Lessons Learned in Cybersecurity: Why Tech Skills Aren't Everything
Hello everyone, you've got me again. Hello. Um, so we're about to start today's session, Lessons Learned in Cybersecurity, with Zach Shram. We'll have some time at the end once again for a Q&A. If you are joining us virtually, please place your questions in the chat and I'll read them to our presenter. If you are joining us in person, please line up to use the microphone. And now I'd like to introduce you today to Zach. Zach is currently a technical security consultant at Google Cloud Public Sector. His cybersecurity career has progressed from an internship at DoIT to roles at Booz Allen Hamilton and Mandiant, where he advised a range of organizations including federal agencies, the DoD, the Fortune and Fortune 500 companies. With expertise in intelligence-led security validation and Google Cloud technologies, he now helps public sector clients implement secure cloud solutions. Zach holds a BA in legal studies and criminal justice from UW-Madison and certifications like the Google Cloud Professional Security Engineer and CompTIA CP plus. So without further ado, I'll turn the time over to Zach.

[Applause]

All right, good afternoon. It's a pleasure to be back on campus. Uh, I graduated in the spring of 2020, not a great time to graduate, 11 out of 10 do not recommend that. Um, had to heavily rely on my Marine Corps training, which was improvise, adapt and overcome, at the time, and was able to, uh, kick-start and take the momentum that I had, um, from being an intern here on campus at DoIT, which I'm incredibly thankful for, um, and jump into cybersecurity and make something of that career. Um, so I got hired on at Booz Allen, um, working with the, the federal, uh, environment, um, public sector, um, advising in cybersecurity, cybersecurity operations, rolled that into Mandiant, um, where I was doing a lot with intelligence-led validation, as was mentioned, and, uh, now I'm excited to be at Google Cloud. So definitely grateful for my opportunities and experiences here on campus, um, and it's, it's a pleasure to be back with all of
you. So that's a little bit about me. Um, as I mentioned, yeah, I'm, I'm an alumni of the university and I'm currently at Google. Um, I like to sum up my job is bringing the best of Google to the government. Um, so I work with higher education institutions, um, with some pretty cool projects that they're a part of, uh, with research and development, how Google's, uh, cloud architecture can help support that, as well as, uh, public civilian side of the government, um, so research institutions like NIH, Bureau of Land Management, all that kind of stuff, and then also the, the military and defense space, um, where I have experience as well.

So, uh, today I'm going to share a couple lessons that I, uh, have learned along the way in my consulting time, um, since I've left UW. Um, and the first one that I want to share, uh, with everyone today is that cybersecurity is not just a tech issue. You might be thinking, what is going on, this guy came to a tech conference and wants to talk about things that are not tech problems, right? But hang in there with me, because, um, in, in the time that I spent with consulting, uh, I've seen that we need to take a more holistic approach, uh, to cybersecurity, um, and we need to think about it from just more than a technical perspective, because while it is true that cybersecurity does secure very technical systems oftentimes, um, we need to think of it in, in a broader scope, because some of the, the biggest weaknesses, and I'll get into this in a minute, are the human side of cybersecurity.

So as leaders, uh, how many people here know about John Maxwell, leadership author? Really? Okay, see heads nodding, right? Raise, raise your hands, anyone. There we go. All right, that's, uh, so John Maxwell, uh, is known for one of his, uh, books that talks about what tools are in a toolbox, right? Uh, we need different tools to approach different types of situations, because if we just walk around all day with a hammer in our toolbox and that's the only thing that we have, we're going to hit everything on the head as if it's a
nail, and one day we're going to come across a screw, but that's not going to work so well if we try to hammer in a screw. I've seen it tried. One person somehow was a mechanical engineer, but he didn't get his degree here at, in engineering, so maybe that was his first problem, that's why maybe he was trying to hammer in a screw, but it's all good, right? It, it's not always a one-size-fits-all solution. So as, as, uh, leaders we need to think outside of our toolbox and, and add different tools, uh, that we're able to use.

