Andrew Nichols - Head of Solutions Architecture at Samsung | Protecting Mission-Critical Business Data

Welcome to success story the most useful podcasts in the world. I'm your host, Scott D. Clary. The success story podcast is part of the blue wire podcast network as well as the HubSpot podcast network, which has other great podcasts like social light hosted by Steph Taylor. Social light discusses all things online marketing Steph Taylor answers all your business marketing questions. She deep dies into the nitty gritty of online marketing content marketing social media marketing marketing strategy for business owners. If any of these topics resonate with you, you're going to love the show. You'll learn things like how to scale your brand on various different social media platforms, some of the biggest mistakes you can make with your launch of a new product or service. The importance of nurturing and engaging your audience consistently. The importance of having your audience fully understand the problem you're trying to solve and why it's important to solve right now as well as why growing audiences across all social platforms feels so hard in 2022. You can go listen to social light wherever you get your podcasts or at the HubSpot podcast network at HubSpot.com slash podcast network. My guest is Andrew Nichols now Andrew heads up all enterprise B2B sales engineering at Samsung. He's worked in sales engineering from mobile security at Boeing followed by an eight year plus stint at Samsung mobile security and the security industry has always been his forte. Now he has seen everything. He's seen the evolution of threats and security incidents over the past decade and he's dedicated his life to helping businesses better prepare for mobile security and security incidents. So we spoke about the evolution of the security industry. We spoke about how threats have evolved for businesses and what business owners have to be cognizant and aware of. We spoke about security solutions that now have to be implemented because of a work from home environment which sees employees using their own devices, working on unsecured networks, all absolute nightmares for companies that could be threats. So why and we went into why people are so unprepared. Some of the horror stories that he's seen working in the industry as well as some of the successful use cases of proper security implementation. So that you aren't compromised your employees aren't compromised and you don't unfortunately find yourself in an incredibly embarrassing costly and potentially legally damaging situation. So Andrew Nichols is the expert on all things security and mobile security. We're going to speak about how he's operated and work with some of the largest organizations in the world on how to improve and better protect themselves with his work at Samsung. You are going to get a master class in mobile security. This is Andrew Nichols. Sure. Yeah. So my name is Andrew Nichols. I have been born and raised in Washington state and I originally started out as a theater major. So when I was first going to college, I was doing directing, set design, acting, pretty much everything involved in theater. And when I was looking for a job, I got accepted into the University of Washington's IT department, even though I didn't know much about computers. And that was really kind of the genesis of my career, getting into computers, getting into technology. And I've always been a very curious person wanting to understand everything about technology and to be able to explain those concepts, you know, very complex concepts to people. So from that point, I got interested in information security. I worked at Boeing as a mobile security architect helping build out their mobile application and mobile device security strategy, helping them get iOS and Android devices into their environment. And after that short stint at Boeing, I've been working at Samsung for the last eight years as a pre-sales engineer. So my job is to go into big named accounts, Fortune 500 companies, most brands and labels that you've ever heard of I've worked with. And my job is to help them deploy Samsung mobile devices in a way that they trust. So when it comes to answering security type questions, not only do I have to know the entire platform, what are the current risks, what are the current threats. But I also help advise between our engineering teams and our customers on what new products, what new features can we develop and how to communicate those products and features to both sides. So I came from a completely different background in arts background and I've gone into the science and engineering sort of field, but I think it provides me with a little bit of multiple aspects to my whole career. Interesting career coming from liberal arts background, a little bit of left brain, right brain that allowed you to be successful. So when somebody looks at your career and where you're at right now, they would immediately think if they're coming from a liberal arts background, I definitely would at least I don't understand the pathway to get there. I don't have any formal education, formal training. It seems like they have very high level technical conversations about security in particular. That's not something that you can really screw around with. It does take something that I obviously haven't prep myself for. So how did you put you put yourself in that environment to some extent, but what was like the first job or first position that you held that allowed you to start learning and what was that learning curve like so that you could operate with some of the largest fortune 500 fortune 100 probably and advise them and consult them on security matters technical security matters. That's kind of that left brain right brain dichotomy really comes into play is just getting a nerd into a room isn't always enough to try to persuade or convince people. I think that's where sort of that arts degree that performing arts helps me be able to tell a story. Humans react really well to stories and when it comes to security, it's very hard to see the tangible benefits of why having something be secure is really beneficial. You just want to have the device be secure. You don't want to know all the buttons and switches. What is real time, kernel protection, what is defeat exploit. What are all these sorts of terms that an engineer would throw around. I think that some of the skill sets that I have helps customers understand the story that I'm trying to weave for them and how it integrates into their business. Why do these features benefit them? The first job that I really had that blended all this stuff together ironically was when I was 16 and I was working at GameStop and I had to be able to tell stories of why a customer should purchase a particular video game. I'm looking for this for my son, I'm looking for this game for my sister, what should I pick and I'd have to have an extensive knowledge on our entire catalog and be able to tell them this studio is good, this game is really well known, this game is popular. I think that's where those two skills came together is both the sales aspect which is what I do here at Samsung but is also telling that story and really selling the engineering. So this game's graphics are really great or the story in this game is amazing. I think that's really where I originally got my start and I had just always envisioned that I was going to go into theater. But after I had got a job in the tech industry, I really just started taking off from there. A lot of people get into the tech industry because they have a comp side background, they have an engineering background. They're really interested in making the next app or building something with microcontrollers or doing an electronics. And I really treasure co-workers, peers in those spaces. But I really, anytime that I can find someone that comes from an arts background that gets into the tech industry that works in an engineering type field, there's something that I gravitate towards that person who knows Shakespeare, art history, etc. It's just being, I always wanted to pride myself on being a renaissance man. So that's kind of having different skills that's I think is really impactful when it comes to being able to present a complex topic like security because it goes beyond just bullet points. Security is becoming an ever increasing aspect of our modern day lives as we worry about people's social media accounts getting hacked, people's contacts and privacy being compromised by apps that they have on the device. You know, this is just an ever increasing sort of thing as our lives become increasingly digital. And I think that people are not as prepared as they should because technology moves faster than the average person to keep up. If the average business has problems keeping up, then you can never even expect the average person to keep up. But I think the