When assessing the current state of cybersecurity, Panasonic Corporation of North America’s Vice President and Chief Information Security Officer Alexander Bermudez turns to a surprising metaphor.
“It’s like a large amusement park,” Bermudez says. “We’re chartered with protecting all entryways and the assets that allow a park to operate and make money, but at the end of the day, we have to assume the park has been compromised and that threats exist inside and outside the park, from a disgruntled employee and rule breaker who opens up the back door to allow family and friends because he/she feels entitled, to a new supplier that’s hell-bent on making a political statement against a corporate conglomerate by installing bad software onto the automated turnstiles.
“As CISO,” he continues, “I have to worry about every known potential gate, opening, supplier, employee, and asset. The bad guy has to find just one weakness to exploit and make his or her way in.
“You have to constantly adapt to an ever-evolving world of cyber threats and global regulations to add value and enable the business,” Bermudez continues. “Understanding and aligning a cybersecurity and risk management program requires the team to view security through a business lens to ensure our initiatives are focused in areas that will have the greatest impact in the most efficient way possible.”
It’s a sobering way to view an amusement park, or, in Bermudez’s case, the world as a whole. It’s no longer about trusting then verifying—the paradigm now requires technology experts to distrust everything and verify all. As a leading manufacturing and technology partner to businesses and governments, Panasonic’s integrated solutions cover a wide range of industries, from automotive to avionics, energy, utilities, food services, hospitality, retail, government and public safety, logistics, manufacturing, and sports entertainment.
It’s a tall order, and it’s up to Bermudez and his regional team of cybersecurity experts to protect the enterprise and its operations from cybersecurity threats while ensuring they remain compliant with global security regulations. The paradox is that, while their mission is unchanging, the threats they face never stop changing.
“We’ve had to evolve in terms of how we’re securing the enterprise,” Bermudez explains. “Years ago, we were really focused on securing the crunchy, tangible exterior. But now, the boundaries of computing are nonexistent. People are everywhere. Data is everywhere. It’s not just about preventing the wrong people from entering the organization and walking away with our sensitive data and/or intellectual property. It’s about securing something that’s ephemeral.” That ephemerality became even more complicated in 2020 when the COVID-19 pandemic forced so many people around the world to begin working from home, resulting in an increased reliance on VPNs, the cloud, and third-party proxy systems.
While much of Bermudez’s role at Panasonic deals with building out processes and solutions that can protect the organization in that kind of complex and challenging environment, the most crucial component comes not from the technology itself but the people who are analyzing, creating, and operating it.
“I look for smart people with an aptitude for learning and a passion for adding value,” Bermudez says. “And they don’t necessarily have to have security expertise, either. While some of my people have been in the tech space for a very long time and are deep technical thinkers, I also have folks who were music and art majors and can think outside of the box. They don’t mind looking at the screen for long hours trying to find that golden nugget that’s of concern to escalate to the person above them.”
The VP also collaborates with outside partners such as Attack Research to ensure his team’s success. As Tadeusz Raven, partner and CEO at Attack Research, explains, “Attack Research operates as an extension of Alex’s team. As consultants, we add value to his organization by augmenting his defensive capabilities and facilitating a rapid response to the ever-changing security landscape.”
At Panasonic, Bermudez’s team consists of security data scientists, business analysts, and hardcore engineers. Some of the team members are new hires, and some were inherited by Bermudez when he transferred to his current position from the company’s avionics division in October 2020. Together, they’re building out a US regional security operations center for Panasonic to serve the needs of the business units in the Americas.
During Bermudez’s five-year stint at Panasonic Avionics, he oversaw cybersecurity programs for the enterprise and the company’s product portfolio, including in-flight entertainment systems, payment systems, and the security infrastructure supporting satellite communications for commercial aircraft equipped with Panasonic products. Because such technology is passenger facing—especially on long-haul flights—it’s an area that often gets a significant amount of attention from airplane manufacturers, airline operators, and information-sharing associations whose members make up, as Bermudez describes it, “various pieces of the aviation ecosystem. People can be on a flight for twenty-one hours tinkering with your system and trying to find flaws in it.”
Today, at the division’s parent company, avionics remains a partial focus, but it’s only one of twenty-one different business units that Bermudez oversees across the entire company.
“I have more macro-level, regional responsibilities,” he says, noting that he’s still somewhat in awe of the scope of the work he gets to do. When he first entered the cybersecurity realm more than twenty years ago, it was just as a security administrator. “I never thought I’d get to the point where I’d run cybersecurity as CISO for a globally recognized brand like Panasonic.”
When asked what advice he would offer to his younger self, Bermudez explains that he would stress the importance of viewing oneself as being part of something bigger. Always look to add value and strive to look at the problem through a business lens first, as opposed to just looking out for number one.
“That’s an inexperienced mindset,” he says of the latter. “When you’re younger, it’s easy to think selfishly and be more concerned with getting credit for spinning up a new piece of security technology: ‘Look at me. I did this.’ But ultimately, you’re a consultant to business leaders, who have to make informed decisions about risk. You have to be a partner and provide timely and relevant decision support. You have to provide that risk analysis. And you have to learn to adapt your models of protection and align them to the strategic business imperatives.”
Today, as CISO, Bermudez recognizes that the same outlook applies to his leadership of the department. He constantly asks himself how he can enable the business to embark on new business models of digital transformation while balancing the need for security control, how he can optimize existing technical investments in what has been a difficult year, and how he can ensure that the various pillars of the cybersecurity program align with the business mission and risk appetite of the enterprise rather than any one person.
It’s the only way to keep the metaphorical amusement park and its business-critical assets protected.