Success Story Podcast

Andrew Nichols – Head of Solutions Architecture at Samsung | Protecting Mission-Critical Business Data

September 21, 2022 (updated January 18th, 2023)


About The Guest

Andrew Nichols has been a Technical Pre-Sales Engineer for Samsung for 8 years and has focused on delivering secure mobile solutions to many brands and companies you recognize. He is focused on living an independent and eco-friendly lifestyle with his family: growing food for the year, raising a flock of chickens, harvesting rainwater, and collecting solar energy to power his EV and e-bike.

Andrew graduated from the University of Washington with a B.S. in Informatics and a focus on Information Assurance which spearheaded his interest in the world of privacy and security. Currently, Andrew has been volunteering and leading an organization in his community known as the ReMakery which is dedicated to helping teach and perform repairs for broken items in his community, as well as investigating using tech and techniques to turn trash into desirable products and objects.

Talking Points

  • 00:00 — Intro
  • 03:07 — Andrew Nichols’s origin story
  • 05:26 — What was the first job that allowed Andrew Nichols to start learning about what he’s doing now?
  • 10:03 — Why did Andrew pursue a field that is mission critical?
  • 12:45 — The current environment for corporate security
  • 24:39 — Solving human problems regarding corporate security
  • 31:57 — How do people get attacked and how is their security compromised in an organization?
  • 42:40 — Some mobile security cases that weren’t set up properly
  • 45:10 — Why did Samsung want to champion security?
  • 49:10 — What differentiates Samsung Knox from other mobile security systems?
  • 54:43 — What were some of the most interesting deployments made by Andrew Nichols?
  • 1:00:39 — Some new things that will prevail in mobile security in the next 5 years
  • 1:09:27 — Where can people connect with Andrew Nichols?
  • 1:10:55 — What keeps Andrew up at night?
  • 1:13:51 — The biggest challenge Andrew has ever faced in his life
  • 1:16:51 — The most impactful person in Andrew’s life
  • 1:19:15 — A book, podcast, or source to learn from recommended by Andrew Nichols


What is the Success Story Podcast?

On this podcast, you’ll find interviews, Q&A, keynote presentations & conversations on sales, marketing, business, startups, and entrepreneurship.

The podcast is hosted by entrepreneur, business executive, author, educator & speaker, Scott D. Clary.

Scott will discuss some of the lessons he’s learned over his own career, as well as have candid interviews with execs, celebrities, notable figures, and politicians, all of whom have achieved success through both wins and losses, to learn more about their life, their ideas, and their insights.

He sits down with leaders and mentors and unpacks their stories to help pass those lessons on to others through both experiences and tactical strategies for business professionals, entrepreneurs, and everyone in between.



Machine Generated Transcript


Scott D Clary  00:01

What do the federal funds rates and the price of a barrel of oil have to do with you being able to buy a house this year? How do you suppose corporate earnings reports affect your next vacation? Join Marketplace host Kai Ryssdal as he untangles economic news and gives you context you can actually use, because the more you know about the financial world, the better you can plan for what’s happening in your own world. Listen to Marketplace wherever you get your podcasts. Welcome to Success Story, the most useful podcast in the world. I’m your host Scott D. Clary. This Success Story podcast is part of the Blue Wire podcast network as well as the HubSpot Podcast Network, which has other great podcasts like Socialette, hosted by Steph Taylor. Socialette discusses all things online marketing; Steph Taylor answers all your business marketing questions. She deep dives into the nitty gritty of online marketing, content marketing, social media marketing, and marketing strategy for business owners. If any of these topics resonate with you, you’re gonna love the show. You’ll learn things like how to scale your brand on various different social media platforms, some of the biggest mistakes you can make with your launch of a new product or service, the importance of nurturing and engaging your audience consistently, the importance of having your audience fully understand the problem you’re trying to solve and why it’s important to solve right now, as well as why growing audiences across all social platforms feels so hard in 2022. You can go listen to Socialette wherever you get your podcasts, or at the HubSpot Podcast Network. Today, my guest is Andrew Nichols. Now, Andrew heads up all enterprise B2B sales engineering at Samsung. He’s worked in sales engineering for mobile security at Boeing, followed by an eight-year-plus stint at Samsung. Mobile security and the security industry have always been his forte.
Now he has seen everything. He’s seen the evolution of threats and security incidents over the past decade, and he’s dedicated his life to helping businesses better prepare for mobile security and security incidents. So we spoke about the evolution of the security industry, we spoke about how threats have evolved for businesses, and what business owners have to be cognizant and aware of. We spoke about security solutions that now have to be implemented because of a work from home environment, which sees employees using their own devices, working on unsecured networks, all absolute nightmares for companies that could be threats, and why. And we went into why people are so unprepared, some of the horror stories that he’s seen working in the industry, as well as some of the successful use cases of proper security implementation, so that you aren’t compromised, your employees aren’t compromised, and you don’t, unfortunately, find yourself in an incredibly embarrassing, costly and potentially legally damaging situation. So Andrew Nichols is the expert on all things security and mobile security. We’re going to speak about how he’s operated and worked with some of the largest organizations in the world on how to improve and better protect themselves with his work at Samsung. You are going to get a masterclass in mobile security. This is Andrew Nichols.


Andrew Nichols  03:36

Sure, yeah, so my name is Andrew Nichols. I was born and raised in Washington State. And I originally started out as a theater major when I was first going to college. I was doing directing, set design, acting, pretty much everything involved in theater. And when I was looking for a job, I got accepted into the University of Washington’s IT department, even though I didn’t know much about computers. And that was really kind of the genesis of my career, getting into computers, getting into technology. And I’ve always been a very curious person, wanting to understand everything about technology, and to be able to explain those concepts, you know, very complex concepts, to people. So from that point, I got interested in information security. I worked at Boeing as a mobile security architect helping build out their mobile application and mobile device security strategy, helping them get iOS and Android devices into their environment. And after that short stint at Boeing, I’ve been working at Samsung for the last eight years as a pre-sales engineer. So my job is to go into big named accounts, Fortune 500 companies; most brands and labels that you’ve ever heard of I’ve worked with. And my job is to help them deploy Samsung mobile devices in a way that they trust. So when it comes to answering security type questions, not only do I have to know the entire platform, what are the current risks, what are the current threats, but I also help advise between our engineering teams and our customers on, you know, what new products, what new features can we develop, and how to communicate those products and features, you know, to both sides. So, I came from a completely different background, an arts background, and I’ve gone into the science and engineering sort of field. But I think it provides me with a little bit of multiple aspects to my whole career.


Scott D Clary  05:53

Interesting career, coming from a liberal arts background, a little bit of left brain, right brain that allowed you to be successful. So when somebody looks at your career, and where you’re at right now, they would immediately think, if they’re coming from a liberal arts background, I definitely would, at least, I don’t understand the pathway to get there. I don’t have any formal education, formal training, it seems like, to have very high level technical conversations about security in particular; that’s not something that you can really screw around with. It does take something that I obviously haven’t prepped myself for. So how did you, you put yourself in that environment to some extent, but what was like the first job or first position that you held that allowed you to start learning? And what was that learning curve like, so that you could operate with some of the largest Fortune 500, Fortune 100 probably, and advise them and consult them on security matters, technical security matters?