other question that I have, which I find is very interesting to somebody purposefully went into the field that you went into, is you could have been, you could have been an end sales engineering for a variety of different technical widgets products, literally anything. And telling a story about a highly complex product is a great scale, but you chose the field that is like mission critical, like if you screw up your job, especially now at the level that you're doing it at, like shit hits the fan. So it is not good when you still how why why did you want to put this much pressure on yourself? Why was this something that you wanted to go into because you did it with Boeing, obviously you're doing with Sam something past eight, eight plus years. So it's a passion. Yeah, you know, honestly, I think when I was going through college 2008 through 2012, it was at that time that digital privacy was really starting to kick off. I mean, there was a lot that was happening in our daily lives where we're finding out that governments were surveilling on people that our information was being absorbed and sucked in by some of these services that we connect our lives into. And I wanted to understand how do I protect myself from that, you know, this is kind of the building of the castle walls, but just for myself that's really all I cared about is, you know, what can I do to protect myself? Well, all those learnings, all of that understanding that I've taken to under, you know, to really get to know how do attacks work. You know, how do you actually stay private in a digitally connected world? All of that stuff was my origin, you know, my passion drove me into this specific field and through experience through talking with much smarter people than myself. And I've really started to absorb a lot of this knowledge exactly what you're talking about is a mission critical aspect of running a business. But even for your own personal life, I teach classes in my community on how to stay private, how to stay secure, how to avoid getting scanned. And all of this sort of stuff that I try to take what I've learned and reeducate other people, and it just happens that my job that I do involves educating other people. I love it. And what is, okay, so let's, let's understand like the current state of enterprise and enterprise security and some of the things that you've seen evolve over your career because obviously you have a passion for it personally. This entire category has gotten more and more complex. And you hear about security threats and changing business environment. And I know that now with COVID, the entire landscape of how people do business is different. So when people do business differently, now there's even more security threats that probably have come to, you know, come to light over the past two, two and a half years. So what is the current environment for corporate security? What are people focusing on? What are people maybe ignorant to all the things that you probably are thinking through six months or a year ahead of everybody else? Yeah, so I'll give you a little bit of the history over the last decade, you know, RIM and Blackberry were kind of the defunct secure mobile device. If you were going to get something so your executives, your managers, et cetera, could have a secure mobile device. It was pretty easy. It was just Blackberry. But then 2007 came along and iPhone and Android came out. Now that it was this new exciting mobile operating system that focused on this app ecosystem. And so users could download stuff that they wanted net YouTube. I mean, it went beyond just a secure instant messenger, a secure email device. Now we were getting these things that we could do content consumption where it was reading books or watching videos or even content creation. And that's kind of, you know, where mobile devices sit nowadays is TikTok and Instagram. So, you know, the evolution over the last decade for mobile devices has gone from we're going to take your windows laptop experience and boil it down to a really small device. And now what we've gone to is almost the flip people want the mobile device experience for that work environment that they have. And so people want would rather work from their phone when possible. You know, this meeting could have been an email is like a very common sort of thing because you don't want to have to get on the phone or video when you don't want to. But as as the industry has kind of progressed towards this mobile first mindset in terms of like security world, we've seen the threats chase along with those mobile devices. We've seen that applications and malware that users can download becomes a lot more prevalent. And so there's a fear of is my user based downloading and installing stuff that they shouldn't does that expose my organization to risk. We see things like well, these devices have Bluetooth and GPS and Wi-Fi 6 and all of these other sorts of interconnected features to really make these powerful mobile pocket computers. Capable of doing a ton of different things that we would have never imagined even doing with just a computer and hauling that around. So as these devices becoming increasingly connected, then the fear is are the networks that they're connecting to safe. Is are there any vulnerabilities with the radios on those devices, the chipsets on those devices, you know, the threats have gone away from your outlook email worms of the 90s and have moved into malicious apps that take your contacts and calendar data and resell your information so they can make a quick buck. So, you know, the targets have changed, the threat actors have changed and it's all moved towards this super quick paste mobile development sort of ecosystem. And I'm just thinking now, mostly because of COVID, you have people, so everything has changed but because of COVID now, a lot of people want to work from home, a lot of people are either permanently at home or hybrid. And I know personally, like now my work devices and my phones all blend, right? Like they all seem to blend now. Whereas maybe five or even 10 years ago that wasn't really the status quo when it came to working, right? So, if you go into an office, you'd have a laptop there, or you'd have a tower there, a desktop there, and that's where you worked off of. So now, if I think about all the things that I do on my personal device, then all of a sudden that allows all these different threats and all these different apps and all these different technologies that obviously IT, the IT department wouldn't allow you to put on your work device. If you look at, if you look at some stats, because I know that stats are very, very interesting when it comes to looking at the hard numbers of how the last two and a half years have impacted how we do business. So 73% of employees want flexible work options, meaning that a significant portion of those will be working from home. 66% of businesses are interested in hybrid workspace solutions, and then there's a 30% increase in cloud security mobility solutions, probably to support those first two stats. So, when you have an entire workforce move home or a significant portion of it, that's an absolute nightmare. People are using one phone for work and business, people are using their computer at home for work and business, so everything is now blended, even though it shouldn't be. But I mean the reality is, if somebody can't answer an email on their home computer or their home phone or their cell phone, their personal cell phone, they do that. So, what does this mean for businesses? Let's walk through some of the threat actors and some of the risks that present themselves. I think that I want to really highlight if an employee is answering emails on their phone at home without even thinking, but it seems like a harmless activity. Like, no one's going to get hurt, but I'm sure you see a lot of people actually getting quite hurt because they don't really understand what the potential impact could be. Yeah, so when it comes to the post pandemic, I mean we're still in the pandemic, but from really the worst of it, that initial onset March 2020, when everything shut down, everyone had to go home, and for those that were able to that could continue working, they were working from home. There was this mass shift immediately to, we got to set up VPNs. We don't have enough licenses. We don't have enough seats. Well, okay, let's just open up our email to the internet. We're just going to have people connect to it that way. There was this huge shift to try to get business to continue as normal as possible, and the security aspect of it just needed to catch up. You know, before the pandemic, I was involved because I've been at Samsung for such a long time. I've been trying to convince companies to move to this work from home model. I've been trying to convince them that yes, you can do work from your mobile device. It's just that as soon