Michael Farnum, Set Solutions: “security tools add to your attack surface just like any other technology”


Threats abound in today's digital world, ranging from phishing to targeted attacks, all of which are perpetrated by highly advanced bad actors.

To help secure sensitive data and the workforce from cyber threats, every company requires a selection of IT security solutions and services, along with specialists who can implement them. A cybersecurity system is not only about providing employees with security tools like VPN connections; it should also include a layered approach to securing the full attack surface.

Today, we are talking all things organizational cybersecurity with Michael Farnum, the CTO of Set Solutions, an advanced cybersecurity consulting and procurement solutions company.

Let’s go back to the very beginning. How did it all start for Set Solutions?

Set Solutions started in Houston, Texas, in the early 1990s offering general IT and security solutions to companies in the Texas region. A lot of our customers back then were oil, gas, and energy companies, and we built a name for ourselves with those organizations quickly. We became solely focused on cybersecurity in the mid-2000s, with a focus on large enterprises, and we also started working on becoming more diversified in our customer base. We now work with all different industries (O&G, energy, healthcare, manufacturing, financial, high tech, and more).

Can you introduce us to what you do? What are your main fields of focus?

Set Solutions is a cybersecurity reseller and integrator. We offer personalized services and sell products to our customers to help them build and mature their cybersecurity programs.

Our pre-sales architects and account executives work with our customers to build out a plan for whatever cybersecurity issues our customers are experiencing. At the macro level, we work through our reference architecture and maturity model with the customer to help them identify gaps in people, processes, and technology. We then help them remediate those gaps through the placement of technology or offering remediation services.

Our professional services team can deliver services such as deeper gap assessments against compliance frameworks or regulations, offensive security, cloud security, identity and access management services, general technology implementation, and others to help drive even more maturity for our customers.

We also offer personalized staffing services. We are changing the landscape of staffing and recruiting by delivering the most precise, qualified candidates available in an optimized search time.

How does ensuring cybersecurity differ for government entities versus businesses?

Set Solutions deals mostly with state and local governmental entities. We find that they work within tighter constraints in budget and timing than most businesses. Government regulations and processes require our customers in that space to plan around how they will acquire technology and services over long periods, which leaves them less flexible. They generally cannot react to threats as quickly as businesses, which means they must be able to anticipate threats so they can plan accordingly. If a threat arises that they didn’t anticipate – they can be exposed.

Do you think the recent global events will have an influence on the nature of cyberattacks? Have you noticed any new types of threats?

Absolutely. While there’s no doubt that state-sponsored attacks happened before the current situation in Ukraine, we expect that continued sanctions will drive retaliatory cyber-attacks. We also believe we’ll see even less of a desire by certain governments to curb attacks by ransomware gangs, with those groups being even more aggressive in double and triple ransom demands.

What security measures do you think are a must not only for companies but for average individuals nowadays?

The obvious answer is multi-factor authentication, but that needs to be strengthened with password management or vaulting solutions to make authentication and authorization less of a headache. Some of the drive in the identity and access management space toward a passwordless authentication mechanism feels promising and might allow organizations to move closer to a zero-trust model.

Individuals can also adopt MFA and password managers easily these days. Technology has massively improved in the last 2-3 years, and I recommend it to all my friends and family. It doesn’t have to be scary or difficult anymore.

With more companies adopting work-from-home policies, what issues can arise if the organizational security system is faulty or not in place at all?

Nothing that has always been the problem with working from home has changed. That is an unsecured home network. If you double that with a low security maturity and posture in the company, the likelihood of breach through ransomware or general malware increases a lot. Family members are notorious for going to websites at home that (hopefully) most employees would not go to while at work. Bad actors know this and will take advantage of it. Even if they are not targeting an employee specifically, the chances of a drive-by infection of some kind are very high, and that will leak over to a corporate environment if the remote user’s access is not secured properly.

Despite all the new technology and solutions available nowadays, why do you think certain industries struggle with keeping their cybersecurity up to date?

Firstly, some companies in industries such as energy didn’t have their more critical infrastructures exposed to the Internet until fairly recently (approximately the last 10 years or less). This caused a lag in innovation in security from their primary device manufacturers and their networks.

Secondly, some companies operate on tight profit margins and that causes them to prioritize differently. Business decisions have been made over the last 20-30 years that have created massive technical debt, which has led to lower maturity in security. They’re now playing catchup, but they can’t do it in a short time frame.

Thirdly, while I’m not generally a fan of governmental intervention, some companies just don’t see the need to focus on security without the threat of regulation. This is apparent in some critical infrastructure companies that are now being forced by regulation and executive action to secure their environments.

How do you think cybercrime is going to evolve as organizations start to take cybersecurity more seriously?

Both innovation and adoption by attackers are generally quicker than defenders can build a response or create a new defensive measure. However, I feel like that gap is closing. I also see more focus in the industry on the development of products that address fundamental security issues (identity, asset management, and so on) that have been either largely missing or have had poor feature sets. Both of these are enabled by digital transformation (via cloud technology, DevOps, etc.).

That means attackers will need to go after the weaknesses of those fundamental building blocks of security. You’re seeing this today in supply chain attacks on SolarWinds, Kaseya, and others. Open Source is used in a lot of these tools, and attackers know this. A mantra that needs to be repeated more is that security tools add to your attack surface just like any other technology. Security vendors need to make sure they apply the same security standards that they preach to their customers.

And finally, what’s next for Set Solutions?

First and foremost, Set Solutions will continue to help our customers grow their security maturity by bringing in our highly experienced and talented people. As CTO at Set Solutions, one of my duties is to lead and develop our pre-sales solutions architecture (SA) team. I will continue to hire former security practitioners into our SA ranks to make sure we can empathize with our customers, as well as talk to our customers on both the business and technical levels.

We will continue to research the many cybersecurity vendors in the marketplace and help our customers determine the viability of their solutions and which ones fit best in their business.

The focus will also be on building out our digital content to make sure we’re educating our readers, listeners, and viewers on cybersecurity. While we do invite many of our vendor partners to join us in our digital marketing efforts, we always focus on putting out knowledge first, and I’m proud of our efforts there.

And as always, we’ll continue adding and improving our offerings in our professional services team. Jonathan Townsend, our VP of Engineering, has done a great job of building out our practice areas to create a wide array of services for our customers.