Andrew Nichols  06:51

That, you know, that’s kind of where the left brain, right brain dichotomy really comes into play. You know, just getting a nerd into a room isn’t always enough to try to persuade or convince people. You know, I think that’s where sort of that arts degree, that performing arts, helps me be able to tell a story. You know, humans react really well to stories. And when it comes to security, it’s very hard to see the tangible benefits of why having something be secure is really beneficial. You just want to have the device be secure. You don’t want to know all the buttons and switches, what is, you know, real time kernel protection, what is defeat exploit? You know, what are all these sorts of terms that an engineer would throw around? You know, I think that some of the skill sets that I have help customers understand the story that I’m trying to weave for them, and how it integrates into their business. Why do these features benefit them? You know, the first job that I really had that blended all of this stuff together, ironically, was when I was 16. And I was working at GameStop. And I had to be able to tell stories of why a customer should purchase a particular video game. They’d come into the store and they’d say, you know, I’m looking for this for my son, I’m looking for this game for my sister, you know, what should I pick? And I’d have to have an extensive knowledge on our entire catalog, and be able to tell them, okay, this studio is good, this game is really well known, this game is popular. And I think that’s where those two skills kind of came together: it’s both the sales aspect, which is what I do here at Samsung, but it’s also kind of like telling that story. And you know, really kind of selling the engineering: oh, this game’s graphics are really great, or the story in this game is amazing. I think that’s really where I originally got my start. And I had just always envisioned that I was going to go into theater.
But after I had gotten a job in the tech industry, I really just started taking off from there. You know, a lot of people get into the tech industry because they have a comp sci background. They have an engineering background, they’re really interested in making the next app or, you know, building something with microcontrollers, Arduino and electronics. And I really treasure co-workers, peers in those spaces. But really, anytime that I can find someone that comes from an arts background that gets into the tech industry, that works in an engineering type field, there’s something that I gravitate towards, that person who knows Shakespeare, art history, etc. It’s just being, you know, I always wanted to pride myself on being a renaissance man. So having different skill sets, I think, is really impactful when it comes to being able to present a complex topic like security, because it goes beyond just bullet points. Security is becoming an ever increasing aspect of our modern day lives, as we worry about people’s social media accounts getting hacked, people’s contacts and privacy being compromised by apps that they have on the device. You know, this is just an ever increasing sort of thing as our lives become increasingly digital.


Scott D Clary  10:30

And I think that people are not as prepared as they should be, because technology moves faster than the average person can keep up. If the average business has problems keeping up, then you can never even expect the average person to keep up. But I think the other question that I have, which I find very interesting, is why somebody purposely went into the field that you went into. You could have been in sales engineering for a variety of different technical widgets, products, literally anything, and telling a story about a highly complex product is a great skill, but you chose the field that is like mission critical. Like if you screw up your job, especially now at the level that you’re doing it at, like, shit hits the fan. So it is not good. So how, why? Why did you want to put as much pressure on yourself? Why was this something that you wanted to go into? Because you did it with Boeing, obviously, dealing with Samsung for the past eight-plus years? So it’s a passion?


Andrew Nichols  11:29

Yeah, you know, honestly, I think when I was going through college, 2008 through 2012, it was at that time that digital privacy was really starting to kick off. I mean, there was a lot that was happening in our daily lives, where we were finding out that governments were surveilling people, that our information was being absorbed and sucked in by some of these services that we connect our lives into. And I wanted to understand, how do I protect myself from that? You know, this is kind of the building of the castle walls, but just for myself. That’s really all I cared about is, you know, what can I do to protect myself? Well, all those learnings, all of that understanding that I’ve taken to, you know, really get to know, how do attacks work? You know, how do you actually stay private in a digitally connected world? All of that stuff was my origin, you know, my passion drove me into this specific field. And through experience, through talking with much smarter people than myself, I’ve really started to absorb a lot of this knowledge, exactly what you’re talking about. It is a mission critical aspect of running a business. But even for your own personal life, I teach classes in my community on how to stay private, how to stay secure, how to avoid getting scammed. It’s all of this sort of stuff that I try to take what I’ve learned and re-educate other people. And it just happens that my job that I do involves educating other people.


Scott D Clary  13:12

I love it. And what is... Okay, so let’s understand, like, the current state of enterprise and enterprise security and some of the things that you’ve seen evolve over your career, because, obviously, you have a passion for it personally. But this entire category has gotten more and more complex, and you hear about security threats and a changing business environment. And I know that now with COVID, the entire landscape of how people do business is different. So when people do business differently, now there’s even more security threats that probably have come to light over the past two and a half years. So what is the current environment for corporate security? What are people focusing on? What are people maybe ignorant to, all the things that you probably are thinking through six months or a year ahead of everybody else?


Andrew Nichols  14:05

Yeah, so I’ll give you a little bit of the history over the last decade. You know, RIM and BlackBerry were kind of the de facto secure mobile device. If you’re going to get something so your executives, your jurors, etc, could have a secure mobile device, it was pretty easy. It was just BlackBerry. But then 2007 came along and iPhone and Android came out. Now there was this new, exciting mobile operating system that focused on this app ecosystem. And so users could download stuff that they wanted: Netflix, YouTube. I mean, it went beyond just a secure instant messenger, a secure email device. Now we were getting these things that we could do content consumption on, whether it was reading books or watching videos, or even content creation. And that’s kind of, you know, where mobile devices sit nowadays, is TikTok and Instagram. So, you know, the evolution over the last decade for mobile devices has gone from, we’re going to take your Windows laptop experience and boil it down to a really small device. And now what we’ve gotten to is almost the flip: people want the mobile device experience for that work environment that they have. And so people would rather work from their phone when possible. You know, "this meeting could have been an email" is like a very common sort of thing, because you don’t want to have to get on the phone or video when you don’t want to. But as the industry has kind of progressed towards this mobile first mindset, in terms of, like, the security world, we’ve seen the threats chase along with those mobile devices. We’ve seen that applications and malware that users can download become a lot more prevalent.
And so there’s a fear of, is my user base downloading and installing stuff that they shouldn’t? Does that expose my organization to risk? We see things like, well, these devices have Bluetooth, and GPS, and Wi-Fi 6, and all of these other sorts of interconnected features, to really make these powerful mobile pocket computers capable of doing a ton of different things that we would have never imagined even doing with just a computer and hauling that around. So as these devices become increasingly connected, then the fear is, are the networks that they’re connecting to safe? Are there any vulnerabilities with the radios on those devices, the chipsets on those devices? You know, the threats have gone away from your Outlook email worms of the 90s and have moved into malicious apps that take your contacts and calendar data and resell your information so they can make a quick buck. So you know, the targets have changed. The threat actors have changed. And it’s all moved towards this super quick paced, mobile development sort of ecosystem.


