EXECUTIVE BIO

Puneet earned an undergraduate degree in Computer Science from HBTI, Kanpur and a master's degree in Computer Science from Rensselaer (RPI), NY.

“That's a huge number, which has been exacerbated by the COVID-19 situation and the lockdowns,” he adds. “So, the core mission is to get our care services available to as many people in the world as quickly as possible, so that we can build a happier, healthier world.”

By making services available to more people, organisations such as Headspace Health are helping dispel stigmas associated with mental health. Figures by the National Attitudes to Mental Illness Survey show that people’s willingness to have contact with someone with a mental health problem has improved by 11% since 2009, while attitudes towards people with mental health problems improved by 9.6% in the same period.

“The fact that we've been able to contribute a little bit towards removing the stigma or taboo associated with mental healthcare, by bringing this very accessible platform and the service that we have, is a proud moment for me,” explains Thapliyal. “We've been able to actually move the needle in the last several years, and a whole team has been part of that, the founding team of the company, the executive leadership team and everybody else in the company who has joined the company with this mission in mind.”

The importance of cybersecurity and data privacy

While cybersecurity is important for every company in the world today, it is even more important in the healthcare industry. Technology has transformed modern healthcare but bad actors mean that there are unique risks when it comes to virtual mental health services.

“Healthcare is one of those industries where cybersecurity and data security are extremely important,” comments Thapliyal.

in the healthcare industry. For example, the healthcare industry is being targeted by ransomware more than any other industry.

“On top of that, we are a single-purpose mental healthcare service provider, and in many of the regulations, including the Health Insurance Portability and Accountability Act (HIPAA) in the US, mental healthcare data is called out separately, from a security and privacy standpoint.

“We are highly aware of that, and we feel like that's a huge responsibility,” he explains.

“The company has always had an extremely strategic focus on cybersecurity from the very beginning. We have built a very mature programme, and now we are morphing it from just purely cybersecurity to a very privacy-focused programme as well.”

As Thapliyal explains, part of Headspace Health’s success from a cybersecurity standpoint is the creation of a culture where everyone is aware of the importance of security and privacy.

“Unlike many other companies and industries, mental healthcare is one of those domains where privacy is super important for everybody, including our patients, user members, and our clinicians and coaches. Everybody in the company is highly aware and sensitive about preserving privacy,” he describes.

“The whole cybersecurity industry is still learning how to build that culture of security, which permeates through the whole organisation and is not just limited to the InfoSec teams or the IT teams or engineering teams. It's a challenge, and it requires a thoughtful approach. When we onboard a brand new employee, for example, we focus on cybersecurity from day one. That's where the journey starts for a new employee, and then it has to continue throughout their time at the company.”

But, as Thapliyal explains, relying on training alone isn’t enough. Highly compliance-driven training can quickly become repetitive, so keeping everyone engaged is critical.

“We have a strategic plan in the InfoSec team to drive engagement within the company to spread awareness of cybersecurity,” he adds. “These are from the small little things, from having a shared Slack channel, which we fondly call the ‘tinfoil hats channel’, where everyone is able to voice cybersecurity or privacy concerns, to more mature programmes such as our Security Insiders Programme, which involves deeper engagement, where every department volunteers a couple of team members to engage with the InfoSec team.”

All of this is about instilling a culture of cybersecurity awareness at all levels of the organisation, Thapliyal comments.

“We have now built out a programme where we depend on some of these security insiders to fulfil InfoSec requirements and instil this culture of cybersecurity awareness in their respective teams,” he says. “Those are initiatives where we need to be focused, we need to put the right resources, we need to fund it, and that's how we've been able to achieve this sense of heightened awareness around cybersecurity in the company.”

According to research by Headspace Health, 32% of users benefit from a decrease in stress after 30 days of using the service. Meanwhile 22% of users show an increase in focus after one session, while 19% benefit from a decrease in anxiety symptoms after eight weeks.

Extra focus on third-party risk

Healthcare providers, along with businesses around the world, are increasingly relying on third-party vendors to carry out their day-to-day operations. But while working with vendors has a range of benefits, the practice can also introduce information security and vendor compliance risks.

Research by the Ponemon Institute has found that 54% of third-party respondents had at least one data breach involving protected health information (PHI) over the last two years, while 41% of third-party respondents had six or more data breaches during the same two-year time frame.

“Our third-party ecosystem is extremely important,” comments Thapliyal. “We are in a new world. We call our company a SaaS-first company, meaning given a problem business challenge, we first go and look for a SaaS service provider that can help solve that.

