From Signals to Strategy: Rethinking Enterprise Defense Amid Behavioral Risks and Infrastructure Exposure

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

In this interview, TechNadu spoke with the Field CISO of Mitiga, Brian Contos, about the evolving threat landscape, from insider risks to critical infrastructure vulnerabilities.

In today’s hyper-connected digital world, security leaders across disciplines, whether CISOs, DevSecOps teams, cloud architects, or risk managers, are confronting threats that are expanding faster than traditional tools and processes can keep up.

This conversation addresses the core challenges shaping modern cybersecurity: from multi-cloud complexity to Mergers and Acquisitions (M&A) blind spots, IoT vulnerabilities, and the convergence of digital and physical infrastructure.

We examine the subtle behavioral signals behind insider attacks and the limits of legacy detection tools in decentralized cloud environments. The interview also explores how emerging strategies like cloud-native detection, behavioral analytics, and unified visibility are helping security teams respond faster and more effectively.

For anyone responsible for safeguarding sensitive systems and data in dynamic, high-scale environments, this conversation offers a grounded look at where conventional defenses fall short and how to build security programs resilient enough to meet today’s evolving attack surface.

Vishwa: You’ve had a remarkable trajectory leading to your current role at Mitiga, spanning 30 years in the security domain, including your service with the Defense Information Systems Agency (DISA). Could you walk us through the pivotal phases of that journey—what originally sparked your interest in cybersecurity following your B.S.B.A. in Management Information Systems, and what critical lessons and challenges have shaped your philosophy over the decades?

Brian: Prior to college, I was very interested in security and hacking. I would modify police scanner radios to listen to my sisters talk on cordless telephones, try to crack copyright protections on video games, and spend countless hours learning how everything worked, from telephone networks to operating systems.

By the time I went to college, I was taking every opportunity to learn more about security through classes, research, clubs, and building test labs. When I was recruited to work at DISA while still in college, my offensive and defensive cyber skill sets were greatly amplified, and I was afforded the opportunity to get my hands on very specialized tools and work alongside extremely brilliant people.

However, it wasn’t until after DISA when I joined Bell Labs and moved to Brazil to help build out security infrastructure for large telcos that I knew security was my path. And upon returning to the United States to help build Riptech (later acquired by Symantec), my first of what turned out to be many security startups, I realized that building innovative security companies that help organizations solve important and challenging issues would be my career.

Vishwa: With insider threats becoming more frequent and sophisticated, your work, particularly your book "Enemy at the Water Cooler," offers unique insights. From your perspective, what behavioural cues or digital footprints are often the earliest signs of a brewing insider threat? Additionally, what psychological or organizational patterns tend to precede an employee’s shift toward malicious activity?

Brian: Insider threats can be challenging to detect and remediate because organizations have historically lacked the detailed information and analytical capabilities necessary to determine if something is benign, suspicious, or malicious.

SIEM solutions helped address this to a certain extent for on-prem controls, but with the adoption of cloud solutions that include multiple cloud infrastructure providers, identity solutions, productivity suites, and SaaS applications, finding insider threats became all but untenable.

With the introduction of distributed data lakes and cloud detection and response capabilities, there are now early warnings to most insider threats that include, but aren’t limited to, volumetric analysis, temporal analysis, anomaly detection, pattern discovery, and AI capabilities trained on how forensic investigators and incident responders research and remediate insiders.

Vishwa: Critical infrastructure faced over 400 million cyberattacks in just a year. From your vantage point, what kinds of tactics worry you most right now and how should organizations rethink their defences as digital and physical security continue to converge?

Brian: The nightmare scenario continues to be the destruction of the underlying infrastructure that everything else depends on. If the electric grid is gone, for example, you don’t just lose power. 

Your supply chain breaks down – grocery stores run out of food, ATMs run out of money, people can’t get medicine, etc. Transportation, sanitation, and communication, including Internet, TV, and radio, are greatly impacted. In just a matter of days, there is mass hysteria and a sharp increase in looting and violent crimes.

Emergency services such as police, fire, and medical professionals will be overwhelmed, and the military will have to be brought in to try to create some semblance of order. This would all happen in days to weeks – not months. And if it continues for months, the world could enter into a dystopian, post-apocalyptic hellscape.

Vishwa: Mergers and acquisitions often expose technical and cultural gaps in security. From your experience, what are the most common blind spots post-acquisition, and what should CISOs focus on to ensure a unified, resilient security posture from day one?

Brian: M&A issues usually boil down to visibility, and understanding where your critical assets are, what they do, who has access to them, etc. This is important for solutions that are on-prem and in the cloud.

Once you understand the state of your assets, you can begin to understand the state of the controls protecting those assets across prevention, detection, and response. A resilient security posture is one that doesn’t rely on prevention alone, as it doesn’t scale, and must be augmented with detection and response. 

CISOs need to ensure they have visibility into their sensitive data, critical applications, assets, and identities. They must employ preventative controls in tandem with incident detection and response to maintain resilience.

Vishwa: The threat surface has expanded rapidly with the rise of IoT, OT, IoMT, and IIoT environments, each with distinct vulnerabilities and regulatory constraints. What do you see as the subtle but critical differences in how threat actors exploit these ecosystems? And how can organizations establish proactive security baselines that are specific to the nature of each environment while maintaining a unified risk management framework?

Brian: IoT and IoT-adjacent technologies are simply purpose-built computers with specialized capabilities like being a printer, security camera, door lock, or HVAC system. Unfortunately, they aren’t treated or secured like most computers. While they run common operating systems like Linux with the same if not greater network, storage, and processing capabilities as your laptop, they suffer from several issues. 

They are rarely updated and operate with critical vulnerabilities. They often operate with default passwords or passwords that are never changed. And many organizations aren’t even sure who is responsible for maintaining them and keeping them secure: IT, security, facilities, 3rd party vendors, etc.

Vishwa: Mitiga says its AI-powered Cloud Detection and Response system is built for the realities of modern cloud threats. What does that mean in plain terms? Could you share how it works behind the scenes and maybe an example of how it catches threats that traditional tools might miss?

Brian: Using a distributed data lake with API connectivity and no agents, Mitiga collects log, telemetry, and alert information across multi-cloud, identity, productivity suites, SaaS applications, and security controls. 

This distributed aggregation allows near-real-time AI analysis for suspicious and malicious activity that simply can’t be gleaned by looking at any one source. For example, an attacker may compromise secrets from a SaaS application.

They then use those credentials to gain access through an identity solution, which further allows them to access other SaaS applications and cloud infrastructure, ranging from email and CRM solutions to development tools and HR systems. 

This access can allow for the theft of sensitive data, installation of malware, ransomware attacks, etc. Mitiga quickly detects and responds to these attacks, thus mitigating them efficiently and effectively.
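To make the "no single source sees it" point concrete, here is an added example (not Mitiga's code and not from the interview) that correlates constructed events from three separate sources: a SaaS secret store, an identity provider, and SaaS application audit logs. It assumes a per-identity baseline of known source IPs and normally used applications, and fires only when the secret-read, unseen-IP login and unusual-app-access chain described above occurs within a time window; each event on its own looks routine.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three separate sources (SaaS secret store,
# identity provider, SaaS application audit logs). Not real telemetry.
EVENTS = [
    {"ts": "2024-05-01T09:02:00", "source": "saas_vault", "actor": "svc-ci", "action": "secret_read", "target": "deploy-token"},
    {"ts": "2024-05-01T09:05:00", "source": "idp", "actor": "svc-ci", "action": "login", "target": "198.51.100.7"},
    {"ts": "2024-05-01T09:09:00", "source": "saas_app", "actor": "svc-ci", "action": "app_access", "target": "crm"},
    {"ts": "2024-05-01T09:11:00", "source": "saas_app", "actor": "svc-ci", "action": "app_access", "target": "hr-system"},
    {"ts": "2024-05-01T10:00:00", "source": "saas_vault", "actor": "alice", "action": "secret_read", "target": "db-password"},
    {"ts": "2024-05-01T10:30:00", "source": "idp", "actor": "alice", "action": "login", "target": "10.0.0.12"},
    {"ts": "2024-05-01T10:35:00", "source": "saas_app", "actor": "alice", "action": "app_access", "target": "crm"},
]

# Assumed, constructed per-identity baseline: source IPs seen before and the
# applications each identity normally uses.
BASELINE_IPS = {"svc-ci": {"10.0.0.5"}, "alice": {"10.0.0.12"}}
BASELINE_APPS = {"svc-ci": {"ci-runner"}, "alice": {"crm"}}

def _t(e):
    return datetime.fromisoformat(e["ts"])

def correlate(events, window=timedelta(minutes=30)):
    """One alert per identity whose events form the chain secret read ->
    login from an unseen IP -> access to an unusual app, within `window`."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=_t):
        by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        for r in (e for e in evs if e["action"] == "secret_read"):
            logins = [e for e in evs if e["action"] == "login"
                      and _t(r) <= _t(e) <= _t(r) + window
                      and e["target"] not in BASELINE_IPS.get(actor, set())]
            for l in logins:
                apps = sorted({e["target"] for e in evs if e["action"] == "app_access"
                               and _t(l) <= _t(e) <= _t(l) + window
                               and e["target"] not in BASELINE_APPS.get(actor, set())})
                if apps:
                    alerts.append({"actor": actor, "secret": r["target"],
                                   "login_ip": l["target"], "apps": apps})
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT {a['actor']}: read {a['secret']}, logged in from "
              f"{a['login_ip']}, then accessed {', '.join(a['apps'])}")
```

Removing any one source from the input (for example all identity-provider events) breaks the chain and the same data produces no alert, which is the visibility gap a single-source tool would have.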

