Why machine learning is ‘a double-edged sword’ for cybersecurity


12 Nov 2021

Sam Rehman. Image: Epam Systems

Epam Systems CISO Sam Rehman discusses how machine learning can change the cybersecurity landscape for the better, but how it also comes with challenges.

Sam Rehman is chief information security officer and head of cybersecurity at Epam Systems, an enterprise software company based in the US.

The company was founded in 1993 and has gradually built out its consultancy and software services with several acquisitions over the past number of years, most recently Emakina Group, a digital agency headquartered in Belgium.

Rehman has more than 30 years of experience in software product engineering and security. Prior to his current role, he held a number of leadership positions including head of digital engineering at Cognizant, CTO of Arxan and several engineering executive roles at Oracle’s Server Technology Group.

As the CISO and head of cybersecurity services at Epam, Rehman is responsible for both Epam’s security and its clients’ security. Currently, his team is expanding the company’s zero-trust initiatives.

What are your thoughts on digital transformation?

Right now, everyone is talking about digital transformation along with the new normal of hybrid work, which has subsequently brought cybersecurity threats to a new level.

We help a lot of our clients with their digital transformation and, while innovation is critical, it’s important to understand how to transform securely. Security must get embedded in the design – that is central to prevention.

From the onset, integrate security into software development, along with cloud infrastructure and business systems holistically. It’s also ideal to begin digital transformation with a data strategy. People must get out of the mindset that data is merely a byproduct of a business process; data is inseparable from decision making.

What big tech trends do you believe are changing the world and your industry specifically?

New network, data and cloud models. The cloud will cause tremendous disruptive transformation, totally changing the way we look at security. I know we have been saying this for a long time, but the networking model is rapidly changing and this is mostly driven by the cloud.

A cloud-specific data security strategy is essential now that most data lives in the cloud. Businesses will need to account for everything from fluctuations in physical control and access to more fluid network boundaries. Data classification, encryption strategies and a robust disaster recovery plan will all be vital to cloud security moving forward.

[Another trend is] machine learning on user behaviour, especially isolating good versus nefarious actions in a large system.

Machine learning will also help cybersecurity systems analyse patterns, learn from past attacks, and make teams more proactive. Like artificial intelligence in automation, machine learning in cybersecurity can reduce wasted time for employees who typically use it on routine and mundane tasks, allowing them to use their skills elsewhere.

However, machine learning is a double-edged sword, as it can assist bad actors as much as enterprises. Already, we’ve seen online retail targeted due to the rise in online shopping.

In terms of security, what are your thoughts on how we can better protect data?

To begin, start with knowing what is critical to you. Inventory and classify your data, understand what is important to you and then put the right and practical controls in place – with practicality and efficiency being the key.

Make sure to put in a strong data loss prevention programme, including strong offline backup and integrity controls, and don’t forget your endpoint protection and shadow IT assets. Likewise, when it comes to physical access control, businesses must ensure rigorous measures to prevent unauthorised access to data processing systems.

At Epam, only authorised persons, based on their job duties, can access our data centre and only when using multifactor authentication such as proxy card and PIN code. Management evaluates these access rights monthly and if an employee is dismissed or changes positions, their access gets revoked immediately. Additionally, user access to information is shared selectively to maintain a ‘minimum necessary’ and ‘need-to-know’ basis.

Training is invaluable. It’s not obvious to non-security folks what is risk and what is not sometimes. It’s necessary to train employees to play defence and educate them on the current state of the market. Your employees need to be educated and supported. Epam, for example, has an active IT security awareness training programme that employees must complete on an annual basis.

Nevertheless, it is the responsibility of management to routinely follow up with employees to make sure they have done the training and to answer any questions they might have.
