Good afternoon, everyone. This is Ed Amoroso here, and welcome to our sixth of six sessions. So you made it this far; I congratulate you. I hope this has been a useful five sessions, and I hope the sixth one is useful for you as well. We're going to go through the last eight controls. Again, this is our roadmap. I'll use a little time at the end to give you a little pep talk, because I suspect there are quite a few of you here who are at various stages of your career, and I suspect most of you don't get many pep talks. You know, you get once in a while a performance review from someone, but I'll take a few minutes at the end and see if I can give you some career guidance and advice. And if you've been with us, then you know you went through the enterprise controls with us: network controls, endpoint, governance, and data.
This is the road map that I use for my cybersecurity industry analysis work at TAG Cyber. I think most of you know that we're trying to be a little disruptive to the industry analysis business. In fact, that'll be control 43, so I'll be talking to you about that. But these controls are really, in some sense, you know, they're not really controls so much as areas of focus for an enterprise security team. I put "control" because ultimately you do everything in our business to reduce risk; hence it's a control. So things you would normally think of as a control, like, you know, doing research and development, is that a control? An auditor would say no. I would say, heck yeah, it is. You know, if you're successful, then it results in some insights or new ideas or innovation that helps you reduce risk. So everything we do on the defensive side is to reduce risk, hence a control.
So today we're going to go through very unique ones. This, of all the columns, is my favorite, because it's a hodgepodge of crazy stuff. You won't find any of these things in NIST; you don't find any of them in PCI; you're not gonna find many courses, maybe on training and awareness. I guess that's something people talk about. And some of them have to do with industry offers. I'm going to try and give you some insight into these offers and when they make sense, when they don't. I think I helped invent some of these. I'm getting so darn old now that I look at managed security services, I do the math, I look at the calendars, and I think, gosh, I probably was involved in some of the very early MSS services, if not some of the first. So I can give you a lot of insight here and help you with these. This column, you know, kind of separates the pros from the amateurs if you get these things right. Everybody on the planet can talk to you about the difference between two or three different firewalls, but can everyone tell you the right way to guide the careers of a team, or to understand the nuances of information assurance in government versus commercial service, or whatever? That's what we're going to be talking about today. These are, I think, in some sense, fairly unique topics, things that you don't often get. Like I said, we'll save some time at the end to do a little bit of coaching, because we have eight controls here. Maybe if we can get through them in the first 40 minutes, 45 minutes, I can take 10, 15 minutes at the end and wrap up with some coaching. I like to do that. I do that with my graduate students; I always take the latter portion of the last lecture to really dig in and try and share with you some of the insights that I have, having been a manager, having been a practitioner, now going on four decades at this. So I can give you some advice that, yeah, I hope is useful. So let's dive in. The first one is industry analysis. Now, gosh, you think this is a control? But yeah, I mean,
reading about, getting guidance on the industry, the purpose of understanding what's out there, understanding what products people are using and what types of services might be appropriate to help you reduce risk or reduce costs or just simplify your operation or give you some new capability. These are the kinds of things enterprise security teams do. It's incredibly important. This is, in some sense, the oil that lubes the engine: really digging in and understanding what's going on. I know we don't often think of it that way. Now, to date it's had a very heavy focus, let's face it, on quadrants and waves and stuff like that. These are pure pay-for-play initiatives. We all know that; you know the way it works, and take it from me, I participated in this. Where are you? In some sense, let's say you're a new vendor and you have an interesting offer, and some pay-for-play industry analysis company notices you. They'll visit with you and say, wow, you're great, we'd like to get you into our quadrant, and there'll be a very modest fee to get in there, but you're in there. And now you're psyched, because you tell your salespeople, hey, we're in the big wave or whatever it is that you're in. But now, to move, you've got to continue to engage, and you probably need to buy more services, and you need to demonstrate that you have not only a willingness but an ability to pay. And as you increase the intensity of that, you move, until let's say you get to where you're paying some pretty hefty fees and you're up in the top right. Now that you're in the top right, you're a top-righter, and you certainly don't want to ever go down, right? That's when the fees get big. I mean, look, I do not begrudge this, but I wish it would just be explained to everyone that that's what it is. It's fine if you're gonna look at a wave just to collect a list of interesting vendors to talk to and pay no attention to where they show up topographically on the chart. Then that's fine. It's a list of vendors, and you go do the analysis. Look, my belief is
and you can see the chart here where I say democratized expert industry analysis. Here's what that is, and that's really what I do for a living. It means recognizing that you have to learn. There's no shortcut here. I get it; it'd be nice to give you a shortcut and say, oh, you want to buy a car? Here is the best car, and here's the second best car, and here's the third best car. There you have it: one, two, and three, pick one. If you can get one, get it. If you can't, get two. If you get three, everything else, you know, they're all kind of losers. You know, that's ridiculous. It's not how you buy cars, and that's not how you should be buying a SIEM or selecting a bug bounty program. You do it that way: you gotta learn. You've got to get information. That's what I do. I spend every minute of every day trying to push out what I'm learning. I just get up in the morning, work all day long, push out content, and the content, I'm sure a lot of you read it, it's just: I met this team, here's what I learned. I met with this team, here's what I learned. And that's what I do. I think that's what an analyst does. And yes, there are times when I meet with teams and the stuff is terrible, and what do I do? I just don't cover it. That's been my approach. Somebody else might do something else. I don't begrudge someone saying I met with this team and they were terrible, as long as it's not because they didn't get paid. One quick comment: it's perfectly fine to monetize research and projects and sponsorships. Like, I take sponsorships for my work. I say, you know, thank you to the following companies, essentially for a grant to make it possible for me to pay my bills to do this kind of work, and I thank a bunch of companies for helping me. That's what I say; I'm very transparent about that.
