Throughout 2019, this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students and those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energise your career journey in cybersecurity.
In this month’s feature, Brian Kelly, Chief Security Officer (CSO) of Rackspace, shares his story about:
I was fortunate to participate in a fellowship program in Washington, DC for one year. I jokingly say fellows are cheap labour in D.C. because government officials often know where you are. Fellows are typically tapped to write speeches and perform various research activities. I never knew what I may be approached to support; however, I was fortunate to have an opportunity to spend time with the United States (U.S.) Department of Defense to discuss information warfare. At that time, we were asking some very fundamental questions:
These are his insights.
How would you characterise the early days of cybersecurity?
Kelly starts with his time at Trident Data Systems: This was a smaller company that operated with a low profile because of their service within the intelligence communities. What I enjoyed most was their philosophy to take care of the customers first and the business will take care of itself. As part of the effort to support the foundation of the AFIWC, they also developed the first-ever intrusion detection system (IDS) called distributed intrusion detection system (DIDS). Similarly, they helped to develop technology widely considered as the predecessor to the security event incident management (SEIM) solution. DIDS was built for and used by the AFIWC for the government’s first cybersecurity operations center referred to in the early days as AFCERT (Air Force Computer Emergency Response Team). The opportunity was intriguing because I could take my theoretical cybersecurity knowledge and apply this in practice with AFIWC. We built tools and deployed processes to detect and respond to threats while training our cybersecurity analysts.
How had your cybersecurity journey progressed after your time in D.C. and at Trident?
Kelly pauses and explains: This was also around the time the financial services sector was working aggressively to respond to this new threat. They understood it was only a matter of time before the sector witnessed a serious cybersecurity attack. This news came in 1998 as Citigroup was one of the first to publicly acknowledge a cybersecurity attack had occurred. I was watching the financial services sector struggle to manage this rapidly emerging threat. I realised it was time to transition to the private sector, and the most logical place to focus my energy was with financial services on Wall Street. For two years, I supported and delivered solutions as part of Deloitte's Enterprise Risk Services group – specifically focused on cybersecurity.
Looking back on this time, there were only a handful of vendors providing cybersecurity services. This is incredible to think how much the industry has changed over the last twenty years.
How did you identify and evaluate the next step in your cybersecurity journey?
Kelly examines and highlights: Near the end of my tenure with Deloitte, I eagerly wanted to build my own cybersecurity threat intelligence company – an immature space in 2000. Cybersecurity professionals assumed the U.S. government had all the answers as to the activities of other nation states and threat actors. I found there to be a lack of actionable intelligence for private companies. With this, I assumed responsibility as the Chief Executive Officer (CEO) of iDefense – one of the first Cybersecurity Threat Intelligence companies in the country. Our goal was to deliver timely and actionable intelligence to the private sector so these companies could focus and invest their time on deterrence and resilience, while making effective use of their limited resources. As one of the first private threat intelligence companies, iDefense provided technical and non-technical research with fact-based data on cybersecurity threats such as, but not limited to, malware and bigger-picture human factors like nation-state threat actors.
Looking back at your time with iDefense, what would you recommend to someone considering starting their own cybersecurity firm?
Kelly reflects upon an early challenge he experienced as CEO: Public sector skepticism quickly arose within the industry that a company could provide cybersecurity threat intelligence services outside of the U.S. government. I would go to the White House and other government agencies to discuss iDefense’s research. Although hesitant initially, they soon came to realise that a private company, working within the law, sometimes had greater flexibility and access to produce needed intelligence. This played out with the work we did around Russian-organised crime.
This research in particular seemed to break down the government’s resistance to private sector intelligence. While we demonstrated our value and flexibility to support both the public and the private sectors, the industry struggled to understand how organisations could best leverage this intelligence information. Today, there are many threat intelligence solutions that can plug directly into an organisation's processes and serve as an integral part of their cybersecurity operations. We realised we were laying the groundwork for future generations of cybersecurity threat intelligence.
How do you envision the cybersecurity space evolving?
Kelly reverts to his days in D.C., at the AFIWC and with Trident. He reflects on some of the early technologies and the amount of innovation that eventually found its way to the commercial sector. One of the first commercial intrusion detection technologies was called NetRanger, developed by the WheelGroup and led by former AFIWC and Trident team members. We understood at this time that this technology was desperately needed in the private sector. Coincidentally, WheelGroup was purchased by Cisco where the NetRanger technology contributed directly to the family of intrusion detection solutions that continue to serve the marketplace. Many Trident team members also went to work with other early cybersecurity companies such as Symantec, which shifted from an early antivirus company to a more comprehensive provider of cybersecurity solutions. They were one of the early “managed service providers” offering Security Operations Center (SOC)-type services following their purchase of a company called Riptech. It is interesting to consider all the ties back to the AFIWC. Each year, the number of people that jumped into the industry was doubling and tripling because of increased investment. There was a need and thirst for new ideas, innovative approaches and transformative technologies in the early 2000s.