And the reason I bring this up and talk about a bigger approach to cybersecurity than just, you know, trying to solve things with more technology is, um, what I led into in my last slide: there's a human side to security. And, uh, every year, uh, Mandiant releases their M-Trends report, which is a culmination of what we've seen, uh, from doing incident responses and working with organizations at their most crippling, uh, point with ransomware, to doing proactive consulting to try to fix broken processes or maybe train them up. And in this M-Trends report from 2023 there's a lot of things in there that talk about the technical side, right? Uh, we're seeing threat actors that are leveraging things like, uh, hypervisors and cloud management planes or living off the land, but there's also this human side, uh, to it, and things that, uh, require or have some sort of human characteristic of a vulnerability of us as people, things like user susceptibility, social engineering. Anyone that's been paying attention to cybersecurity in the last year or two is probably familiar with a group known as Scattered Spider, uh, who we track at Mandiant as 3944. They are marvelous experts at social engineering. I've listened, uh, and had the opportunity to hear some of the, the phishing calls or help desk calls they try to pretend to be, uh, to lure people into sharing multifactor authentication codes and stuff like that, and they are very believable. They sound normal. They're not, not, you know, calling you from some random number,
they're, uh, trying to do all the things right to make it look like they're coming from a location that you might trust. They're doing their due diligence to research, um, and appear legitimate. Phishing is something that as, as technology leaders I'm sure we're all familiar with by this point, right? Um, where we, a very similar concept, where we take email or maybe some sort of message and we try to exploit that, um, to get credentials or have someone send a payment that wasn't supposed to be sent, to try to make money off of them, right? Um, and a human element to that, and maybe just the, the weakness of us as humans of trying to trust and being intrinsically, um, inclined to, to trust. And the last one is weak credential storage, because it's so easy to want to use that Post-it note to just put that password right there in the monitor at the bottom, so that way we know where it is every time you want to use it, right? It's a human weakness of us wanting to make things easy, because we don't want to have to click through six different screens to get to LastPass or whatever password manager maybe it is that you're using, um, because that takes too much time and that, that slows us down, right? It's, it's so much easier to do that. So we have these technical, uh, problems, or they can lead to technical problems, but ultimately they're caused by, uh, weaknesses of, of us as humans.

So how do we solve that, right? You say, okay, we have this issue, we've, we've identified that, you know, we can take this bigger approach. And my pitch to that is, uh, finding people who come from non-technical backgrounds to help strengthen and bolster and diversify our cybersecurity team. These are all examples of different, uh, roles that you can fulfill, um, without maybe a super technical background and still be highly successful in cybersecurity. Things like training and education, which I hope doesn't go in for you was here at UW-Madison, right? Um, as part of my job at e m, or at Mandiant, um, I've been part of our training education team, um, which
has been a super rewarding opportunity to take the knowledge that I have and share it with different groups, um, and every time I, I do that I, I learned so much from the people that we're teaching, almost more than sometimes I'm teaching them, it seems like. Um, so training education is, is entirely, um, you know, an important aspect to that as well. We need lawyers and people who have legal backgrounds to help us with the ickiness and the messiness of governance and compliance, things like FedRAMP, getting an ATO for federal systems, making sure that we have, um, accreditation, uh, making sure that we're in compliance with maybe things like FERPA here on campus, or HIPAA if we're talking about SMPH, um, and the School of Medicine, right? Um, all, all different, uh, requirements that we have to think of. We also need our business school folks, uh, with their MBAs to come on in and help us identify what's costing us too much money, where do we have redundancy in our environment, how can we make our processes more efficient, and how can we make our people, you know, uh, better trained. And then there's also other opportunities for things like security authorization analysts, where my career here at DoIT started, uh, way back in, in 2016, and I'm aging myself now, um, a little bit. Things have changed here in Madison a lot, it seems like. I haven't been back in a while and suddenly, uh, Regent Street's grown six, six stories on every direction, right? Um, crazy. But security authorization, right? We need people to grant access to systems, so as we're doing that, very basic cybersecurity concept, right, the CIA triad, we want to make sure we have the confidentiality of our systems, that only the people who need access have access to it. Really important, but it's ultimately a business process that it's pretty easy to train people on. We can train them, use that training education to do the technical side, but they bring so many different skill sets.

