Predictions for cybersecurity in 2022

Andrew Howard, CEO of Kudelski Security, returns to give us his cybersecurity predictions for 2022! How will cybersecurity protect the supply chain, why is quantum computing on all of his clients' minds, and how would Andrew rewrite security from the ground up if a genie granted him three wishes?

  • 0:00 - Intro
  • 3:00 - Getting into cybersecurity
  • 4:00 - How has the cloud evolved?
  • 6:46 - The past year in cybersecurity
  • 8:20 - The next cybersecurity innovation
  • 8:57 - Where quantum computing is going
  • 10:15 - Concerns about encryption data
  • 10:54 - The state of ransomware
  • 12:57 - Cybersecurity supply chain issues
  • 16:18 - Hybrid work cybersecurity
  • 18:42 - The year of cyber insurance
  • 20:35 - DOD directive to close security gaps
  • 22:15 - What would you change in cybersecurity?
  • 25:45 - What would put phishing out of mind?
  • 28:10 - Advice to 2022 cybersecurity students
  • 29:37 - Kudelski Security
  • 30:58 - Blockchain security in 2022
  • 31:57 - Learn more about Kudelski
  • 32:10 - Outro

[00:00:01] CS: Today on Cyber Work, Andrew Howard, CEO of Kudelski Security, returns to give us his cybersecurity predictions for 2022. How does cybersecurity protect the supply chain, why is quantum computing on all his clients’ minds and how would Andrew rewrite security from the ground up if a genie granted them three wishes? Find out today on Cyber Work.

[00:00:26] CS: Welcome to this week’s episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. As the CEO for Kudelski Security, Andrew Howard leads the global cybersecurity business, focusing on the global expansion of the group’s cybersecurity activities, as well as broadening Kudelski Security solutions.

Andrew joined Kudelski Security in 2016 as the Chief Technology Officer, and that’s when we last saw him. He was on our podcast a couple years back. As CTO, Andrew led Kudelski Security’s technical strategy, product development, engineering and research, overseeing in particular the launch of the group’s Internet of Things Security Center of Excellence, its Managed Security Services platform and the delivery of Secure Blueprint, the group’s Cyber Business Management platform.

In 2019, he was promoted to Chief Executive Officer to scale the business out of its build phase and into a leading global cybersecurity provider. Andrew is also a global futures council member for World Economic Forum and holds information security certificates from ISACA and ISC2. Last time Andrew was on the show, we talked about the security implications of the mass migrations into the cloud, which at that point was still something that a lot of people thought was a little bit down the road. Now obviously, we’ve gotten a lot further along, and Andrew has come back to talk to us a little bit about some of his predictions for 2022.

Andrew, welcome back to Cyber Work.

[00:02:01] AH: Hey, thanks for having me.

[00:02:02] CS: I don’t remember if I asked you that before, and certainly if people haven’t heard your episode, they should go back and listen to it. But can you give us your security journey? Where did you first get interested in computers and tech and what drew you to it?

[00:02:15] AH: It’s a good question. My mom has a photo on her desk when I was five or six taking apart a radio. So as a kid, I was taking things apart a lot and was kind of a fiddler, want to understand how things work. Then, sometime in the ’90s, I saw the movie Sneakers, Dan Aykroyd, Sidney Poitier, Robert Redford movie and that. I didn’t know what I was getting interested in at the time, but that movie definitely got me interested in the security space. Then ultimately, when I was at university, I took an internship with a US Army R&D organization. They needed help making sure these systems didn’t get accessed by people they shouldn’t be accessed by. At the time, they didn’t call it cybersecurity, but that’s what it is today and been ever since.

[00:03:07] CS: Okay. The last time you were on the show, as I said, we discussed security issues related to migrations into the cloud. Obviously, lots and lots changed since then. Considering the changes in the world due to changing work environments and the need for an accelerated move into the cloud, how do you think the process has evolved? Where did you think you saw it back then and how has it been on kind of a global scale now?