So in industry analysis, I'm hoping that the trend curve goes down here. Look, the focus on waves and so on, this is the traditional trend curve. The effectiveness, I think it was less effective, less effective, becomes even less effective. But what will become more effective is this democratized concept, with considerably less focus on these things. In the beginning, similarly, magazines, very low quality pay-for-play. I think it still is. I think in the future you should demand honest, democratized analysis. That is a requirement in what we do, and also domain-specific analysts. When somebody's telling you a story about IoT, I hope they have some experience with that. I had the great advantage of having worked in a huge carrier, which gives you exposure to everything. You know, people will say, well, gosh, what do you know about physical security? Quite a bit, you know; I dealt with one of the largest footprints in the world, and on and on. And I was lucky. But let's say, for example, you never worked in a bank, and I did; I was a board member of a bank. If you never did, how can you possibly make commentary, reasonable commentary, on financial services cybersecurity? I don't think you can. So again, I'm probably a weird and unique duck, having had the luck of being exposed to so many areas. But I think, moving forward, when you're reading any type of domain-specific analysis, read the resume of the person who wrote it. If they graduated three years ago, or if they've been bouncing around a little bit, they were a journalist, then that's not somebody who's going to tell you about industrial control risk, because they don't work in a factory. You get the point. So this is a big one. As a CISO, as a budding CISO, you should have a very specific opinion, and you should be extremely passionate about the type of industry analysis that gets pushed around our industry, because it's not done us well. Where do we sit today? It's like we can't even protect credentials. So this has to improve. And I'm excited that I think democratization and people demanding better work, less pay-for-play, is going to put us in a much improved place. So that's the first one.
Now, this is an interesting one: information assurance. Now, some of you listening live kind of on the government side of things, the federal government. And I will tell you that information assurance services for the federal government are like in a different galaxy from cybersecurity services for commercial. We all think they're the same. It looks the same, but they're not; they just are not. They're not procured the same. They're not tested the same way; assurance is not demonstrated the same way; the life cycle is not arranged the same way; the support models around these things are not the same. They're all completely different. In fact, the financial models are different. So what's happened is, in the early days you had a lot of commercial entities that said, wow, I can sell to the government, and they had trouble. And then you had a lot of government players who were selling information warfare, information assurance tools to government who wanted to sell to commercial, and they had trouble. By the way, the term information assurance is just the glass-is-half-full term; the glass-is-half-empty term is information warfare. It's just a corresponding term to information warfare, that's all. But I think it's important, as an enterprise security professional, for you to understand kind of the way the government solutions model works, and it's not just in the U.S. This is also all over Europe. I really don't know how it works in China or Russia, being honest; that is a place where I just don't know, but I suspect there's probably some similarity. Both of them have heavy emphasis on offense, but I'm more interested here in defense. That's why I put information assurance, not, you know, election disruption or things like that. That is relevant to what we do, but we're all interested in playing defense.
So information assurance: what's the general effectiveness of tools and services being sold to government? Improving. I don't know that that's necessarily true of some of the programs in government. I'm not a huge fan of the direction that programs like Einstein have gone in the past for DHS. I think it's improving. I like that they're thinking more virtual, thinking more mobile, thinking less DMZs. That's good. There are some nice people there, and I try to spend some time helping. But generally the information assurance offers from places like Leidos and Boeing and AT&T and others are really getting good. Like, I look at the things that they're pushing out, and they're creative, and they have info ops background people working on them. It's really kind of exciting. Like, you wouldn't guess that; you think, jeez, the stuff being sold to government is probably terrible. That's not been my understanding, and that's why I drew this curve, because I just see them getting better, more accurate, more integrated with modern technologies, artificial intelligence embedded in a lot of these solutions. Really good stuff. But government is still somewhat lagging. Now, what I do see is that we all had high hopes, see this chart, of transferring government solutions to commercial, somewhere around here, like maybe 10 years ago. We were all absolutely certain that you could easily go from government to commercial. Look at some of the companies that, you know, hopped over to do that. I won't name names, but there's a bunch that did. I don't think it worked out so well, and I see that as being less of a trend. I think when you do government, you should celebrate that. Look at the trend you're on. If you're selling government services, if you're selling cybersecurity platforms to federal agencies, what you're doing, from what I can see, is awesome. Keep doing it. But somebody somewhere covets commercial. They have this image that, you know, in commercial what we do is I pick up the phone, I call a bank, I say, hey, you want to spend a million dollars on my stuff? And they say, yeah, that sounds great, here, I'll send you a contract, sign here, let's go, hey, let's go have lunch tomorrow, and in an hour you made a sale. You know, and in government instead you have to work for three years on the life cycle. That's the cartoonish kind of narrative that you hear, and it's all nonsense. You know, government and commercial are different, and they both have their respective pros and cons. But when you're good at government, celebrate that, for heaven's sake. So look, the focus here obviously is on nation-state risk. You know, so nobody's hiring one of the defense, one of the DIB companies, to come in and help, you know, make passwords stronger. These are the nation-state risks, big program type activity. And like I said, I'm very impressed with a lot of this, and some of the companies I named, I think you're doing just a real bang-up job. Full disclosure, I used to work at AT&T, so when I say nice things about them, I can't help it, because I know what goes on there. But recognize I do collect a retirement from them, so maybe I should recuse myself from mentioning them. But they really did do a good job. So all right, let's go into the next one, MSS, managed security services. This is a wild area.