Scott D Clary  17:32

And I’m just thinking now, mostly because of COVID, you have people, all these, so everything has changed, but because of COVID, now a lot of people want to work from home, a lot of people are either permanently at home or hybrid. And I know personally, like, now my work devices and my phones all blend, right? Like they all seem to blend now. Whereas maybe five or even 10 years ago, that wasn’t really the status quo when it came to working, right? You’d go into an office, you’d have a laptop there, or you’d have a tower there, a desktop there. And that’s where you worked off of. So now, if I think about all the things I do on my personal device, then all of a sudden, that allows all these different threats and all these different apps and all these different technologies that obviously the IT department wouldn’t allow you to put on your work device. So if you look at some stats, because I know that stats are very, very interesting when it comes to looking at the hard numbers of how the last two and a half years have impacted how we do business: 73% of employees want flexible work options, meaning that a significant portion of those will be working from home; 66% of businesses are interested in hybrid workspace solutions; and then there’s a 30% increase in cloud security, mobility solutions, probably to support those first two stats. So when you have an entire workforce move home, or a significant portion of it, that’s an absolute nightmare, that like people are using one phone for work and business, people are using their computer at home for work and business. So everything is now blended, even though it shouldn’t be. But I mean, the reality is, if somebody can’t answer an email on their home computer or their home phone or their cell phone, they do that. So what does this mean for businesses? What does this actually look like?
Let’s walk through some of the threat actors and some of the risks that present themselves, like I think that I want to really highlight. If an employee is answering emails on their phone at home, without even thinking about it, it seems like a harmless activity, like no one’s gonna get hurt. But I’m sure you see a lot of people actually getting quite hurt because they don’t really understand what the potential impact could be.


Andrew Nichols  19:52

Yeah, so when it comes to the post pandemic, I mean, we’re still in the pandemic, but really the worst of it, that initial onset, March 2020, when everything shut down, everyone had to go home. And for those that were able to, that could continue working, they were working from home. There was this mass shift immediately to, we got to set up VPNs. We don’t have enough licenses. We don’t have enough seats. Well, okay, let’s just open up our email to the internet. We’re just gonna.


Scott D Clary  20:30

What did the federal funds rates and the price of a barrel of oil have to do with you being able to buy a house this year? How do you suppose corporate earnings reports affect your next vacation? Join Marketplace host Kai Ryssdal as he untangles economic news and gives you context you can actually use, because the more you know about the financial world, the better you can plan for what’s happening in your own world. Listen to Marketplace wherever you get your podcasts.


Andrew Nichols  20:57

to have people connect to it that way. There was this huge shift to try to get business to continue as normal as possible. And the security aspect of it just needed to catch up. You know, before the pandemic, I was involved, because I’ve been at Samsung for such a long time, I’ve been trying to convince companies to move to this work from home model. I’ve been trying to convince them that yes, you can do work from your mobile device. It’s just that as soon as 2020 hit, we needed to shift over to that in order to keep things running. So some of the threats that I’ve seen in the post 2020 era have been, I’d say, really kind of two things. The first one is locking down the device itself. So as employees get mobile devices, you know, you can’t afford laptops always for people; laptops tend to be a little bit more expensive of a device. So employees were getting handed phones. You can still do video calls from it, you can still get your emails. But making sure that that device is secure was really kind of one of the first areas of threats. Employees often will download whatever apps that they want. If this is a device that they’re allowed to use to take pictures of their family, to put in their own calendar appointments, it became really important to lock those devices down. So you know, many companies utilize a software tool like Enterprise Mobility Management, or EMM. Sometimes it’s also called MDM, mobile device management. So those EMM tools really configure that device, set up email, put down work apps, et cetera. So when it comes to these mobile devices, protecting that device itself was such an important aspect of it. You know, as employees are putting their lives onto these devices, they’re taking family photos, they’re putting in, you know, the kids’ soccer game into their calendar, you really needed to make sure that you didn’t expose your organization to risk by a user accidentally downloading something.
Now, the Google Play Store does really well on trying to protect against what they call PHA, potentially harmful applications. What most of the industry refers to as malware, but it may not necessarily be malicious. It may be trying to take your contacts so it can resell that information. It could be trying to take calendar information to resell your information, you know, what sorts of activities are you doing, etc. You know, that risk that occurs on these mobile devices really stems from, are you preventing users from installing what are known as side loaded applications, when they can go onto the internet and they say, oh, why pay $5 for this game out of the Google Play Store, when I can go download it for free? Well, what that user doesn’t realize is that version of the application that they’re downloading has been changed. So some of that information gets taken, but some of that stuff is sensitive business information. If you let an application get access to your files, and a user’s downloading important things like your org chart, your financial numbers, et cetera, you know, who’s to say where that information goes, especially if it’s going from information broker to information broker. There’s not really that control there. So that first risk that I was talking about, protecting the device, you know, this post work from home environment is really trying to make sure that the device itself is locked down. Samsung has been doing a lot with our devices, whether or not it’s a platform where, out of the box, you’re going to be protected from potentially harmful applications. You know, in addition to the Google Play Store’s scanning, if you download something that’s trying to root your device or compromise your device to get access to information it really shouldn’t,
well, Samsung KNOX is protecting that device, you know, from the first time that you turn it on. It’s got hardware in there that’s making sure that applications can’t get access to any more information than they’re allowed to. So that’s kind of that first threat.


Scott D Clary  25:36

No, I was gonna say, I was just gonna mention one point on that. So it’s interesting, because I want to figure out, so I want to keep going down this path. But I also want to highlight for the business owner, or the person who’s thinking about, how do I, you know, protect my mission critical business information? When you think about how to solve for a security problem, and I alluded to it before, but you have to solve for the person problem, too. So what that means is that if you are a business, if you use Samsung Knox, or if you use some sort of... is there some sort of tool that allows you to either let the person use their personal phone, and/or if not, then shut them off from the things they don’t have access to? So that the human problem, because most security breaches, right, it’s always the human problem. It’s the phishing, or it’s the not paying attention, downloaded me, it’s never really done maliciously. You don’t have a lot of people, I mean, it can happen, but you don’t have a lot of hackers that are figuring out complex passwords, unless the password is very simple. But I think there’s a lot of human problems that are easier to hack than maybe complex passwords or tapping into somebody’s Wi-Fi, which are all real problems as well. But how do you solve that human problem of somebody just saying, I just want to use my device? And I used to manage sales reps, where I know for a fact they never purchased a personal phone, because they said, I’m a sales rep, I’m going to have a phone no matter what company I go to, why would I go buy my own phone? So you still want them to be able to use it to some extent, but you don’t want, anyways, you know what I mean?


