Tribe of Hackers


by Marcus J Carey


  It is kind of a path of rock climbing, not ladder climbing. You go sideways, you exercise different muscles. There are many paths to the top. We had an office manager who became one of our top-performing inside sales reps who then went on to become one of our top-performing recruiters and now helps us throw corporate parties and DJs them. Explore and try lots of things; there’s a very good chance you’ll find your way into some opportunity, and you can always pivot from there.

  What qualities do you believe all highly successful cybersecurity professionals share?

  There are many ways that people achieve success, and not all of them are good. In security, there’s probably more opportunity for folks to be successful without actually contributing very much. That’s not to say the majority of the industry is bad; I just mean that sometimes incentives aren’t really there, and people can get away with a lot. It can be discouraging to see the wrong things happen or people being rewarded for not the best behavior. Likewise, some security companies are creating problems as much as they’re solving them.

  There’s one thing everyone at Duo has in common: we’re self-aware. We test this in our behavioral interviews. We’re looking for people who can step outside of themselves and not only understand the impact and effect they have on others but also someone else’s point of view. That’s super important because, in security, you’re trying to solve for the ways in which technology fails—often because someone had a different mind-set or didn’t have the same understanding.

  Second, you have to have a fundamental optimism about technology. In the service of solving these problems, you have to build more technology. The answer is not to get rid of all technology. Cars used to not have seatbelts; now they do. Computers used to not have security; now they do. There are things that you can do to make yourself safe, but you can’t give up on the problem.

  Lastly, technology is actually a people business and a team sport. Nobody ever accomplishes anything in this industry alone, except offensively. You can be a very successful offensive hacker on your own, but even then, you’re standing on the shoulders of giants, leveraging what came before you. The best teams I see out there, and the thing I find that is non-negotiable at Duo, all have this in common: good kindergarten skills. What are the three core values? To engineer the business, learn together, and be kinder than necessary. It’s about going out of our way to help each other be successful. At the end of the day, we win as a team or lose as a team, and nothing else matters.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  One is The Checklist Manifesto by Atul Gawande. It’s basically an explanation of why it’s so important to get basics right and why checklists do matter. In our industry, there’s a lot of folks saying compliance is just security by accountants, not real security. I think that’s wrong. Getting those basics right matters, and how you actually build operationally—the kind of discipline to make sure that the right things happen—is super important.

  My second recommendation is also not about security but about the challenge of the hyper-connectedness of our systems and our world and the kind of butterfly effect that arises from that: A Demon of Our Own Design by Richard Bookstaber. It’s actually about our financial collapse in the last decade, looking at the ways in which complex systems fail. A lot of it is simple. The warning lights, like at Three Mile Island, didn’t work, and then there’s a cascade of other lack of controls that leads quite literally to a nuclear meltdown. If you’re looking for examples of how security fails, it’s helpful to look at other disciplines.

  What is your favorite hacker movie?

  Sneakers. I really like WarGames, but Sneakers is by far the best hacker movie that ever existed. Everyone likes Hackers, but Sneakers was great. Duo made an edit of WarGames that basically summarized the entire movie in one minute. You can watch it on YouTube.18

  What are your favorite books for motivation, personal development, or enjoyment?

  I actually called this out in Inc. Magazine, but I hate business books.19 I think most are just one idea spread out over 300 pages, super tedious, and not that interesting. One of the more inspiring books, for me, in terms of how I conduct my life and career, is The Wu-Tang Manual by The RZA. I wrote about it on LinkedIn (there’s an article on my profile that you can check out), but I like the way that The RZA thought about how they created not only a rap dynasty but also a platform of opportunity for everyone involved with the clan, while also considering where they did it—Staten Island (Shaolin). The notion is that being somewhere outside of all the hustle and hype can be a real strategic advantage. Everyone chasing after each other’s ideas and dollars sometimes doesn’t produce the best results. If you really wanna do something well creatively, you’ve gotta have the space to stretch out and do that with people you really care about and respect.

  “Everyone chasing after each other’s ideas and dollars sometimes doesn’t produce the best results. If you really wanna do something well creatively, you’ve gotta have the space to stretch out and do that with people you really care about and respect.”

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Make sure you actually have an access point for your house that has a firewall. Some people think all they need is a passthrough bridge, but you should actually have a real access point with a real firewall so you can block things inbound. You can also use that access point to configure things like OpenDNS, which is useful as just a basic preliminary control.

  Make safe choices about computing. Use a Chromebook or an iOS device or iPad. Use the cloud. I guarantee you that hundreds of Google’s security engineers are going to do a better job of protecting your email and storage in their cloud (Gmail and GDrive) than you ever will.

  Pick and choose your battles. Thankfully, most of that is pretty easy to solve in the consumer context.

