A graduate of Moscow State Institute of Electronic Engineering with a master's degree in Applied Mathematics and holding a bachelor's degree in Business of The UK Open University, Natalya Kaspersky is an active participant of international business community life and actively invests in high-tech companies.
Natalya is a co-founder of Kaspersky Lab, one of the world's largest antivirus companies, and CEO of InfoWatch Group of Companies, working in the sphere of internal information security. During her 10-year tenure at Kaspersky Lab Natalya turned a small group of enthusiasts into a world-class international IT company with annual revenues of hundreds of millions USD.
Featured as a distinguished speaker at elite IT events across the world, Natalya welcomed my invitation to discuss about the current challenges and trends in the information security. With an elegant presence and an open attitude, she shares her thoughts and experience with us.
[Diana Ciorba] What is your motivation as an entrepreneur in the information security industry? Did it change over the years?
[Natalya Kaspersky] : Initially, my motivation was to make some money for the family. As my former husband was the expert in the development of the antivirus software, my role was that of the salesman, of packing the software and putting it on the market. In 1997, even if it was not an initial desire, circumstances were such that I became CEO of the Kaspersky Lab and held that role for 10 years. Since then, things and life changed; my motivation, now, is to invest in the areas of IT, IT security and artificial intelligence. I am involved in 7 companies, some have success and some are still at the start-up phase, but that is the natural life of an investor.
Based on your experience and expertise, what are the critical points that business owners should pay attention to when dealing with data in the current global landscape?
Natalya Kaspersky
[Natalya Kaspersky] It is important to understand that data in the modern world is not safe. Businesses hire professionals to secure data, yet there are two problems: firstly, the professionals may not have the knowledge to create full protection or may lack resources for this purpose; secondly, professionals are also human beings and they may overcome their responsibilities or get use of the infrastructure. That is why we divide threats in two categories: external for a company and internal. Threats coming from the inside are underestimated and there are very few tools available on the market to prevent them. In my view it is critical that business owners take the necessary time to analyze what they will do with their data and to acquire a generic understanding of the data security problem.
What are the main challenges when deploying a data protection system for a customer? How is InfoWatch Group addressing these challenges?
[Natalya Kaspersky] When we use the split between external and internal threats, we remark some crucial facts: External threats are more or less clear to identify - they may be viruses, general service attacks or hackers - therefore, protection against them is easier due to the wealthy knowledge base accumulated over the last 20 years. Internal threats though, are quite difficult to describe and detect. Many of our customers even find it difficult to describe what is confidential and what is not… Mainly because it is hard to explain. Therefore a task for prevention the confidential becomes impossible. If one doesn't know what he is looking for, no software can help him to find it.
At InfoWatch we produce and sell DLP (Data Leak Prevention) systems. The biggest question for us is "What information must be blocked or caught?" Otherwise we risk catching nothing or everything. I can tell you a story about that. One day I got a visit from our young competitor, a small company which also produced DLP systems. They boasted like they installed their product to a first customer and detected 14.000.000 leakages on the first day! I wasn't polite to give them my compliments, I simply said: "Do you understand that your software doesn't work?" Obviously the product detected all the traffic of this poor bank as a leakage.
Why did it happen? Because the developers did not work with the customer to differentiate confidential information from non-confidential. Our focus at InfoWatch was always to analyze the data first - it means to proceed with *categorization* of information. We do it with a help of another software tool, which we created especially for this person, and we call this stage - pre-DLP stage. To shorten the pre-DLP stage we build predefined linguistic structures for predefined industries. After having installed DLP systems at +300 clients, which are large enterprises from more than 13 industries, I can openly declare that a pre-DLP stage is mandatory in order to make sure that the system will effectively work.
What is the role of innovation in the solutions that you provide? How do you support its development and how do the stakeholders relate to it?
Natalya Kaspersky și Diana Ciorba
[Natalya Kaspersky] DLP is a new product category by itself. It has started approximately 10 years ago, and until recently we were still struggling to explain the necessity of a DLP system for enterprises and confront the more delicate issue of privacy.. Since we are a software development company, innovation is at home.