as 2020 hit, we needed to shift over that in order to keep things running. So some of the threats that I've seen in the post 2020 era has been and say really kind of two things. The first one is locking down the device itself. So as employees get mobile devices, you know, you can't afford laptops always for people laptops tend to be a little bit more expensive of a device. So employees were getting handed phones. You can still do video calls from it. You can still get your email. But making sure that that device is secure was really kind of one of the first areas of threats. Employees often will download whatever apps that they want. If this is a device that they're allowed to use to take pictures of their family to put in their own calendar appointments, it became really important to lock those devices down. So, you know, many companies utilize a software tool like enterprise mobility management or EMM. Sometimes it's also called MDM mobile device management. So those EMM tools really configured that device set up email, put down work apps, etc. So when it comes to these mobile devices, protecting that device itself was such an important aspect of it. You know, as employees are putting their lives on to these devices, they're taking family photos, they're putting in, you know, the kids soccer game into their calendar, you really needed to make sure that you didn't expose your organization to risk by a user accidentally downloading something. Now, the Google Play Store does really well on trying to protect against what they call PHA, potentially harmful applications, what most of the industry refers to as malware, but it may not necessarily be malicious. It may be trying to take your contacts so it can resell that information. It could be trying to take a calendar information to resell your information, you know, what sorts of activities are you doing, etc. So that risk that occurs on these mobile devices really stems from, are you preventing users from installing what are known as side loaded applications when they can go onto the internet and they say, oh, why pay five dollars for this game out of the Google Play Store when I can go download it for free. So that user doesn't realize is that version of the application that they're downloading has been changed, so some of that information gets taken, but some of that stuff is sensitive business information. If you let an application get access to your files and a user's downloading important things like your org chart, your financial numbers, etc. So who's to say where that information goes, especially if it's going from information broker to information broker, there's not really that control there. So that first risk that I was talking about protecting the device, you know, this post work from home environment is really trying to make sure that the device itself is locked down. Samsung's been doing a lot with our devices with our nox platform where out of the box, you're going to be protected from potentially harmful applications. In addition to the Google Play Store's scanning, if you download something that's trying to route your device or compromise your device to get access to information, it really shouldn't. Well, Samsung nox is protecting that device from the first time that you turn it on, it's got hardware in there that's making sure that applications can't get access to any more information than they're allowed to. So that's kind of that first threat. No, I was going to say I was going to mention one point on that. So it's interesting because I want to figure out so I want to keep going down this path, but I also want to I want to highlight for the business owner or the person who's thinking about how do I, you know, protect my mission critical business information. When you think about how to solve for a security problem and I alluded to it before, but you have to solve for the person problem too. So when that means that if you are a business, is there if you use Samsung nox or if you use some sort of is there some sort of tools that allow you to either let the person use their personal phone and or if not, then shut them off from the things they don't have access to so that the human problem because it most most security breaches right it's always the human problem. It's it's the fishing or it's the not paying attention downloading me at it's it's never really done maliciously you don't have a lot of people I mean it can happen, but you don't have a lot of hackers that are figuring out complex passwords unless the password is very simple, but I think there's a lot of human problems that are easier to hack than maybe complex passwords or tapping into somebody's Wi-Fi, which are all real problems as well, but how do you solve that human problem of somebody just saying I just want to use my device that I used to manage sales reps where I know for a fact they never purchased a personal phone because they said I'm a sales rep. I'm going to have a phone no matter what company I go to why would I go by my own phone. So you still want them to be able to use it to some extent, but you don't want. You know, you know what I mean. No, that's the I told I totally do it. And that's one of the reasons why I joined up with Samsung when I did eight years ago I saw Samsung nox initially talked about on the Galaxy S3, but it wasn't until the Galaxy S4 that it was officially launched, but that was the thing that I said. Ah ha, this is really cool. I want to be a part of this. So prior to iOS and Android, you know, people would carry around a personal cell phone and they'd carry around their blackberry work phone. You were not often mixing the two environments together. You wanted to keep your personal stuff separate from your work stuff and exactly that point that you're talking about, you know, I can have my phone here. I've got all of my personal apps, everything that I've downloaded and then I have a work section where it's got completely different apps or it may even be the same apps, but the data, you know, what information I actually save are compartmentalized. In the industry, we call it containers. So this is a containerized solution that's built into every single one of these Samsung devices and that container is not just protected by some encryption key that stored on the flash storage. Know that those keys that, you know, the thing that actually keeps that data separated is managed by software that's running on a different chipset than the operating system. So if something gets onto that flash storage, something gets into the operating system and wants to try to get to that work data, it can't because the keys and the actual software to manage and make sure that bad actors, malware, et cetera, can't get to that are on a different piece of silicon. And it's not easy to get to that piece of silicon, you know, we talk about it Samsung nox vault, which is this evolution, you know, I was talking about from the Galaxy S4 and we're now on the Galaxy S22 over eight years later. This nox vault is tamper resistant. So lab attacks when you're taking probes and an oscilloscope trying to figure out what the encryption key is based off of ones and zeros that are flowing through the wires. Well, the device can detect that the chipset can detect that if you try lowering the temperature of the device in order to get information off of the RAM because RAM is volatile once it loses power that information eventually goes away. So if you lower the temperature of the device, you can literally freeze that information on that chipset and nox vault also looks for, hey, are there temperature attacks, is there something going on with the temperature and it locks this stuff down. So for these organizations that, you know, just want something that they can make it really simple, they just hand device to someone who works in sales and says, sure, you can go download whatever apps that you want, you can, you know, take pictures of your family and stuff like that, but we're going to have a different section on on this device that has all of your work data. And so if you, if I go into my email application for work and I try sharing, you know that share context, then you will say Twitter, Facebook, Instagram, whatever. Well, on the work side, it will only show me the work apps that are in that container. If my work wanted to, they can apply a VPN that only applies to everything in that work container or they could even do it per app within that work container. So really, the way that Samsung knocks and the way that Android enterprise has evolved the mobile landscape has been to give you your cake and let you eat it too. You can have your work device while still protecting your own individual privacy, you know, everything that I keep on the personal side of my device. The MMM can't take a look at the photos, you know, some IT help desk person can't see what applications I have installed, et cetera. If I