Welcome back to part 16 of unusual journeys into infosec, one of the things that continues to surprise me is the varied backgrounds that people have when they finally end up in our industry.

These diverse background only enriches the community, because this help create unique approaches to problem solving by drawing down on life experiences. And by sharing these journeys it only encourages those who think they don’t fit, to make the push.

Essentially, it doesn’t matter what your background is, its your aptitude and attitude is really what counts.

Now in this episode I wanted to understand the CISO’s (Chief Information Security Officer’s), perspective about all things infosec, and the challenges in finding talent!

There are few names that have the depth and breadth of experience (and sense of humour), of Michael Ball, so he was my logical choice!!

I’ve been speaking to Michael for a few years now on Twitter, he’s even come along for the ride on a few Threadzilla’s!!! I really wanted to get into his ribs, understand his background and what he thinks the industry can do to better attract and retain the very best talent!

So sit back and enjoy the ride, and history lesson that is Michael Ball’s (Unix_Guru) Unusual Journey into Infosec!!

CyberSecStu (CSS): I’m looking to understand unusual journeys into infosec, and specifically in this interview your perspective as a tenured CISO. Where did your journey begin?

Michael Ball (MB): Electronics technologist at IBM, working on OS2 Warp drivers and accessories. Took a networking and another on firewall. Newish concepts at the time. (‘94)

Large insurance company in Canada hired me to architect their internet access and DMZ. I asked for their information security policy… standards… anything that I could hitch a design standard to. They waived a two paragraph page at me…

I refused to build against a non existing policy framework. I didn’t want the accountability. Which nobody understood at the time. A month later, they asked me to help with governance. Having zero experience, I said the only thing I could… “Love to! Where do I sign?”

Spent six years running IT security. Eventually named CISO when that became a thing. Did all the architecture, because that’s what I knew. Took RSA and SANS courses, and eventually created an information security policy framework.

What nobody told me, was that you cant easily audit what isn’t documented… and once you document things… the auditors have a field day… Lesson learned was “keep your first set of information security standards within reach of achievement”!

I was following “best practice”, and had a long way to go to hardening the environment.

CSS: Was there a big jump from what you were doing before, to Infosec, and how did you manage?

MB: I lucked out, getting into infosec in its infancy. We didn’t have the vendors and maturity we have now.

On the other hand, because it was so new, everyone thought we had to follow strict NIST guidance, which was totally unrealistic. Auditors were our adversaries back then. Today, they are my companions.

Controls were black and white. Compensating controls were not something the auditors had experience with.

The first year, I told the board of directors “we need to protect our bbs and web server from the internet” we need a firewall… I got budget.

Year two… same story… thank you for the firewall budget, but it doesn’t protect from brute force hacking… I need intrusion detection. They were leery… we just gave you budget for internet protection. Why do you need more?

I had to explain to the executive that Internet threats were steadily getting more advanced. A firewall simply followed a set of predefined rules for what traffic was allowed in, and the bad guys could emulate that traffic to get THEIR stuff in too. I got budget that year too… barely…

By year three, when our IDS was firing constantly, and nobody knew anything about deciphering false positives, or comprehending the crazy complex logs from firewalls, web servers, intrusion detection, anti-malware, Active Directory… I asked for a SIEM…. they lost their shit!!

“Listen! You told us that you could protect us with a firewall thing… we gave it to you!… Then you told us that wasn’t good enough, and you needed some OTHER thing to track attackers… Now you are telling us THAT is not good enough? No! Not gunna happen!”

Aaaaand that’s when I decided that the Audit team was going to become my new best friend.

When you give up the adversarial relationship with internal audit, and help them do their job (your job!), you can build an achievable roadmap to security controls.

CSS: Thanks for sharing this, I agree Internal Audit have become a vital role in supporting the CISO, especially in Financial Services with the 3 lines of defence! What do you think are the biggest challenges facing a CISO today?

MB: Hmmm… getting the message across to your Executive (without panicking them!), that not only WILL we get breached someday, but could quite possibly be breached RIGHT NOW and not know it.

That a properly articulated AND TESTED Breach Response plan is necessary, and this includes pre-planned communications templates for all potential stake holders.

Awareness training is another challenge. Many companies do it annually… Read/watch a big presentation, answer a few skill testing questions, sign off. Meh… not good enough.

I like to break it into bite size chunks, and publish a short 2–3 slide presentation with 1–2 questions monthly. Keep it topical, but fun and friendly.

Another issue is in constantly keeping MYSELF educated. The vendor noise these days is ridiculous. Every vendor out there has the magic elixir for all my security woes.