In the DLP sector there are three main innovation drivers:
The customers - They are very innovative and have imaginative requests, but unfortunately not everything is technologically possible. We try to choose some possible relevant tasks and to build that specific tool or technology.
Trends of the IT industry - Each new version of available operating systems on the market attracts an update of our software too. New devices, new forms of IT bring new challenges for the IT-security companies. That is why the IT security sector is always one step behind the IT industry. We need to analyze the new software and hardware before building the protection tools for them.
The threats and the compliance requirements - Each new threat engenders innovation from our side. On top of that, the legal aspects on the protection of personal data determine us to always find the tools to be in compliance with the specific laws (FISA, Basel II, Basel III, PCI DSS, etc.)
Considering all the above, as a provider of DLP systems we have to move forward with our own understanding of data security problems. We must decide what can be addressed and how can we best do that.
Could you depict the main foreseeable industry changes for the upcoming years?
[Natalya Kaspersky] IT security is currently evolving in two major directions: a) localization rather than globalization - businesses and governments tend to choose domestic data security providers. This trend is clearly seen in Europe; and b) the rising of defined targets with the specific methods -Targeted attacks are relatively new and you do not know from which side they will be led, therefore they are a big challenge for the industry. Take for example the case of the Stuxnet virus, which was designed to attack infrastructural objects of Iran and stayed in the wild for more than 3 years, unnoticed by antivirus companies!
Are there any new roles emerging in the information security related professions?
[Natalya Kaspersky]: Actually, there is a big discussion about the CISO's role. The Chief Information Security Officer has a difficult and sensitive position. Due to the fact that CISOs ought to focus on many aspects related to the overall business security it is expected that the holder of the position is a fine psychologist, security expert and astute marketer. And this is something what is very hard to reach within one person. Alternatively, this role could be split among multiple persons. There are big discussions within the IT-security industry about the future of this role.
In terms of educating the new generations (both of users and professionals), which would be the pillars of a safe privacy system?
[Natalya Kaspersky]: Truth to be told, most people underestimate security. They simply do not think about it! Take as an example social networks, where people leave their sensitive pictures and other info about themselves. They got in contact with strangers and then surprised why somebody robbed or insulted them. The only way to change it, is to implement education about IT-security for all the age groups - from babies to adults. IT systems change too fast, whereas the educational systems are really inertial. The pillars of a safe environment are the principles of conduct in the digital world. The message for each aging group is the same "Internet is dangerous, but, if we learn to follow the simple rules, you can be safe", but should be adjusted for a different level of understanding. And yes, we should start teaching the rules and principles since early kindergarten years.
A special message for Romania's ICT community?
[Natalya Kaspersky] I value Romania for very well educated people, especially in engineering and information technology. At Kaspersky Lab we had a successful experience with the Romanian team who developed the Linux version of Kaspersky Anti-virus. Good, talented and very qualified guys. I remember them with a good heart. Romania has its own antivirus software and that is something that must be appreciated. Personally, I think that the country should use its technical superiority for creating more software products and solutions. I wish best of luck to Romanian ICT community and may we cooperate well in the future!
Graduated from Moscow State Institute of Electronic Engineering with a master's degree in Applied Mathematics, and has a bachelor's degree in Business of The UK Open University. Natalya Kaspersky is an active participant of international business community life and actively invests in high-tech companies. Natalya is a co-founder of Kaspersky Lab, one of the world's largest antivirus companies, and CEO of InfoWatch Group of Companies, working in the sphere of internal information security. During her 10-year tenure at Kaspersky Lab Natalya turned a small group of enthusiasts into a world-class international IT company with annual revenues of hundreds millions USD.
Natalya holds multiple awards in Russian and International Business and IT:
Bronze medalist of "Top-100 most influential Russian women in business" rating.
"Russian Business Leader of the Year 2012" award honoring her remarkable contribution to the progress of the Russian IT community, according to Horasis, the Global visions community.
Leader of "Top-1000 highest Russian managers of 2013" in IT according to Kommersant leading Russian business daily and Association of Russian managers.
Best Technology Business Entrepreneur, Women in Technology MEA 2014 awards, Dubai.
by Ovidiu Mățan
by Ștefan Bălan
by Ioana Varga , Ioana Costea
by Oana Călugar