  What is a life hack that you’d like to share?

  This isn’t so much of a life hack as it is a principle, but it does have quite a bit of bearing on how I conduct myself. My dad was a Buddhist monk, and it’s quite a long story of how he got to working at a liquor store. He tells me that reputation takes a lifetime to build, but it can go away in a second. The meaning of life, he said, is to live a life of meaning. What does that mean? A life of meaning is to have an impact and help others. At the end of the day, we’re not going to take it with us. No one has ambitions to die rich. What is the legacy that you’re going to leave behind? If you’re a good person and do right by others, the universe won’t let you starve. That’s how I conduct my life and career and the models of leadership that I have for myself, my company, and my community.

  I started something eight years ago called the Ann Arbor New Tech Meetup. It’s a startup showcase of five new companies presenting every month, so we’ve had hundreds of companies and thousands of founders. What makes this event great is not that you’ve met a lot of people but that you’ve introduced a lot of people. Being useful is the greatest hack of all. People think of hacks as shortcuts, but I think of them as strategies. A good hack is an interesting strategy that people overlook, and sometimes the simplest things are standing right before us. I try to be useful and make sure that I’m doing the right things in life.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  This probably isn’t a single mistake, but it took a long time to learn: my success isn’t entirely my own. It does take a village, not just to raise a family or a child or a company, but even on my personal journey, I would need help along the way, and I’d have to ask for that. I think one of the hardest things to do in life is to know when or how or whom to ask for help. Over time, and also through the course of many relationships, being well-flanked by different perspectives has helped me realize who I can go to, and for what kind of advice, and then actually reach out to them. Sometimes I think people are too proud or don’t want to be embarrassed, but the most successful people I know in life (conventionally successful)—who have changed the world and had a huge impact—they’re also some of the humblest. They’ve always kept that beginner’s mind-set and never really lost that.

  It took time for me to learn how to be vulnerable in a professional context, but it allowed me to reach out and not be afraid or scared or embarrassed to. ■

  Notes

  16. Alex Stamos (@alexstamos), “1) Unify behind cloud SSO (Okta, OneLogin); 2) Two-factor (Duo, Yubikey); 3) Push IT to ditch Exchange for GSuite or O365,” Twitter, May 3, 2018, https://twitter.com/alexstamos/status/992206933418430465.

  17. Fahmida Y. Rashid, “LinkedIn CISO: How We Bring Diversity into Security with the Stories We Tell,” Decipher, April 13, 2018, accessed May 2018, https://duo.com/decipher/linkedin-ciso-bringing-diversity-into-security-with-the-stories-we-tell.

  18. YouTube, “WarGames: The Two-Factor Edit,” Video, June 5, 2014, accessed May 2018, https://www.youtube.com/watch?v=WH_KuCCf0c0.

  19. Christina DesMarais, “25 of the Most Inspiring Books Everyone Should Read,” Inc.com, February 16, 2017, accessed May 2018, https://www.inc.com/christina-desmarais/25-of-the-most-inspiring-books-everyone-should-read.html.


  Jayson E. Street

  “There is no finite point where it’s going to be, ‘Well, okay, we’ve now spent enough. We’re secure.’ ”

  Twitter: @jaysonstreet • Website: jaysonestreet.com

  Jayson E. Street is a co-author of the Dissecting the Hack series. He is also the DEF CON Groups Global Ambassador and the VP of InfoSec for SphereNY. Jayson has spoken on a variety of information security subjects, including events at DEF CON, DerbyCon, GrrCon, and several other cons and colleges.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  That humans are a liability. We always want to blame humans: “stupid user clicked on a link,” “stupid user had a bad password,” “stupid user went to a website,” when it was actually “stupid information security who didn’t properly train their users.” Employees will do everything necessary to stay employed in their jobs and do what they’re told. We don’t teach them that part of their responsibility is to be security-minded. So, therefore, they don’t have to be. It’s not up to them to intuitively know about that. It’s up to us to teach them that that’s expected, and then they’ll do that because that’s part of their job. We don’t need to keep getting technology to protect our users. We need to start getting our users better able to protect the technology.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  I think the biggest is investing in security awareness training and training your employees to be an asset instead of a liability. Do that at the beginning of their orientation when they’re doing the rest of the training for their job.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  That’s like talking about how “safe technology” is increasing but there are still safe-crackers and bank robberies. There is no finite point where it’s going to be, “Well, okay, we’ve now spent enough. We’re secure.” It doesn’t work that way. Information security is not about eliminating risk. To think that we’re eliminating risk is a whole false scenario. What we do is mitigate risk. We try to mitigate as much risk as we can with the budget that we have. We then go to upper-level management and tell them we’ve eliminated this much risk, mitigated it, but now there’s this much risk that we can offset by using a cloud service provider or using another company that’s got a service level agreement (SLA) and a contract to protect us. At the end of the day, after mitigation, after offsetting, there is still going to be a point where we go, “This is how much risk we have to accept.” There will always be risk when dealing with online transactions or anything offline as well. There’s always going to be a risk that they have to accept. Our job is to mitigate as much as possible, offset as much as possible, so we can present them with the narrowest amount of risk they have to accept. That requires a budget. It requires constantly evolving technology, and it requires staying ahead of where the attackers are going, what the criminals are doing, and that does cost money.