Andrew Nichols  27:16

No, I totally get it. And that’s one of the reasons why I joined up with Samsung when I did eight years ago. I saw Samsung KNOX initially talked about on the Galaxy S3, but it wasn’t until the Galaxy S4 that it was officially launched. But that was the thing that I said, aha, this is really cool, I want to be a part of this. So prior to iOS and Android, you know, people would carry around a personal cell phone and they’d carry around their BlackBerry work phone. You were not often mixing the two environments together; you wanted to keep your personal stuff separate from your work stuff. And exactly that point that you’re talking about, you know, I can have my phone here, I’ve got all of my personal apps, everything that I’ve downloaded, and I have a work section where it’s got completely different apps, or it may even be the same apps, but the data, you know, what information I actually save, are compartmentalized. In the industry, we call it containers. So this is a containerized solution that’s built into every single one of these Samsung devices. And that container is not just protected by some encryption key that’s stored on the flash storage. No, those keys, you know, the thing that actually keeps that data separated, are managed by software that’s running on a different chipset than the operating system. So if something gets onto that flash storage, something gets into the operating system, and wants to try to get to that work data, it can’t, because the keys and the actual software to manage and make sure that bad actors, malware, etc. can’t get to that are on a different piece of silicon. And it’s not easy to get to that piece of silicon. You know, we talked about Samsung KNOX Vault, which is this evolution, you know, I was talking about from the Galaxy S4, and we’re now on the Galaxy S22, over eight years later. This Knox Vault is tamper resistant.
So lab attacks, when you’re taking probes and an oscilloscope trying to figure out what the encryption key is based off of the ones and zeros that are flowing through the wires, well, the device can detect that, the chipset can detect that. If you try lowering the temperature of the device in order to get information off of the RAM, because RAM is volatile, once it loses power, that information eventually goes away. So if you lower the temperature of the device, you can literally freeze that information on that chipset. And Knox Vault also looks for, hey, are there temperature attacks, is there something going on with the temperature, and it locks this stuff down. So for these organizations that, you know, just want something that they can make really simple, they just hand a device to someone who works in sales and say, sure, you can go download whatever apps that you want, you can, you know, take pictures of your family and stuff like that. But we’re going to have a different section on this device that has all of your work data. And so if I go into my email application for work, and I try sharing, you know, that share context menu will say Twitter, Facebook, Instagram, whatever; well, on the work side, it will only show me the work apps that are in that container. If my work wanted to, they can apply a VPN that only applies to everything in that work container, or they could even do it per app within that container. So really, the way that Samsung Knox and the way the Android enterprise has evolved the mobile landscape has been to give you your cake and let you eat it too. You can have your work device, while still protecting your own individual privacy. You know, everything that I keep on the personal side of my device, EMM can’t take a look at the photos, you know, some IT Helpdesk person can’t see what applications I have installed, etc.
If I were to download something malicious, let’s just say if I were to download some malware, that malware is only going to have exposure to the calendar, contacts that I have on my personal side. It won’t have any access to that data on the corporate side. So in this work from home environment, protecting this device really means enabling the user to use the device as they want. These are fantastic mobile devices, high quality cameras, great screens to watch video content on. But you also want it to do the things that you want for work: you need to be able to have access to your Slack or instant messenger, you need your email. And being able to enable both of those use cases in one piece of hardware means that users can carry around the device in their pocket. And it makes work from home a lot easier. Because if you’re not leaving behind that BlackBerry back at home when you’re at the grocery store, then you carry around the phone that you’re already having with your grocery list on it. Then when someone reaches out to you and says, hey, I need you to send me those files, you can do so from the work side of your phone.


Scott D Clary  32:54

Okay, so we actually jumped ahead because I got excited about fixing this human problem. And I appreciate it, but I want to go through and I want to highlight a few more of, like, the ways that somebody can be compromised. So you’re going down this path already, so I think it’s important. The most prevalent ways: if you don’t focus on security as an organization, how do people get attacked, all the different vectors, all the different threats? Go through the ones that you see the most.


Andrew Nichols  33:26

Yeah, so I talked about the first thing, which is protecting the device itself, protecting the endpoint. And so that gets done through Enterprise Mobility Management, EMM software, to say, here’s what the policy is on the device, you need to have a passcode, here’s the email configuration, right? All that stuff happens with EMM. The second thing is protecting credentials. So trying to make sure that if you have passwords, if you have biometric data, your fingerprint when unlocking your device, you want to make sure that that stuff is protected as well. You know, when it comes to the mobile industry as a whole, this is something that the mobile industry has been constantly trying to outpace and beat itself on, has been to provide kind of a passwordless environment. So you’ll have things like YubiKey devices. You know, YubiKey is great, I love their little tokens, their keys, but you can get a hardware key that provides, we call it multi-factor authentication or two-factor authentication. You’ll often see this with your bank account: when you’re logging in, it says this is an unfamiliar device, we’re going to send you a code over SMS. You know, we’re moving away from things like... two-factor in general, really great; SMS codes being sent to you are probably the weakest version of it, and going towards something stronger like a hardware token is much better. So that second thing, you know, where are the threats coming from? This is leaked credentials. If someone’s using the same password, and let’s be honest, we’re all human, we don’t like to have multiple passwords. Now, the solutions to this are using a password vault: KeePass, LastPass, 1Password, Dashlane, there are so many of these different types of services. Because it is such an essential function of our ever-increasing life, locking down these credentials; people reuse passwords.
So if a password gets leaked and it’s associated with an email, it becomes really easy for information brokers on the dark web to be able to start attacking targets, especially if you find out that someone works for a government agency, they work for a highly targeted, highly prolific company, you know, any of those sorts of things. Information leakage is real; information and credential leakage is a big threat. So being able to trust that device with locking down that information. You know, on Samsung devices, the passwords are never stored in flash storage; those passwords are also kept in that Knox Vault, that separate piece of hardware. So if someone does download something malicious, they can’t just find out what your PIN is, what your screen lock passcode is, what your email credentials are. Because, you know, if someone could get your email credentials, someone else can log in from a completely different device. And if your organization isn’t employing quarantine or other types of controls to say, hey, this IP address is from China, it’s from Russia, it’s from a different country than where the user is based out of, then, you know, that becomes that source of information leakage. So that second point is securing the credentials. And then I’d say the third thing, you had talked a little bit about this, but as we work from home, you know, when you’re going into the office, you have network engineers who have built out the Cisco access points, the network controller, to make sure that everything is really locked down. You’re using RADIUS and you’ve got a certificate on there; man, you’re doing the best-in-class strategy for protecting these wireless devices. And then the user goes home. And then they have an open Wi-Fi network.
And they live in an apartment building with 40 other Wi-Fi networks right next to them. Who’s to say that... not only, you know, when you live and work from an environment like that, maybe you trust all of your neighbors, but do you trust all of your neighbors to update their devices and to lock down their security? Who’s to say that they don’t have a device that’s infected on their network that is then probing and exploring out in that Wi-Fi space to say, what’s the next thing that I can hop to? You know, hackers, we see the depiction of hackers in media as these guys, of course, in a hoodie, they always have to be in a black hoodie, and they’re typing furiously. I love the NCIS meme of, like, oh no, someone’s hacking into the mainframe, and two people hop on the keyboard at the same time, like that allows them to act faster. We have this, like, romanticized vision that there’s, like, an individual that is specifically targeting you and is trying to get in, and it’s a race against time, when in reality most hackers are looking on Stack Overflow, they’ve probably got, you know, a coffee and energy drink or something like that, and they’re coding out bots and scripts. They don’t do this stuff in real time, not unless they’re an advanced persistent threat, an APT. So a lot of this time, it’s just something that they’ve programmed that says go out into the world and start collecting, start scooping up this stuff. You know, we live in the world of big data. And so you’re not really trying to target one person. So if someone gets infected in your apartment complex, then the entire wireless network around them can be the next hop. And so if they can get onto your employee’s open Wi-Fi network, they can start attacking other devices. Do you have IoT devices? You know, do you have security cameras, etc.? It’s all that sort of stuff that becomes the next vulnerability.
So the third point that I’m trying to make is securing the network. You can’t always guarantee that someone’s not using a router with known backdoors, known vulnerabilities. If someone can just reach that box from the internet, they’ve gotten into the home Wi-Fi network. So VPNs, virtual private networks, become such an essential piece of the work-from-home equation, because it guarantees that everything that you’re using, whether it’s your email or some sort of business app, all of that data gets protected. And no one can kind of snoop as to, you know, are there any passwords that are going through in the clear? Can I do, you know, can I do a man-in-the-middle attack? Can I start to say, oh, I’m the person in this certificate chain, you should trust me? You know, any of those sorts of types of attacks become even more prevalent in a work-from-home environment.


