E253 - Priya Gnanasekaran, Senior Security Engineer at LAB3 (Australia)
[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
[00:12] Hello, my name is Debbie Reynolds. They call me the Data Diva. This is the Data Diva Talks Privacy podcast where we discuss data privacy issues with industry leaders around the world.
[00:23] What information the businesses need to know. Now I have a very special guest all the way from Melbourne,
[00:31] Priya Gnanasekaran. She is a Senior Security Engineer at Lab 3. Welcome.
[00:38] Priya Gnanasekaran: Thanks, it's a Pleasure to be here.
[00:41] Debbie Reynolds: Well, thank you so much for staying up late for being able to have this call with me. I really appreciate it.
[00:48] I really admire the work that you do and I would really love to get an idea of what your journey has been in the tech industry thus far and how you became a senior security engineer at LAN3.
[01:04] Priya Gnanasekaran: Thanks Loree. It's definitely likewise as well. I love the work that you do in the industry and seeing that there are only very few women as compared in cyber security as well.
[01:14] So I love the work that you're doing and your contribution to film.
[01:19] So a little about me I've started, I would say I'm in cybersecurity industry for around a decade now.
[01:26] So I've started my journey in computer science long ago because since childhood I always wanted to be a computer science engineer.
[01:35] And then slowly my interest and due to the innate curiosity I had,
[01:41] I navigated into cybersecurity.
[01:44] So I did my research in cybersecurity that was in BDOS protection using machine learning and prevention methods. So that is how I channelized myself into cybersecurity while I did my master's in the University of Melbourne.
[02:00] And so after that I started working in cybersecurity as a technologist in one of the major telecom companies here.
[02:10] And that is how my journey has been going and and working across multiple domains that would be in DevSecOps,
[02:21] security engineering,
[02:23] security operations.
[02:25] So those are the areas that I've worked across over a period over my last, I would say eight to 10 years now.
[02:33] So at the moment I'm working with Latory as a senior security engineer in the security operations.
[02:41] Debbie Reynolds: Very good.
[02:42] I know when you were talking about working at cybersecurity over different domains, I think one thing that I feel that people get wrong or don't understand about the cybersecurity area is that they think it's just one thing as opposed to many different things.
[02:59] I mean very different.
[03:01] It's like if someone is a doctor,
[03:03] people always ask them what type of doctor they are. They don't assume that you're like, everyone's a brain surgeon or whatever. But tell me a little bit about that misunderstanding, understanding in kind of the cybersecurity world.
[03:15] Priya Gnanasekaran: Right, I agree. Like you said, many people probably when they hear cybersecurity, they think we are all hackers or we are all pen testers or it's all only the main stereotypes or the notions all across the world.
[03:28] I would say mainly in terms of cybersecurity. But definitely there are a lot more to it.
[03:34] And if you think about it, it is an amalgamation of multiple domains or multiple disciplines. For example, networking or even software engineering put together. Right. And we have the blue team, red teams, and when we dive deeper into those, we have a lot more.
[03:53] So for me, I've been always in the blue team side of things.
[03:57] So in the defense side of things. So starting from DevSecOps to security engineering and to infrastructure. Security engineering as well.
[04:08] Security operations. So it is interesting because I did, I used to do software engineering previously. And when I came into security, I was able to connect those dots which I learned in software engineering and that I could bring to security as well.
[04:25] And that is why when I said it's an amalgamation. So I would say even a network engineer could learn security and dive deeper into security. Security.
[04:36] Debbie Reynolds: And then also I think there's a misunderstanding between traditional IT work and cyber security work. Can you tell us the difference between those two for people who don't understand that?
[04:48] Priya Gnanasekaran: That's right. That's right. And even in it,
[04:51] like how we say in cyber security, there are so many domains, even in it, there are so many domains as well. But again, cyber security comes at the forefront of protection.
[05:01] One thing I want to state is that security is not just an IT problem.
[05:06] It's more about.