were to download something delicious, let's just say, if I were to download some malware, that malware is only going to have exposure to the calendar context that I have on my personal side. I don't have any access to that data on the corporate side. So in this work from home environment, protecting this device really means enabling the user to use the device as they want. These are fantastic mobile devices, high quality cameras, great screens to watch video content on. But you also want it to do the things that you want for work, you need to be able to have access to your slack or instant messenger, you need your email and being able to enable both of those use cases in one piece of hardware means that users can carry around the device in their pocket. And it makes work from home a lot easier because if you're not leaving behind that blackberry back at home when you're at the grocery store, then you carry around the phone that you're already having with your grocery list on it, then when someone reaches out to you and says, hey, I need you to send me those files, you can do so from the work side of your phone. Okay, so we actually jumped ahead because I got excited about fixing this human problem and I appreciate that I want to go through and I want to highlight a few more of the ways that somebody can be compromised. So I want to so you were you're going down this path already, so I think it's important. The most prevalent ways that if you don't focus on security as an organization, how do people get attacked, all the different vectors, all the different threats, go through, go through the ones that you see the most. Yeah, so I talked about the first thing, which is protecting the device itself, protecting the end point. And so that gets done through enterprise mobility management, EMM software to say, here's what the policy is on the device, you need to have a pass code. Here's the email configuration, right? All of that stuff happens with the EMM. The second thing is protecting credentials. So trying to make sure that if you have passwords, if you have biometric data, your fingerprint when unlocking your device, you want to make sure that that stuff is protected as well. You know, when it comes to the mobile industry as a whole, this is something that the mobile industry has been constantly trying to outpace and beat itself on has been to provide kind of a passwordless environment. So you'll have things like UB key devices. You know, UB key is great. I love, I love their little tokens, their keys, but you can get a hardware key that provides, we call it multi factor authentication or two factor authentication. You'll often see this with your bank account when you're locking in says, this is an unfamiliar device. We're going to send you a code over SMS. You know, we're moving away from things like two factor in general, really great SMS codes being sent to you are probably the weakest version of it. And going towards something stronger like a hardware token is much better. So that's second thing that, you know, where are the threats coming from? This is leaked credentials. If someone's using the same password and let's be honest, we're all human, we don't like to have multiple passwords. You know, the solutions to this are using a password vault key pass last pass one pass dash lane. There are still many of these different types of services because it is such an essential function of our ever increasing life is walking down these credentials. People reuse passwords. So if a password gets leaked and it's associated with an email, it becomes really easy for information brokers on the dark web to be able to start attacking targets, especially if you find out that someone works for a government agency. You know, any of those sorts of things information leakage is real information and credential leakage is a big threat. So being able to trust that device with walking down that information, you know, on Samsung devices, the passwords are never stored in flash storage. Those passwords are also kept in that nox vault that separate piece of hardware. So if someone does download something malicious, they can't just find out what your pin is, what your screen lock pass code is, what your email credentials are because, you know, if someone could get your email credentials, someone else can log in from a completely different device. And if your organization is an employing quarantine or other types of controls to say, hey, this IP addresses from China, it's from Russia, it's from a different country than where the users based out of, then, you know, that becomes that source of information leakage. So that second point is securing the credentials. And then I'd say the third thing, you had, you had talked a little bit about this, but as we work from home, you know, when you're going into the office, you have network engineers who have built out the Cisco access points and the network controller to make sure that everything is really locked down. You're using radius and you've got a certificate on there. Man, you're doing the best in class strategy for protecting these wireless devices. And then the user goes home and then they have an open Wi-Fi network and they live in an apartment building with 40 other Wi-Fi networks right next to them. Who's to say that not only, you know, when you live and work from an environment like that, maybe you trust all of your neighbors, but do you trust all of your neighbors to update their devices and to lock down their security? Who's to say that they don't have a device that's infected on their network that is then probing and exploring out in that Wi-Fi space to say what's the next thing that I can hop to? All they want, you know, hackers, we see the depiction of hackers in media as these guys, of course, in a hoodie. They always have to be in a black hoodie and they're typing furiously. I love the NCIS meme of like, oh no, someone's hacking into the mainframe and two people hop on the keyboard at the same time, like that allows them to hack faster. We have this like romanticized vision that there's like an individual that is specifically targeting you and is trying to get in and it's a race against time. When in reality most hackers are looking on stack overflow, they've probably got, you know, a coffee and energy drink or something like that and they're coding out bots and scripts. They don't do this stuff in real time, not unless they're an advanced persistent threat, an APT. So a lot of this time it's just something that they've programmed that says go out into the world and start collecting, start scooping up this stuff. You know, we live in the world of big data and so you're not really trying to target one person. So if someone gets infected in your apartment complex, then the entire wireless network around them can be the next hop. And so if they can get onto your employees open Wi-Fi network, they can start attacking other devices. Do you have IoT devices, you know, do you have security cameras, etc. It's all that sort of stuff that becomes the next vulnerability. So the third point that I'm trying to make is securing the network. You can't always guarantee that someone's not using a router with known backdoors, known vulnerabilities. If someone can just reach that box from the internet, they've gotten into the home Wi-Fi network. VPNs, virtual private networks, become such an essential piece of the work from home equation, because it guarantees that everything that you're using, whether it's your email or some sort of business app, all of that data gets protected. And no one can kind of snoop as to, you know, are there any passwords that are going through the clear, can I do, you know, can I do a man in the middle attack, can I start to say, oh, I'm the person in this certificate chain, you should trust me. You know, any of those sorts of types of attacks become even more prevalent in a work from home environment. And do you see the largest targets being, you know, the Fortune 500, Fortune 100 enterprise, or do you actually see some of the targets being companies that are growing quickly but have not put enough thought into it yet, where they have zero infrastructure in place? I think it's more of the latter than the former. And that's simply because if you're going to develop attacks for those Fortune 500 companies, you're spending a lot of time and a lot of money trying to get something of value. And a lot of, you know, information security is, what's the lowest hanging fruit? And so you're going to want to target those companies who are becoming increasingly connected, increasingly mobile, but haven't thought about how to protect the device, how to protect credentials, how to protect the network. And so you want to try to pick off the lowest hanging fruit. You want to go for the easiest wins, the things that are going to get you a return on your money. It's those advanced persistent threats