First off, every MSP wants to be an MSSP. I blogged about this last week. You know, every time I talk to an MSP and I say, what are you doing in security, they brighten up and they go, oh, it's just like you just asked them how are you going to make your next million. You know, they see it as this amazing upsell, and in many cases it's probably true, you know, that they can. They've got a wonderful relationship with the client. Let's say you're doing IT management for a law firm or something and they want to do NAC. What would be the natural team to do that? And you do, and you make more money, and you do a great job, and everybody is happy, and lo and behold, you're an MSSP. So it's perfectly fine. I think that's wonderful. But here's the problem: MSS services will have to become more virtual. They have to. Really, the essence of playing defense is being quick and nimble, right? The ability to make changes quickly, to swap one vendor in for another. If you're a hockey coach, you know the idea of switching lines and stuff. Isn't that what it all comes down to, whether you win or not, how good you are at managing your team and making changes quickly? Our cybersecurity defenses now are so static. If I told you tomorrow, let's say for example you're using Acme, an Acme SIEM (there's no such company), and you want to switch to a, you know, Smith SIEM (I don't think there's a company called Smith selling SIEMs). You want to go Acme to Smith? What do you do? Can you do it in an hour? No. Can you do it in a day? No. Can you do it in a week? Probably not. Can you do it in a month? Maybe. Now, what if you had to make the change fast? It takes you a month. What kind of craziness is that? That's not how you play defense. And yet we don't even question that. And MSS teams, as they participate in this, are the most vulnerable as we fix it, because the way we'll fix it is on-demand, virtualized deployment, monitoring, and management of infrastructure. If I can point and click to deploy a product, then what do I need a managed security service for? Think about that. That's a big deal. Now, yes, maybe the MSS points and clicks for you. Maybe they monitor the output. I do a little bit of that work. You know, you just don't want to deal with the day-to-day. So it's not like this goes away.
But I think what will happen, my belief is, you see this curve here, virtual MSS: managed security service teams that learn to understand virtualization, even better, software-defined networking, SDN, they are going to thrive. They're gonna do a ton of business. It's gonna be exciting. There's some companies that have this in their DNA, and they're going to drive it. Look, obviously the telcos have an advantage here, but there are a lot of other companies that have huge advantages too. So if you're watching and you're working in MSS, please, the takeaway here is go back and think through how you can help your customers drive device-to-cloud, drive zero trust, drive de-perimeterization, drive scattered hybrid distributed systems, drive hybrid cloud. That's what you need to be supporting. And the ones that do will do just really well. And this will be a vibrant area, and we'll all be talking about, you know, the growth in managed security services, and I'll have a smile from ear to ear because I love this business. But the traditional stuff, up/down management, a bunch of people sitting in a SOC watching your bunch of firewalls that are physical appliances sitting in a bunch of DMZs, come on, there's no way that business, at least as an industry trend, will grow. You may have a little pocket somewhere where you have some growth, whatever. Again, I'm not even suggesting it goes away, just saying, in terms of trending, you'd be crazy not to take the time to understand how virtualization affects your customer and, in some sense, affects the way that you'll support their work activities. So gosh, I hope you keep that in mind, you know, kind of moving forward into MSS. And by the way, MSS is for just about everything. If you go back here, like in this sub-chart, you can manage IDS, you can manage DLP, you can manage firewalls, you can manage NAC (a little harder), you can certainly manage WAFs. You get the point, like all of these things. DDoS is a managed service, usually. Network monitoring, managed. Mobile management. Mainframe, probably not. ICS, hardware. These are all things like this. This topic of managed security service pervades this list of emphasis areas across the whole TAG, sort of, road map here. So keep that in mind. And that's also going to be true
for this topic, security consulting, the next topic, and that's where you're hiring experts to come help you with your security. Now, by the way, security consulting has just been monotonically improving. I tip my hat to those of you who do this work, because you're getting better. Like, in the early days you had somebody come in, they ran a scan on your network, they gave you a boilerplate output with an executive summary, some boilerplate suggestions, and then an appendix with the results of your Foundstone scan or something. It was really quite terrible, and it was generalized, high-level stuff. It was all like advice on optimizing what you had, and it wasn't so good. And then that got better. Maybe the people just got better, I don't know; the consultants just seemed so much smarter as time went on, and we all sort of learned what customers wanted or didn't want. I had some adjacency to this in my old shop at AT&T. The teams get better and better and better; with each engagement they just got smarter. There's a brand new field here, so it doesn't surprise me to go from less effective (and those of you who were working in those days, I hope you're not mad at me that I say it was less effective, because you were inventing the concept) to better, certainly effective. I would have recommended during this period that anyone do it. Now, what I recommend, knowing that I didn't put more effective here, I didn't put more effective here because I still think there's room for improvement. But domain-specific consulting is really interesting to me. The idea is that we're not really at the point where you need to hire a consultant to tell you that you need a security policy. I can tell you that right now for free. But if you're rolling out, for example, complex manufacturing infrastructure using some weird protocols and you need to add, I don't know, cloud or mobility to that, having a consultant who has done that before, who understands