We recently completed another RSA Security Conference – the largest in our industry. It is amazing to me how much the event has grown, and the extent of the innovation and investment made in the cybersecurity industry. While this level of focus and innovation is exciting, there are unintended consequences. Most notable is the perpetuation of single point solutions, which contributes to unnecessary complexity. We need to break away from many of these point solutions and take a fresh look at new, less complicated architectures and solutions. Although I have a bias, I was pleased to see more focus on what I believe to be new and promising approaches:
What concerns you the most about cybersecurity?
Kelly quickly responds: The amount of technical debt carried by companies. We cannot replace technology overnight. This is more complicated than I originally thought; however, I am still bullish on the cloud industry. Many companies have discovered they no longer need to be in the IT business. It is too complicated, resource intensive and expensive. Cloud providers can deliver their IT products and services so that the company can focus on their core business. Companies can approach any cloud provider and gain access to infrastructure, compute and storage overnight with access to any enterprise application suite on a utility-use basis. This is evidenced by hundreds of new companies that have been ‘born-in-the-cloud’.
What excites you the most about cybersecurity?
Kelly emphasises three areas: The evolution of managed and hybrid services, the extent of innovation and many rewarding career opportunities.
Managed services. This is an area of opportunity for cloud service providers. This is different from typical managed services in that often the provider does not manage the customer’s workloads but rather only the monitoring. In this traditional model, when the provider detects abnormal behaviour, they generate an alert and often frustrate the customer because they may lack the resources or skills, or may not be equipped, to appropriately respond. What is unique about cloud managed services is that the provider can wholly monitor the environment and manage the workloads simultaneously. For example, if the provider identifies abnormal behaviour, they can act if instructed by their customers through a PAA (pre-approved actions) or similar agreement. How cloud service providers view managed services is different than the traditional managed services models. I do not believe these traditional models are in decline as there are numerous customers that operate large, complex IT workloads without the necessary cybersecurity expertise.
As more organisations migrate to the cloud, we will notice the security monitoring and response operations shift to the service provider. This will allow an organisation to take advantage of a full-spectrum of monitoring and response capabilities with utility-based pricing.
Innovation. The cybersecurity industry can be proud of the good work that has been done over the past two decades. Yet, we must recognise the times are changing and by perpetuating these past solutions, we further contribute to complexity – the enemy of cybersecurity. Somewhere, a similar spirit and opportunity for innovation that we witnessed in the early AFIWC days exists. I truly believe this opportunity now rests with the cloud industry. I am encouraged by the tremendous cooperation from cloud providers to tackle common problems while exploring new solutions. Senior cybersecurity professionals from all the major cloud providers meet quarterly to share and discuss challenges and opportunities of mutual interest.
Rewarding career opportunities. This is an exciting time for people coming up or looking to get into cybersecurity. You should pursue this path if this is of interest because of the potential for a very rewarding career with numerous opportunities well into the future. As we see today, every university is competing with their own version of a cybersecurity program. I could not be more excited for our next generation of cybersecurity professionals.
In conclusion, this month’s post was brought to you by Brian Kelly, Chief Security Officer (CSO) of Rackspace, where he:
Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues. Please leverage the comment box below to suggest future topics or guests, provide feedback or share with others.
Throughout 2019, this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students and those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energise your career journey in cybersecurity.
In this month’s feature, Shane Moffitt, the Assistant Chief Information Security Officer (CISO) for the Victorian Government, shares his story about:
As my career progressed, I learned a great deal about IT and cybersecurity but struggled getting organisations to make what I considered the right decision. While there were fewer cybersecurity professionals to network with and learn from early in my career, I had tremendous mentors I could lean on for expertise and guidance. I had the opportunity to work for a director in a prior job who was instrumental in my professional development. He taught me the more nuanced side of organisational politics, governance and influence. Many cybersecurity professionals devalue these disciplines. Without an understanding of the organisation, governance and what drives decision making we will struggle to get the right decisions made. “There is no value in being right if no one listens to you.” In this case, we need to re-think our value proposition and purpose. My mentor and I shared the same moral compass. As I look back on our time together, I am thankful for his advice and wisdom as I navigated my cybersecurity career,” emphasises Moffitt.