Scott D Clary  40:55

And do you see the largest targets being, you know, the Fortune 500, Fortune 100 enterprise? Or do you actually see some of the targets being companies that are growing quickly but have not put enough thought into it yet, where they have zero infrastructure in place?


Andrew Nichols  41:16

I think it’s more of the latter than the former. And that’s simply because if you’re going to develop attacks for those Fortune 500 companies, you’re spending a lot of time and a lot of money trying to get something of value. And a lot of, you know, information security is, what’s the lowest-hanging fruit? And so you’re going to want to target those companies who are becoming increasingly connected, increasingly mobile, but haven’t thought about how to protect the device, how to protect credentials, how to protect the network. And so you want to try to pick off the lowest-hanging fruit, you want to go for the easiest wins, the things that are going to get you a return on your money. It’s those advanced persistent threats that are targeting DoD, government agencies, Fortune 100, Fortune 500 companies, whether it’s corporate espionage, whether it’s stealing intellectual property; that’s a lot harder to achieve. But it’s got such a big payout, especially when we talk about things in this industry are moving so fast, you want to be first to market, you want to be the first to develop a feature, or to take the lessons learned so you don’t have to do all of that R&D yourself. We see this happening at more of a national scale, where certain nations, you know, have agencies within themselves that are targeting companies, than we do, you know, kind of those shops that are information brokers; they aren’t necessarily targeting these Fortune 500 companies.


Scott D Clary  42:56

I just want to take a second to thank the sponsor of today’s episode, HubSpot. Now, running your own business means uncertainty is everywhere. So wouldn’t it be nice to have a CRM platform that just works, a CRM platform that helps you provide a seamless, connected, best-in-class customer experience? For too long, businesses have had to deal with managing point solutions that slow down their teams, frustrate customers, and hit them with hidden fees. HubSpot’s all-in-one CRM platform has everything you need to do business, no hidden fees included. With a connected platform that’s easy to implement and use, your teams have all the tools and data they need to spend more time on what matters most: creating remarkable customer experiences. Learn how HubSpot can help your business grow. And in my experience... yeah, no, that’s fair. And I guess, what are some of the worst-case scenarios that you see, maybe not exactly Samsung customers, but what are some of the things that maybe people have either seen in the news or not seen in the news, where specifically this particular setup impacted the security? So work from home, mobile, not protected. What are some of the couple different case studies? And then we’re going to talk about some of the positive things that we’ve seen from proper mobile security, but some of the things where they weren’t set up properly. Do you have any stories, any horror stories?


Andrew Nichols  44:28

Yeah, you know, in terms of horror stories, I tend to catch customers that already have an established security organization, that already have people that are harping on, okay, we need to recycle passwords, we need to make sure that the mobile device itself has good policies and is locked down. So most of the customers that I work with are already starting to practice these things that I’m talking about. It’s those small to medium businesses which are exposed to risk that don’t even have the organizations to tell them that they have been compromised. That’s the scary part: as they get increasingly connected, they may not even be aware that someone’s already in their email server. They don’t already know that someone has taken a device, has put information onto it, because they stole some corporate credential from someone, because the corporate credential was the exact same thing that someone was using for their LinkedIn profile. As we put information into the mobile space, it really matters on protecting credentials and making sure that this information is protected. So I don’t have a lot of examples on small businesses. Don’t know, well...


Scott D Clary  45:52

Probably because they may not know stuff, they may not know either, right? If you’re doing corporate espionage, it’s not like a ransomware attack where you’re definitely going to know. It’s going to be, they have the documents that they want, and they don’t ever want you to know that they have those documents. So yeah. So okay, so I want to understand more about, because obviously your baby, and what you’ve sort of brought to life, is Samsung Knox. So let’s talk a little bit about that. Let’s talk about, first of all, what... so I mean, I always like to ask why. Like, why did Samsung want to take this product to market? Why did Samsung want to champion this? Why did they want to champion security? They do a lot of different things, obviously. So what was the high zone that tried to take this to market? And then how do you differentiate yourself against all the other security products? Why is this something that people have to think about?


Andrew Nichols  46:44

Yeah, so I think when Samsung was first coming out with Android mobile devices, Samsung wanted to be top of the line; this is something that’s very built into Samsung’s DNA. You know, I’ve gone to Korea a couple of times, I’ve worked with a lot of Korean coworkers, and they’re so absolutely driven by wanting to be first in every product category: TVs, refrigerators, mobile devices, you know, whatever it is. Samsung Knox became this answer to the question of, there’s a lot of businesses that exist out there, BlackBerry is not doing well in this consumer competitive environment where users are electing for iPhones and Androids over BlackBerry devices, lots of businesses were asking, how do we secure this down? And so out of Samsung R&D, our research and development arm, there were individuals that were saying, well, what can we do to make mobile devices even more secure than desktop, traditional PC environments? And so we got this concept of sandboxing out of Android: every application gets its own little data repository, all that information gets saved into there, if you want to try accessing some other app’s data, you have to ask permission for that sort of stuff. If you want contacts, you have to ask permission from the user. You know, that sort of concept was the start of it. But Samsung Knox developed, as I said, back on the Galaxy S4, starting out with how do we separate work from personal data. So the Android Enterprise concept that we see, where personal and work data is separated, is something that Samsung originated; this is something that we built into the, you know, the very core of this device. And all we’ve been doing every year after has been, well, what are the common vulnerabilities that we’re seeing? What are the common ways to exploit these devices? And we’ve just been coming up with solution after solution to really kind of meet this.
So in the time that I’ve seen the product evolve, we’re really trying to answer that question of how do you take a mobile device and make it incredibly simple to secure. You can just trust that as long as you have this device in your hand, it’s already working to protect you. And then as you enable enterprise capabilities on it, so whether you’re using this device as a consumer or you’re utilizing this device as a business or an organization, there’s extra features and functionality to help restrict and limit that threat surface. So maybe Bluetooth doesn’t have to be a risk because you’ve disabled Bluetooth. Or maybe you don’t have to worry about the network on the device because it’s got a VPN. We’ve been building these devices in collaboration with independent software vendors, ISVs. We’ve been working towards trying to provide lots of functionality and capability into these devices to really make it what you want, whether you’re an end user or an enterprise.


Scott D Clary  50:07

And that’s another thing too, like, it can be scaled up, right? So I can get Samsung Knox if I just feel like this is something that I want to keep on my phone to make it more secure, all the way through to I can deploy it for 10,000 devices across my organization. You create a site that does have all these different use cases.


Scott D Clary  50:28

And that brings me back to my question now. So when you look at, without... it’s always, you know, I’m sort of giving you the ability to differentiate yourself without you having to name the competitors, because there are a lot of competitors now that are in the security space, but what differentiates Samsung Knox? Because again, if I’m ignorant and I’m trying to figure something out, I’m going to probably go through four or five different providers that all claim to keep my devices secure, help my employees work from home, all these different things. Now, Samsung, I’ve always found is best in class in most everything that they’ve done, and this is from the TVs that I’ve purchased to the laptops that they do; they create very good products. But what is the main differentiator, if you look at all the other enterprise management systems, security management systems that you can install on devices, that Samsung has brought to the table that currently you may not see in the market?