the manufacturing equipment and software protocols, I kind of think that's a great thing to do, to hire. So those of you out there who make a living hanging a shingle as a consultant, domain specificity, I personally believe, is going to be the big sales door, you know, moving forward. You're going to have to convince your clients that you know something about something, versus just the general sort of security expertise. One area, obviously cloud; like, I couldn't resist calling out cloud as one specific area where the consulting is going to be particularly important. And what's the number one question? How do I transition securely and safely and in a cost-effective manner from my existing enterprise LAN to a hybrid or full public cloud? Question number one. If you're good at answering that, if you've done it, if you understand the tools and the vendors and the pitfalls, and then you've got good case study information, and you've made a million mistakes, as I have, you know, doing that kind of stuff (like, I could probably lead the league in telling you things not to do), then you're going to do well. That's the kind of thing that I think really helps a consultant differentiate, you know, in and around this type of consultation engagement. So let's go through a couple of the forces here. Generalized, high level: the early days. Specialist, domain-specific. So I said here, there's a good one: advice to optimize existing security, overlay, retrofit, versus advice to distribute and virtualize security. Both are design words; distribute and virtualize are verbs, action verbs that imply design. So I love that. Instead of, hey, here's your mess of ***, and here's a way to make it a little less messy and crappy, we're going from that to, hey, here's your mess of ***, let's fly this plane out of these clouds. Let's do something. That's probably the reverse of the bad metaphor; let's fly into these, usually bumpy. You're giving advice and helping people get to a better place architecturally. So I personally think that seems like you're going from retrofit to design, and that's always the right thing. Three big areas: cloud, mobile, virtual. I mentioned IoT and industrial control, financial services. These are all domain areas that make sense. So if you're planning your living, if you want your income to improve, make sure you're good at something.
There's a crazy one too, right? So in the early days security recruiting meant you call the headhunter, and they don't like when you use that term, so whatever you want to call it, a personnel consultant or search firm, whatever, and maybe it had a very transactional sort of thing. It may not have been retained search, but it certainly wasn't relationship-based; much more transactional, and it was usually focused on a job search, very specifically: we are looking for a person to do the following. You retain a search firm, and then the search firm calls up everybody they know, they reach their tentacles out, they bring some people in, they take a little cut. And that was their business model. For most of us, that's kind of a business model that is not optimal for a few reasons. First of all, transactional things like that don't make sense when we're talking about people's careers. It strikes me, you see this thing on the bottom, from transactional to relationship-based. Come on, man, I mean, you want to have a relationship with somebody who's helping you, both in terms of retained search, where you're building your team, and also in terms of job finding, if you're actually out managing your career, looking for other types of things. And keep in mind that, unlike in the real estate industry, headhunters are happy to sort of represent both entities here, you know, not making money off both, but rather, you know, making money on the transaction. So I think what's happened, and this is good, is definitely increased partnership. So the companies that are good at this, the ones doing retained and contingency search, I think everyone will agree that increasing and improving the relationship element of their interactions with their customers is a huge differentiator. The ones that don't do that, the ones that are kind of cold and transactional: send me your resume, thank you very much, here's the job, sorry you didn't do good on the thing, goodbye forever. That's crazy. It makes more sense for them to take an interest in you, learn what you're doing, sort of like a financial advisor in a sense. One thing, and again, that will continue to become more holistic. You can see holistic career management, relationship-based support. That's what you should be looking for on both ends, both retained search and also using a security recruiting firm to drive your own career. By the way, you don't have to. There's a lot of, I think, just being social and going to events and meeting people, being out there. That's generally a pretty good way to learn the opportunities that are there. You don't need a headhunter. Now, what I think I've seen since about '07, and most of you know I have a deep, deep 30-year kind of career in academia, teaching; I teach every semester at Stevens, and now I spend a great deal of time over at NYU, and the students are always coming up to me saying, well, how do I get into cyber? And kind of before '07 I wasn't sure. Now I think a lot more companies are doing university hires into cybersecurity positions. Certainly all the consulting firms do this. So it provides a pretty good entree. I like to say, when somebody says how do I break into security, that there's no one path, right? It all depends on your passion and what you're looking to do. If you love software, networking, do that. You'll find your way to security. If you like to get into that area, learn networking. If you're more an audit type, then take a job doing some audit work and learn about the controls and learn the process, and you'll find your way to cyber. If you're the type who likes business, business operations, go that route. If you love cyber, there's always these business information security officers and business contacts that do local sort of coordination of cybersecurity initiatives, you know, at the business unit level. Happens all the time. So there's a lot of different paths. But I do see more and more companies hiring young people, to the point where I think it will surpass the search firms. It hasn't yet, but I think it will. So this, I think, is a good story for some of the younger people who may be listening to these discussions.