[00:03:32] AH: I think the last time we talked, I think I told you that most companies are looking at the cloud and we’ll be there one day, I think was the –

[00:03:41] CS: Yeah. If you’re not there now, you’re on your way.

[00:03:43] AH: You’re on your way. I mean, at the time, I was meeting with CIOs, and it was certainly on their roadmap for where they were heading. Today, if I look across our client base, and all the CIOs I’ve met, I haven’t seen a board deck yet that doesn’t say, “We’re getting out of our data centers.” If we’re not all, being one. The second thing I think is true, is we see a lot more born in the cloud companies than ever before since. I will say, working with them is a very different challenge than working with a legacy company. They tend to move at much greater speed and velocity than the legacy player will, just because they’re dealing with the old and the new. The third thing I’ll say that I don’t know that I anticipated back then is that, everybody seems to be hybrid cloud, even if they don’t know it. I mean, they might tell you they’re all AWS or they’re all Azure. But what you find once you get in is that they’ve got things everywhere. I mean, Azure, Google Cloud, every SaaS platform you could think of. I think the story in 2017 was right, people are moving that direction. But the story today is, they are there and they’re expanding.

[00:04:49] CS: Yeah. Now, were you surprised at sort of how much dragging of the heels there was? I mean, it seems surprising that people are still like, at this point, considering whether or not to do the cloud or “Yeah. We’re on our way” or “This is the year where we go completely cloud.” Are you surprised at some of the outliers and the people sort of taking that?

[00:05:07] AH: I mean, I can tell you, we have 400 to 500 fairly active clients. We were doing a lot of work with them. There is certainly a percentage of them that desire to stay on premise for some component. It’s almost always driven by regulatory concerns. It’s not a desire or cost reason. They’re being forced to for one reason or another. I also think that environment is changing. I mean, as Azure and AWS have started to open regions and different countries, I mean, that removes some of that concern. But there are clients that are still kind of in the slow-moving atmosphere, but it’s a rarity.

[00:05:41] CS: Yeah, that’s why it’s a bell curve. There are always a couple of folks at the end.

[00:05:45] AH: Yeah. I would just say, the tails, it’s a one-sided tail bell curve, for sure.

[00:05:49] CS: Yeah. Okay. So for today’s episode, Andrew, as I said, wanted to discuss some predictions and opinions on trends for cybersecurity in 2022. But before we get into that, I wanted to ask you about this past year. I’m guessing you made predictions similarly at the start of 2021. How did the year shake out in terms of security compared to what you imagined?

[00:06:07] AH: What I love about this prediction space is that it’s easy. I mean, I can basically just take the predictions from any year, and just make them sound worse, and then apply them to the next year. That’s basically how this market works. They don’t change. I mean, the predictions we made last year were, ransomware is going to get worse, you’re going to see cryptocurrency-oriented attacks. We were right on those. I think we were wrong about what was going to happen in the OT space. I think we thought it’d be more kind of operational technology attacks than there were. But overall, I think our predictions were pretty right. But I think, again, I think it’s a low target, because yeah, we’re out in cybersecurity market is, is that the attackers are getting better, and the defenders are only getting marginally better.

[00:06:55] CS: Right. Yeah. I was going to say, I’ve talked to a few guests who said that, like even more depressive, things haven’t really changed that much in 15 years, little in one year.

[00:07:04] AH: I mean, I can make a pretty good argument that there hasn’t been a major cybersecurity defensive innovation in 40 years, since [inaudible 00:07:13] public-key cryptography. Doesn’t mean we’re not doing a good job, and it doesn’t mean we’re not improving, but the attackers are financed well and are moving fast.

[00:07:24] CS: Can you see in your mind, whether it exists or not what that next huge innovation would even be or if it’s on the horizon?

