Interviews from The Underground Economy Conference – Part 3

Professional Advice

Team Cymru holds four conferences per year, three Regional Internet Security Conferences and an annual conference called Underground Economy. If you are interested in applying for admittance to one of our events, please visit our events page.

In 2019, we interviewed several of our veteran Underground Economy attendees. The following is Part 3 of our “Interviews from the Underground Economy Conference” series.

 

WHAT WE ASKED…

What advice would you give to someone wanting to start a career in Information Security?

If you were to give two or three bits of advice to established Information Security professionals that want to further their careers, what would you say?

If you could share three bits of security advice to family and friends what would those be?

 

Q: What advice would you give to someone wanting to start a career in Information Security?

 

A: “I would say that if you’re going to come into the security world, the biggest thing you have to be comfortable with is changing yourself. The things that work from a technology perspective today won’t work in five years, and the things that worked five years ago won’t work today. But at the same time, the human aspect of breaking something, getting into it, is something that’s unchanging. We’re always going to be clever; we’re always going to find a way to break something or to hack it or to get through it or something, so my advice would just be that the techniques you use to get into the space, learning on YouTube, learning on forums, school or whatever, that can’t stop. You need to be willing to do that. I think with a lot of industries you can kind of go into them and change is slow and small, and then in this industry it’s constantly changing, there’s always something going on and you need to be comfortable with that. If you’re not, then it’s not for you.”

Elliot Anderson – Elliot is a developer at Shadow Dragon, where he also leads trainings and does a lot of other things. Shadow Dragon is not a huge company, so Elliot wears a lot of hats. Elliot has been in the information technology and cyber security world for almost 20 years. He has been doing this a long time and loves doing it. https://www.linkedin.com/in/lemmingrush/ @lemmingrush

 

 

A: “If you want to be a part of the cyber security community or information security system, I think there are a couple of things you need. First, you need to be passionate. You need to love your job and you need to really like it because otherwise you won’t be able to carry all of the loads and the effort you need to keep on in these fields. The other thing is that you need to be curious and be willing to have new knowledge and experience with new technology and try new things and keep your mind open to new solutions and new ways to investigate. So, I think those should be the most important things if you want to be in this business. Be passionate and have curiosity and willingness for knowledge.”

César Lorenzana – César is from Spain; he works for the Guardia Civil in the Cyber Crime Central Unit.  He has been there for the last 15 years fighting against cyber-crime.

 

 

A: “My advice I would have for someone who wants to come into the IT security world completely fresh would be: don’t hesitate, don’t be intimidated, just do it. There are plenty of, even if you don’t have a college degree, there are plenty of certifications which will both build up your chops and give you the credentials to join the industry. Things like SANS certifications or DLC. I just suggest going in and building up your chops actually hacking, joining capture the flag teams. ctftime.org is a great place where it’s basically a shooting range for hacking, completely legal, and you can build your chops without actually getting in any trouble. There is such a need within the industry that people will talk to you. You send in a resume, you’re going to get a response. My main suggestion is, if you have a passion for it, don’t wait, do it, and if you’re currently in, let’s say, an IT position that doesn’t have a security angle, make a security angle for it. Start building information security things into your workday, even if your current position isn’t necessarily an information security position. You can make it one, and that goes a long way for applying to an actual position.”

Alexander Heid – Alexander is the chief research officer of Security Scorecard and the co-founder of the Hack Miami organization.

 

 

A: “I get this question a lot and my short answer to that is: ‘be curious’. I mean that’s how I started. The cybersecurity field is very dynamic. You need to be up to date as things evolve very rapidly and you have to be very passionate about this field to be able to succeed. Without the passion it can be tough to keep up with it. Be curious, experiment with things, ask people around. Our industry is very open about sharing and helping each other and these kinds of conferences (Team Cymru’s UE) make it quite easy to collaborate and learn from each other.”

Vicky Ray – Vicky is a principal researcher for the Unit 42 team of Palo Alto Networks. Vicky manages the Asia Pacific region on all threat intel initiatives for Palo Alto Networks. A large part of the work in Asia Pacific involves collaborating with both the public and private sectors. https://www.linkedin.com/in/vickray @0xVK

 

 

Q: If you were to give two or three bits of advice to established Information Security professionals that want to further their careers, what would you say?

 

A: “If you want to further your career in cyber security, it matters which level you are at, but I have found that what I can do as a single person has a limit.  What I can do with a team or a group of people is a lot more.  So, I would say if you have come to the point where you are really a master of a discipline and you want to advance, you need to improve your ability to build a good team.  Find the people that are better than you in some areas, put them together and see how the magic works.  But I think the number one thing is to try to turn your focus to the business of whatever company you are working for because security is usually an insurance and something that is important.  But, first and foremost, security is supposed to be the business enabler.  If you start doing security for security’s sake, and you end up running a security theater, that won’t help anybody.  Once you have the professional knowledge around everything digital and security, try to further your business knowledge and see how you can fit security in as the business strategy.  That would greatly elevate your importance to the company and ensure a career.”

Bjoern Watne – Bjoern is Norwegian; UE2019 was his second Underground Economy conference. He is a computer engineer by profession and has been working in information security for almost 20 years. Bjoern is employed as a CISO at a financial services company. http://linkedin.com/in/bjornwatne

 

 

A: “Find at least one excellent mentor – two or three, no matter how many, whom you can trust and whom you can talk to about whatever you’d like or whenever you’re in trouble.  However, this is very challenging, especially for young people to find such a mentor. Thus, I believe that the senior information security professional needs to volunteer how we can help younger generations advance their careers by sharing our experience and even mistakes or failures.  Such opportunity will help us learn from younger generations.”

