What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
I’m specifically going to focus on attending and speaking at conferences, the mind-set of technical knowledge being king, and the fact that engaging with people and collaboration are often looked down on in this industry. I will tell you that, in my own experience, doing less of the first two and developing my own people and collaboration skills accelerated my career growth and earning potential way more than increasing my technical expertise ever did. I would never tell people to stop attending or speaking at conferences or continually improving their technical knowledge. Those are all useful, even if I do often question the value people truly get out of most conferences.
I would encourage people to think about what really improves security and changes security behaviors in a company. We’re ultimately trying to change the mind-set and behaviors of people, so any technical controls we try to implement fail to really address this. Look to work with people from different backgrounds and different industries.
Finally, speak to people. If you ask smart questions and actually meet people face to face to talk about security, their concerns, and what you can do to help them, you’ll be surprised at how useful that is. You really need to learn how to engage with non-tech influencers, what those people care about, and how you can get them to buy into security. After a certain point in your career, the people you work with and want to influence really don’t care about a stunt-hacking talk you gave/attended at BlackHat. It’s important for people to learn that early on and focus on developing the soft skills alongside the tech.
What qualities do you believe all highly successful cybersecurity professionals share?
The best cybersecurity professionals I know all share a small set of qualities. They’re all very passionate about ensuring that people are safe and secure; effectively, they want to protect people from harm. They also tend to be very curious and driven, as in they always want to continue learning and, more importantly, share their knowledge.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
The Phoenix Project. I think the head of information security in that book demonstrates exactly what cybersecurity professionals shouldn’t be like, but often are. If you read that book and set out to be the opposite of that character, you’ll set yourself up to be successful in this industry. I think the book does a great job of outlining the kind of challenges we all face daily—just don’t turn into that kind of cybersecurity professional. Next to our Dublin Information Security team, we have a quote from Rich Smith (@iodboi) that says, “If security introduces blocking to the org, it will be ignored, not embraced.” This always helps us deal with the challenges that our jobs bring without turning into “that security guy” and being bypassed.
What is your favorite hacker movie?
It has to be Hackers. Who doesn’t want to share floppy disks with friends and hack things while rollerskating and listen to The Prodigy?
What are your favorite books for motivation, personal development, or enjoyment?
I have a few different ones in mind. I always recommend The Checklist Manifesto to new people on my team. I’ve found checklists to be very beneficial in my personal and professional life for more than 10 years now. I include this on the reading list for any new hires I make to my team nowadays. We work with complex systems, and security teams are often smaller than they need to be. It’s easy for us to overlook simple things because we’re so focused on finding the doomsday vulnerabilities in our products. By integrating checklists into your life, you’re not trying to dumb things down; you’re actually making yourself better at your job. We often have an ego problem in cybersecurity, which probably stops many people from adopting a simple checklist. Let me put it this way: if checklists are fine for the pilots who fly you around the world, the architects who design the office you work in, and for doctors and surgeons who may care for you one day, they sure as hell can be used for your next security review.
I found Chaos Monkeys to be a fantastic read, covering the early days of Facebook and the funding model for startups in Silicon Valley. It’s a great read for anyone in tech and/or anyone looking to launch their own startup.
From a personal development point of view, I’m going to pick a book that changed my early thinking at Riot Games. Switch: How to Change Things When Change Is Hard is a book I read soon after joining Riot to build its application security program. The bright spots story really got my attention because it was simple but effective. How often do you see cybersecurity teams scratching their heads about a specific team or person’s bad security behavior? If we focus more on what makes the good people and teams good, we can potentially learn how to level everyone up. When we ran application security focus groups with a behavioral psychologist at Riot, we found what made our good teams good. The teams that needed to improve lacked the knowledge and resources that the good teams had. Those were the things that made the good teams good. That made crafting a road map pretty easy for us!
Leading Snowflakes is my final recommendation. It helped me make the transition from being a security engineer to being a security leader with people-management responsibilities. It helped me figure out what my days should look like and how to redefine value/good work in my mind. It’s a must-read for anyone making the transition from a purely technical role to one where you manage and develop others.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
I think it’s largely the same things people have been recommending for many years now. It’s the simple things we often overlook. If people ensured that all of their computers, phones, devices, and so on were patched, that would help significantly. If people used password managers and two-factor authentication (where available) on their accounts, they’d be significantly more difficult to attack.
What is a life hack that you’d like to share?
My advice is to figure out what you need to do to look after yourself. All of the best leaders I know in this field have a significant hobby outside of cybersecurity. It can be working out at the gym, playing games, going surfing, or arts and crafts. It doesn’t matter what it is, provided it disconnects you from this weird world we live and work in.
Take time off from work; you’ve got very little to gain from killing yourself for a company and so much to gain from relaxing and enjoying free time. That also extends to not keeping an eye on emails, Slack, etc. all hours of the day. Turn it all off. In fact, if you can, don’t even have that stuff on your personal devices. If you don’t work for a company that supports a good work-life balance, find another company to work for.
What is the biggest mistake you’ve ever made, and how did you recover from it?
The biggest mistake I ever made in my professional career is ultimately a story about me being arrogant and making assumptions. As I mentioned earlier, I used to work in infrastructure and network security, which involved owning our production firewalls. I was cleaning up firewall rules that weren’t being used, and I felt like I had a solid plan: I checked our logs to see which rules were being used. If I didn’t find an entry in the logs, I assumed the rules weren’t being used, so they went on my list to be disabled.
I did all of the relevant change-management paperwork and waited for the next maintenance window. I logged into the firewall, removed all the unused rules, and pushed my changes. A few minutes later, all of our service-monitoring systems started turning red. No customer payment transactions were being processed. I was asked if my changes could’ve caused this, and arrogant young David said, “No, I only disabled rules that weren’t being used, right?”
Well, it turns out I’d made a big mistake. The top rule in the list allowed our web servers to connect to our database servers, and that’s one of the rules I removed. We didn’t have logging enabled on that rule because of the amount of noise it would’ve generated. I trusted the logs too much and never really looked at the rules I was removing. Once I’d realized it was my mistake, I rolled back the changes and held up my hands—I had caused a service outage for some very large companies.
The lesson here is don’t be arrogant like I was, and don’t make assumptions. We’re all very capable of making mistakes, and if we’re pushing ourselves to be better, we should make mistakes. However, some mistakes, like this one, are definitely avoidable, so now I double- and triple-check important things before making a move. ■
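The failure mode in the story above is treating log silence as proof that a rule is unused, when the rule in question never logged at all. The following script is an added example (it is not code from the interview or from the interviewee) of a pre-cleanup check that separates the three cases a practitioner actually needs to tell apart: a rule with evidence of use, a rule with positive evidence of non-use (a zero hit counter, or silence while logging is enabled), and a rule about which the logs say nothing because logging is off. The rule fields, the `rule=<id>` log token and the sample ruleset and log lines are all constructed assumptions, not the format of any particular firewall.

```python
"""Classify firewall rules before a cleanup without trusting log silence.

Added example, not from the original page. A rule becomes a removal
candidate only when the evidence supports it: either its hit counter
reads zero, or logging is enabled for it and no log entry references it.
A rule that does not log and has no counter reading is reported as
unknown, which is exactly the web-to-database rule from the story.
Rule fields, log format and sample data are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    rule_id: int
    name: str
    log_enabled: bool          # does the device write a log line on match?
    hit_count: Optional[int]   # match counter from the device; None if unavailable

# Constructed sample ruleset (assumption: the device exposes these fields).
RULES = [
    Rule(1, "web-to-db", log_enabled=False, hit_count=None),  # noisy rule, never logged
    Rule(2, "admin-ssh", log_enabled=True, hit_count=17),
    Rule(3, "legacy-ftp", log_enabled=True, hit_count=None),
    Rule(4, "old-vpn", log_enabled=False, hit_count=0),
]

# Constructed sample log lines (assumption: one "rule=<id>" token per entry).
LOG_LINES = """\
2019-03-02T01:14:02Z fw01 action=allow rule=2 src=10.0.9.4 dst=10.0.1.10 dport=22
2019-03-02T01:14:07Z fw01 action=allow rule=2 src=10.0.9.4 dst=10.0.1.11 dport=22
2019-03-02T01:15:30Z fw01 action=deny rule=default src=203.0.113.7 dst=10.0.1.10 dport=23
""".splitlines()

RULE_TOKEN = re.compile(r"\brule=(\d+)\b")

def rules_seen_in_logs(log_lines):
    """Return the set of numeric rule ids referenced by the log lines."""
    seen = set()
    for line in log_lines:
        m = RULE_TOKEN.search(line)
        if m:
            seen.add(int(m.group(1)))
    return seen

def classify(rules, log_lines):
    """Map rule_id -> 'in_use', 'remove_candidate' or 'unknown_no_logging'.

    Log silence only counts as evidence when the rule actually logs; the
    hit counter is consulted separately because it works with logging off.
    """
    seen = rules_seen_in_logs(log_lines)
    verdict = {}
    for r in rules:
        if r.rule_id in seen or (r.hit_count or 0) > 0:
            verdict[r.rule_id] = "in_use"            # positive evidence of traffic
        elif r.hit_count == 0:
            verdict[r.rule_id] = "remove_candidate"  # counter says nothing matched
        elif r.log_enabled:
            verdict[r.rule_id] = "remove_candidate"  # logging on, yet silent
        else:
            verdict[r.rule_id] = "unknown_no_logging"  # silence proves nothing here
    return verdict

def removal_candidates(rules, log_lines):
    """Sorted rule ids that the evidence supports disabling."""
    return sorted(i for i, s in classify(rules, log_lines).items()
                  if s == "remove_candidate")

if __name__ == "__main__":
    for rid, status in sorted(classify(RULES, LOG_LINES).items()):
        print(rid, status)
```

Run against the sample data, rule 1 (the unlogged web-to-database rule) comes back as unknown rather than as a removal candidate, which is the check that would have kept it off the disable list; rules 3 and 4 are the only ones the evidence supports removing.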
Guillaume Ross
“Truly knowing how to operate something lets you define how it should be secured in terms your colleagues will easily understand. Read, test, test in real life, and iterate.”
Twitter: @gepeto42 • Website: caffeinesecurity.com
Guillaume Ross is an experienced information security professional, providing services to an array of organizations as the lead consultant and founder of Caffeine Security, Inc. Having worked in multiple verticals, from Fortune 50 to startups, Guillaume’s specialty is providing the right security program and architecture for each specific environment and company.
If there is one myth that you could debunk in cybersecurity, what would it be?
That attacks are advanced. They’re never more advanced than they need to be, and that means they are frequently very basic, as companies have a hard time doing the so-called “basics” well. Managing hundreds, thousands, or often many more systems well is hard work, and it’s not something any product can do on its own. Unfortunately, when people get breached, they rarely claim they were successfully attacked by a very simple technique targeting default passwords, SQL injection, and unpatched, exposed systems. The more sensationalist headlines are often the most popular.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Deploying a multibrowser strategy. For example, prevent the use of browsers with plugins enabled on anything but internal and whitelisted websites, and force the use of a modern browser, such as Edge or Chrome, with a hardened configuration to access the Web. That’s free, and more effective than a lot of expensive products.
How is it that cybersecurity spending is increasing but breaches are still happening?
Many security problems are caused by a lack of IT hygiene and software security issues. Unfortunately, a lot of cybersecurity spending goes to “advanced/next-gen solutions,” monitoring, and discovering more issues rather than improving the health of IT systems. Improving the quality of configurations, and the speed at which systems can be reconfigured, has a huge security impact. But that would often be seen as IT or development spending, while security teams, unfortunately, often only deploy more third-party software to try to bolt security onto fundamentally unsafe systems.
Do you need a college degree or certification to be a cybersecurity professional?
Not having one won’t stop you if you’re motivated, but it may make employment in some very process-heavy environments much harder to obtain. Still, many companies would be glad to hire someone who’s shown they can get stuff done, that they understand security, and, most of all, that they understand how to effectively apply it within a company’s environment. The less experience you have, the more useful that degree or certification will be—but so would participation in open source projects, community events, or security research.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I had always been interested in technology, networking, and security. When I started working in IT, I was still interested in security, but back then I didn’t even know it was a full-time job. I simply assumed that every IT person at the large bank where I worked had to be amazing at security. When I realized that wasn’t necessarily the case, I focused on understanding how to secure every technology I worked with to the best of my abilities. I got involved in more security projects and finally made the jump to full-time security.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
Planning entire security programs, and on the technical side, securing corporate environments in large companies, especially around end-user workstations and Active Directory. Securing all this is important, and yet, the most difficult part is not necessarily the technical aspect of locking it down but rather doing it in a way that does not break the business.
The best way to learn how to do this is to pick a smaller environment, or a subset of a bigger one, and try to improve it a bit. Iterate, read all the vendor documentation you can find, and try to improve a few areas every week. Knowing how things work is a skill that can sound almost too obvious to be worth mentioning, but truly knowing how to operate something lets you define how it should be secured in terms your IT colleagues will easily understand. Read, test, test in real life, and iterate.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
If you have little experience, participate in community events and publish research and/or tools for the community to discover. As a hiring manager, I highly value this type of involvement, and as someone starting out, there is no barrier to entry.
What qualities do you believe all highly successful cybersecurity professionals share?
Being curious and motivated. Also knowing how to communicate not only the issues but the proposed improvements as well. A combination of technical skills and soft skills is a great way to get the important stuff done: improving security.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Home Alone will show you that, with enough motivation, anyone can defend himself from common attacks. All it takes is thinking outside the box. Kevin didn’t even need to buy anything “next-gen!”
What is your favorite hacker movie?
WarGames is a great hacker movie, but Office Space is closer to the day-to-day of many security teams.
What are your favorite books for motivation, personal development, or enjoyment?
As someone who has been consulting for many years, Professional Services Marketing by Mike Schultz and John E. Doerr and Managing the Professional Service Firm by David H. Maister are two very useful books I read in the last year. Consulting practices, such as law firms, have been providing services pretty much since Emperor Claudius abolished the ban on fees. There is a lot to be learned from the experience of people selling services, even if it’s in other professions.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Keep your systems up to date, use a password manager, enable two-factor authentication (2FA) where you can, and most of all, keep offline and offsite backups of your most important files.
What is a life hack that you’d like to share?
Find an app to manage to-dos that works on your main computer and your phone and that supports geofencing. That way, you can easily be reminded about a specific email when you get to work in the morning, but it will also remind you to pick up some whiskey next time you drive by the liquor store. Anything that allows you to offload the mental load of having to remember things on your own helps you focus. If you’re trying to secure an organization or system, you already have enough things working against you; no need to risk forgetting things or wasting brain cycles trying to remember.
What is the biggest mistake you’ve ever made, and how did you recover from it?
On the first morning of the first day of a new job early in my career, while trying to update software for an employee having issues with timesheets, I rebooted the employee’s computer. But it did not reboot; I simply saw a new desktop background all of a sudden. I realized I had rebooted a remote terminal server with hundreds of users. What I thought was her desktop just wasn’t.
I recovered by rapidly informing our director of IT, the help desk, and getting ready to downgrade what I had accidentally upgraded when the server came back up (there was a reason it was running a specific version). I felt quite stupid, but I would’ve felt even stupider trying to hide my own reckless action. ■
Brad Schaufenbuel
“Once you’ve reached a point in life where your financial needs are met, the source of your happiness shifts from more money to whether your role provides you with the opportunity to grow with an organization that has a culture that makes you excited to get up in the morning and immerse yourself in it every day.”
Website: www.linkedin.com/in/bradleyschaufenbuel
Bradley Schaufenbuel is VP and CISO at Paylocity. He has held security leadership positions at numerous companies in the financial services and technology industries over his 22-year career. Bradley has MBA, JD, and LLM degrees; is a licensed attorney; and holds 23 professional certifications. He is a prolific author and speaker and serves on the advisory boards of multiple venture funds and startups.
If there is one myth that you could debunk in cybersecurity, what would it be?
The myth I would debunk is that cybersecurity success is largely the result of buying and implementing new technology. Vendors especially would like us to believe that if we just bought their wares, we would be secure. Many security leaders share this belief. Their cybersecurity programs consist of an endless search for silver bullets, punctuated by cycles of technology implementation projects. In reality, an effective cybersecurity program depends on people, process, and technology, in that order of importance. Even the best security technology is useless without repeatable processes in place to manage it. Even the best security processes are useless without good people to execute them. People are what make the difference between a world-class cybersecurity program and an ineffective one.
Tribe of Hackers Page 34