Andrew Nichols  51:24

The image that comes to mind is having a bicycle. And if you’ve ever lived in the city, you know that if you’re going to have a lock on your bicycle, you can’t just do a Master Lock, you can’t just do kind of a chain around the frame and the wheel. The image that comes to mind is someone who’s got one of those U-locks, you know, the really heavy bolt ones, and they put it on a bollard, just one of those poles that sticks straight up. And so the bike is really well secured to something that is inherently not a secured thing. One of the things that sets Samsung apart from our competition, this is the point that we argue, is from the hardware itself, from the chipset design, we make sure that these devices are secure. They’ve got always-on encryption. So when you put and save data on the device, we never know what that encryption key is; every single device, all the billions of Samsung devices, we don’t know what the encryption key is for that. If we were to try to decrypt that device, we wouldn’t even be able to; we’d have to defeat AES 256-bit encryption before we’d even be able to decrypt a Samsung device. So we start out from the hardware, from the factories; every single device is unique in the way that it protects itself. And that hardware is that first step. The second thing is our supply chain. The devices that come through Samsung factories, whether it’s in India, if it’s in Korea, if it’s in Vietnam, or any of the other factories that we have around the world, that supply chain is secure. There have been attacks on other vendors’ devices where, even before it gets to the user’s or enterprise’s hands, there’s someone in the gray market, there’s some reseller that has taken those devices and started putting their own software onto them. That supply chain that comes from Samsung devices is secure as well.
So we start from the hardware, we go through the logistics up until the time that you turn on that device, then it’s the software running on that thing. You know, our competitors will offer software solutions, which is that image that I’m describing, it’s that really heavy U-lock bolt. But if you can’t trust the device itself, you know, everything else kind of falls apart. How do you trust the software running on a device if you don’t even trust that the device is running the software it was intended to? So our devices have something called a Knox warranty bit, really cool stuff. There’s this electronic fuse in every single one of the Samsung devices in the S series, the Z series, etc. And in those devices, if someone roots the device, then that fuse gets permanently blown. So any corporate data, any work data... As a consumer, you can download an app called Secure Folder. And that utilizes the exact same containerization technology that an enterprise would use, but as a consumer. Now you can have two copies of the same app. You can have a different camera, different, you know, things like that, and you can keep it separate. So whether you’re just, like, a small business running contracting, consulting on the side, and you don’t have an enterprise mobility management, you don’t have all this stuff, you can still use the Secure Folder. And yep, so even on the consumer side, you can download Secure Folder. So that way you can, you know, if you’re a small business, if you’re a contractor, you can keep your business separate from your personal stuff on your phone. You know, we start out with the hardware, we do the supply chain, but even the software layer on top, we continuously try to protect this device. So what sets us apart from the competitors is the competitors are always trying to put icing on a cake.
But if the cake itself isn’t very tasty, and if the cake isn’t very well constructed, it doesn’t matter how much icing you put on it; it’s still definitely not the cake that you want to eat.


Scott D Clary  55:40

I love that. No, it’s smart. And I love the analogy you used. And I want to walk through... even before we started recording, I think that when you deploy something at this level, it’s exceptional, some of the customers that you’ve worked with. So I was looking at some of the, like, in your career with Samsung, some of the deployments that you’ve done, like you’re working with PepsiCo, you’re working with Harley-Davidson, you’re working with probably a lot of people like government agencies that I don’t even know about. But walk me through some of the most interesting setups, the most interesting deployments, how it’s benefited companies. Because if we can sort of learn from the best of the best that are doing this properly, then hopefully small and mid-size can take some examples from how you set these companies up for success.


Andrew Nichols  56:28

That’s what’s really great about this problem in particular: it doesn’t matter the size of the company that you are, no one really wants to spend too much time talking or thinking about security, they just want it to work. It needs to work out of the box from the get-go. So I’ve worked with government agencies, three-letter agencies, that have a lot of security experts in a room that are asking all these questions: how do you protect against this? How do you do this? And the Samsung Knox story that we tell is the thing that not only convinces them that, yes, they can get Samsung devices, but in general they weren’t using mobile devices before. I’ve worked with police agencies who are using Samsung phones as body cams, you know, getting transparency to the public and being able to record officers’ interactions, while also trying to make sure that officers are protected in man-down sorts of situations. They need to be able to know that those audio and video recordings are stored securely on the device, and when they do go into an evidence locker, a digital evidence locker, that that information is being transmitted in a secure way. You never want someone who is in sort of, like, a domestic abuse situation, or if someone’s undercover, you don’t want that to become exposed. So being able to trust the device’s security is the essential thing to get someone to not only buy into a mobile device strategy, but also to pick Samsung Knox. We’ve worked with agencies that have deployed, if you didn’t know about this feature, a Samsung phone like the Z Fold3 or the S series; they’re capable of a feature called Samsung DeX, or desktop experience. You know, especially on the question of work from home, I’ve had a lot of companies in manufacturing, in retail, in logistics that have wanted to replace purchasing that laptop with just getting a phone.
But what if your phone could also be your laptop? And that’s one of the exciting things about Samsung DeX: you can take a Samsung phone, you can plug it into a monitor with a keyboard and a mouse, and all of your Android apps go onto the screen in windows just like you’re used to on an actual laptop or a desktop. That’s very good. It’s just your same article, you can take a look at your messages, you can pull up an internet browser and you’d have tabs now, so you don’t have to, like, go switch through all that stuff. It’s the experience that you’re already used to. But, you know, there was this term that Engadget had used many, many years ago of the ubiquitous device: this one thing that you can carry around that is your phone, that is your tablet, that is your drawing pad, that is your computer. And we’re getting really close to that. So organizations that want to secure down these devices, you know, some of the stuff that I’ve seen is they’ve taken these phones and they plug it into their car, into the squad car for some police officers. They’ll plug in a Samsung phone, and they’ve got a little screen built into the dash with the keyboard and mouse. Now they don’t need to carry around that extra laptop. Now their phone, they can go out, they can collect evidence, take all the pictures and stuff, they go into their squad car, and they upload all that stuff directly from their phone. There’s no switching different devices, it’s all the same sort of experience. It just changes that user interface to what they need. So some of those things that I’ve seen in my, you know, eight-year career is not only convincing people on that Samsung story, the security story of Android and why Protected by Android is such an important aspect to these mobile devices.
But it’s also about how you can utilize this stuff. I’m so incredibly excited about reducing the time it takes to do stuff, reducing the cost it takes, or reducing the complexity of this stuff. You know, you don’t need multiple things, you just really need it to be simple, cheap and quick. And that’s what a lot of Samsung Knox has brought value to companies, even to the point that, you know, in the financial and finance vertical, we’ve got companies that are using Samsung devices. As I said before, logistics and retail; it’s all part of that ever-increasing trend of becoming more interconnected, becoming even more mobile, and having a device that you know that you can trust.