[00:07:33] AH: I think it’s this quantum computing topic. Five or six years ago, and even a year ago, we were saying, it’s coming someday. I mean, it’s been something that we’ve been hearing about. We are getting to the point that it’s more real. I mean, we have clients that are in the more regulated space that are starting to worry about it. I mean, NIST is about to publish their quantum algorithms. I think it’s time to start paying attention. I don’t know that it’s time to start getting worried.

[00:07:59] CS: Can you talk a little more about that? I don’t know if I actually had the question in my question set. But what are your thoughts on where quantum computing is going and what’s the end – not end point, but what’s sort of terminus point of this working?

[00:08:14] AH: Most cryptography today is based on hard math, typically around factorization, number factorization. A quantum computer, if large enough and in existence, can theoretically crack these factorial based algorithms very quickly, such that all current encryption could be at risk. There are quantum safe algorithms out there. They have tradeoffs. That quantum computer doesn’t exist yet. Theoretically, it does in some form, but not a big enough size that we’re aware of to crack current cryptography. The concern right now is that, and what I would be worried about if I was a regular regulated entity would be, is the data that I’m creating today, which is being encrypted with current algorithms being stored somewhere for later decryption once this computer is available. I’ll also say that this computer will probably be available to those who need it to do the various things well, before the public knows about it. It’s coming. We’re probably not there yet. If you’ll get the latest and greatest research five to seven years away, my guess is a little sooner.

[00:09:18] CS: What are the concerns that you said your clients are concerned about? Are they just concerned that they’re not ready to – is it the cost element or whatever?

[00:09:29] AH: They’re concerned about the safety of the data that they’re encrypting today. Is it going to be stored, put offline, brought back online and decrypted? They’re also worried about the future of their communication algorithms, it’s theoretic. I mean, as a general statement, trading out your cryptography is not something you want to do, especially at large scale. It’s time to start thinking about it, not necessarily take action.

[00:09:54] CS: Okay. My previous guest last week was InfoSec instructor and Chief Security Researcher, Keatron Evans. We talked about some of the major breaches that happened this year. I mean, some were hacks, some originated in social engineering. We’ve got quite a lot of ransomware out there in the world. Where do you see the ransomware threat vectors coming from next? What’s the state of ransomware right now?

[00:10:15] AH: Ransomware is the money-making tool of choice today. I would say that it is a symptom of the problem, not necessarily the problem. What ransomware has allowed bad actors to do is to monetize their threats. In the past, they would have just deployed malware, take systems down, steal intellectual property, threaten to steal intellectual property or take systems down. Today, they’re just using ransomware to extract payments. They found a way to make money in a fairly straightforward manner. I will say that the bigger issue is how the ransomware is getting in. Which is today, typically through email. So bad attachments, bad links and malicious links.

One of our predictions for 2021, start of 2022 is that ransomware will double, if not triple. I think that’s a pretty safe bet, just to be honest. I probably could have said that last year, but I do think that for the time being, this is the threat of choice. If companies haven’t gotten their act together around this topic, it is time to get your act together.

[00:11:18] CS: What recommendations do you have along those lines?

[00:11:21] AH: It requires a holistic approach for sure. I mean, there’s no silver bullet here. We have clients who just want to buy a solution, that’s tough.

[00:11:30] CS: Yes. They just want you to make it go away for them.

[00:11:32] AH: Make it go away for them. I mean, there are easy things you can do, but it requires a holistic approach. It’s going to require backup solutions, strong security identity solutions. We would probably recommend that incident response retainer with a firm that can respond. There are also just straightforward things that can be done that can limit your risks, such as deploy some kind of endpoint technology tool. But it’s not one thing. It tends to be a variety of things.

[00:11:59] CS: Okay. By the time this episode airs in early January, we’ll be through the end of the end-of-year holiday season. Certainly, the two big words that hung over everything were supply chain. We were told to buy gifts early because of the supply chain, stock up on supplies because of the supply chain. Prepare for inevitable disruptions of all types due to the supply chain. Can you speak about supply chain issues from a security perspective? What improved security can do to either ease the bottleneck around it or how we can move into whatever the next phase of delivery of goods and services?