So this is where my personal narrative of this comes in, right? Uh, as mentioned in
the beginning, I was a legal studies major while I was here at UW-Madison, and my sophomore year I had the opportunity to take a class, which was Comparative Literature 203 with Professor Grunwald, who's probably somewhere here on campus not too far from me with his ears ringing right now because I'm talking about him. But at the time he hadn't written a book yet that I have up here on the screen, um, which ultimately talks about these narratives of guilt and innocence and how the literary themes and the way that a lawyer, a defense attorney, tells a story impact someone's outcome while they're on trial, whether they are found guilty or innocent. And I went to office hours a lot and got to know him pretty well and thought this was a really intriguing idea, but what I didn't know at the time was that this would have some parallels to my career, uh, a little bit later on. Uh, while I was at, uh, Booz Allen and I was working in the, um, public sector space, I had the opportunity to start getting into cyber intelligence, and a lot of those same literary themes, the impact, uh, on, on law as an outcome by the way that we tell a story, and this very clear, concise way of writing without bias, made me a really great cyber intelligence, uh, analyst, because when you write an intelligence product it has to be written in a very clear, concise way. We can't, uh, put our own personal bias in that report, because it'll skew the, the way that people who are receiving and, and deciphering that intelligence will perceive it, so it needs to only state the facts that go along with it.

So you can see here the comparison, um, of some of these skill sets that we bring in from other backgrounds. We have a lot of students here on campus, um, who like to work in, in these fields, just like myself, um, once was, uh, one of those students. So, you know, we have a lot of, uh, backgrounds to pull from. Myself and another one, uh, of the students that I worked with both went into cybersecurity and are still working. One just got hired at
Microsoft and I've been at Google now for a while, um, so these skill sets that we bring along help contribute. I've seen this a lot too with people who have transitioned from nursing or maybe even law enforcement, uh, into cybersecurity, because they understand the methodology, right? A nurse, uh, has to take in all the different information you tell them, right, "I have these symptoms, these are the things that I'm feeling, I took this medication but it didn't help," to help make a diagnosis and help solve your, your medical issue, right? Uh, police officers who have investigative backgrounds are taking all different types of information and have to decipher it, so that way they're able to, uh, ultimately come up with pieces of evidence that can help them solve a crime and get to the root cause of what actually happened on a scene. So those skill sets are really helpful when we're talk, talking about security analysts who are working in a SOC, taking in all those raw logs and trying to understand, siphon through all that noise, and understand what was the root cause of that, caused this alert to fire on that endpoint or that machine.

The second lesson I want to share today is that cyber is better when we're working together, and some of this actually came from my experience here that, very early on in my career, um, actually my last year here on campus, I had the opportunity to work on the cyber policy team. Um, and this was a really unique experience, because here at UW-Madison, a very polarizing, uh, shared governance model, some people love it, some people hate it, right? But it allows key stakeholders to come together and have a stake in what's going on around campus and have their voice heard, so that when these, uh, global policy decisions are made on campus, we understand the impact that it'll have on each college and division, um, without just, you know, being tone deaf to the, the impact that our policy is going to have. So as I got to Google, uh, Phil Venables, who is our cloud CISO, uh, talks about this
concept that he likes to think of with security that is built in from the beginning, not bolted on. So when I talked, uh, at an opportunity that I had a couple, uh, months ago, um, with a client, they were like, oh, you know, we have all this great technology, all this kind of stuff, but they weren't implementing it. They didn't really have, um, any sort of, uh, roadmap for how they were going to do it. So we talked about how do we get the key stakeholders together to help work together and, and figure this out, which brought us to some of the characteristics for success.

So these are things like establishing clear goals, uh, and shared understanding. So I worked with a client earlier, um, about two years ago, and they had kind of the blank check. They had all the technology in the world. They had Splunk, they had all of the, uh, endpoint detection and response tools you could ever imagine, they had all this great stuff, right? Anyone who would, you know, love to get their hands on all the cool tech, technology and cybersecurity, this was the place you'd have wanted to be, right, or at least the environment you wanted, uh, from a technical standpoint. However, they didn't have any leadership, they didn't have buy-in, they didn't have a clear mission, and they didn't know what they wanted to do, really, to actually defend their technology, uh, and, and their company from any cyber threats, and they got breached multiple times, which is why we got brought in to try to help this. So their organizational, I guess, management, because I wouldn't necessarily call them leadership, uh, decided we're going to do this program, we'll call it "Best in Class," but there was nothing to measure what was best and what class they were actually supposedly competing with. Uh, so it, it made it really hard, because there was never really any organizational change, because the mid-level managers, as, as Laura talked about, you know, getting that technology leadership, right, those technical experts, those are the ones that are going to help drive this, because
they're the resident experts, they're the ones working on this, on these products and solutions, day in and day out. And then you have your mid-level managers who may be helping with that, but they didn't have an idea of what they were doing. They were just, you know, doing whack-a-mole and hoping that something would stick.