Shin Adachi – Shin has been doing information security and system administration for decades. He works mainly in incident response and gives advice to other incident responders around the globe. Shin is based in Silicon Valley, California, while the majority of his teams are based in Tokyo. https://www.linkedin.com/in/shin1adachi/ @s_adachi

 

 

A: “My first piece of advice for anybody who’s in the cyber security field and wants to really develop is to actually broaden their experience, so take the opportunity, whatever company you’re with, look at what other people do. You may be in a role, let’s say, that does pentesting or forensics or IR, but don’t just be satisfied with that. Learn what the other folks in your firm do and try to also cross nurture those kinds of skills, get involved with whatever cases they’re involved in and just try and learn from them, because the best way to go up is by having a broader knowledge of the whole cyber security landscape. The second way of progressing your career, if you like, is to really get involved in public speaking. To get out and to share what you know, because you’re doing two good things there. Firstly, you’re sharing knowledge, obviously. Secondly, you’re building that confidence in communications, and going up the chain within an organization is all about communications. It’s all about translating technology into a story, into something meaningful, because time and again when I’m mentoring the junior staff in organizations that I’ve worked for, it’s getting that ability to tell a story based on their technological findings that will make sense to senior leaders and will enable them to make key decisions in a crisis sometimes or in a cyber security situation. That is something that’s critical as you want to move up in your career, so take any opportunity to do public speaking, to get in front of an audience and to learn to communicate things that you’ve researched or things that you’ve been doing at work. Lastly, as I mentioned before, just get involved in the community, because the more you’re involved in the community the more opportunities will come to you. You’ll network better and you will see opportunities that come for growth in other organizations and you can move your career on by learning in different environments and using that to go up the food chain.”

Paul Jackson – Paul is the Asia Pacific head of Cyber Risk for Kroll. Before this, he was a police officer in Hong Kong, where he worked for 22 years, the majority of which was spent in cybercrime investigation and forensics. Between that job and joining Kroll, Paul was with JP Morgan, where for a while he was the global head of cyber investigations, based out of the US in New York.

 

 

Q: If you could share 3 bits of security advice to family and friends what would those be?

 

A: “My advice to my friends and my family out there about information security and network security is, ‘it is not a spectator sport.’ You have to be engaged. We teach our kids, and I know my parents have taught me, how to be street smart, how to walk down the street, go over to my friend’s house as a kid and be able to be aware of what’s happening around me and know that maybe there’s a person that I don’t want to walk too close to, so I want to cross the street and take a little bit of a different path. We teach our daughters to go out at night when they are in college or even late in high school to go out in pairs and have a buddy system and be smart that way. The challenge is that in the information security world and in the Internet world today, the technology is moving so fast that this sort of street-smart training, the street-smart awareness, is not yet ingrained in our society. So, my biggest piece of advice is not only do we need to teach our friends and our families to be street smart, whether it is our children or our seniors or ourselves, we need to teach them how to be cyber smart and how to be cyber street smart. We in the Information Security community have an obligation to help our fellow citizens become cyber smart!”

John Brown – John is Co-Founder and CTO of an internet service provider called CityLink Telecommunications, based in Albuquerque, New Mexico. https://www.linkedin.com/in/john-brown-cissp-020135

 

 

A: “My advice is, keep your devices always up to date with security patches, be extremely paranoid with email attachments, and don’t install software unless it comes from a trusted source. Also limit as much as possible the personal data you share online, with yourself and your children as well unless you absolutely need to. Once it’s online, you never know how it’s going to be used. Also never underestimate the value of privacy and the danger of surveillance even if you think you have nothing to hide. That’s more than three.”

Romain Wartel – Romain has worked for the last 14 years at CERN, the European Organization for Nuclear Research, one of the world’s largest and most respected centers for scientific research. https://www.linkedin.com/in/romain-wartel-659b0a3/

 

 

A: “OK, instead of three bits of advice, I am going to give one because this to me is the biggest one. Don’t use the same passwords on all the same platforms. Use different passwords, use a password manager. Use some type of way to vary up your passwords because this is going to be the biggest threat of the next couple years… so please don’t do it!”

Liv Rowley – Liv is a Threat Intelligence Analyst at Blueliv, a Barcelona-based threat intelligence company. A lot of her research is based around the dark web, how cybercriminals are using it to interact with one another, and what they’re talking about. https://www.linkedin.com/in/livrowley/ @OLRowley

 

 

A: “Three bits of security advice I would give to family and friends is to be careful with unsecured wifi. It’s amazing how many people still log into their bank accounts and other sensitive platforms through unsecured wifi. One thing I really stress, particularly with young people as well, is be careful with your online footprint and the use of social media. The internet never ever forgets. If you say something or do something online, it’s there forever. It can affect your future, your relationships, and future employment. Also, be careful with how much of your identity you put online as well in places where other people can use it to create a false identity. Also, one bit of advice is getting a reputable password manager as well. I find that people try to remember passwords or write them down and often they are very simple passwords which can be cracked quite easily, so my advice is make passwords complex and get a reputable password manager, so you don’t have to try and remember those complex passwords.”

Scott Mellis – Scott is an Australian Federal Police Cybercrime Liaison Officer to the United Kingdom.  He is originally from Melbourne and currently lives in London.  Scott has been in cybercrime and cybercrime intelligence for around 17 years. www.linkedin.com/in/scott-mellis-cissp-cism-9097706