Cybersecurity expert Jon Turdiev shares his journey from IoT to cloud security and offers insights on the future of cybersecurity, including the impact of quantum computing and AI.
Interviewer: Thanks so much for sitting down with me today. You’ve had such an interesting career, starting in IoT and now working in areas like cloud and cybersecurity for startups. How did you get started with IoT, and what pulled you toward its security challenges?
Jon Turdiev: Hello! Thank you for having me! I became interested in IoT during my early career working on embedded computing solutions across various industries, including healthcare, retail, and industrial automation. I led several projects that involved developing IoT products integrated with diverse systems. Many of these solutions had stringent security, data privacy, and compliance requirements. One notable project focused on innovative patient care solutions, integrating various peripherals, including wearable devices for real-time health monitoring. Enabling secure integration and data access across multiple systems was critical, as was ensuring compliance with standards such as HIPAA and GDPR.
These experiences allowed me to observe and identify the unique security challenges that IoT ecosystems face compared to traditional computing environments. Designing secure end-to-end IoT solutions, including remote management capabilities from a central console, motivated me to expand my expertise into related fields such as cloud computing, AI/ML, and cybersecurity.
This journey has led me to my current role at AWS, where I help startup companies in building secure, high-performance, scalable, and resilient solutions in the cloud. My diverse background in IoT and other technologies enables me to provide comprehensive guidance to these innovative businesses.
Interviewer: What were some of the biggest issues you faced when creating these solutions, and how did you approach fixing them?
Jon Turdiev: Securing IoT systems poses unique challenges. Unlike servers deployed in data centers, IoT devices often are deployed in public places that expose them to physical tampering. Also, low-power devices are unable to run traditional security software and connect using existing network protocols. Another issue is the sheer variety of devices—there is no one-size-fits-all solution. I worked closely with engineers to build security into the device from the very beginning, starting from hardware, firmware, application and network connectivity layers. The challenge was about finding the right balance among security, cost, and other competing factors.
Interviewer: You mentioned you also developed patient care devices. That must’ve brought a whole new set of concerns. What was different about securing those devices?
Jon Turdiev: You're right, developing patient care devices brought its own unique set of security challenges and concerns. It involved handling sensitive data like medical records and real-time health data from wearables, requiring stringent privacy and data integrity measures. Compliance with regulations like HIPAA was mandatory, necessitating robust authentication, system hardening, vulnerability management, and audit controls. High availability and resilience were critical, as system failures could be potentially life-threatening. We had to build in redundancies, failover mechanisms, and ensure overall reliability. Additionally, we needed to account for the diverse user base - doctors, nurses, patients - across various care settings like hospitals and homes, enforcing least-privilege access and making security intuitive for all user types.
Interviewer: That’s a lot of pressure! After that, you moved into broader areas of cybersecurity, including cloud security. Did your experiences with IoT help when you started working on securing cloud environments?
Jon Turdiev: My prior IoT security experiences were invaluable when transitioning to cloud security. Handling sensitive data and compliance in IoT gave me a strong foundation in data protection fundamentals like encryption and access controls. The emphasis on high availability and resilience directly mapped to cloud principles of fault tolerance and failover design. The shared responsibility model between providers and customers was familiar ground. Crucially, the security-by-design mindset of making security foundational rather than an afterthought translated seamlessly to securing cloud environments. While cloud opened new frontiers, my IoT background provided a solid base to effectively level up my cloud security expertise.
Interviewer: And now you’re working with startups, helping them secure their IT infrastructure. Startups move fast and often focus on growth over security. What’s your approach to advising them?
Jon Turdiev: You're absolutely right, startups often prioritize rapid growth and innovation over security, which can introduce significant risks. I emphasize that security needs to be a core priority from day one, not an afterthought, in order to reduce the risk of data loss, regulatory fines, reputation damage, disrupted operations etc. I advocate for a "secure by design" methodology - baking in security requirements across the entire development lifecycle. This includes threat modeling, secure coding practices, automated security testing, deployment, and operation.
However, I'm pragmatic in understanding startups' resource constraints. So I guide them on implementing security controls incrementally based on risk exposure and maturity stage. We identify their "crown jewel" assets to prioritize protection.