“This is very different from how traditional healthcare companies operate, where they run their own data centres and maintain their own networks,” he explains. “Since we are operating in SaaS-first principles, that – by the very nature of it – means we are dealing with a lot of third parties. As a result, dealing with all these vendors and third parties requires us to put extra focus on third-party risk management (TPRM).

“We have a team which is helping in our third-party assessments on a continuous basis, not just at the beginning of the contract,” he adds. “We have deployed tools to help with that, making sure our TPRM team is well-equipped to perform the access reviews at scale. And then we also categorise our vendors to the sensitivity of what data we might be transacting with them. So we have an extra special focus on any vendor that might transact with our PHI or personal identifying information (PII).”

TPRM is an important part of Headspace’s operations, and the business is continuing to improve its TPRM processes through technology investments.

“One such vendor we recently onboarded is called Privado,” says Thapliyal. “They are really helping us with maturing our secure software development lifecycle (SSDLC) and making sure we are not, for example, unnecessarily tracking users on our websites or on our mobile apps, and that we're not sending any PII or PHI to unapproved third parties.

“There has recently been a lot of focus in the media on apps that are doing nefarious things. We don't want to be in that business at all – that's not where we are. But we need to still build the tools to prevent any accidental sharing or tracking. So that's where Privado comes in as a big partner, for us, structurally built into our SSDLC, and we're very excited about how our partnership will shape up in the future.”

Looking at the big picture in challenging economic times

Since tech startup Ginger and Headspace merged in 2021, there has been what Headspace Health CEO Russell Glass described as a ‘staggering’ increase in demand. Ginger reported demand for its services increased threefold during the pandemic. But what does the future look like for Headspace Health?

“To answer that, we have to take a step back and look at the big picture, what's happening in the industry today,” comments Thapliyal. “There are a lot of macroeconomic factors in play, within the US and other parts of the world. There is constant chatter around a slowdown in the economy and a recession, and then most recently in the US, we have seen companies take corrective actions to right-size their companies. A lot of layoffs have been announced by the likes of Facebook and Twitter and all the large companies.

“The general sense is that tough times are coming and we need to hunker down and prepare for that, and whoever does a better job in preparing for that will come out as a successful company on the other side.”

In a challenging economic environment, what is clear, however, is that the most important thing is to focus on the health and wellbeing of Headspace’s users.

“Given that broader context, our board and our executive team have given the directions to be very mindful,” Thapliyal explains. “We are trying to take this as an opportunity to refocus on doing less and doing better. So that's how we are changing our strategy as we go into 2023.

“What that means to the company as a whole is that we will continue to get better and offer more features and more services in the coming years,” he concludes. “The focus will be on what we call members first, meaning anything that we do should ultimately benefit our patients.”

WRITTEN BY: JOSEPHINE WALBANK

Amid the current surge of technological innovation, businesses need to strike a careful balancing act.

It’s a case of adopting pioneering new technologies to keep pace with the rest of the industry, while still implementing the required security strategies to match. But how can businesses prepare themselves for threats that they are completely unfamiliar with?

Are mobile companies sufficiently prioritising cybersecurity?

According to the Equinix 2022 Global Tech Trends Survey – which interviewed 2,900 global IT decision-makers – 47% of global tech companies said they plan to use the cloud to facilitate their global expansion plans. Within the swathe of findings, the survey clearly demonstrates that 5G, XaaS models, and cloud storage remain at the forefront of expansion strategies.

72% of respondents said that their organisation is planning to expand in the next year, with 38% saying that their companies plan to expand into a new region entirely. Almost half (47%) of global respondents said they plan to facilitate global expansion plans by deploying the cloud.

To achieve this planned expansion, digital transformation plays a pivotal role. Within this survey, 59% stated their intent to increase their investment in interconnection services, and 71% of respondents plan to move more business functions to the cloud. And, of those respondents, 50% plan to move more of their business-critical applications to the cloud.

Among the answers provided by respondents, significant concerns were raised about cybersecurity. In fact, 85% named improving cybersecurity as a key component of their digital-first strategies, while 83% expressed a need to future-proof their business. The most feared cybersecurity threats named were cyberattacks, security breaches and data leaks (all of which were expressed by 70% of respondents).