Security R&D. This is a mess. Now, here's what I mean by this. I do not mean research in the sense of digging through vulnerabilities, hacking research in a sense; that's not what I'm talking about here. Research and development is something so few people really understand how to do. I had the great fortune to have grown up in Bell Laboratories, where I watched it done properly: in many cases, setting up conditions where ideas can be passed across an eclectic group with common skills. Again, you don't put unskilled people into a research group and think something good will come. You have to have a lot of training, a lot of domain-specific understanding, but you want an eclectic group, and you create the conditions for that group to invent or innovate on whatever it is your area is, if it's biology or if it's computer science or mathematics or if it's some engineering topic, or even if it's a social science. The idea of doing research is this exciting, crazy, unstructured, in many cases, thing. Now, structure sometimes comes out of great ideas, when an unstructured discussion leads to an idea that requires intense focus over a period of time. Structure takes over quickly. But here's the reason research has been such a troubling thing, particularly here in the US: you really don't know if anything good is going to come out at the end, and in fact, you do not lay out the specific goal of a research activity. If you do that, you're not doing research, you're doing development. So research has to be this curiosity, again, driven by an eclectic group of people with common, deep, domain-specific skills. So these are experts, and they're encouraged to allow their ideas to kind of marinate amongst themselves into something new. And you don't know what the new thing might be. It might have nothing to do with your business. It might be inappropriate. It might be this crazy branch where the business teams think, no, we can't do that. I could go into a lot of examples from my own career where I think I've been involved in innovation that just wasn't consistent with the business that I was part of, and it just didn't go anywhere for that reason. So it is hard to do in businesses. You know, in the old Bell System, many, many, many years ago, the research was mandated; the government said $1 of every 10 needs to go, and it was $1 of every 100, 1%, has to go to research. So the old Bell System in the US, prior to divestiture in the '80s, had these research teams that they would fund, and they would do basic mathematics and metallurgy and invented the transistor. All these crazy things came out of that. But it was not because somebody had set out to build a program plan to create lasers. It was rather the research that was going on moved in that direction, and lo and behold, it led the teams down a path to something that now is an important part of our lives. UNIX came from something like that, and there was never any plan to go build UNIX. It was a bunch of developers who were working on a program called Multics, and they said, this is just getting too complicated, and they quit the Multics project, came home, and said, let's make this simpler, what do you think? And they worked on some very simple software, Dennis Ritchie and Ken Thompson and others. They called it UNIX, a little simpler than Multics. So they used it for the secretaries in the area to make them a little bit more efficient at text processing. With UNIX you programmed in C, you know, and it's an extremely comfortable programming environment for manipulating text. Was that some program manager saying go do UNIX? No, of course not. So what do we have now? What does this mean to cybersecurity now?
Can you think of any places where there's really unbounded, unstructured, holistic, creative, eclectic research with a team of experts? It's some universities, a couple of national labs. I have the great pleasure to spend a bunch of my time at the Applied Physics Lab at Johns Hopkins and the Asymmetric Operations Group. There's that spirit there; that's why I go there, because it just makes me feel good that there's a bunch of people really trying hard to be creative.

Does that mean that every time a group of people get together, something awesome pops out? No, and that's the whole point. You know, that's the reason people hate to do R&D: because it's perfectly fine for there to be no output. And it's just like, well, sorry, we didn't come up with anything. That's the nature of research. So I think we hit the dark ages from '07 to '16 in the papers that came out of the research. So, nowheresville in my mind. I think it's getting better. I'm optimistic. Like I said, I see some universities getting better, and I have to tell you, outside the US there's an awful lot of really good students and researchers, and they're creative. We have this delusion in the United States that we're the only ones who can be creative and everybody copies off of us. Give me a break. That's just not what I see in the journals I'm reading. China has some pretty wonderful researchers, and a lot of them. You know, here at Stevens we have such a large population of wonderful kids, international kids, many of whom will leave the US after they do their studies, who are capable and creative and smart. So maybe internationally there's a little bit more of that spirit. I don't know. Some of you might say, well yeah, I mean, if you have a government that dumps the money in, fine, and I'd say, well yeah, whatever. I don't know, I'm not a good politician, but I will tell you that the old Bell System was certainly essentially part of the government. So I don't know.

Well, I'm just sort of being observational here, and you can draw your own conclusions. If you've been with me through these, you'll know that I encourage you to disagree with me. I want you to have an opinion. I'm not just doing these courses because I feel like, hey, hear me. Lord knows I've been doing this so long, the last thing I need is to sit in front of people and just drone on and have you hear my voice. I want you to have an opinion. That's the whole point. So if you look at this and you disagree, draw your own conclusions. But how can you possibly come to the conclusion that through 2019 we're any better than we were in '98? Like, I think, you know, from '98 I would have liked to have seen it go up like this; instead, just the doldrums. Everybody, around the dot-com boom, everybody just quitting their research to go do a dot-com, and it hit its low point. And I think about 10 years ago, maybe around the crash of '08, you started to see some people really produce a little better research results, the papers coming out of universities, a lot of international stuff moving forward. I think we'll get to the point where we have a wide range of well-funded scientific efforts, but right now it's still kind of weak, and I hope you'll have an opinion about this, because I think this is super important.
