally on the same page. Small-mid sized companies are a completely different story. Because leadership is much more focused on single individuals, the gap between mindsets is enormous. I have seen small companies that spend more than huge enterprises, and ones that still think they could never be a target.


Q. We think security should be taken care of from day one. Do you think companies should look at security only after a certain stage? What things should companies keep in mind or take care of while they are small, medium and then large scale enterprises?

Security is impossible to be “taken care of” as it is always an on-going challenge and more of a feeling than a state. A business can’t be “secure” they can only feel secure, and where that line is up to debate. That is why there is such disparate level of security when that choice is down to small sets of individuals. With that said, and to answer your question more directly, yes, companies of all sizes should attempt to bake in as much security as possible from day one. Companies should stick to the basics, solve the huge, simple problems first, and then go after the complicated ones.

Companies should stick to the basics, solve the simple problems first, and then go after the complicated ones.

An example of this is passwords, it is relatively simple to set a company policy to mandate secure password use. Unfortunately, most companies don’t do this, or are afraid that a decent minimum requirement would “break too many things.”

Q. Many investors and companies are looking towards Asian countries for growth and expansion. We are quite far behind in terms of security implementation and laws compared to the West. Do you think it’s possible to catch up and even go ahead? If yes, how? If no, why?

Is it possible to catch up / surpass the West? Certainly, those with less “technical debt” are always the most nimble is making drastic/speedy changes.

Q. Out of RSA, DefCon, Phreaknic, and ShmooCon, which one is your favorite and why?

Conferences are what you make of them, there are good and bad parts of all the conferences you have listed. I would recommend people attend every conference that they can at least once until they find the one that fits their personal / professional goals and objectives.

Q: Our CTO Subho Halder asks: As a startup ourselves, we relate a lot to the Silicon Valley series, which brilliantly shows all possible problems a startup faces. Looking at which, a compression company with an innovative technology faces a lot of challenge raising money, with that context in mind, how do you think a Security company with similar innovative tech faces in raising money in today’s world compared to Hooli’s of Symantec and other security companies?

With the basics of economics’ supply and demand considered, it comes down to a few factors:

1) Perseverance/Grit – As they say, “Rome wasn’t built in a day” if you believe in the technology, you have to stick with it through the good and the bad. Just like the core team at Pied Piper.

2) Friction – How painful is your technology to deploy and manage day to day? (And just because you think it is easy, doesn’t mean it actually is). Is it meant for big companies or small? Does your technology scale to 10 systems? 500? 50,000? 5 million? Can you still answer the previous questions in the same way once it does? If your technology is designed to help companies that have enterprise level security problems but is too tough to scale to enterprise levels, you won’t get off the ground or stay there if you do.

3) Free / Open source – One of the most important pieces that the majority of security companies are starting to realize is the ROI (Return on Investment) of giving away pieces of the technology for free. If you get IT staff and programmers interested and using your technology for personal projects with zero budget, they will start bringing that requirement into the work projects. The extreme example of this is Metasploit. Their entire product is free, with the exception of support, services, and a web interface that adds amazing automation. Metasploit is a household name in the community because everyone can afford to learn it, and now everyone uses it.

4) Stand firm but soft – While this might seem like a Sun Tzu quote, it basically means that you should always listen to your customer’s suggestions on changes, features, and additions to your product, but never sacrifice the vision and intent of the product. I have seen products becoming completely useless due to ‘feature creep‘. Feature creep is when a product gains too many features to be able to scale, still be manageable and continues to do the job it was intended for. Stay simple, solve a real problem, and do it well.


Q. What advice would you like to give to enterprises, companies, and developers to keep their mobile applications more secure?

Look at iOS game developers. Their revenue is directly tied to the ability for people to cheat at their games. Go to a mobile game developer conference. When revenue is directly tied to security like it is in their world, they will be the foremost authority on what can be done better.


Q. People might want to reach out, follow you and interact with you. What is the best medium to get in touch with you (Email, Twitter, Facebook, LinkedIn etc.)

They can reach me on Twitter (@mubix), I have “DMs from everyone” allowed, or via email – mubix@hak5.org

Disclaimer : The above answers reflect cybersecurity expert Rob Fuller’s personal views and opinions and not necessarily align with the views and opinions of any other cybersecurity expert or Rob Fuller’s colleague(s).