These are his insights.
What does cybersecurity mean to you, and how has this evolved during your career?
Moffitt describes, "cybersecurity played numerous roles over the course of my career from:
This experience opened doors to new opportunities across financial services and consulting. One opportunity was with EY where I served as the Oceania Practice Lead for ISO27001. I found this role and the organisation to be incredibly influential as I had opportunities to enable a wealth of talent to support our client’s business objectives. After spending time with the Victorian government, I had some strong opinions about what needed to be done. When I saw that my role was being advertised, I felt I could have a significant impact on progressing towards a safer and more secure Australia. I figured I might as well have a swing at it,” Moffitt explains.
Why do you do what you do? What motivates you as a cybersecurity professional?
Moffitt pauses, "I believe the world should be a certain way. I believe:
There is real meaning behind our work in the cybersecurity space. I am privileged to have roles that provide me with purpose because of the market demands for cybersecurity talent.
What, if any, information would you have liked to know starting out in your career?
Moffitt pauses, laughs and describes "there are three things I would have told myself:
How would you suggest others new to the field get involved?
Moffitt emphasises, "cybersecurity teams require diverse skillsets from:
I look for candidates with prior exposure outside of cybersecurity because of the value we place on influencing and listening to others. As a cybersecurity professional, we enable our colleagues to more securely execute in their role. We lose out on the intended purpose if we become too myopic and push cybersecurity for the sake. For example, if I was leading a security team at a logistics company, I would insist on having a person on my team who had worked in the warehouse. If you understand the business model and an organisation’s objectives, you have an opportunity to become a successful and long-standing cybersecurity professional,” explains Moffitt.
In conclusion, this month’s blog post was brought to you in support by Shane Moffitt, the Assistant Chief Information Security Officer (CISO) for the Victorian Government, where he:
Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues. Please leverage the comment box below to suggest future topics or guests, provide feedback or share with others.
Throughout 2019, this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students or those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energise your career journey in cybersecurity.
In this month’s feature, Justin Greis, EY’s Americas Practice leader for Cyber Resilience, shares:
These are his insights.
What is cybersecurity resilience, and how is this portrayed in the market?
Greis outlines concerns he hears from the Boards he consistently interacts with where cybersecurity risks are the number one concern. Greis questions, “why are we seeing an increase in public attacks that make headlines? Why are these attacks becoming more destructive and manipulative? We saw this wave of events turning away from fraud, exfiltration and manipulation from people and blackmail to destruction and now, more broadly, cognitive warfare shaping our social and political discourse. Our team decided to address these challenges. We defined Cyber Resilience as an organisation’s ability to prepare for, respond to and recover from a cybersecurity-triggered business disaster - which we characterise as a large-scale cybersecurity-attack with the intent to destroy or manipulate critical data or systems. We analysed leading companies and established a hypothesis that there is often a missing discipline in a cybersecurity function that focuses on the capabilities that enable a company to defend and adequately recover from disaster-level attacks. We defined this capability into Proactive and Reactive elements.”
The Proactive function is the 'running' aspect of Cyber Resilience. Security Architecture is so often a missing discipline, and Greis believes it is an essential component enabling a company to bounce back. Greis explains, “security architects develop resilient patterns of cybersecurity solutions that are propagated, evangelised and promoted throughout the organisation. These patterns can be taken from prior attacks, natural improvements and upgrades, or can arise out of proactive investment to improve the cybersecurity posture of an organisation. The Reactive function activates when a cybersecurity-triggered business disaster occurs. We identified that a discipline called Cyber Crisis Management (CCM) is often missing from the equation.
We found too often when an incident occurs it is:
What, if any, information would you have liked to know starting out in your career?
Greis explains, “I would categorise the advice and guidance into three buckets:
How would you suggest others new to the field get involved?
Greis emphasises, “This is similar advice I provide to anyone attempting to make a career switch; it has never been easier to reinvent yourself in today’s technology-connected world. If you are in the consulting space, you can become whatever you want to become. It just takes effort and initiative:
This area of cybersecurity is intriguing, in-demand by the market and considered as an excellent career starter. Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights from Leaders as the journey continues. Please leverage the comment box below to suggest future topics or guests, provide feedback or share with others.
Over the next twelve months this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students and those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energise your career in cybersecurity.