[00:12:29] AH: Sure. I’m going to take this question from two different viewpoints. When we talk about supply chain, the first thing people talk about typically is chips and product manufacturing. I mean, that’s what most people mean. This is the new frontier in security. We have matured greatly on the IT side of the equation. I mean, the average enterprise is a lot more secure today than they were a year ago. And the high-end companies with big revenues who are spending a lot of money are much more protected than they’ve ever been. However, the operational technology environment, plant production lines, elevators, manufacturing equipment, vehicles, IoT, IIoT, all these topics, I mean, this is the new horizon in security because these environments have typically been avoided from a security perspective. They’ve typically been disconnected from the internet. That is no longer the case.

Third, they’re hard to make improvements in because they didn’t have big uptime requirements, which slows security professionals down. I think this is the new frontier from security and there’s a lot of opportunity out there for both nefarious actors, but also for improvement. You can also look at this problem from an access or a data management perspective. Meaning that, we’ve seen a lot more attackers move up the chain. And instead of attacking an end customer, instead attack their software providers, or their data providers, or their ISPs, or their MSPs. Because why attack one customer when I can go attack an MSP or a software provider, and attack just them and get access to 1000 of their clients? I also think this is another, not just emerging, but area requiring a lot of focus. It is impacting the supply chain topics and companies need to be aware of their reliance on third parties and the potential risks they’re inheriting.

[00:14:26] CS: Hmm. Now, you said that there’s a lot of opportunities opening not just for bad actors, but for us to improve things. Is this an area – I mean, obviously, all security is area of growth. Is this area of growth for people who are always looking for opportunities, for people just getting started in their security journey to look for new career directions? Is this strengthening the supply chain? Is that something that people can start looking towards as a future career?

[00:14:51] AH: I think so. I would probably categorize it more as physical device security.

[00:14:55] CS: Okay.

[00:14:57] AH: I think there’s a super need for young talent on the traditional IT side of the equation. There is about to be equally large need on the kind of manufacturing side of the equation as well, because it’s not just your laptop anymore. It’s all your IoT devices, it’s your thermostats and it’s also nuclear plants, so there’s opportunity.

[00:15:21] CS: Yeah. Now, a great deal of the questions addressed above, especially supply chain pertain also to the 900-pound gorilla in the room, COVID-19 and the way it’s changed society, and including work and the way everything sort of travels. Looking from this vantage point that for the time being at least hybrid work, you’re working some days in the office and others from home is here to stay. How will these new trends in the way, in the places we work change the cybersecurity landscape if at all?

[00:15:49] AH: We’ve been in this pandemic for 18 months now, 20 months now. The first six months, absolutely, it was remote system access. Employees were not in the office anymore. Now, they’re home. All the remote systems are potentially vulnerable. I mean, that is where all the attention was early. Now, I don’t see that as the biggest issue. I think the most pervasive issue at this point is employee trust. As we now, lots of companies have employees that they’ve never seen in person and employees that are not in the office might have a more transactional relationship with their employer. I think this is where cybersecurity issues are being generated. It’s harder to keep track of employees. There’s less of a trust relationship between the employee and the employer. I think this is leading to a lot of challenges from the overworked, if you’ve read about that to – and just people making things that used to happen in person from a cybersecurity perspective are no longer in person. Trust to me is the new issue. But I mean, I don’t see the situation getting any better, I’m just saying.

[00:16:57] CS: Yeah. Okay. While we get to know our new remote employees, are there other sort of mitigating things that we can do in the meantime? Is this like an access control issue or what can you do if you’re like I’m not sure — these people are here — do you like give them more limited access to things and hope for the best until they sort of prove themselves or what do you think?

[00:17:19] AH: We have a surprising number of clients reaching out to us on insider threat programs, as well as access control programs to more carefully distribute access rights. I will tell you, these programs are not easy to put together. I mean, I’ve been working in [inaudible 00:17:35] personally for a long time and these programs are difficult and complicated. But they’re necessary now, more so than ever before just because of the remote work.

