This is an interview with Richard Bejtlich, Chief Information Security Officer at Mandiant.

1. We have readers with varying levels of information security experience. Please describe the role of a CISO in general, and more specifically your role is at Mandiant.

Because I define security as “the process of maintaining an acceptable level of perceived risk,” the role of a Chief Information Security Officer is to enable security for digital assets. At Mandiant I am Chief Security Officer, which broadens the role somewhat but I am expected to focus on digital assets. These include corporate information, customer information, and to some degree the security of the software products we provide to customers. In addition to being CSO I also advocate defenses against advanced threats by speaking with customers, the press, analysts, and the general public.

2. You worked for quite some time for the Air Force in Intelligence and Information security Monitoring. Can you remember any specific challenges you faced, or adjustments you had to make when you transitioned out of the Air Force in 2001?

My time in the Air Force (four years as a cadet, seven years as a commissioned officer) was brief compared to those who serve twenty or more years and then retire. Thanks to my shorter tenure I didn’t suffer as much of a shock migrating back to the civilian world. Some long-serving military people are surprised to learn that many civilian employees don’t “obey orders” or “serve a common good” the way a military unit might. With respect to digital security, the biggest challenge probably involved a lack of civilian appreciation for the capabilities of threat actors. When I encountered nation-state adversaries as a civilian, I recognized and respected them based on my experience countering them in the Air Force. Too many skeptics think nation-state and other serious adversaries are creations of “FUD.”

3. We will be having a lot of military personnel transitioning to civilian careers in the coming years. What advice would you give them regarding careers in information security?

The digital security community is exciting yet in some ways daunting. The people who thrive are those who integrate lifelong learning into their daily activities. You can’t graduate from a “tech school” and expect to leverage a static skill set for the next five years. If you decide to enter the digital security community, expect to spend a lot of time trying to keep up with the changes in the field on a daily basis.

4. As you look at various career paths that are options for information security professionals, is there specific training that you feel is valuable to the degree that it is a good predictor of career success? Put another way, what training might be considered a good foundation that would help foster success in different infosec roles?

The digital security career field has become extremely fragmented. I recommend developing a general digital security mindset and then concentrate on an area that matches your skills and interests. Examples including network security, host forensics, network forensics, reverse engineering or malware analysis, secure coding, and so on. It is increasingly difficult to begin in one part of the digital security community and then transition to a completely different area later in your career.

5. What impact do you think that Sarbanes-Oxley has had on the information security profession?

At the practitioner level, I don’t see much effect from SOX. To some degree security managers and business asset owners shifted labels to redefine “critical applications” and the like to avoid SOX requirements.

6. Despite Sarbanes Oxley, and regular stories in the news of data breaches of various kinds, there seems to be a wide range of attention to data security in companies that ranges from denial to very aggressive attention. Are you able to observe a pattern with respect to the types of companies that “get it” and are doing well in this area, and those who aren’t?

In general the sectors most likely to understand the real nature of threats include the military, defense contractors, and financial services. Energy companies, some manufacturers, and unfortunately victimized small businesses are also learning about specific threat actors. The best predictor of an organization’s understanding of some aspect of digital risk is their experience suffering a serious intrusion.

7. What do you think are the information security challenges right now that many companies aren’t even thinking about?

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

Too many organizations still don’t understand the nature of targeted threats. They don’t understand that prevention eventually fails, intrusions are inevitable, and the best way to start a real security program is to determine if you are currently compromised.

 

8. What about in the near future? What do you think the challenges will be that very few companies or individuals have even thought about?

I predict lawyers, shareholders, the Securities and Exchange Commission, and insurers will play much bigger roles in the near future. Companies will have to worry about whistleblowers reporting intrusions to the SEC when their boards fail to report incidents in disclosure documents.

9. If someone were considering a career in information security, what advice would you give that person?

I recommend reading, subscribing to relevant security professional Twitter feeds and blogs, and pursuing an area of security that you find exciting. If you enter the field because the pay is rewarding you will not be happy. I also highly recommend running a home lab with a mix of Windows and Unix-like systems – it’s a great topic for any technical interview.