In this month’s feature, Alexandra Panaretos, EY Americas Practice Leader for Cybersecurity Awareness and Training, shares her story about:
What is cybersecurity training and awareness, and how is this best embedded within an organisation's business?
Panaretos describes “the key to cybersecurity awareness is not to create the mythical “human firewall” or turn every employee into a security specialist. The role of cybersecurity awareness is to:
The reality is that most employees are fairly educated on cybersecurity risks, but are not given “permission” to feel comfortable challenging odd behaviour or seeming uneducated on the technology. Teaching employees that it is okay to trust their instincts and report if they:
Companies that have done this well have started 'The Day in the Life of the Employee' adapted to the role of the employee. Manufacturing floor employees play a different role than a non-connected worker (e.g., maintenance worker, janitor, cafeteria staff). Successful organisations take a step back and consider a risk and role-based approach. It's about cultivating a program relevant to the workforce and realising this is a living process. The program should never look the same year to year because the threats, technologies, and situations will change,” said Panaretos.
How have you identified and explored various opportunities during your career journey?
Panaretos explains “I could tell a story with the Who, What, When, Where, Why and make it relevant for the individual to help them understand the risk. For example, posting a military deployment return date on social media is a big deal and real concern due to the public nature of these platforms. Adversaries are looking for information like this to piece together with other intelligence. What then is the low hanging fruit? It's people! Crafting the story of how the employee plays a role not only in their own physical security but also with their friends and loved ones transitioned well to the business world because of their continual focus on technology; as such, there has been minimal focus around what a company cannot control – their people. An organisation's high value asset and greatest vulnerability. I created content that was simple for non-technical people to consume and digest. The improvement and adoption of behaviour and cybersecurity hygiene was immense,” said Panaretos.
What, if any, information would you have liked to know starting out in your career?
Panaretos emphasises, “I didn't have to have a strong technical background.
I know enough about the technology to be dangerous…I learned to ask better questions; however, I may not be the right person to define an organisation’s network architecture or deploy firewalls. The biggest misconception is that cybersecurity is dramatically technical. There are many roles in communications, marketing, psychology, and education to help cybersecurity teams succeed. We need technical people to build, develop, and remediate. We also need people with the skillset to communicate this back to the business. Currently, there is a skills gap because most outside the industry feel they need to be highly technical and that is not true. There is a wide spectrum of roles with varying skills required. I need to know what the role or tool/platform does, but I don't need to know the “how” it is accomplished. There is power in asking better questions. I ask people to explain concepts in a non-technical way, which in turn, enables them to better communicate their message to the enterprise,” Panaretos described.
What motivated you to pursue your passion?
Panaretos explains, “I found myself jumping in head-first because no one was recruiting this role, or they weren't advertising it. I found myself reaching to my network to ask if this was a feasible career, or if I needed the technical background knowledge to succeed. Through numerous conversations, I identified cybersecurity training and awareness was an in-demand career path, but with a lack of resources and skills necessary to support the adoption of end-user behaviour changes to better secure our organisations and families,” Panaretos describes. "Many people within the technology industry still do not recognise cybersecurity awareness as a fundamental requirement for reaching the human aspects of cybersecurity."
How would you suggest others new to the field get involved?
Panaretos emphasises, “Two things:
For every tool, platform, and technology we develop, we need to be able to explain it to end-users. Alternatively, if highly technical why do you build/create things a certain way? Do you build cybersecurity into everything, or are you trying to stop an attack or adversary? Find your passion and adapt it to life in a digital world. We are currently amid one of the greatest technologically developed generations and part of the most impactful digital transformation since World War II. No longer are we living in a physical world, but we all have a digital presence as well. Find a career that is able to bridge the gap with both,” Panaretos urges.
In conclusion, this month’s edition was brought to you by Alexandra Panaretos, EY Americas Practice Lead for Cybersecurity Awareness and Training. This area of cybersecurity is intriguing, in-demand by the market and considered as an excellent career starter. Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights With Leaders as the journey continues.
Over the next twelve months this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students and those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energize your career journey in cybersecurity.
Each month will serve as a platform for a leader to:
Author: Elliot is a Senior Manager in the EY Cybersecurity practice. Elliot enables organizations to build in risk thinking from the onset, enhancing global innovation with confidence. He leads global teams to reduce response times and minimize the impact of security incidents by building and operating mature security, logging, monitoring, alerting, and incident response practices. He successfully led response to and recovery from complex security incidents, such as data exposures, third party compromises, and vulnerability exposures, by coordinating across large enterprises through effective incident response procedures to minimize business impact.