that are targeting DOD government agencies, Fortune 100, Fortune 500 companies, whether it's corporate espionage, whether it's stealing intellectual property. That's a lot harder to achieve, but it's got such a big payout, especially when we talk about things in this industry are moving so fast, you want to be first to market, you want to be the first to develop a feature or to take the lessons learned so you don't have to do all of that R&D yourself. We see this happening at more of a national scale where certain nations are, you know, have agencies within themselves that are targeting companies than we do with, you know, kind of those shops that are information brokers aren't necessarily targeting this Fortune 500 companies. I just want to take a second and thank the sponsor of today's episode HubSpot. Now running your own business means uncertainty is everywhere. So wouldn't it be nice to have a CRM platform that just works, a CRM platform that helps you provide a seamless, connected best in class customer experience for too long businesses have had to deal with managing point solutions that slow down their teams, frustrate customers and hit them with hidden fees. HubSpots all in one CRM platform has everything you need to do business, no hidden fees included with a connected platform that's easy to implement and use your teams have all the tools and data they need to spend more time on what matters most creating remarkable customer experiences. Learn how HubSpot can help your business grow better at HubSpot.com and in my experience. Yeah, no, that's fair. And I guess what what have some of the what have some of the worst case scenarios that you see maybe not exactly Samsung customers, but what are some of the things that maybe people have either seen in the news or not seen in the news where specifically this particular setup impacted the security. So work from home, mobile, not protected. What are some of the couple different case studies and never going to talk about some of the positive things that we've seen from proper mobile security, but some of the things where they weren't set up properly. Do you have any any stories, any horror stories I want to say. Yeah, you know, in terms of horror stories, I tend to catch customers that already have an established security organization that already have people that are harping on. Okay, we need to recycle passwords. We need to make sure that the mobile device itself has good policies and it's locked down. So most of the customers that I work with are already starting to practice these things that I'm talking about. It's those small to medium businesses, which are exposed to risk that don't even have the organizations to tell them that they have been compromised. That's the scary part is as they get increasingly connected, they may not even be aware that someone's already in their email server. They don't already know that someone has taken a device, has put information onto it because they stole some corporate potential from someone because the corporate credential was the exact same thing that someone was using for their LinkedIn profile. As we put information into the mobile space, it really matters on protecting credentials and making sure that this information is protected. So I don't have a lot of examples on small to medium businesses, probably because they may not know, they may not know either, right? If you're doing corporate espionage, it's not like a ransomware attack where you're definitely going to know it's going to be they have the documents that they want and they don't ever want you to know they have those documents. So I want to understand more about because obviously your baby and what you've brought to life is Samsung nox. Let's talk a little bit about that. Let's talk about first of all. I always like to ask why did Samsung want to take this product to market? Why did Samsung want to champion this? Why did they want to champion security? They do a lot of different things, obviously. So what was the raison d'être to take this to market and then how do you differentiate yourself against all the other security products? Why is this something that people have to think about? So I think when Samsung was first coming out with Android mobile devices, Samsung wanted to be top in line. This is something that's very built into Samsung DNA. I've gone to Korea a couple of times. I've worked with a lot of Korean co-workers and they're so absolutely driven by wanting to be first in every product category, TVs, refrigerators, mobile devices, whatever it is. Samsung nox became this answer to the question of there's a lot of businesses that exist out there. Blackberry is not doing well in this consumer competitive environment where users are electing for iPhones and Android over Blackberry devices. Lots of businesses were asking how do we secure this down? And so out of Samsung R&D or research and development are there were individuals that were saying, well, what can we do to make mobile devices even more secure than desktop traditional PC environments? And so we got this concept of sandboxing out of Android every application gets its own little data repository. All the information gets saved into there. If you want to try accessing some other apps data, you have to ask permission for that sort of stuff. If you want contacts, you have to ask permission from the user. That sort of concept was the start of it. But Samsung nox developed as I said back on the Galaxy S4 starting out with how do we separate work from personal data. So the Android enterprise concept that we see where personal and work data is separated was something that Samsung originated. This is something that we built into the, you know, the very core of this device. And all we've been doing every year after has been, well, what are the common vulnerabilities that we're seeing? What are the common ways to exploit these devices? And we've just been coming up with solution to really kind of meet this. So in the time that I've seen the product evolve, we were really trying to answer that question of how do you take a mobile device and make it incredibly simple to secure. You can just trust that as long as you have this device in your hand, it's already working to protect you. And then as you enable enterprise capabilities on it. So whether you're using this device as a consumer or you're utilizing this device as a business or an organization. There's extra features and functionality to help restrict and limit that threat service. So maybe Bluetooth doesn't have to be a risk because you've disabled Bluetooth or maybe you don't have to worry about the network on the device because it's got a VPN. We've been building these devices in collaboration with independent software vendors, ISVs. We've been working towards trying to provide lots of functionality and capability into these devices to really make it what you want, whether you're an end user or as an enterprise. And that's another thing too, like it can be scaled up, right? So I can get Samsung knocks if I just feel like this is something that I want to keep on my phone to make it more secure all the way through to I can deploy it for 10,000 devices across my organization. You've created so that it does have all these different use cases. And that brings you back to my question. So when you look at without it's always it's always, you know, I'm sort of giving you the the ability to differentiate yourself. You have to name the competitors because a lot of competitors now that are in the security space, but what what differentiates Samsung knocks because again, if I'm if I'm ignorant and I'm trying to figure something out, I'm going to probably go through four or five different providers that all claim to keep my devices secure help my employees work from home all these different things. Samsung, I've always found his best in class and most of everything they've done. And this is from the TVs that I purchased to the laptops that that they've they they do very good they create very good products. But what what is the main differentiator if you look at all the other enterprise management system security management systems that you can install devices that Samsung has brought to the table that currently you may not see in the market. The image that comes to mind is having a bicycle and if you've ever lived in the city, you know that if you're going to have a lock on your bicycle, you can't just do a master lock. You can't just do kind of a chain around the frame and the wheel. The image that comes to mind is someone who's got one of those you locks, you know the really heavy bolt ones and they put it on a baller just one of those poles that sticks straight up. And so the bike is really well secured to something that is inherently not a secured thing. One of the things that set Samsung apart from our competition is this is the point that we argue is from the hardware