CIO Influence Interview with Richard Bird, Chief Security Officer of Traceable

Richard Bird, Chief Security Officer of Traceable, uses this quick chat to highlight the current state of API security and the biggest threats to organizations, the key challenges in implementing a zero-trust framework, data privacy concerns, and more.

Hi Richard, tell us about yourself and more about your role at Traceable.

I currently serve as the chief security officer at Traceable AI, where I live out my passion for protecting consumer rights and online privacy in our increasingly digital age. My day-to-day tasks include managing security risks, implementing safeguards, overseeing secure AI implementation, and incident response planning. Before Traceable, I served in several corporate leadership and startup roles at Ping Identity, Optiv, JPMorgan, and Accenture.

When I’m not in the technical weeds, I enjoy sharing insights with the media into how other organizations can secure digital infrastructure and improve cybersecurity practices. Over the years, I’ve also enjoyed delivering talks on AI security, cybersecurity leadership, digital transformation, and more.

Outside of my professional life, I love spending time with my family, and I am a big advocate for balance. I also have an affinity for bow ties, tattoos, and music festivals. Lastly, I enjoy writing and just published my first book, “Famous With 12 People: A Career Guide On How To Be An Internationally Recognized Expert In Something Nobody Cares About.”

How would you describe the current state of API security, and what are the biggest threats organizations face today?

They say that the definition of insanity is ‘doing the same thing over and over again and expecting different results.’ I don’t necessarily want to put any labels on organizations’ approach to API security, but when the shoe fits…

Right now, the biggest threat to API security is the industry’s denial that there is a problem. Despite breaches running rampant, organizations keep deploying the same legacy solutions—web application firewalls (WAFs), API gateways, and lifecycle tools—despite only a small percentage reporting real success. This cognitive dissonance keeps chipping away at companies’ security posture, leaving open gaps for adversaries to take advantage of.

To change the narrative, organizations must confront the truth that their current strategies aren’t working against bot attacks, API fraud, new vulnerabilities from AI applications, and other top threats against today’s APIs. Without a shift in security strategy, we’ll continue to see breaches climb.

You’re known for your expertise in Zero Trust. What are the key challenges businesses encounter when implementing a zero-trust framework, and how do APIs fit into this model?

The biggest challenge today when it comes to implementing Zero Trust is that organizations need to pay attention to APIs. Unfortunately, APIs have rapidly become the DevOps workaround for Zero Trust. Most violations of basic Zero Trust requirements, such as “all communications are secured,” are rampant in the application layer. Why? As I discussed before, APIs are rarely included in anyone’s security program, let alone in their Zero Trust strategy.

Organizations must consider APIs in their Zero Trust strategy and take the following steps:

  1. Catalog the network. You can’t secure what you don’t know you have. Survey the users, accounts, servers, network switches, and sensitive data you have. At the end of the process, you should understand what data flows through where to which applications and their components in your network and a nice picture of your application landscape.
  2. Improve application authentication. While this might seem like a no-brainer security measure, many organizations dread it because of how painful it can be. However, by improving authentication protocols in your applications, you can ultimately gain more assurance that the people or machines accessing your network are who they say they are.
  3. Limit authorization. You might have thought you were done taking inventory once you cataloged your network, but think again. To truly limit authorization, you have to understand the primary and secondary job responsibilities of each application user. This requires making some hard judgment calls about what access is essential. Your response shouldn’t eliminate user capabilities but limit them to only what they need to do to perform day-to-day tasks.
  4. Stay vigilant. Intelligent security monitoring will enable security teams to build context about how users use applications, ensure employees have all the access they need to do their jobs and minimize workflow interruptions. Visibility into who accesses applications from where and when will establish a normal flow for users and enable security operations to take action right away when something seems amiss.
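One way to make the four steps above concrete, as an added example that is not part of the interview and not Traceable's product code: a small Python policy gate that evaluates each API call against a catalog of known endpoints (step 1), an authentication lookup (step 2), per-role least-privilege scopes (step 3), and a per-principal baseline of where calls come from that raises an alert on deviation (step 4). The catalog, tokens, roles and request sequence are all constructed for the example.

```python
"""Minimal Zero Trust gate for API calls (added example; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Step 1: catalog. Constructed inventory of endpoints, the service behind each one,
# and the sensitivity of the data it touches. Anything not listed here is unknown
# to the security program and is refused rather than trusted by default.
API_CATALOG = {
    ("GET", "/v1/accounts/{id}"): {"service": "ledger", "data": "PII"},
    ("POST", "/v1/payments"): {"service": "payments", "data": "FINANCIAL"},
    ("GET", "/v1/health"): {"service": "gateway", "data": "NONE"},
}

# Step 2: authentication. Constructed token store standing in for an identity provider.
TOKENS = {
    "tok-alice": {"principal": "alice", "role": "support"},
    "tok-batch": {"principal": "batch-job", "role": "service"},
}

# Step 3: least privilege. Each role is granted only the endpoints its day-to-day
# tasks require; everything else is out of scope even with a valid token.
ROLE_SCOPES = {
    "support": {("GET", "/v1/accounts/{id}"), ("GET", "/v1/health")},
    "service": {("POST", "/v1/payments"), ("GET", "/v1/health")},
}


@dataclass
class Request:
    method: str
    route: str
    token: Optional[str]
    source: str  # constructed label for the client network the call came from


@dataclass
class Monitor:
    """Step 4: learn where each principal normally calls from and flag new sources."""
    seen: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def observe(self, principal: str, source: str, route: str) -> None:
        if self.seen[principal] and source not in self.seen[principal]:
            self.alerts.append(
                f"{principal} reached {route} from unfamiliar source {source}"
            )
        self.seen[principal].add(source)


def evaluate(req: Request, monitor: Monitor) -> str:
    """Return 'allow' or a 'deny:<reason>' string for one API call."""
    key = (req.method, req.route)
    if key not in API_CATALOG:
        return "deny:unknown_endpoint"  # shadow or undocumented API
    ident = TOKENS.get(req.token)
    if ident is None:
        return "deny:unauthenticated"
    if key not in ROLE_SCOPES.get(ident["role"], set()):
        return "deny:out_of_scope"
    monitor.observe(ident["principal"], req.source, req.route)
    return "allow"


def run_demo():
    """Evaluate a constructed sequence of calls; returns (decisions, alerts)."""
    monitor = Monitor()
    calls = [
        Request("GET", "/v1/accounts/{id}", "tok-alice", "corp-net"),
        Request("POST", "/v1/payments", "tok-alice", "corp-net"),     # support lacks payments scope
        Request("GET", "/v1/accounts/{id}", None, "corp-net"),        # no credential at all
        Request("GET", "/v1/admin/dump", "tok-batch", "corp-net"),    # endpoint missing from catalog
        Request("GET", "/v1/accounts/{id}", "tok-alice", "unknown-vpn"),  # allowed, but new source
    ]
    decisions = [evaluate(c, monitor) for c in calls]
    return decisions, monitor.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of the ordering is that an uncataloged endpoint is refused before credentials are even examined, a valid identity still gets nothing outside its role's scope, and the last call is allowed yet produces an alert, which is the "stay vigilant" step: authorization decided the call was legitimate, monitoring noticed it did not look like the principal's normal pattern.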

Traceable is at the forefront of API security. Can you elaborate on how your role as CSO shapes the company’s security strategy and supports innovation in protecting APIs?

As the chief security officer, my most important role is to foster a culture of security awareness across all levels of the organization and provide training and resources to educate employees on best cybersecurity practices.

To do this, I’m responsible for learning the top cybersecurity threats and ensuring that our organization is 1) in the best posture to prevent them and 2) tailoring our solution to help our customers do the same. After all, if I’m not on top of them, how can I expect my team or our organization to continue to lead the way for innovation in the API space?

What specific data privacy concerns should organizations keep in mind when developing and deploying APIs?

Traceable recently released our annual Global State of API Security report, which detailed some of the most pressing API security concerns organizations are facing today. One of the biggest takeaways from the report is that generative AI (GenAI) applications, where users intentionally share sensitive information under the assumption that it will remain secure (spoiler alert: it won’t), create some of the greatest risks. More than half (60%) state that the additional API integrations required for these applications expand the attack surface and are concerned about sensitive data exposure and unauthorized access.

Technology evolutions are always several years ahead of security, so organizations must have a solid data privacy strategy to protect data shared in GenAI applications, especially as GenAI evolves. Without it, organizations share a plethora of sensitive information without any safety nets.

What advice would you give C-suite leaders when it comes to building a proactive, resilient cybersecurity strategy centered around API security?

Stop ignoring the increase in API breaches and wake up. Take a good, hard look at your entire security stack and find the holes in your current API strategy. If you don’t have the technology to verify user authenticity, understand API and data context, ensure secure deployment, implement rate limiting, and/or grant least privilege, or have APIs considered in your Zero Trust policy, you have some work to do.

Richard William Bird is known worldwide for his tattoos, bow ties, and expert insights on API security, zero trust, data privacy, and digital identity. He is also the author of “Famous With 12 People – A Career Guide On How To Be An Internationally Recognized Expert In Something Nobody Cares About”.

Richard is a seasoned presenter and keynote speaker. He currently serves as the Chief Security Officer for Traceable.ai, a leading company in API security. His influence extends beyond the corporate world, as he is a Senior Fellow with the CyberTheory Zero Trust Institute and an Executive Member of CyberEdBoard. His expertise is widely recognized, with frequent interviews and quotes in global media outlets such as the Wall Street Journal, CNBC, Bloomberg, The Financial Times, Business Insider, CNN, NBC Nightly News, and TechRepublic.

Traceable is the industry’s leading API Security company that helps organizations achieve API visibility and attack protection in a cloud-first, API-driven world. Traceable is the only intelligent and context-aware solution that powers complete API security – API discovery and posture management, API security testing, attack detection and protection, anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring their customers. To learn more about how API security can help your business, book a demo with a security expert.