Scott D Clary  1:01:36

And when you look at what you’ve built so far, which is incredible, but you see the future of Knox, you see the future of mobile security as an industry. What are the things that you want to accomplish with Knox? And what are some of the things that you think will be prevalent in mobile security, and/or just security for corporations, in the next five years?


Andrew Nichols  1:01:57

So security is never done in a vacuum. Security is... this used to be a really secure organization. For most people that have worked in network security or InfoSec, you know, the thing that keeps coming up in that industry is it’s Whac-A-Mole. There’s no... anyone who tells you this product is secure and it will forever be secure is probably lying out of their teeth, or they just don’t know what they’re talking about. In the threat landscape, where I see the future of this stuff is that we fix problems faster, and we start learning from how those problems occur and try to architect new chips, new designs, etc. that even replace the need to do the patching for that. So I go to Black Hat, I go to DEF CON, I participate in, I talk to the researchers, the speakers, etc. And I always try to keep up to date on what is the state of the art. What is academia talking about and learning? What are the security companies talking about and learning? And one of the things that I really like about Samsung, because we have such a close-knit relationship with the research community: when there’s something that comes out, we’re quick to fix it, and we talk about that with our customers. So one of the things I lead is I do all of our technical write-ups for our B2B customers on any vulnerability that comes out. I tell them what the vulnerability is, which devices it affects, how it can get patched, et cetera. So all of this really comes down to the future where I see Samsung Knox is being closely connected with the larger community of security researchers, threat developers, etc., and just trying to keep pace with it. It’s going to be impossible for anyone to be ahead of that curve and say, we’re secure, we’ll never be attacked. iOS devices get attacked, Windows devices get attacked, Android devices get attacked. It’s just part of it.
But being able to have products like Knox E-FOTA, or Enterprise Firmware Over The Air, customers can push down firmware to the device on their schedule. If they’re not ready to go for an OS upgrade from OS 12 to 13, they don’t have to; they can lock down all of their devices and prevent them from going there. But as soon as they are ready... let’s say that there’s a major security vulnerability on Bluetooth, and Samsung has come up with a patch for it within 30 days. Our S series devices and many of our other devices get monthly patches, so as soon as something does come out, less than three days later, we’ve got a fix for it. Well, when something like that does happen, our customers need to be able to push out that software immediately. And for other devices and other software solutions, it’s kind of a let-the-user-decide; they’ll get to pick when they need to update. But for Samsung devices with E-FOTA, you’re able to just push that down, you’re able to say, well, I want all 1000 of my devices in this location to update at 2am, don’t even prompt the user, just go ahead and update. Or, hey, we’ve got several updates that we need to do, so we’re going to have the device go through every single one of those updates until it gets to the patch that we need. So the future where I see this stuff is, it’s impossible to build a perfectly secure platform. Now, you can get pretty close, and I think that Samsung Knox gets right there, it gets really close to a very secure solution, especially coming from that out of the box. But the future of where I see this is being very fast at coming up with these fixes, and learning these lessons, to see what academia has learned, to see what advanced persistent threats have been doing, to try to innovate and build on that. So you can rest assured that when you buy one of these devices, it’s already using the state-of-the-art technology to protect you against the most common types of threats.


Scott D Clary  1:06:31

I want to wrap this up, and I want to go into some quick rapid fire to close it out. But I want to just point people in the right direction as well. So the floor is yours, closing thoughts, if there’s anything we didn’t go into about any of the topics. I think we did a pretty good job going into most everything, but that was sort of a masterclass for people that are trying to get a better understanding of mobile security and security in general in the entire landscape. But any closing thoughts that I forgot to ask you, because you are definitely way more well versed in this than I am, so I appreciate it. But then also, where do people connect with you? Where do people go to find out more about Samsung Knox, all of that?


Andrew Nichols  1:07:10

Yeah. So in closing thoughts, I’ll just reiterate some of the lessons that I’ve learned: that whether you’re a small to medium business, or you’re a larger enterprise, and you’re responsible for, you know, the mobile devices or the security of these things, really reiterating those three points, secure the device, secure the credentials, secure the network. If you can do those three things, you’re really taking out some of the biggest threats that you’ve got. Everything else that kind of comes out in the mobile security landscape is going to be things that someone needs physical access to your device for, that’s advanced persistent threat territory, where someone is stealing your device and is trying to, like, hook up electronic probes to it to try to get data, information out of it. You know, by default, Samsung devices are really secure. They’ve got always-on encryption. They’ve got Knox, the platform in general, but on, like, our S series devices, they have that Knox Vault where all that information is stored separately in a tamper-resistant chip. The hardware design of it is really important. So when you are selecting a device, it may not just be enough to say, what is our mobile strategy, which mobile devices are we going to allow? It may be the consideration that you have to have of which devices can I trust? Is it Google Pixel? Is it Motorola? Is it any generic Android device? Or are we going to pick on Samsung? You know, Gartner is an organization that evaluates the industry as a whole. And for multiple years, Samsung and Samsung’s Knox platform has been rated as one of the top, if not the top, security platform or secure mobile operating system and platform in the industry. We’ve been keeping state of the art through many years, as I had said, from the Galaxy S4. So, you know, some of those things that I just want to reiterate are making sure that you pick the right device and making sure that you do some of those basic, simple things to protect.
The most common ways that an organization is going to, you know, get attacked is they have services that are exposed to the general internet because they’re not utilizing a VPN. They have credentials that users are reusing because they don’t store things in, like, a password vault, or they don’t store things in a secure environment on the device itself, and making sure that the device is protected from potentially harmful applications. By utilizing that containerization, separating personal from work, your employees will want to carry around these devices. They’re fantastic, great screens, great cameras. So, you know, let them use those devices the way that they’d like to without compromising on that security for your data, for your work documents, your contacts, your organization’s information. So that’s kind of the first thing that I’d say. You had a second part to the question I just need a little reminding of.


Scott D Clary  1:10:25

Oh, it was really just, where do people find out more information? Where do people connect with you? Where do people go to find more about Samsung Knox?


Andrew Nichols  1:10:33

Yeah, so, um, you can find me on LinkedIn. So Andrew Nichols, that’s my name, you’ll find me as an employee of Samsung Electronics America. I’d say if you’re gonna try to reach out to me professionally, that’s where you’re gonna find me. I’m not on social media otherwise, so you won’t be able to find me from any other links. But if you want to find out more about Samsung Knox, really simple, you can either go to Samsung Knox. If you want to get in contact with someone from my team, there’s a little email box where you can say talk to a salesperson for a little bit more. Well, I work with all of our sales engineers. So that’s one of the ways that you’d be able to get in contact with me from a professional standpoint. But, you know, I do the training for all the sales engineers. So all the stuff that I know, I tried to disseminate out to the, you know, the members of my team, so it’s something that I’m happy to help talk this stuff over. If you have concerns, if you have questions, if you just want to talk about, you know, what is the state of the art, where is this industry going? That’s all stuff that I’m very interested in talking about. So yeah, that Samsung


Scott D Clary  1:11:52

Okay, perfect. All right, let’s do a couple rapid fire just to pull out some last insights from you, obviously a very successful career, you’ve worked your way up, and now you’re building products at one of the largest organizations in the world. So I want to pull some last thoughts for people that are listening that sort of want to get some inspiration from your career. So in your professional life, what keeps you up at night now? And it could be related to your personal professional life, like where you are in your career, or it could be in the grand scheme of security and threats.