itself from the chip set design. We make sure that these devices are secure. They've got always on encryption. So when you put and save data on the device, we never know what that encryption key is every single device, all the billions of Samsung devices. We don't know what the encryption key is for that. If we were to try to decrypt that device, we wouldn't even be able to. We'd have to defeat AES 256 bit encryption before we'd even be able to decrypt a Samsung device. So we start out from the hardware from the factories every single device is unique in the way that it protects itself and that hardware is that first step. The second thing is our supply chain. The devices that come through Samsung factories, whether it's in India, if it's in Korea, if it's in Vietnam, or any of the other factories that we have around the world, that supply chain is secure. There have been attacks on other vendors devices where even before it gets to the user or enterprises hands, there's someone in the gray market. There's some reseller that has taken those devices and started putting their own software onto them. So that supply chain that comes from Samsung devices is secure as well. So we start from the hardware, we go through the logistics up until the time that you turn on that device, then it's the software running on that thing. Our competitors will offer software solutions, which is that image that I'm describing. It's that really heavy, you lock bolt, but if you can't trust the device itself, everything else kind of falls apart. How do you trust the software running on a device if you don't even trust that the device is running the software it was intended to? So our devices have something called a Knox warranty bit. Really cool stuff. There's this electronic fuse in every single one of the Samsung devices in the S series, the Z series, etc. And in those devices, if someone roots the device, then that fuse gets permanently blown. So any corporate data, any work data, as a consumer, you can download an app called Secure Folder and that utilizes the exact same containerization technology that an enterprise would use, but as a consumer, now you can have two copies of the same app. You can have a different camera, different, you know, things like that, and you can keep it separate. So whether you're just like a small business running, contracting, consulting on the side, and you don't have an enterprise mobility management, you don't have all this stuff. You can still use the Secure Folder and yeah, so even on the consumer side, you can download Secure Folder, so that way you can, you know, if you're a small business, if you're a contractor, you can keep your business separate from your personal stuff on your phone. You know, we start out with the hardware, we do the supply chain, but even the software layer on top, we continuously try to protect this device. So what sets us apart from the competitors is the competitors are always trying to put icing on a cake. But if the cake itself isn't very tasty and if the cake isn't very well constructed, it doesn't matter how much icing that you put on it, it's still not going to be the cake that you want to eat. I love that. No, it's smart, and I love the analogy you used, and I want to walk through, even before we started recording, I think that when you deploy something at this level, it's exceptional some of the customers that you've worked with. I was looking at some of the, like in your career with Samsung, some of the, some of the deployments that you've done, like you're working with PepsiCo, you're working with Harley Davidson, you're working with probably a lot of people like government agencies that I don't even, I don't even know about, but walk me through some of the most interesting setups, the most interesting deployments, how it's benefited companies. And because if we can sort of learn from the best of the best that are doing this properly, then hopefully small and midsize can take some examples from how you set these companies up for success. You know, that's what's really great about this problem in particular is it doesn't matter the size of the company that you are, no one really wants to spend too much time talking or thinking about security. They just want it to work, it needs to work out of the box from the get go. So I've worked with government agencies, three letter agencies that have a lot of security experts in a room that are asking all these questions, how do you protect against this, how do you do this. And the Samsung knock story that we tell is the thing that not only convinces them that yes, they can get a Samsung devices, but in general, they weren't using mobile devices before. I've worked with police agencies who are using Samsung phones as body cams, you know, getting transparency to the public and being able to record officers interactions while also trying to make sure that officers are protected in man down sorts of situations. They need to be able to know that those audio and video recordings are stored securely on the device and when they do go into an evidence locker, a digital evidence locker, that that information is being transmitted in a secure way. You never want someone who is in sort of like a domestic abuse situation or if someone's undercover, you don't want that person to become exposed. So being able to trust the devices security is the essential thing to get someone to not only buy into a mobile device strategy, but also to pick Samsung knocks. We've worked with agencies that have deployed, if you if you didn't know about this feature, Samsung phone like the Z Fold 3 or the S series, they're capable of a feature called Samsung decks are desktop experience. You know, especially when on the question of work from home, I've had a lot of companies in manufacturing in retail in logistics that have wanted to replace purchasing that laptop with just getting a phone. But what if your phone could also be your laptop and that's one of the exciting things about Samsung decks is you can take a Samsung phone, you can plug it into a monitor with a keyboard and a mouse and all of your Android apps go on to the screen in windows just like you're used to on an actual laptop or a desktop. But it's just your same you can take a look at your messages, you can pull up an internet browser and you have tabs now, so you don't have to like go switch through all that stuff. It's the experience that you're already used to, but you know, there was this term that engage it had used many, many years ago of the ubiquitous device. One thing that you can carry around that is your phone, that is your tablet, that is your drawing pad, that is your computer, and we're getting really close to that. So organizations that want to secure down these devices, you know, some of the stuff that I've seen is they've taken these phones and they plug it into their car into the squad car for some police officers. They'll plug in a Samsung phone and they've got a little screen built into the dash with the keyboard and mouse. Now they don't need to carry around that extra laptop. Now their phone, they can go out, they can collect evidence, take all the pictures and stuff, they go into their squad car, and they upload all that stuff directly from their phone. There's no switching different devices, it's all the same sort of experience, it just changes that user interface to what they need. So some of those things that I've seen in my eight years career is not only convincing people on that Samsung story, the security story of Android and why protected by Android is such an important aspect to these mobile devices, but it's also about how you can utilize this stuff. I'm so incredibly excited about reducing the time it takes to do stuff, reducing the cost it takes, or reducing the complexity of this stuff. You don't need multiple things, you just really need to be simple, cheap, and quick. And that's what a lot of Samsung knocks has brought value to companies, even to the point that, you know, financial and finance vertical, we've got companies that are using Samsung devices. As I said before, logistics and retail, it's all part of that, every increasing trend of becoming more interconnected, becoming even more mobile, and having a device that you know that you can trust. And when you look at what you've built so far, which is incredible, but you see the future of knocks, you see the future of mobile security as an industry, what are the things that you want to accomplish with knocks and what are some of the things that you think will be prevalent in mobile security and or just security for corporations in the next five years. So security is never done in a vacuum security is this, you know, to be a really secure organization. For most people that have worked in network security or info sec, you know, the thing that that keeps coming up in that industry is it's whackable. There's no anyone who