Security training. So there's two kinds of security training. We always talk about the first. That's awareness for dummies. That's where we say, everybody stop clicking on bad links, what are you, a dummy or something? I mean, we phish them and stuff, and I do cartoons about it. So that's important. I'm not being glib here. You have to do that. And by the way, the idea that awareness will take your risk to zero is patently ridiculous, right? You already know that. But if it can lower it, why wouldn't you do it? It's not that expensive to do, and it actually can be kind of fun. You can make videos, you can have, you know, big games that you play, all kinds of fun things. A little bowl of pencils that say "security is good" outside the cafeteria, maybe we could do without that. But there's security awareness training that I think is good, and it's gotten better and better. I like my friends over at Mimecast and other places; they make videos. I think they're good. I don't know, I'm a total geek, but I like them. I think they're funny and they're well produced. And most of the, like, the phishing stuff has gotten so good. The platforms are good. I've got the directional arrow up for all the security awareness training. The company that we're doing this work with, Cybrary, what a wonderful experience. You don't see a lot of the behind the scenes here. But boy, have they made this easy for me. We get on a few minutes before these lectures, and I always have a very nice person who helps me just pull the app up, we stream, we make sure I'm hitting the right server. They're very friendly; they're texting me now as we're going through this, and it's a very wonderful experience. If we'd done this 15 years ago, I think the whole thing would have been a mess. So it's gotten good.

But one thing that I have seen that has really, in some sense, been a business... I don't know that it's a competitor, but it's a challenge for companies trying to make a living doing security awareness training, is that the online stuff has gotten so good. Oh my gosh. And when I say online, I probably mean free. I watch videos all the time, you know, from MIT and Stanford, and even at NYU and Stevens, where I am. I did a bunch of work with Coursera; you could put my name and any security topic, type it into a browser, and probably a Coursera video comes up. I did 180 videos with them, and it's all free stuff. So, and again, Cybrary, my goodness, they have some things that are out there that are wonderful as well. But I think the free things have created a challenge. You have to be careful, though. Maybe the advantage of a Cybrary is that they're curating. Like, we spent a lot of time going through this course before I did it; it's not me with a webcam. So you have to be a little careful with the free stuff. But like I said, the competition is a professor at MIT up talking about machine learning. Sign me up for that any day, and I do watch that stuff. So that's an important one. If you're on a super low budget, or if you have, like, zero security budget, you should still be able to create a program for free. You just have to have a social network to make sure that you know what's good and what's terrible, because there is quite a bit out there that is terrible.
What are the factors? General stuff. Again, domain-specific being an important thing moving forward. And then these conventional infosec sessions. Remember those? Training was just kind of, uh, going to social, video, viral and so on. Now, I said there were two kinds of training. That's the awareness. The second is for practitioners and experts. And again, I'm showing online; that's also for awareness. But experts need a different kind of training, and that's kind of all over the map. Most of you would say you do SANS, Orion's or Cybrary or whatever, and that's good; by all means do that. A lot of you listening to this are experts, and the fact that you're part of this course tells me that you value this. But how do you train your SIEM analysts? What do you do?

There's a whole collage of opportunities. First, every vendor that you buy from will have some training, and you'd be nuts not to pay the extra money or take the free training that they'll give you. That's number one. That should be an absolute requirement. If you're dealing with 37 vendors... let's say you're dealing with 52 vendors, I'll tell you why in a minute. If you have 52 vendors, then once a week you should have a training activity from one of your vendors, and ask them to do it free, and most of them will be happy to do it. There you go: 52 weeks of one hour per week of training for your team, and it comes from your vendors. You should definitely do that.

A second thing, like I said, is a lot of the free stuff. A third would be, you know, university-type things, and the programs I'm associated with offer master's degrees for people with jobs. Most of the graduate students that I deal with, for example, at NYU, have a job. Stevens maybe a little less; there are a few more full-time graduate students there. But there's a lot of people floating around here getting master's degrees who work full time, and I think it's a wonderful trend. So you should do that as well, and then books and articles. And I do think SANS and irons are good events. Marci McCarthy runs some nice events, and there's all kinds of different groups that run events. You should go to these things. It's a good way for practitioners to learn.
And now I think we've come to our last control. I want to spend a couple minutes on this, and then I promised that I would take a few minutes to give some coaching.