[00:17:46] CS: Yeah. Moving on to another prediction for 2022. Cyber insurance has been a big topic this year. Although I know it predates this year, this seems like kind of a year zero in terms of tracking its effectiveness, its issues and specifically things like the regulation of it, and the why and how of payouts and who pays the money when someone calls in a problem that they have? Do you think that cyber insurance as an industry will be able to work out the kinks and be a viable backup when the worst occurs? And if not, how would you change it?

[00:18:17] AH: My answer is no, as a general statement. I think cybersecurity insurance is part of the bigger picture and part of a program, but much similar to other topics, not the panacea. Most companies are trying to get cybersecurity insurance, it’s probably a good idea. It is getting more difficult to get it, because I think the underwriters are getting smarter about what the real risks are. Also companies need to go read the fine print, because often, the exclusions will eliminate the purpose of the insurance altogether. A lot of insurance policies are now starting to exclude ransomware, but that’s problematic.

[00:18:56] CS: Yeah. Is it because it’s so easy to get in or because it’s, I mean, it’s such a gnarly payout? Oh, okay.

[00:19:02] AH: The other issue is, these policies are rarely large enough to really deal with the ultimate problem. I also think that there is going to get more and more complicated to get because again, I think, people are just waking up.

[00:19:14] CS: Yeah. I mean, it does. I’m sure there’s a point where it’ll will itself out, but it does feel sort of like buying magic beans at this point.

[00:19:23] AH: My advice to most clients is go get it for sure. You need to read the fine print.

[00:19:28] CS: Yeah. And still don’t lean on it. Can you speak about President Biden’s directives on immediately addressing and patching vulnerabilities in federal and government servers? I mean, we’ve had guests speak a lot this year about the importance of prioritizing vulnerabilities and the ones that are actually exploitable, rather than just working around the clock to close everything that can’t be exploited anyway. What do you think about the implications of this directive to go close gaps?

[00:19:55] AH: I’m not surprised that the Department of Defense and government systems have vulnerabilities. That is to be expected. I think the overall theme of the exec order makes sense. I mean, the government should prioritize the cybersecurity topics. I don’t think there’s anything new here. To be honest, I think it’s not a surprise that an enterprise as big as the US government has issues. And I think the executive and the CEO, for all intents and purposes is putting pressure to close holes. It’s [inaudible 00:20:23].

[00:20:24] CS: Are there legacy issues involved in that as well? Is there a large hierarchy of very old systems versus or recent stuff?

[00:20:31] AH: Not only that, they’re unbelievably complicated. In many cases, the US government doesn’t even know who built the system, because it’s so old.

[00:20:40] CS: Yeah. Or you can’t take things down long enough to update it, I imagine.

[00:20:44] AH: Right. I mean, this is a complex environment. I mean, like I said, I mean, the US government is just a big enterprise. It’s just a heck of a lot bigger than anybody else out there.

[00:20:54] CS: Yeah. I mean, do you see it being – GDPR was a good idea, but it seems like it’s been implemented oddly. I mean, do you think if this is a good idea, do you think that it’s going to do what it intends to do?

[00:21:06] AH: I think it will have marginal improvement. I mean, you’re going to get a lot more benefit out of having the right leaders in place driving these programs, than you are of any executive order.

[00:21:16] CS: Got it. Here’s the part of the show where I hand you the magic wand or the genie with three wishes and let you make the pie in the sky changes to the cybersecurity industry that you’d like to see. Where do you start?

[00:21:28] AH: First thing I would do is get my DeLorean Back to the Future reference.

[00:21:33] CS: Yeah, absolutely. Get the flux capacitor going.