[05:08] It's more about protecting people,
[05:10] their digital lives and the futures. That is how I look at it.
[05:15] Debbie Reynolds: I like the way you put that.
[05:17] So that's why privacy and security, they're not the same, but they have a symbiotic relationship because we're also aiming to protect people,
[05:27] but we're trying to protect people's rights around data.
[05:31] So what's happening in the world,
[05:33] just in general around technology or data, that concerns you most as it relates to cybersecurity?
[05:40] Priya Gnanasekaran: Well, I would say lately we are all aware of the AI revolutionizing everything.
[05:47] So that is one of the biggest threats at the moment related to personal privacy. I'd say definitely we do see the upside of it.
[05:57] Certain advantages. We have so many advantages with the narrow AI or agentic AI. A lot more. At the same time, what we need to be privy of is also about the threat status emerging.
[06:09] And if you look at the research papers that have been published,
[06:13] there are a lot more papers and researches are done on the amount of attacks or issues that it can occur. At the same time,
[06:22] only very less amount of papers are published about the defense mechanisms because we haven't understood AI completely yet and it is growing at a pace where it's hard to keep up to understand it completely or holistically.
[06:38] Debbie Reynolds: I agree with that.
[06:40] Your thoughts about something? I did a video about this a while ago and I call it shadow AI,
[06:47] where the corollary to that previously was shadow it, which was basically people using applications or doing things with enterprise data that they weren't supposed to be doing kind of under the radar.
[07:01] And I think having the cloud come into play made that harder for companies to manage because people can kind of go to any website and download app and start using it.
[07:10] But now we have this, this AI explosion all over the world and people are downloading and doing all types of wacky things with data within enterprise. And I always tell people you shouldn't put your private information into AI tools, you shouldn't put company proprietary information in those tools and people just do it anyway.
[07:32] But I want your thoughts just about that challenge because I feel like cyber security is already hard and so this just making it more difficult for people like me.
[07:43] Priya Gnanasekaran: I agree,
[07:44] I agree. And like when you touched upon cloud, I remember that when cloud was in place we had a lot of IoT devices as well because of the cloud improvements and technological improvements that we were having.
[07:57] And at that time IoT devices were.
[08:00] And even till date I would say they're not completely secure.
[08:05] Most of the IoT devices they have so much anomalies and we can. It's comparatively a lot more easier to attack as compared to other devices at this point. We are at a stage where these IoT devices are also using AI.
[08:20] So whether it be Alexa, Siri Go and all those.
[08:25] So it's even a lot more concerning if you think about it just adds up.
[08:30] And also now at the moment we are an agentic AI and we are going towards collective AI where they collaborate multiple agents and it's a collection of multiple agents and allows you to perform and a lot more research I would say happening in the AI forefront.
[08:51] So these things combined with IoT devices and if will be combined with quantum computing as well, which probably we will see in another two, three decades,
[09:03] it's a lot more frightening but at the same time,
[09:06] definitely, we can use AI to protect our system as well,
[09:13] because if attackers can use and leverage AI, why not defense can also do the same?
[09:19] So I would say we can't completely avoid it. Might as well use it to our favor and get it up to speed with the defense mechanisms as well.
[09:29] Debbie Reynolds: Yeah,
[09:30] I'm glad you touched on iot. That's an area that I work in quite a bit on the privacy tip. And I think it is concerning that these devices, they're becoming more sophisticated.
[09:42] They're not as secure as they should be. Before people went crazy about AI, I was always concerned with IoT,
[09:50] especially devices becoming more sophisticated so that they talk to one another. And so now we have AI, we have IoT devices, can talk to each other. Then you're adding in, like you say, our artificial intelligence that also talks to one another.
[10:08] And so that could definitely be a vulnerability, especially if people don't really understand those IoT devices.
[10:16] But I want to talk to you a little bit about. Let's talk about IOT a bit more.
