Tomas Siaulys on Mitigating Risk Through Cyber Hygiene Routines

Tomas Šiaulys

At Nasdaq, we are continually innovating the industry to keep our markets, employees and partners protected. We interviewed Nasdaq leaders to learn more about how they ensure the privacy of data and the security of our products and services while informing us of ways to identify, protect, detect, respond and recover from a cyberattack.

Tomas Šiaulys, a Lead Information Security Engineer at Nasdaq, discusses the top vulnerabilities that put digital users at risk.

Talk to us about your role at Nasdaq as a Lead Information Security Engineer in Vilnius. What does it entail, and how did you become involved in the industry?

As an Information Security engineer, I work with my colleagues at Nasdaq in Information Security and other tech departments to evaluate, implement and maintain security controls and tooling. That might range from deploying an actual security tool to advising different teams on secure processes and ways to deploy or develop various systems.

I believe my first interaction with computers was at a gaming venue on a Soviet ZX Spectrum clone with a game loaded from an audio cassette. The moment I was able to press a button and that was reflected on screen, I was hooked for life. What started as purely gaming naturally progressed from there - fiddling with personal projects, Computer Science studies, working as an IT Service Desk representative, Systems Administrator and Network Engineer. Somewhere along the way, I got interested in the security aspect of IT and have been working on it ever since.

What are current cybersecurity trends in the space to watch out for?

Not necessarily new, but definitely current trends are implications of remote work and continuation of ransomware attacks. Lately, there have been a few high-profile supply chain attacks, so we currently see significant attention to that too. From a tooling/technology perspective, more and more systems are moving to cloud and dynamic workloads. Security tooling is evolving to accommodate that - DevOps pipelines become DevSecOps pipelines, tools get integrated into container-based systems and other new types of workloads.

As a key role of your job is vulnerability scanning, what is a digital action that puts users at immediate risk?

Specifically related to vulnerabilities, not updating software or using end-of-life (EOL) products. As mundane as it sounds, many of the high-profile breaches happen because of either a user error (e.g., phishing) or having an out-of-date product somewhere. Regularly updating computer and mobile device operating systems along with any software used should be a part of a cyber hygiene routine.

Talk to us about how Nasdaq promotes advancements in the cybersecurity space. Is there a specific launch or campaign you are most proud of?

I am happy to be working with brilliant colleagues, both inside and outside of Information Security. I can see a lot of us being involved in training sessions, external events, conferences and day-to-day interactions with vendors and clients - all being great venues to share best practices and advancements. This is a two-way street and helps information flow both to and from Nasdaq. I cannot single out a specific project or launch, but in general, I am proud of how security is getting integrated into more and more places.

How can daily tech users practice safe use of technology and defend themselves from hackers?

What definitely helps is proactively thinking and learning about security. Regularly update the software you are using. Use strong passwords and avoid reusing them (e.g., use password managers). Enable multi-factor authentication (MFA) where possible, for example, using authenticator apps, physical tokens and SMS. Make backups (offline, if possible) - in case something does go wrong. While these actions do not eliminate the risk completely, they do reduce it significantly and are low-hanging fruit.

What is your advice for young professionals looking to get into the industry?

Easier said than done, but stay curious and constantly learn. The industry is changing very fast and is definitely demanding. However, if that is your cup of tea, you will definitely be a good fit, and it can be very rewarding. There are a lot of free or inexpensive online courses available. If you are into the technical aspect of Information Security, doing Capture The Flag (CTF) challenges is a fun way to gain knowledge. Getting involved in security-related open source projects is another great way to gain experience and visibility as it involves working in teams and with people from different backgrounds. Podcasts, Information Security news sites and social media are great sources of news and insights in the field. If you have the opportunity to get certified, that is also helpful.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