tells you this product is secure and it will forever be secure or probably lying out of their teeth or they just don't know what they're talking about. In the threat landscape where I see the future of this stuff is that we fix problems faster and we start learning from how those problems occur and try to architect new chips, new designs, etc. that even replace the need to do the patching for that. I go to Black Hat, I go to Defcon, I participate and I talk to the researchers, the speakers, etc. and I always try to keep up to date on what is the state of art, what is academia talking about and learning, what are the security companies talking about and learning. And one of the things that I really like about Samsung because we have such a close knit relationship with the research community when there's something that comes out we're quick to fix it where we talk about that with our customers. So one of the things I lead is I do all of our technical write-ups for our B2B customers on any vulnerability that comes out. I tell them what the vulnerability is, which devices it affects, how it can get patched, etc. So all of this really comes down to the future where I see Samsung Nox is being closely connected with the larger community of security researchers, threat developers, etc. and just trying to keep pace with it. It's going to be impossible for anyone to be ahead of that curve and say, we're secure, we'll never be attacked. iOS devices get attacked, Windows devices get attacked, Android devices get attacked, it's just part of it. But being able to have products like Nox eFoda or enterprise firmware over the air, customers can push down firmware to the device on their schedule. If they're not ready to go for an OS upgrade from OS 12 to 13, they don't have to, they can lock down all their devices and prevent them from going there. But as soon as they are ready, let's say that there's a major security vulnerability on Bluetooth and Samsung's come up with a patch for it within 30 days. As series devices and many of our other devices get monthly patches. So as soon as something does come out less than three days later, we've got to fix for it. Well, when something like that does happen, our customers need to be able to push out that software immediately. And for other devices and other software solutions, it's kind of a let the user decide, they'll get to pick when they need to update. But for Samsung devices with eFoda, you're able to just push that down, you're able to say, well, I want all 1000 of my devices in this location to update at 2 a.m. Don't even prompt the user, just go ahead and update. Or hey, we've got several updates that we need to. So we're going to have the device go through every single one of those updates until it gets to the patch that we need. So the future where I see this stuff is it's impossible to build a perfectly secure platform. Now you can get pretty close and I think that Samsung knocks gets right there, gets really close to a very secure solution, especially coming from that out of the box. But the future where I see this is being very fast at coming up with these fixes and learning these lessons to see academia has learned to see what advanced persistent threats have been doing to try to innovate and build on that. So you can rest assured that when you buy one of these devices, it's already using the state of art technology to protect you against the most common types of threats. I want to wrap this up and I want to go into some quick rapid fire to close it out, but I want to just point people in the right direction as well. So floor is yours closing thoughts that if there's anything we didn't go into about any of the topics, I think we did a pretty good job going to most everything. But I was sort of like a masterclass for people that are trying to get a better understanding of mobile security and security in general in the entire landscape. But any closing thoughts that I forgot to ask you because you are definitely way more well versed in this than I am, so I appreciate it. But then also where do people connect with you, where do people go to find out more about Samsung knocks, all of that. Yeah, so closing thoughts, I'll just reiterate on some of the lessons that I've learned that whether you're a small medium business or you're not your enterprise and you're responsible for the mobile devices or the security of these things, really reiterating this three points, secure the device, secure the credentials, secure the network. If you can do those three things, you're really taking out some of the biggest threats that you've got. Everything else that kind of comes out in the mobile security landscape are going to be things that someone needs physical access to your device. That's advanced persistent threat territory where someone stealing your device and is trying to like hook up electronic probes to it to try to get data and information out of it. By default, Samsung devices are really secure. They've got always on encryption, they've got knocks, the platform in general, but on like our S series devices, they have that knocks vault where all that information is stored separately in a tamper resistant chip. The hardware design of it is really important. So when you are selecting a device, it may not just be enough to say what is our mobile strategy, which mobile devices are we going to allow. It may be the consideration that you have to have of which devices can I trust. Is it Google Pixel? Is it Motorola? Is it any generic Android device or are we going to pick on Samsung? You know, Gartner is an organization that evaluates the industry as a whole. And for multiple years, Samsung and Samsung's knocks platform has been rated as one of the top, if not the top security platform or secure mobile operating system and platform in the industry. We've been keeping state of the art through many years, as I had said from the Galaxy S4. So, you know, some of those things that I just want to reiterate is making sure that you pick the right device and making sure that you do some of those basic simple things to protect the most common ways that an organization is going to, you know, get attacked is they have services that are exposed to the general internet because they're not utilizing a VPN. They have credentials that users are reusing because they don't store things in like a password vault or they don't store things into a secure environment on the device itself. And making sure that the device is protected from potentially harmful applications by utilizing that containerization separating personal from work. Your employees want to carry around these devices. They're fantastic, great screens, great cameras. So, you know, let them use those devices the way that they'd like to without compromising on that security for your data, for your work documents, your contacts, your organizations, information. So, that's kind of the first thing that I'd say you had a second part to the question I just need a little reminding of. Oh, it was it was really just where do people, where do people find out more information? Where do people connect with you? Where do people go to find more about Samsung nox? So, you can find me on LinkedIn. So, Andrew Nichols, that's my name. You'll find me as an employee of Samsung Electronics America. I'd say if you're going to try to reach out to me professionally, that's where you're going to find me, not on social media otherwise. So, you won't be able to find me from any other links. But if you want to find out more about Samsung nox, really simple, you can either go to Samsung nox.com. If you want to get in contact with someone from my team, there's a little email box where you can say talk to a sales person for a little bit more. Well, I work with all of our sales engineers, so that's one of the ways that you'd be able to get in contact with me from a professional standpoint. But, you know, I do the training for all of the sales engineers. So, all the stuff that I know, I try to disseminate it out to the, you know, overview members of my team. So, it's something that I'm happy to help talk this stuff over. If you have concerns, if you have questions, if you just want to talk about, you know, what is the state of the art? What is, where is this industry going? That's all stuff that I'm very interested in talking about. So, yeah, that Samsung nox.com. Okay, perfect. Alright, let's do a couple rapid fire just to pull some last insights from you. Obviously, a very successful career. You've worked your way up and now you're building products with one of the largest organizations in the world. So, I want to pull some last thoughts for people that are listening that sort of want to get some inspiration from your career. So, in your professional life, what keeps you up at night now? And it could be related to your personal professional life, like where you are in your career, or could be