[00:21:37] AH: Get the flux capacitor rocking and go back with Marty McFly to the late 1980s, when all these protocols have been written, FTP, HTTP, and basically slap them in the face and say, “Don’t build any of these that have security built in.” I think that kind of underlying protocol model of the internet has been foundationally broken for a long time. A lot of the issues we see today, less so today, maybe than five years ago, because a lot of the secure protocols have taken over. But that would have saved us a lot of bad heartache. I think secondly, I would go if I could do a magic wand, I would fix the authentication behind email. Email is where a lot of our challenges come from today. It’s driven by a lack of authentication on the other side of the equation. It’s not that the technology doesn’t exist, it just isn’t usable. My mom can’t figure out how to send an encrypted email and it just isn’t going to work.

[00:22:40] CS: Yeah, absolutely.

[00:22:42] AH: Then probably, third, I would really – if I could go fix anything, it would be, I would really encourage organizations to not rely on security, training, awareness so much. I visit with a lot of clients where their solution to all problems is security, training and awareness. My view on that is, there’s a place for security, awareness and training, but it is a last line of defense, not first line of defense type solution. Most security problems are the fault of people like me. I mean, there needs to be – I blame security practitioners for not creating good usable solutions to a lot of problems. A good example would be phishing. This is just a place that security practitioners have failed. I mean, flat out. We should not be counting on anti-phishing programs or phishing training programs in companies to solve this problem. I mean, this needs to be a technology solution that takes it out of the hands of accounting, or HR, or an admin or an IT person. It’s a fallacy that is created by our profession and it needs to be resolved.

[00:23:52] CS: Do you feel like that’s something that the security industry has sort of kicked that can down the street by putting it into the laps of the end users?

[00:24:01] AH: Yes. I’m a big believer in not blaming the end user.

[00:24:06] CS: Yeah. Me too.

[00:24:08] AH: An end user goes and clicks on an email, and that leads to a breach. Is that the end user’s fault or is that the security leader’s fault? The answer is, the security leader’s fault. The security research world and the security practitioners, we have to go give organizations the tools to not blame the end user. I see lots of companies taking action on employees who make a stupid move on their computer that leads to data exposure. I just think that’s probably the wrong way to think about it. That’s why I don’t like these phishing programs as much as maybe someone might think I would.

[00:24:48] CS: Can you see sort of – what does the technology look like, that would sort of put phishing completely out of mind for an end user? Does it exist in the world? Is it something that’s yet to be built? Or is it just the will to implement it?

[00:25:06] AH: I think it’s a complex problem, I mean. It requires the right email solutions, the right authentication and the right data analytics to go do it. But there’s, in my mind, theoretically, I mean, obviously I would have built this myself right this second if I knew the solution. I think we as security practitioners, this is one area that we have definitely failed. I mean, there is opportunity for improvement here, and most security practitioners will tell you that email is their biggest threat vector. This is something that needs to be resolved. By the way, that’s been true for 15 years.

[00:25:44] CS: Yeah. It’s more true than ever.

[00:25:47] AH: Can I make one comment on the phishing thing?

[00:25:49] CS: Please.

AH: Running a phishing campaign where you measure how many people click the phishing email. I think that’s just a mistake, because I think you’re running after the wrong metric. What I would much rather see organizations do is, instead of tracking who clicks on the email, go track who reported it. Okay? You deploy a training email around phishing, and 15% of your employees reported it as phishing to security. That is amazing. You’ve just increased the number of people in your sensor network, helping defend the network by 15% of your employee base. I would much rather focus on who recognized it and didn’t click on it, than who didn’t recognize it and did click on it. Because I think in that instance, training is only going to get you so far.

[00:26:37] CS: Yeah. Does that mean that there’s more of an issue for people who maybe recognized it but didn’t do that extra step of reporting it?

[00:26:45] AH: Yeah. I mean, I think there’s a need for people to report it. I also say that the people writing these phishing emails today are very good. They’re very good.

[00:26:54] CS: Stunningly so.

[00:26:55] AH: This is part of my issue with this, with only counting on the click metrics is, with time and energy, I can write an email that everyone in your company will click on. Just how much energy does it take? I would rather put my energy into defenses than necessarily identifying it.