And they ALL use Containerized-Blockchain-Threat-Hunting-AI with Deep Learning Bayesian-Curve technology!

I mean, how can I possibly choose between them? Especially the ones that have been doing this for nine years in a two year old market!?

Privileged Access Management, Cloud Access Security Brokers, and a strong SIEM practice, are my top three initiatives to protect and preserve.

CSS: Excellent, I love this. I assume being a CISO you had people in your team?

MB: I’ve had a couple different CISO gigs. In the larger companies, I was blessed with direct reports who ran security operations, and helped with governance and compliance.

My most recent two CISO gigs were actually “Virtual CISO” or “CISO Consultant”. The companies were either too small to justify a full time CISO, or wanted to build the Business Case for hiring a full time CISO.

I provide the governance oversight, and have “dotted line” roles report to me.

CSS: Yeah the Virtual CISO is an important role these days, I think quite a few companies like this idea!

When you hired people in infosec what did you look for- and what were your biggest challenges/wins finding people?

MB: I’d rather take someone with skills in networking or sysadmin, and who has a passion for their job, and train them in security.

Skills you can train. Passion, devotion, and loyalty cannot be trained, but have to be earned.

Trying to hire “Infosec peeps” today is tough. There are two issues with hiring “experienced” Infosec people.. They know that they are a hot commodity and rightfully expect high money, and they come with their previous employer’s baggage. “THIS IS HOW WE’VE DONE THIS AT ACME Inc”.

I don’t subscribe to “This is how we’ve always done it here” so I CERTAINLY don’t subscribe to “This is how we’ve always done it THERE”.

CSS: Haha yes exactly. What do you think companies can do to attract and retain talent today?

MB: Security peeps like to continually learn.

Advertise and provide a continuous training package as part of their benefits. Lock it in so that they actually HAVE to use it as well. It goes both ways:

• Provide opportunities for growth

• Rotate people through roles

• Don’t let them stagnate in a single job.

CSS: What advice do you have for people starting out on their journey into infosec today?

MB: Look up a local infosec gathering, and attend regularly. Not just BSides, but look for monthly get togethers in your city on meetup.

Besides sharing in knowledge, it will get your face in front of others in the community when they’re hiring.

And if there is NOT a local infosec meetup, start one! Nothing wrong with 4–5 people to start, in a coffee shop or local library. Invite vendors out to talk about their space, not specifically about their product. You’d be surprised how willing most vendors are to have an audience, no matter how small.

Participate actively online. Get to know the thought leaders on Twitter and that FaceThing… ask questions, engage. There are no stupid questions, just stupid users.

CSS: Excellent!!! What’s most valuable to you as a hiring manager for noobs?

MB: Enthusiasm and both a desire to learn, as well as a desire to share. Retention is difficult, so making sure that individuals feel wanted and respected within the team is of utmost importance.

CSS: One final question.. what is it about infosec you love the most?

MB: Can I say Job Security? LOL

It’s a field or service that EVERY company needs, and most are still in the low end of the maturity model. I like feeling like I’m doing something good.

I have no misconceptions that any one engagement is going to be long term. If I do my job correctly, I’ll do myself out of that job.

As a virtual CISO, I typically get to go into a company that is struggling in an audit, or has had regulations heaped on them. I get to guide them through the process of creating an Information Security Framework, and create/update/validate Security Operations procedures and guidelines.

Being able to show a positive trend in security metrics is always a delight.

CSS: I absolutely agree!!

Thank you so much for sharing your valuable exp. Is there anyone you’d like to thank or mention…( soapbox moment)?

My early sounding boards here on Twitter were @3ncr1pt3d @synackpse@bigendiansmalls, @mainframed767 @nixcraft @Cannibal @sudosev@5683Monkey @securitybrew @darksim905 @blackroomsec @benheise@ronindey

Michael has so much experience, its hard to fit this into a short article let alone trying to distil this into a bite-sized takeaway!!

Firstly Michael mentioned the importance of “getting out there” when first starting out in infosec. Especially local Bsides and meetups, but the advice that personally stood out — was starting your own, if one does not exist.

This strikes a chord with me personally, as having started up The Many Hats Club, having not connected to any online community (outside of Twitter), was one of the best things I have done to date! So starting an online or even better, a meetup is always highly recommended — even as Michael rightly said starting small and growing over time.

Also you when searching for a new role, hunting down companies that offer ongoing training is vitally important, as this shows a willingness to invest long term in your career and development!

Finally, these are words to live by and adopt:

Skills you can train. Passion, devotion, and loyalty cannot be trained, but have to be earned.