Andrew Nichols  1:12:21

Yeah, so the joke answer is it’s Korea. They’re on a different timezone. So anytime that I have to meet with Korea, they’re the thing that’s keeping me up at night. The little bit more serious of an answer is, it’s fine. You know, as the industry has been patching security vulnerabilities, and has been learning from academia, the thing that’s really starting to scare me is that the attacks are getting much more sophisticated and are happening at the chip level, it’s finding vulnerabilities within firmware that’s not even part of the Android operating system anymore. So making sure that customers select a mobile device manufacturer that is selecting good components is such an essential part of that security model. That’s the thing that really scares me: I’m not seeing email worms anymore. Now I’m seeing applications that are vacuuming and harvesting data en masse, I’m seeing Bluetooth attacks that can rewrite the firmware on the Bluetooth chip that the Android operating system doesn’t even have exposure to. And then all of a sudden, that gives a foothold for the next sort of attack. It’s those sorts of things that are keeping me up at night. And I think that the last thing that’s keeping me up at night are protocol attacks. These are things that even if we’ve open sourced the code, even if plenty of people have reviewed it. Heartbleed was one of those major things that was really scaring the industry. Because we trusted SSL for a long time, we trusted the ability to do secure connections over the internet with it. And if it turns out that the protocol can be attacked, well, then we have to do a new protocol. And we have to move everything over in software. And that takes a long time when not every organization is keeping up to date on those updates. So it’s also important to make sure that when you do get the prompt to update your device, you shouldn’t be doing that as quickly as possible. By doing so you make it much harder for the bad guys to get money.
If it’s hard for them to get paid, they’re going to want to go try to find different work. They’re going to go after different targets. Don’t be the lowest hanging fruit.


Scott D Clary  1:14:50

What’s the biggest challenge you’ve had to overcome in your career?


Andrew Nichols  1:14:54

Um, I think the biggest challenge I’ve had to overcome has been fanboyism. I know that’s probably not, you know, it’s people that have an attachment towards a particular device or a brand and aren’t able to justify that logically. You know, I like to tell stories because stories appeal to the emotional aspect. But I’m also an engineer. So I like to talk about the logical aspect of it as well. Being too entrenched in a particular brand or product, and not being able to justify it, has been one of the hardest challenges for me to overcome, because it’s still not something that I know how to tackle and change. You know, in the industry, we know that certain competitors of ours have messaging clients that are specific to them. And the, you know, younger generations, teenagers, are utilizing these devices, and they get bullied unless they don’t use that device. So if they’re not on that messaging client, they’re being excluded. So that’s definitely a real sort of fear of mine, is that people are going to be so entrenched into just one brand that they’re not willing to consider another. And they also don’t, you know, they rest on those laurels. They don’t really try to say, well, is this really secure for me? I can’t utilize a personal side and a work side on this particular device. But it’s the thing that they’ve grown up using. You know, I utilize Linux, Windows, Apple, etc. I try to use everything that I can, because I care about the state of the industry, I care about the technology itself. And so I want to keep on learning what’s new and what’s good. I don’t, you know, even though I work for Samsung, I don’t want to just stick within one shop, it’s really important to be able to explore out. And so that’s the hardest thing I’ve had to deal with, is convincing people who don’t want to be convinced.


Scott D Clary  1:17:06

I mean, that’s a very valid point. But I think that’s something that actually education can solve for, and hopefully, especially at a corporate level. I mean, if an individual is compromised in terms of their device, it’s very unfortunate, but it would not have the same impact that it could have when a large organization is. So I think that education across individuals and organizations is important. But that’s always where it starts, like even just having a conversation today, I learned stuff. And I consider myself relatively technical. But I mean, I learned stuff that I never knew before, either. So it’s just about having more conversations, I think, and being able to, you know, find those conversations, get in front of the right people. But I think that’s a very, very good point. If you had to pick a person, and I usually ask about a mentor of yourself, and you can mention somebody who’s been impactful in your career. Or you can also mention somebody that in security and mobile security is sort of on the forefront of thought leadership. You can go either direction, but I think it’d be a shame for you to pick some person that’s been impactful in your life.


Andrew Nichols  1:18:11

Everything that I’ve learned has always been from someone else, whether it was through college, my career at Boeing and Samsung, everything that I’ve learned has been through a larger sort of body of knowledge. And I’ve had people who have been kind enough to take their time to really educate me on some of these complex topics. When I asked them, you know, what is a man-in-the-middle attack? Well, why does encryption protect against this? Well, how do you protect against that sort of thing? I had people that have taught me, so I don’t know if I can name one individual. But really, be kind to other people. You know, if you know something, and you’re willing to be an educator, someone’s new within your organization and is just trying to learn what is technology. I was that person, I came from an arts background, and I had to learn all about computers, et cetera. You know, even though my dad worked for a tech company, I didn’t know all this stuff. I wasn’t a programmer, etc. You know, I still even struggle with programming. It’s tough for me, even though I love to do it. I’m not great at it. I always have to rely on a body of knowledge. So I wouldn’t name an individual person, but it may be you, it may be the person listening to this, like, think about, can you help educate someone? Can you help inspire them to be that person that is the educator, that person that is speaking about these topics? Because what really drives me is passion, it’s passionate people. And so being able to meet someone and talk with someone that is passionate about it, and teaches me something that, if I haven’t been able to do this alone, I’m not self taught. I just absorb a lot of knowledge and I’m able to regurgitate it.


Scott D Clary  1:20:09

I love it. Dude, that’s a really good lesson. That’s a very, very good lesson. If you had to pick a book or a podcast, obviously not this one, another podcast or some book that you would recommend people go check out, what would it be?


Andrew Nichols  1:20:25

Um, gosh, so I’m an avid reader, but I read the Internet a lot. The last book that I read was The Jungle by Upton Sinclair. Just read that over the summer. Gosh, way to put me on the spot with something. I don’t even listen to podcasts either.


Scott D Clary  1:20:49

No, no, it’s fine. I’m okay. So let’s think so. I mean, no, I mean, The Jungle is fine. I guess let’s pivot and ask the question differently. If somebody wants to learn more about security, and somebody has a liberal arts degree, somebody is trying to start their career off, what are the forums? I don’t give a shit if it’s Stack Overflow, or I don’t care. Where do you send people to learn more, that’s the most useful information?


Andrew Nichols  1:21:14

So XDA Developers is a really great source for that. I really love Reddit. That is probably the only social media that I use, but, um, r/netsec, network security, shortened down to netsec. That subreddit is really great. People post white papers, people post blog posts from Zimperium, Esper. Esper is really great. Their blog talks about it. You know, this industry is constantly changing. So someone that was doing really great before might suddenly vanish. And so there’s a little bit more archived and historical, but the only thing that I can tell people is read, read, read, read as much as you can. Because getting more of the stories, understanding this architecture, because it’s complex, understanding an entire operating system and all the threats that go along with it. But being able to read that body of knowledge, seeing what other researchers have found online has good resources, like I said, from Reddit, from netsec, from XDA Developers, from Zimperium’s blog. Those are really great places to get started with learning about the mobile ecosystem and what threats occur on them.