[00:27:13] CS: Right. Speaking from a work perspective, what advice would you give cybersecurity students who are getting their knowledge and experience in 2022? What trends or innovation should they be watching for in the new year?

[00:27:26] AH: What I see happening in the security environment is security as code. I mean, this is basically the trend. It’s driven by the earlier conversation around the cloud. The security leaders of tomorrow are software developers today. I mean, I’m pretty sure of that. Because what I see all of our clients doing is trying to automate the security process, and they’re doing it because they can’t find enough people. Plus, they want better efficacy. By automating, they could have more confidence in their mitigations, more confidence in their controls. It’s faster, better, smarter. Well, that puts a huge amount of demand on people that understand how to automate and how to take a complex problem and turn it into a simple solution that can be done over, and over and over again. I mean, what I tell more junior people that are interested in getting into space, problem solving is requirement number one. That you get interested in solving the problem. And then two is some data analytics skills, and some scripting, automation programming skills, even if it’s just basic Perl and Python are super valuable to the average employer.

[00:28:40] CS: Nice. As we wrap up today, Andrew, could you please tell our listeners about Kudelski Security, and some of the projects and productions you’re excited about going into the new year?

[00:28:50] AH: Sure. We’re a Swiss-based, as you can see in the background.

[00:28:54] CS: There you are. Live from Switzerland.

[00:28:57] AH: [Inaudible 00:28:57] cybersecurity firm. We focus on enterprises, big and small. We have been on the market since 2013 with major presence in Europe and the US. We help enterprises get ready for the attack that is inevitably coming. We provide advice on how to protect your network. We provide evaluation of your network and your controls that protect that network. And then we’ll secure the network on your behalf, either secure it and let you run it or secure it, let us run it. In addition, we work in a lot of spaces to develop strong security solutions, everything from blockchain, which is a fast-moving market, you have a lot of security demands. To operational technology, and how that space is evolving and what tools are required. We like to think of ourselves as a partner to our clients as they move their business. We like to protect their business models. We’d appreciate the opportunity to talk to anyone that has needs.

[00:30:01] CS: I was just about to wrap up here, but you mentioned blockchain security. Can you talk about that at all going in 2022? What are the concerns going around that right now?

[00:30:09] AH: This is our fastest growing business segment [inaudible 00:30:12]. Our company historically has been engaged in cryptography. There’s a lot of cryptographers on staff and they’re in hot demand in the blockchain space. That is the amount of venture capital being moved into the blockchain space to develop decentralized finance apps and exchanges, new cryptocurrencies is at a pace like I’ve never seen before. I mean, the number of apps being developed, is at a crazy, crazy pace. All those apps have security vulnerabilities that need to be mitigated. All those exchanges want to be secured. All those crypto algorithms underneath the new chains and currencies require validation. That’s where we play. We partner with companies that are developing those technologies and help them secure their business models.

[00:30:59] CS: All right. One last question for all the marbles. If our listeners want to learn more about Andrew Howard or Kudelski, where can they go online?

[00:31:06] AH: Company website’s always the best,

[00:31:14] CS: Great. Andrew, thank you for joining me today and talking us through your predictions for the near future. It’s been a lot of fun.

[00:31:18] AH: Thank you very much.


[00:31:20] CS: As always, thanks to everyone who is listening and supporting the show. New episodes of the Cyber Work podcast are available every Monday at 1:00 PM Central both on video at our YouTube page, and on audio wherever you find podcasts are downloaded.

I’m also excited to announce that our Infosec Skills platform will be releasing a new challenge every month with three hands-on labs to put your cyber skills to the test. Each month, you’ll build a new skill ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we’re giving away more than $1,000 worth of prizes each month if you solve the puzzles and let us know. Just go to and get started right now.

Thanks very much again to Andrew Howard and thank you all for listening and watching. We will speak to you next week.