Value-added resellers. These are solution providers in cybersecurity. This used to be a business where you just held paper, meaning you sat between your client and the contracts that they were managing with a variety of different vendors. You were good at that; you became a value-added reseller. You might have overlaid some consulting onto it. And it was a nice setup, and I think through the '90s, even into the early parts of the 2000s, a pretty vibrant business. But I think it's become tough, because my opinion is that hardware, transactional-type arrangements are probably not as long-lasting and don't match deperimeterization and virtualization properly. All those things I said earlier about on-demand deployment and provisioning into the cloud are absolutely almost existential problems for value-added resellers. I mean, my experience buying Fortinet is that I go onto a website and it's like I'm on Amazon buying paper. So what's the need for a value-added reseller? The answer is that the VAR becomes a consulting partner. And I think as that shift occurs, more about relationship and cloud, and in particular helping customers transition to cloud, the value-added reseller becomes a value-added consultant. I think that's a big win, especially if they still do hold paper and they can help you buy and, you know, provide better deals for you and give you guidance on which vendors you should be dealing with. All those things are wonderful. A lot of consultants can't do that. A consultant tells you, hey, you should have the following, um, you know, two-factor authentication in your infrastructure, and you say, okay, great, what do I do? And the consultant goes, I don't know. A value-added reseller would say, you want to do that? Oh, by the way, here are the two or three I've got deals with. If you're set to go, I can have them delivered in no time, and we can take care of all the business end of this for you, and so on. That would be really wonderful. So this idea of going from transactional to a strategic relationship: if you work in a VAR, you should have that hanging on your wall, that you've got to go from a transactional holder of paper to a strategic partner in the cloud. Like the shift down here to virtual, that trend curve. The ones that get virtual, the ones that can help me with cloud, the ones that can help me understand software-defined everything, they are going to thrive. And the companies that just kind of want to hold hardware paper, you're going to stagnate. I don't think that's all that terribly controversial to say, right? I mean, I think that even the biggest VARs would agree with you on that. So this is the way it goes here. What are the forces? Hardware to kind of architecture strategy, product resale to a solution consultant and trusted partner. That makes sense to me. And again, as a buyer, I hope you'll visit with the value-added resellers that you talk to now and try and understand where they are on that life cycle roadmap.
Now, let's go back here and let's talk a little bit about you. So it's weird, through the magic of, and my MacBook Air here, I'm looking into a little round hole and I can't see you. But I can imagine all of you kind of looking at a screen here and listening to my words. I kind of imagine most of you working in enterprise doing security. You probably have some aspirations personally. You probably want to make more money, have more responsibility, be better at what you do, have your work valued, feel some financial security, feel some job security. These are all the things that are important to people who do what we do. And I've managed thousands of you through many generations, so I think I know what's going through your head. And again, I congratulate you for taking the time to be here listening.

I think that career-wise, there's an interesting thing happening amongst enterprise security teams, and it's two forces in completely opposite directions. The first force is that security is clearly becoming more important. And you know that if you go to cocktail parties. You go to a party, you're there with your spouse, you get your drink, you go over to a little group, you meet some people you haven't met before, they say, oh hi Ed, what do you do? I say I'm a cybersecurity geek, and they brighten up and they go, wow, man, did you pick the right field, boy, are you lucky. That's all anybody talks about, cybersecurity. My gosh, it's cybersecurity this, cybersecurity that. So you know that you're in a field that's growing. That's the force, maybe the normal force, upward.

The opposing force downward, though, is a tough one. And that's that the fact that there's so much obsession across everything we do implies that it becomes more embedded, and I think we need to prepare for that. The idea that a lot of what we do becomes integrated and intimate with the network and software and systems and management systems and controls and business areas and so on, that normally we would have provided overlay coverage for.
Think about it, uh, reliability and dependability. These are engineering attributes that are embedded in it. You don't have separate groups that do reliability. We did for a while; you know, a guy named John Musa did software reliability engineering: build software and then just engineer it to make it more reliable. We used to build cars that way. Like in the '80s, you build a car and then it goes somewhere and you make it higher quality. That's not the way to do it. In fact, quality had the same thing, where in the '90s you had these quality circles where you took business processes and you improved them by being a quality expert. All that's gone away, right? You don't talk about doing quality after a design; you talk about doing quality in the design, and there's no more quality engineers. Everybody's a quality engineer, everybody on the line. Everybody can pull the chain and stop the factory line if there's something that's going to cause a problem. We all know that model. And yet in security we still have the old model, don't we? Where you build things and then you bring all of us in as experts to overlay something to patch up bad design. That's going to change. And once security is the purview of everyone, what's your job going to be?