[10:21] The thing that concerns me, I'm concerned a lot around iot. Right. But the thing that concerns me a lot is like. Like people using devices that are, like, at the end of life or they're no longer getting updates and things like that.
[10:35] And so it creates more vulnerability for the organization,
[10:39] for those things to operate within the organization. But I just want your thoughts about that.
[10:45] Priya Gnanasekaran: Absolutely. And it's not just from the software perspective that creates the vulnerability. Right.
[10:50] When IoT devices are made, there are not enough testing on the hardware side of things as well,
[10:56] whether it be firmware installations,
[10:59] and that's something which is important,
[11:02] and it needs to be supervised strictly a lot more than what is at the moment currently being followed at a wider range.
[11:13] So, yeah, so we have to. If only we find it from the hardware level, then we can focus on the software level of things for IoT devices.
[11:24] So, yeah, that would be my take on it. And like I said, it is harder to also detect those vulnerabilities in IoT devices as compared to the other systems that we are currently using.
[11:36] So.
[11:36] And there are a lot more IoT devices as well. With growing, for example, sensors or with vehicles, all the automated vehicle systems,
[11:47] a lot more things are happening in those areas,
[11:51] and we need to be up to date on that and as sophisticated as it gets, we need to get the defense mechanism up to the sophistication level as well.
[12:03] Debbie Reynolds: So what types of things that organizations really need to think about,
[12:08] maybe even they're emerging or maybe as I hear a lot of cybersecurity people, they kind of bang their head against the wall that they think companies aren't doing some basic things that they should be doing.
[12:20] But I want your thoughts.
[12:22] Priya Gnanasekaran: I would say start to most companies or most teams, even inside the companies think or look at cybersecurity as a blocker for their work to be done.
[12:32] Like whether it be a production release or a software release.
[12:36] So it would be nicer if teams collaborate and work together and rather than just focusing on doing security testing. In the end,
[12:48] it would be good if we can amalgamate security in every stage or every, each and every step of the production. And that is what even DevSecOps preaches or says. Right.
[13:01] So moving security to the left as in security focused production with, in terms of the creating the devices or even whether it be writing the software for it.
[13:15] So it's about not looking security as a blocker and trying to be more open and incorporating it in the day to day process.
[13:27] Debbie Reynolds: I feel like if you think cybersecurity is a blocker, you're doing it the wrong way.
[13:33] Priya Gnanasekaran: Yeah. The thing is people think it slows down the production,
[13:36] but it's not the,
[13:38] I mean it does because there is a one more extra layer or step that gets added to what the way it has been done before.
[13:46] But at the same time you, they have to also remember at what cost you're going to speed up the process and then the risks of it comes later.
[13:57] Debbie Reynolds: Yeah. And I think that's a problem we have with AI right now where we're seeing people say like let's forget about the guardrails and safety and let's just, you know, run towards AI and not,
[14:09] you know, think about issues later. And as you know,
[14:12] you know, a lot of harm can happen within organizations or people if you wait later. Sometimes there is no adequate way to solve a problem after the horse is out of the barn.
[14:27] I like, I like that you talked about shifting left in terms of being more proactive instead of being reactive.
[14:34] I always tell people, for some reason I think some organizations think about cybersecurity is like the fire department.
[14:42] It's like, okay, we don't think about it and then something bad happens and say, okay, we need your help now. And it just doesn't go that way. But I want your thoughts.
[14:51] Priya Gnanasekaran: Yeah, yeah, definitely. Right. That is what, that's what I've been telling that it's about being more accommodative to cybersecurity and probably it's also when you said do they think of it as a fire department or even some people think of it as like police,
[15:08] you know, you just call, even there is emergency.
[15:11] So shifting left, it definitely helps us from preventing a lot more. But then people don't look at it because they don't fully understand the risks that are involved by not taking proper meshes.
[15:27] So that is. And that begins with awareness training. Right.
[15:32] So it is important that people be aware of security and how important it is.
[15:38] And these days most of our time we spend in digital environment. If you look at our phones or computer you can see that they our day to day life is involved around devices.
