In this episode of the DevReady Podcast, host Anthony Sapountzis sits down with Shantanu Bhattacharya, Founder and CEO of Siometrix, to explore the evolving landscape of cybersecurity. Shantanu shares his extensive expertise, covering his pioneering work on the TCP/IP stack and public key infrastructure technologies that shaped secure communications. Now based in Canberra, Shantanu provides cutting-edge cybersecurity consultancy to federal agencies and organisations, focusing on data-centric security and fortifying operating systems to combat today’s complex cyber threats.

Shantanu delves into the unique challenges posed by zero-day attacks, which exploit unknown vulnerabilities. Instead of playing the traditional "cat-and-mouse game" of reactive security measures, he advocates for proactive, data-centric solutions that include device and software authentication. This multi-layered approach, combined with low-level system monitoring through kernel-level software, ensures comprehensive protection. Shantanu also shares insights into obtaining code signing certification for such high-security software.

The conversation expands to the specific needs of small-to-medium businesses (SMBs) and government agencies. Shantanu highlights the challenges SMBs face, such as limited budgets and an overwhelming array of tools. He explains how Siometrix identifies vulnerabilities in IT systems, including risks from hybrid work setups and unregulated smart devices. Emphasising that effective cybersecurity is a blend of technology, secure processes, and human compliance, Shantanu provides practical advice on mitigating risks like weak passwords and unsecured networks.

Shantanu and Anthony discuss the security risks associated with IoT devices, particularly unregulated, low-cost products. They highlight how such devices can act as gateways for attackers to infiltrate broader networks. Segmenting IoT devices onto separate networks and maintaining vigilance over unexpected vulnerabilities, like home CCTVs, are key strategies for reducing risks. This discussion underscores the growing need for awareness and proactive measures in the face of expanding IoT usage.

The conversation also explores cloud-based security risks. Shantanu warns against blindly relying on cloud solutions without understanding the associated vulnerabilities, such as exposing sensitive data through poorly managed access. Comparing cloud environments to a house with multiple windows, Anthony stresses the importance of dedicated IT professionals to oversee network security. Together, they emphasise the need for businesses to map out where critical data is stored to protect it effectively.

Finally, Shantanu highlights the importance of appointing a Chief Information Security Officer (CISO) or delegating cybersecurity responsibilities to ensure robust processes are in place. He discusses the increasing accountability of company boards in managing cybersecurity risks and the dangers of oversharing personal information online. To address gaps in organisational security, he offers virtual CISO services, helping businesses implement measures like password management, network segmentation, and multi-factor authentication to fortify their defences against evolving threats.