If we take a look at this on an industry-by-industry basis, it would seem that progress towards the required level of cybersecurity is slower than expected. For instance, a report from Capgemini revealed that 51% of industrial organisations predict that there will be an increase in smart factory cyberattacks within the next year. Despite this, almost half (47%) of organisations have yet to classify cybersecurity in smart factories as a C-level concern. In light of the fact that manufacturing overtook financial services as the most attacked sector last year, this slow response is both surprising and concerning.

The discrepancy between technology’s adoption, and the industry’s current data-security skills

New technology – enabled by 5G – is being adopted at a rapid pace. “About 55% of the CEOs that we talk with say that, by 2026, well over 50% of their business will be new products that they don’t actually have today,” commented Inderpal Bhandari, the Global Chief Data Officer of IBM.

“Pre-pandemic, when we talked with CEOs, there was just a small percentage that thought of digital transformation as important. Then the pandemic hit and, over the course of about a year, we saw (in our customers at IBM) that the awareness at the CEO-level went through the roof. And we’ve probably had as much digitisation in the last year, year and a half, as we’ve had in the previous 10.”

While this will open up a wealth of opportunities for the sector – and enable businesses to expand across the globe more seamlessly than ever before – there are a number of obstacles in the way. And, if these are not overcome first, there is the risk that businesses will be vulnerable to serious cybersecurity risks.

The Capgemini report identified that internal disconnect and poor collaboration are key blockades to stronger cybersecurity measures. In fact, 53% of respondents mentioned a disconnect between the C-suite and smart factory leaders, saying that the lack of collaboration between smart-factory leaders and CSOs is hindering the organisations’ ability to detect cyberattacks early.

Another is the cybersecurity skills gap – a growing concern that is being felt across a number of areas in the industry. There is a limited amount of upskilling within cybersecurity teams, who will need to quickly develop their knowledge to manage these new types of threats.

Mitigating the unknown – how can companies successfully prepare themselves for the next wave of data security risks?

Firstly, if a business is implementing a 5G mobile network, then the architecture and infrastructure will need to be designed with cybersecurity in mind. It’s a case of adopting a security mindset, right from the outset.

“Securing a 5G network starts with securing the servers. Security needs to be built-in, not bolted on after the fact. This includes at the hardware and firmware level by leveraging an immutable Root-of-Trust that can be used to verify subsequent operations within the server. Building-in security in this way goes a long way to helping keep the broader 5G network secure when one location is breached,” advises Sonya Mathieu, the UK

Resilience at Dell Technologies.

“Like all other industries, Telecom providers are under a constant barrage of cyberattacks. This means it’s a question of when, not if, a breach occurs.

“Isolating and securing an organisation’s data to protect against these threats is essential to any network strategy. To do this, providers should take advantage of the security provided by an air-gapped data vault that duplicates data behind a secured interface. Data with an air-gapped data vault is literally and wholly isolated accessible when needed. This solution allows operators to protect themselves when the worst happens and restore operations quickly.”

The knowledge that these attacks could very well (and do) happen is a widespread theme.

James Blake, the CISO at Rubrik, stresses how important it is that businesses also give recovery strategies equal attention. “Ransomware has driven collaboration between IT and security, in more of a resiliency-focused mindset.

“We need to focus not just on recovery, because recovery is rebuilding from rubble. Resilience is the ability to withstand that attack at a degraded level yet still be able to continue serving business.”

According to Blake, there is an intrinsic flaw with the way that businesses currently perceive, and mitigate, the risk of cyberattacks.

“This is the security model we're all used to – walls and moats. And we build the walls higher and we build the moat wider, but the adversary has the first-mover advantage.”

“We can only learn what they're doing after they've done it. Right? So, if they think of a new way of doing things, there's always a lag. There's always a period where our defensive and protective controls won't work properly. And, as soon as we build those walls higher and the moats wider, they build better boats or Trojan horses.”

To overcome this cyberattack cycle, Blake recommends that businesses divert their budgets appropriately and intuitively, so that they are prepared for the worst-case scenario and equip their business with the foundations to recover from it.

“We spend on average 85–95% of our budgets on likelihood reduction, but we spend about 5–10% of our budgets on impact reduction.”

“So, the way I look at it is, it’s like a cardboard tank: we're spending all this money on likelihood reduction, and all we're doing is making the tank slightly faster, slightly harder to hit. But when you hit it, it’s completely destroyed and causes unbelievable amounts of damage.

“We need to focus on impact, because we are losing the prevention-and-detection battle. But that doesn't mean we need to lose the overall battle,” Blake finishes.