  Do you need a college degree or certification to be a cybersecurity professional?

  Well, since I’m a high school dropout who used to live behind a dumpster, I’m going to say “no” on that one. College and certifications and degrees are helpful to give you the methodology and stuff that’s already in place so you don’t have to learn the hard way like I did. Still, at the end of the day, it doesn’t matter what paper you have. You should be judged by what you bring to the table and what knowledge you can succinctly disseminate among your peers and to the executive team. It’s up to you to show them the knowledge that you have and to put it into action. The paper may get you in the door, but it’s not going to keep you there. It’s hard to fake competence in this industry for long, unless you’re a thought leader.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I’ve always been interested in security, and I’ve always liked helping people. I started more than 30 years ago doing physical security. When I was doing IT help desk back in 2000, I was introduced to the VP of security, Tim Smith. He wanted to hire me to do computer security, and that’s when my whole life changed. I never knew you could do computers and security and that no one shoots at you, which was amazing. So I was like, “Yes, please.” It’s really awesome and I never looked back.

  A beginner can get into the industry by learning what they want to do for the rest of their lives. This field is so varied—from forensics, malware analysis, IP, TCB inspection, log review, intrusion detection systems, and firewall technology to social engineering, red teaming, pentesting, vulnerability assessment, and code review—there are so many different aspects of the field. Look for the one that makes you happy, that you’re interested in, and that you have a passion for, and then find someone to pay you for it. That way, you stop working. I stopped working about five years ago. I still get a paycheck, but now I’m getting paid to do something that I would love to do anyway.

  Also, you can go to iR0nin (ir0nin.com) and navigate to the Getting Started page. This is actually a page that I developed for people who are trying to get into information security. It has resources and a couple of videos on how to do that.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  I call what I do “being a teachable moment.” I do security awareness engagements where people pay me to break into their companies or rob their banks before an actual bad guy does. I don’t write reports; I educate every single person on location after I’ve successfully robbed them. I then go back and talk to them and tell them what I did and how they can do better to detect me next time. So, I have a direct impact on the employees immediately.

  There are people who do training for social engineering, like Chris Hadnagy (www.social-engineer.org). He does training on social engineering, and I give training on security awareness and how to engage your users into security awareness. That’s my passion now. You also have to have an innate quality (what I call my main attribute) of having no shame and bad impulse control, which is the reason why I’m so successful.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  The best career advice for getting hired is do good work. It’s not about playing politics or trying to shine; it’s about being consistently good at your job and having a passion for it. In my bio on my web page, I put: “I was the best janitor for two years in a row at McDonald’s Southeast Texas region.” I was one of the best janitors out there, and I’m proud of that. I did a good job, and I did it very well, and I was recognized for that. Whatever you do, do it well, do it proficiently, have a passion for it, and make sure that you’re doing it right. If it’s something that you don’t want to do forever, then continuously do a good job, but also let everybody know that you want to advance—or find somewhere else where you can grow. Never go in and do a half-hearted job because you’re not interested or you don’t like the position. Make it the position you want it to be, or go somewhere else.

  “Whatever you do, do it well, do it proficiently, have a passion for it, and make sure that you’re doing it right.”

  What qualities do you believe all highly successful cybersecurity professionals share?

  Passion and curiosity. You need to have the innate ability and curiosity to want to solve problems and find solutions for things, especially when they’re difficult. You also need to have the passion to keep wanting to search and look.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  Apollo 13, because they were in a situation they had never seen before, people’s lives were on the line, and they had to create something out of nothing. They took things that were totally contrary to what they needed to do and they did it. This is the very definition of hacking—going around how systems and things are supposed to be to make it work for you.

  What is your favorite hacker movie?

  Hackers. Everyone wants to say WarGames or Sneakers to sound sophisticated or refined, but no. Hackers is still my favorite. I still stand by the fact that Angelina Jolie got more people into hacking than high-speed modems did. It’s approachable and not just a hacker movie—it’s also a cool and fun story. I like it for many different reasons.

  What are your favorite books for motivation, personal development, or enjoyment?
