Chris Doman, CTO and Co-Founder of Cado Security: “I think threats generally don’t change as fast as some people like to claim”

It’s entirely possible you don’t recognise the name Chris Doman, CTO and Co-Founder of Cado Security, but there’s every chance you’ve seen him on TV talking cybersecurity. You may even have read his reports on the North Korean government’s cryptocurrency theft schemes or China’s attacks against dissident websites.

But he’s perhaps best known – within the cybersecurity world, at least – for building the popular threat intelligence portal ThreatCrowd, which subsequently merged into the AlienVault Open Threat Exchange. This was later acquired by AT&T.

Now, as the CTO of a company that responds to cybersecurity incidents in the cloud, Chris is in an excellent position to tell us about the latest trends and threats, and he even has hard data to fall back upon, thanks to a recent survey conducted by Cado Security.

“Nearly 90% of surveyed IT security decision-makers admitted that their organisation had suffered damage before containing and investigating incidents,” he told us. “Worryingly, 43% of organisations have experienced significant damage from a cloud incident alert that didn’t get investigated and 23% of cloud alerts are never investigated.”

Read on to discover the event that brought Chris into this industry, his advice for anyone considering a career in cybersecurity and, most of all, the threats currently facing any business that keeps its data in the cloud. Which, let’s face it, is almost all of us.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

Hi, I’m Chris, CTO and Co-Founder of Cado Security. I took a longer route to cybersecurity, working in a couple of different fields before winning a digital forensics competition that the US DoD was running. After that, I worked responding to incidents when clients were breached. Now, I’ve co-founded a company based around building software to help people respond to incidents in the cloud themselves.

Ransomware as a service is now pretty standard. There are plenty of attackers that no longer develop their own ransomware, and that either lowers the barrier to entry or allows them to focus on the delivery and monetisation of the ransomware. This is related to the trend of ransomware operators with the funds to purchase novel vulnerabilities for exploitation.

The demands themselves continue to be extremely high for large organisations in critical infrastructure, and the trend of double extortion is still very much alive. The trend of ransomware operators targeting the supply chain is also a major concern, as it allows them to target multiple organisations through a single point of entry.

What are the biggest cybersecurity challenges those in leadership roles are facing?

There are some pretty common themes we hear from cybersecurity leaders we work with. Often they’re coming to us off the back of a breach, so being able to prepare for the next incidents is front of mind.

In fact, findings from our recent research examining why “Organisations Require a New Approach to Handle Investigation and Response in the Cloud” revealed widespread shortcomings that leave organisations vulnerable to delays in resolving incidents. Nearly 90% of surveyed IT security decision-makers admitted that their organisation had suffered damage before containing and investigating incidents. The primary contributing factor is a lack of visibility and control over cloud environments.

Worryingly, 43% of organisations have experienced significant damage from a cloud incident alert that didn’t get investigated and 23% of cloud alerts are never investigated.

More generally, getting the right budget and deploying it correctly is a common challenge. This is often tied to the difficulty in demonstrating the ROI of cybersecurity investments. This is a challenge because it’s hard to measure the value of something that didn’t happen. Positively, 77% of the IT Decision Makers surveyed in our report expect the annual overall budget for cloud forensics and incident response specifically to increase in 2024 and 83% of organisations have a budget for cloud forensics.

The nature of the industry means it’s also changing often. I think threats generally don’t change as fast as some people like to claim – most of the attacks in 2024 look pretty similar to the attacks from 2020. However, in the cloud and container space, things do move fast. The regulatory landscape is also changing, with new laws from the SEC, EU and others coming into force. The legal frameworks are complex, and working out how to comply with them is a challenge.

What role do you think governments play when it comes to cybersecurity?

Different governments have chosen to take different roles over time. Here in the UK, the government has taken a more active role in recent years, opening up a point of contact to a more approachable agency than the Intelligence agencies prior. There is also a large focus on the private sector, with the government working with businesses to ensure that they are secure.

It also depends heavily upon the threat and the target – the role the government should play is very different between, e.g., a nation-state espionage actor targeting a critical defence contractor, versus a criminal group stealing individuals’ banking credentials.

What’s something that has drastically changed about cybersecurity since you first got started in the field?

Most of the data has moved to the cloud and containers, and attackers have followed.

Ten years ago, it was common to respond to an incident in a data centre that a large organisation owned. In the more extreme cases, you’d see an attacker hop between an employee’s laptop and the data centre. But now, the data is in the cloud, and the attacker can hop between the employee’s laptop and the cloud.

It’s very different to respond to an incident in the cloud. The cloud provider has a lot of control over the environment, and you have to work with them to get the data you need. You can’t just walk into the data centre and pull the plug on the server or pull a disk image and investigate. It’s also different when preventing or preparing for a breach – cloud environments are more homogeneous, and you can use automation to enforce security policies. But you also have to worry about the security of the cloud provider, and you have to trust them to do their job. You also have less flexibility in terms of how you can customise a cloud environment.

What advice do you have for aspiring professionals wanting to work in cybersecurity?

Real-world experience is key, but it can also be a chicken-and-egg problem of having the certifications to get that first experience. Many of the most experienced cybersecurity professionals I work with moved from an adjacent field such as software engineering or sales.

Tim Danton

Tim has worked in IT publishing since the days when all PCs were beige, and is editor-in-chief of the UK's PC Pro magazine. He has been writing about hardware for TechFinitive since 2023.