in the grand scheme of security and threats. Yeah, so the joke answer is it's Korea. They're on a different time zone. So, anytime that I have to meet with Korea, they're the thing that's keeping me up at night. The little bit more serious of an answer is it's fine, you know, as the industry has been patching security vulnerabilities and has been learning from academia. The thing that's really starting to scare me is that the tax are getting much more sophisticated and are happening at the chip level. It's finding vulnerabilities within firmware that's not even part of the Android operating system anymore. Making sure that customers select a mobile device manufacturer that is selecting good components is such an essential part of that security model. That's the thing that really scares me is I'm not seeing email worms anymore. Now I'm seeing applications that are vacuuming and harvesting data in mass. I'm seeing Bluetooth attacks that can rewrite the firmware on the Bluetooth chip that the Android operating system doesn't even have exposure to. And then all of a sudden that gives a foothold for the next sort of attack. It's those sorts of things that are keeping me up at night. And I think the last thing that's keeping me up at night are protocol attacks. These are things that even if we've open sourced the code, even if plenty of people have reviewed it. Partly was one of those major things that was really scaring the industry because we trusted SSL for a long time. We trusted the ability to do secure connections over the internet with it. And if it turns out that the protocol can be attacked, well then we have to do a new protocol and we have to move everything over in software. And that takes a long time when not every organization is keeping up to date on those updates. So it's also important to make sure that when you do get the prompt to update your device, you should be doing that as quickly as possible. By doing so, you make it much harder for the bad guys to get money. If it's hard for them to get paid, they're going to want to go try to find different work. We're going to go after different targets. Don't be the lowest hanging fruit. What's the biggest challenge you've had to overcome in your career? I think the biggest challenge I've had to overcome has been fanboyism. I know there's probably not, you know, it's people that have an attachment towards a particular device or a brand and aren't able to justify that logically. I like to tell stories because stories appeal to the emotional aspect, but I'm also an engineer, so I like to talk about the logical aspect of it as well. Being too entrenched in a particular brand or product and not being able to justify it has been one of the hardest challenges for me to overcome because it's still not something that I know how to tackle and change. In the industry, we know that certain competitors of ours have messaging clients that are specific to them and the younger generations, teenagers, are utilizing these devices and they get bullied unless they don't use that device. So if they're not on that messaging client, they're being excluded. So that's definitely a real sort of fear of mine is that people are going to be so entrenched into just one brand that they're not willing to consider another. And they also don't, you know, they rest on those laurels. They don't really try to say, well, is this really secure for me? I can't utilize a personal side and a work side on this particular device, but it's the thing that they've grown up using. You know, I utilize Linux, Windows, Apple, etc. I try to use everything that I can because I care about the state of the industry, I care about the technology itself. And so I want to keep on learning what's new and what's good. I don't, you know, I don't want to just stick, even though I work for Samsung, I don't want to just stick within one shop. It's really important to be able to explore out. And so that's the hardest thing I've had to deal with is convincing people who don't want to be convinced. I mean, that's a good, that's a very valid point, but I think that's something that actually education can solve for and hopefully, especially at a corporate level. I mean, if an individual is compromised in terms of their device, it's very unfortunate, but it would not have the same impact that it could have when a large organization. So I think that education across individuals and organizations is important, but that's always where it starts. Like even just having the conversation today, I learned stuff and I consider myself relatively technical, but I mean, I learned stuff that I never knew before either. So it's just about having more conversations, I think, and being able to, you know, find those conversations and get them in front of the right people, but I think that's very, very good point. If you had to pick a person, and I usually ask a mentor of yourself, and you can mention somebody who's been impactful in your career, or you can also mention somebody that in security and mobile security is sort of on the forefront of thought leadership. You can go either direction, but I think it'd be interesting for you to pick some person that's been impactful in your life. Everything that I've learned has always been from someone else, whether it was through college, my career at Boeing and Samsung, everything that I've learned has been through a larger sort of body of knowledge. And I've had people who have been kind enough to take their time to really educate me on some of these complex topics. When I ask them, you know, what is a man in the middle attack? Well, why does encryption protect against this? Well, how do you protect against that sort of thing? I've had people that have taught me, so I don't know if I can name one individual, but really be kind to other people. You know, if you know something and you're willing to be an educator, someone's new within your organization and is just trying to learn what is that technology, I was that person. I came from an arts background, and I had to learn all about computers, et cetera. You know, even though my dad worked for a tech company, I didn't know all this stuff. I wasn't a programmer, et cetera. You know, I still even struggle with programming. It's tough for me, even though I love to do it, I'm not great at it. I always have to rely on a body of knowledge. I wouldn't name an individual person, but it may be you. It may be the person listening to this. Think about, can you help educate someone? Can you help inspire them to be that person that is the educator, that person that is speaking about these topics? Because what really drives me or passion is our passionate people. And so being able to meet someone and talk with someone that is passionate about it and teaches me something, I haven't been able to do this alone. I'm not self-taught. I just absorb a lot of knowledge and I'm able to regurgitate it. I love it, dude. That's a really good lesson. That's a very, very good lesson. If you had to pick a book or a podcast, obviously not this one, another podcast or some book that you would recommend people go check out, what would it be? Gosh, so I'm an avid reader, but I read the internet a lot. The last book that I read was The Jungle by Upton Sinclair. I just read that over the summer. Gosh, wait and put me on the spot with something. I don't even listen to podcasts either. No, no, it's fine. Okay, so I think it's so, I mean, no, I mean The Jungle is fine. I mean, I guess let's pivot and ask a question differently. If somebody wants to learn more about security and somebody is liberal arts degree, somebody is trying to start their career off, what are the forums? I don't give a shit if it's if it's stack overflow or I don't care. Where do you send people to learn more? That's the most useful information. So XDA developers is a really great source for that. I really love Reddit. That is probably the only social media that I use. But our netsec network security shortened down to netsec. That subreddit is really great. People post white papers, people post blog posts from Zimperium Esper. Esper is really great. Their blog talks about it. You know, this industry is constantly changing. So someone that was doing really great before might suddenly vanish. And so there's a little bit more archived and historical. But the only thing that I can tell people is read, read, read, read as much as you can. Because getting more of these stories, understanding this architecture, because it's complex, understanding an entire operating system and all the threats that go along with it. But being able to read that body of knowledge, seeing what other researchers have found online has good resources. Like I said, from Reddit, from netsec, from XDA developers, from Zimperium's blog Esper.io. Those are really great places to get started with learning about the mobile ecosystem and what threats occur on them. .