[15:49] And if we don't even know what are the risks and vulnerabilities or malware or all the threats that we are facing in digital devices,
[15:58] if you're not even aware of it, how are we supposed to stay safe moving forward?
[16:05] And also in the last decade we have seen change so far the fastest in the history.
[16:13] The change at which the technology is growing and it is,
[16:18] it is admiring at the same time it's frightening as well.
[16:22] Debbie Reynolds: I agree with that.
[16:24] As a technologist, I'm always excited to see innovation but you have to have a critical eye toward it too. So I think technology is like a sword that double edged swords both ways.
[16:36] Priya Gnanasekaran: Yeah, it definitely is a double edged sword.
[16:41] Debbie Reynolds: I want your thoughts about insider threats.
[16:44] So this is a topic that it kind of makes me giggle when I think about it because a lot of times when I hear people think about insider threats, they're thinking about Mission Impossible with Tom Cruise hanging from the ceiling.
[16:58] And I tell people a lot of insider threats aren't malicious. Right, but. And so they don't understand that. But I want your thoughts there.
[17:05] Priya Gnanasekaran: Yeah, insider threats, definitely something that shouldn't be overlooked because and also working in security operations we deal with preventing a lot of insider threats and we also detect.
[17:19] So it's like you said, it is not as cool as Mission Impossible or all those hefty missions. But it is more about it could be as simple as collecting sensitive data in your usb.
[17:32] So those things are also inside the threads. Right. And all and otherwise publishing sensitive data to DarkFit or any other websites publicly.
[17:43] So those things could also be insider threats. And it is important to again this thing comes down to the awareness part of awareness side of things.
[17:55] So however we need to detect it. But it's also important to train the people and employees about what should be done and what is ethical and what is non ethical to do and they need to be aware of the,
[18:12] I would say, consequences that they will have to face after they are being caught or after they are being found to be a person who did the insider threat.
[18:24] So I would say if people are aware of that,
[18:28] there will be less people involved in insider threat because most of them don't know the consequences.
[18:36] And the law,
[18:37] I would say it's pretty strict then, so there could be pretty hefty fines and even penalization of jail terms and all those as well.
[18:47] So it's pretty dangerous if people commit inside the threats.
[18:51] Debbie Reynolds: Oh it is.
[18:52] So a lot of times it can be something as simple as someone,
[18:57] let's say a new person coming into a new company and they may not get the proper awareness training until let's say three months after they got within the organization or something.
[19:08] Right. So you don't know what they were doing for those three months and they didn't have the proper information. And so that can create an insider threat in and of itself.
[19:17] Now tell me your your thoughts. Now you're a meal. Warren spoke.
[19:22] What are you seeing any like regional differences in your work in cybersecurity that you think is different based on your location or where certain companies operate?
[19:33] Priya Gnanasekaran: I would say location based,
[19:36] we don't see location based differences in threats or definitely the numbers would differ as countries but definitely there would be difference in the culture of how the cybersecurity is being adopted and that differs.
[19:53] We are lately or recently we have been focusing as Australia as a country has been focusing a lot more on cybersecurity and they have strategies published and they're also collaborating with other countries to strengthen the cybersecurity.
[20:12] But apart from that, as organizations,
[20:15] I would say we are all wanting to incorporate security in our day to day operations and I would say even whether it be other teams releasing something or whether it be patches or fixes, we are trying to progress and incorporate cybersecurity faster.
[20:36] Debbie Reynolds: Do you feel like where you are there's more collaboration between companies and government, like maybe more information sharing about cybersecurity or,
[20:47] or more helpful, supportive things that government can do for private industry?
[20:53] Priya Gnanasekaran: Definitely there are a lot more government initiatives that they've been publishing as well. And lately like I said, Australia as a country has been progressing in terms of cyber security.
[21:05] So there's a lot more funding capabilities and initiatives that the government is taking in order for the people to be more secure and also strengthening their digital forefront.