Hard to say. That's why I think you need to make sure you're surfing these trends and keeping your eyes open; make sure that you're good at things. So, you know, if you have the ability, for example, let's say you do identity and access management, that's a skill. It's going to be important no matter what, whether it's called security or called IT; I don't care what it's called. IAM is maybe the ultimate example of things that have become integrated, right? Can you really tell the difference between an IT expert and an IAM expert? Really, they're the same thing, right? You know what I mean? It's maybe a little peek into where things are headed. If you're really good, for example, at network monitoring for anomalies, then you're probably good at networking, right? Or if you're good at intrusion detection and SOC hunting and threat analytics, then you're probably good at analytics, right? And we know that's going to be important. You get the point. So as you plan your career, I think you want to do maybe the opposite of what I've been suggesting within our business, where I said become more domain-specific. In a holistic sense, from a security perspective, I think we want to become less security-domain-specific and more focused on the kinds of things around us that get real attention. A firewall doesn't make anybody any money, unless you're a vendor that sells them. A bank doesn't make any money by putting next-generation firewalls in. They make money by enabling connectivity to customers. And if that has to be done securely, then so be it. So you go from being the firewall expert to being the "how do we get our customers to communicate better with us" expert. You see what I mean? So think about your career that way, because I think that's likely to be the path for most security teams moving forward. Now, if you're a CISO or a budding CISO,
I have even more abrupt news for you. So hold onto your hat on this one. CISOs are executives. It's an executive role. I probably learned that the hard way. So having academic credentials, writing books and articles, being good at something, having written a lot of code, hanging around the right conferences, being a good hacker, dressing the part: these are the things that maybe got you the job, but they're not the things that are going to help you succeed. The kinds of things that help you succeed as a CISO start with communication, continue on through a deep understanding of how business works, travel up through having just impeccable relationships with other executives, including personal characteristics like empathy and the ability to listen, and understanding the things that are important from an executive perspective, like finance and corporate finance. If you don't understand capital, how to obtain it, how to manage it, how to build metrics around your financial systems, you can't be a CISO. And none of this stuff... did we talk about any of this in the last six weeks? No, but it's essential that you have these well-rounded skills these days. There was a book called Theory Z by William Ouchi from Stanford, a popular book in the '80s. They said a lot of Japanese firms would make you, in the first few years of your career, jump around to every part of the business before you would even be considered for promotion. Old GE model companies, a lot of companies, AT&T does that. There's something to that, right? I mean, if you just sit siloed in cybersecurity your whole career, then that may be fine, but you're probably not going to become an executive. You're not going to be a CISO. Probably you might have 10 years ago; that's a path that may have worked then. It's not going to work now. You have to talk to regulators and boards and customers. If you can't do that stuff, forget it. And also fight for your team, fight for budget, fight for staff, and speak the language of the executive team.
So it's okay if you want to stay very specific to a security discipline. But if not, if you're willing to try some other things, then think about what would happen. Let's say you're the deputy CISO somewhere, maybe it's not even called that, but let's say the number two or three person on your team, and your boss's boss calls you and says, listen, I know you'd like to be in that CISO role. So what we'd like you to do is go over and spend the next year in marketing. We think that will be a valuable skill for you. You're going to work on brand segmentation and customer understanding, and you'll have some responsibility for the marketing of our products and services. And then we'll see; maybe you come back as the CISO. What would you say? I know everyone on this call would say, you'd go, what? If I went away for, you know, even 10 minutes from this field, I'd come back and I wouldn't know what was going on. I'd lose my edge. I'd lose all of my understanding of the topic. I wouldn't get it. How could I possibly come back?

That's the path every executive takes to the senior role. Let's say you're in IT, you're a CIO, and you're offered the opportunity to run the South American operation, to spend two years down there just running the business in South America. And then when you come back, maybe we'll promote you to running infrastructure. Every CIO I know takes that job. They pack up and they go, they're sending you postcards from Brazil, then they come back and they take over infrastructure, and it looks like they haven't missed a beat. And you go, you've been out of infrastructure, out of the CIO role; how did you do that? And that's the point. They did that because they've learned skills that allow them to not have to be the deep expert on every little thing. They can sit managing an organization without really understanding every little nut and bolt of the engine. You're going to have to think that through. This community is going to have to think through whether that is an acceptable career path or not, because if you want to be a chief information security officer in the future, you're going to have to have a more holistic view of the business. It's just a fact.

I want you to think about that. That may be one of the real big takeaways from all this. We went through all these controls; I showed you what you needed to know to be good at this. But I'm ending with the real, real, real important point that if you really want to be a CISO, you're going to have to think more holistically than just what we all enjoy. It is perfectly fine to say, I want to wear my Birkenstocks and stay technical my whole life. That's fine. And there are CISOs that are pretty technical, in a very technical role. And you say, well, what about this person? I'm just telling you that they got to that position through a path that's not going to be available to you in the future. You're going to have to have a more well-rounded background to take those jobs. That's going to happen. So,
so look, I hope... that's my little... I don't want to make this seem like a whole sermon here, but I want to help you. I hope this has been helpful to you. I'm available any way you see me: on LinkedIn, I hope you follow me on LinkedIn; on Twitter, I'm @hashtag_cyber. I hope you subscribe to my YouTube channel; it's the TAG Cyber YouTube. I post a video interview every single day. It's all free. I hope you jump on. I mean, the Cybrary people are so wonderful. They help highlight my work, and they were kind enough to let me come spend some time with you guys. I hope you stay in touch with me. My email address is right there. I'm pretty good about getting back. I didn't put a phone number because I never answer my phone and I never listen to voicemail, but I'm happy to respond to email. And like I said, I really hope that you'll follow me on LinkedIn; maybe a few of you have already. But if you haven't, jump on LinkedIn and follow me. I write articles just about every day. And again, I do that for you. So I hope you'll join our community and listen to what I push out there. And listen, I wish you all the best. I hope things work out for you in the coming weeks and months and years, and stay in touch with me. If you get a big promotion, send me a note and I'll congratulate you. So listen, thanks so much, and thanks to the Cybrary team for such a wonderful job. There's a bunch of people who have helped, and if you're listening, I want to thank you for doing such a fine job with that. Well, we'll shut down our sixth session. I wish you all the best. Thanks everyone.