They also didn't really have this culture of collaboration and trust, which is super important in an organization, because if you don't feel like you can take risks and make mistakes, you're not going to do the things that are innovative, you're not going to have meaningful change, you're not going to have meaningful impact if you're worried about it. So a lot of those mid-level managers were fighting each other for different, uh, management, higher-up opportunities, so it was a lot of fish in a small, in a small pond with small opportunities for growth, so they would backstab each other or their actual engineers if they make a mistake. So they weren't actually innovating or changing or growing, because they didn't have the opportunity to do that. So it's important to make sure that we, uh, have that trust and collaboration. One of the cool things that I love working, uh, in public sector, at least with universities, is I see so much more appetite for, uh, experimentation within security, so using things like ELK Stack instead of Splunk or QRadar for a SIEM, because you have the technical expertise to maintain ELK Stack and deploy it and tune it and go through your logs and all those kinds of things, and it's really cool to see some of the novel and, uh, outside-of-the-box things that come from that.

Another one that's really, really important is providing the role-specific training, uh, for, and awareness. Uh, as I mentioned, I, I do a lot of this kind of thing with Mandiant, um, in our Mandiant Academy, where I go out and teach network traffic analysis, or I go out and teach, um, cyber risk for executives, where we bring in executives who maybe, uh, oversee teams that have cyber component but
don't necessarily understand all the technical details, or maybe don't need to understand those, but they at least need to understand what the capabilities of their team are. And every time I teach that course they get so excited by the end of it, because, like, "wow, I never knew that our team could do this," so, "wow, that really got me thinking that, you know, our team has so much more capability," or, "wow, I didn't know that, you know, that maybe they need a little bit more budget for some of these things," and the actual value that they can provide to our organization. So, uh, making sure that we're training our people, uh, to become, you know, better in their role and, uh, have those opportunities to go to conferences, meet other people, find new ways to do things, all that kind of thing, and then also teaching, uh, the leaders, so that way they understand the importance and the value that, um, their, their people are bringing to the organization.

Which gets to the last point that I have, of celebrating success and recognizing those contributions. This is so important, because you get, uh, people who, you know, make those, make those, uh, big changes, or, you know, there's, sounds like there's some really great initiatives going on here at UW, um, with this, this Workday deployment, all those types of things, and as we get to those small wins along the way, it's important to celebrate those, because that allows us to demonstrate that, hey, we're, we're having impact here, um, what we are doing is leading to a bigger cause, having those clear goals and that shared understanding, and we are making impact. Because, uh, I was a cross-country runner when I was in high school, and if you always thought about finishing the race, you would never get to the end of the race, because you were so worried that, oh, I have two miles left to go, right? You just need to run each mile at a time and, and, and be like, all right, I got through mile one, that's great, now I'm going to go have a really good mile two, and take it each step of the way and celebrate those
little successes along the way, so that way your people, uh, feel like they've been recognized and, um, have, have the opportunity to share, uh, the impact and, and the contributions to the organization.

All right, that's what I have for us today. Do I have questions from anyone? I know we have some online folks as well.

Yes, we have two questions online. All right, the first: what is the stress level for this career? Is it more stressful when you start and gets less stressful as you progress? It seems that I would have hard time going to sleep thinking about all these security issues.

Absolutely. I think within security there's more roles, uh, there's some roles that have more levels of stress, right? I would never want to be a CISO. I respect what they do, but it's a, a, a decent amount of pay for a lot of stress, because when something happens and it all hits the fan, you're the guy they're going to be looking to, right? Um, so I think, you know, there's a lot of stress in that. I know, uh, handful of wonderful incident responders, uh, who work, who I've worked with at Mandiant, but a lot of times they're flying on that crazy flight over to Singapore or over to Europe because the client had a breach and they need people on site, because we don't have connectivity in their environment anymore, because we had to contain it and shut it down. So at a moment's notice they're getting on a plane and going. Um, it's super fun to be part of the noise, uh, be part of all that in the moment, but then when you're on week two and a half, three, week four, where you've been working every day non-stop to contain and eradicate in this crazy environment with ransomware, it can start to wear on you. So, um, you know, I've been part of SANS's, uh, conferences and spoke at one last spring, um, where we talked about that and the risk of burnout in cybersecurity: keeping yourself fresh, having time to, uh, develop yourself and maybe take a little bit of a step back, balance that 60/40, right, or 60% of it is work, maybe 40% of it is learning. Take a week or two,
focus on learning, um, maybe not so much on the stressful aspect of logs and security analysis or managerial stuff. Focus on learning development, maybe something that you enjoy, um, from a, a personal development standpoint, so that way you don't burn yourself out.