[21:17] Debbie Reynolds: I think that's really important.
[21:18] In the US we, it's kind of like a fragmented Type of thing where sort of like the private industry,
[21:27] government is more like, okay, you all do your own thing or we're only going to enforce something, something like really, really bad happens. But there, unfortunately, in my view, there isn't enough of that data sharing or collaboration that happens between private and private sector and government.
[21:47] Because I think that a lot of times,
[21:51] for whatever reason,
[21:52] people think of it unfortunately as, as reactive. Right. So it's like, okay, bad thing happened, so then now we're going to all jump in and help out.
[22:01] But the threats are becoming fast and furious towards us and I think just that reactive approach isn't going to be sustainable for the long term. So being able to, like you say, like educate people,
[22:16] have those types of collaborations,
[22:18] being able to make sure that the public is educated. Because I know another thing about awareness training is that people, they use technology or they use devices even at home.
[22:30] Right. So they're not yet educated on how to protect themselves at work.
[22:35] It'll be hard for them to do that at home as well. And that can have a impact on their work as well.
[22:43] Priya Gnanasekaran: Exactly, exactly. I do agree with you.
[22:46] They do see it in a reactive way. That is what. I'll be serious, I'll be super happy if people stop looking. Cybersecurity is just a technology thing,
[22:59] but rather more like a way of living because that is how digital devices are incorporated in our life on a day to day basis.
[23:09] So it's more like how we lock our doors without thinking twice.
[23:14] It should be like that when we are taking protective measures in our, with our digital devices as well. It should be a second nature.
[23:22] Debbie Reynolds: I love it because. Right. We don't say with our door, well, maybe I'll lock it there. Maybe I'll, maybe I'll close my door today. Or maybe I won't. Right? Or yeah, maybe I just store my keys.
[23:33] Priya Gnanasekaran: Yeah, yeah. And we don't close the door after the thief enters the house. We close it so that nobody enters the house.
[23:41] Yes. That is how it should be for security as well.
[23:45] Debbie Reynolds: I love that analogy. Oh my gosh.
[23:48] Well, if it were the world according to you, we did everything you said. What would be your wish for data or security or cyber anywhere in the world? Whether that be regulation,
[24:00] human behavior or technology.
[24:02] Priya Gnanasekaran: Like I said, Debbie, I'll be,
[24:05] I'll be really happy if everyone adopted cybersecurity as a way of living rather than just looking at it as a technical thing or just technology domain.
[24:17] Because moving forward it is important to protect our digital security.
[24:23] And these days privacy is more of a concern at which at a pace that we are growing.
[24:31] So it is important to be mindful of what we post online, what we share online, and how we keep our passwords strong. And those things matter.
[24:40] And the risks involved a lot more. And there are even cases where lives are being impacted.
[24:49] So that is why it is important to incorporate cybersecurity,
[24:53] as I would say, as a part of your lifestyle.
[24:57] Debbie Reynolds: Yeah, I love the human part of it. I think a lot of times we do forget that.
[25:03] That it really is about humans and it's about protecting humans, even if it has a digital element.
[25:10] Priya Gnanasekaran: Exactly, exactly. And like I said, these days we spend more of our time with devices than with other humans.
[25:18] Debbie Reynolds: That's so true.
[25:20] Well, thank you so much. This is so great. And thank you for staying up late to be able to have this conversation with me. I'm sure the audience will love it as much as I do.
[25:29] Priya Gnanasekaran: Oh, thank you so much, jb. Thanks for having me as a guest in the podcast as well.
[25:35] Debbie Reynolds: Excellent. And I'm sure we'll be able to. Hopefully we'll be able to have opportunity to collaborate in the future.
[25:42] Priya Gnanasekaran: Definitely. Definitely. Looking forward to it.
[25:45] Debbie Reynolds: All right, talk to you soon.
[25:47] Priya Gnanasekaran: You take care. Cheers. Bye.