Additionally, I make security enablement a priority by conducting workshops, creating reusable content, and sharing AWS's wide range of security services and automation tools. This empowers startups to build security capabilities efficiently.
Interviewer: Looking ahead, you must be thinking about where cybersecurity is going next. Technologies like quantum computing and AI are becoming big topics. How do you see those changing the cybersecurity landscape?
Jon Turdiev: It’s really interesting! Quantum computing, for instance, could completely change how we think about security. Right now, a lot of our encryption algorithms are based on solving difficult mathematical problems that would take an infeasible amount of time to solve with conventional computers, even with supercomputers. Quantum computers could solve such problems much faster, thus breaking many asymmetric cryptographic algorithms that we use for data encryption today, so we’ll need new ways to protect data.
AI is already making an impact, too. On the positive side, it can greatly increase our productivity. But on the flip side, AI poses new types of security risks and vulnerabilities that require novel mitigation options.
For example, generative AI introduces risks like AI-generated phishing/malicious code at scale, but also opportunities for enhanced threat detection and proactive defense using AI.
AI raises concerns around intellectual property theft by recreating copyrighted content, as well as issues like model bias and hallucinations requiring governance.
Overall, quantum computers and AI will necessitate a paradigm shift in cybersecurity - new encryption, authentication, threat detection techniques, and potentially rethinking cybersecurity fundamentals.
Interviewer: That’s a bit unsettling, but also exciting! How do you think companies can start preparing for these shifts, especially when it comes to quantum computing?
Jon Turdiev: They need to stay updated on the timelines for practical quantum computing, which will drive their migration roadmaps. Encouragingly, work is already underway on quantum-resistant crypto algorithms. Recently, the National Institute of Standards and Technology (NIST) released the first 3 finalized post-quantum encryption standards. Companies should start exploring and testing these for future migration, which will be a massive multi-year effort.
Allocating budgets, resources and upskilling teams on post-quantum crypto will be critical.
The key is beginning quantum-preparedness now through assessments, new tech explorations, skill development and careful roadmap planning. Companies that take a proactive stance will be better positioned when quantum computing realities hit.
Interviewer: AI is already here and growing fast. Do you think it will be more helpful or more harmful in the world of cybersecurity?
Jon Turdiev: When it comes to AI's impact on cybersecurity, I believe it will introduce new threats like AI-powered phishing, deep fakes, and malicious code generation, but also enable far more powerful defensive capabilities through intelligent threat detection, automated patch development, and predictive risk analytics. We may see an "AI vs AI" paradigm emerge pitting defensive AI against offensive AI utilized by attackers. Ultimately, I think the cybersecurity upsides of AI will outweigh the risks if we get ahead through AI governance frameworks, robustness testing for defensive AI systems, and implementing controls around AI model development and usage. Getting these measures right will allow us to fully harness AI's immense potential for cybersecurity while mitigating the risks.
Interviewer: It sounds like we’re heading into an interesting future. What’s exciting you the most about the changes happening in cybersecurity?
Jon Turdiev: I'm really excited about the potential for AI-powered security automation and autonomous response capabilities to rapidly neutralize complex cyber threats. And, of course, quantum computing will bring a lot of change—so it’s an exciting time to be in this field. From a career perspective, these tectonic technology shifts will create new research opportunities.
Interviewer: For someone just starting in cybersecurity, especially with all these changes coming, what advice would you give?
Jon Turdiev: I’d say, cultivate a lifelong learning mindset, as cybersecurity is extremely dynamic. Build a strong foundation across fundamentals like networking, programming, and security principles, but also gain exposure to emerging technologies like AI and quantum computing.
Prioritize hands-on experience through internships, projects, and certifications to build a practical skills portfolio. Explore specialization paths aligned with your interests, but remain flexible.
Develop strong problem-solving, critical thinking, and communication abilities - conveying complex concepts is crucial.
Get involved in the cybersecurity community through meetups, conferences, and networking to foster collaboration.
Interviewer: Great advice. Thanks again for sharing your journey and insights with us. It’s been a pleasure, and I’m sure our readers will appreciate hearing from someone with such broad experience in the field.
Name: Jon Turdiev
Job: Senior Solutions Architect at AWS