Thank you. Another, and the next question: really curious to know how the leak of Vault 7 CIA hacking tools affected the security industry.

Uh, yeah, definitely a big one, right? Um, it's hard, because once you take a cat out of the bag you can't put it back in. So, you know, once tools that have been, you know, novelly deployed or, or developed for specific use cases get out, uh, that can continue to be evolved and, and, um, utilized for nefarious purposes. We saw this with several variants of, of malware and ransomware that have hit over the last 10 or 15 years, where maybe they were part of, uh, nation-state tools that got leaked, um, you know, by, you know, activists and all that kind of stuff. And if it's something that we don't know about yet, um, that's called a zero day, so it exploits, those zero days are things that we're not aware of that might be vulnerabilities or weaknesses, and then we have to play catch-up to try to contain and, um, make sure that we get those devices secured again. So, uh, definitely has a huge impact, um, on the security industry, and it's something that we always are, are monitoring and vigilant for.

Questions in the room? Yeah.

Hey Zach, good to see you on campus again.

Absolutely, thanks.

Uh, so coming from a, a background where, where you're working in a consulting environment, um, you know, especially a firm like Booz Allen Hamilton, a lot of organizations, you know, will hire a consultant and they like to listen to the consultant about, you know, advice that you have for, you know, "hey, here's what your, your security team can do," like, "wow, I never knew that," when the security team might be saying, "gosh, I wish that my management would listen to me." So a, you know, as an external adviser, what advice do you have for IT or organizational leadership, you know, with respect to kind of taking that internal feedback from their own teams?

Absolutely. I think it's important to stay true to what your mission is and who you are as an organization, and some organizations know that and are better than that than others, right? Uh, like we've heard people like Simon Sinek say, know what you do but also why you do it. So I think that those organizations are really well founded in their ability to understand what they're doing, take that advice and provide that uplift from the external consultants. Um, some of those other organizations that maybe don't have that rely more on those consultants to help drive what that is, and maybe it's a little bit different, it might be a little uncomfortable for them, because they're not used to having that strong notion of that guiding North Star of, here's what we're doing, here's the mission and here's why we're doing it. Um, so I think that, you know, those organizations are a little bit more susceptible to that, and maybe not that it's necessarily always a bad thing, because it's important to have external checks and balances and understanding of, hey, here's what we're doing, you know, what are we doing to, um, you know, continue to grow as an organization, continue to develop, and sometimes we need that external voice telling us what those things are, um, that we need to do, and maybe pointing out those things that, from an outsider perspective, uh, that we would not necessarily recognize, um, you know, being part of it every day.

Thanks.

Hi, uh, Phillip D. Uh, question for you. You mentioned, uh, time in the Marine Corps, I believe. Can you, uh, tell us a little bit about, uh, some specific Marine Corps, uh, skills or things you learned there that you really carried over into your career, that really helped you specifically in this high-stress cybersecurity career?

Absolutely. Uh, a couple things. One, like I mentioned, uh, improvise, adapt and overcome. Uh, things won't always be perfect in security, but you need to make sure that you're resilient. You
can't get too focused on or hung up on one thing. You need to continue forward to what that actual big-picture goal is and, and how that relates to it. The other one that I think is really, really important is the ability to cross-train, um, and know what each other is doing. Um, something that we teach in the Marine Corps, I was an infantryman, is we're part of a, a team, a fire squad, right, four or five guys, um, and that if one of us goes down for whatever reason, uh, we need to be able to take that person's job and fulfill those duties, so that way we're still a strong and resilient team. So in cybersecurity that's really important, that, you know, I'm not asking everyone to go be a cyber lawyer, right, and have deep, you know, years of cyber expertise in, in law and policy, right, but at least understand enough of what that component is, um, cross-train within that, or maybe not go be a super technical, you know, cloud resident expert, um, on how to deploy secure GCP, or Google Cloud, uh, VPC, right, virtual, um, containers, so that way they're segregated environments, but at least understand that, hey, we need to have some compliance and we maybe shouldn't just put all this in a flat network kind of thing, right? Um, so I think those are definitely, uh, two main ones that stick out, uh, for me from that experience.

Thank you, that's a great question. Any other questions in the room? All right, well, thanks everyone, I appreciate it.

[Applause]
2024-12-20 03:25