This is an interview with Richard Bejtlich, Chief Information Security Officer at Mandiant.
1. We have readers with varying levels of information security experience. Please describe the role of a CISO in general, and more specifically what your role is at Mandiant.
Because I define security as “the process of maintaining an acceptable level of perceived risk,” the role of a Chief Information Security Officer is to enable security for digital assets. At Mandiant I am Chief Security Officer, which broadens the role somewhat but I am expected to focus on digital assets. These include corporate information, customer information, and to some degree the security of the software products we provide to customers. In addition to being CSO I also advocate defenses against advanced threats by speaking with customers, the press, analysts, and the general public.
2. You worked for quite some time for the Air Force in Intelligence and Information Security Monitoring. Can you remember any specific challenges you faced, or adjustments you had to make when you transitioned out of the Air Force in 2001?
My time in the Air Force (four years as a cadet, seven years as a commissioned officer) was brief compared to those who serve twenty or more years and then retire. Thanks to my shorter tenure I didn’t suffer as much of a shock migrating back to the civilian world. Some long-serving military people are surprised to learn that many civilian employees don’t “obey orders” or “serve a common good” the way a military unit might. With respect to digital security, the biggest challenge probably involved a lack of civilian appreciation for the capabilities of threat actors. When I encountered nation-state adversaries as a civilian, I recognized and respected them based on my experience countering them in the Air Force. Too many skeptics think nation-state and other serious adversaries are creations of “FUD.”
3. We will be having a lot of military personnel transitioning to civilian careers in the coming years. What advice would you give them regarding careers in information security?
The digital security community is exciting yet in some ways daunting. The people who thrive are those who integrate lifelong learning into their daily activities. You can’t graduate from a “tech school” and expect to leverage a static skill set for the next five years. If you decide to enter the digital security community, expect to spend a lot of time trying to keep up with the changes in the field on a daily basis.
4. As you look at various career paths that are options for information security professionals, is there specific training that you feel is valuable to the degree that it is a good predictor of career success? Put another way, what training might be considered a good foundation that would help foster success in different infosec roles?
The digital security career field has become extremely fragmented. I recommend developing a general digital security mindset and then concentrating on an area that matches your skills and interests. Examples include network security, host forensics, network forensics, reverse engineering or malware analysis, secure coding, and so on. It is increasingly difficult to begin in one part of the digital security community and then transition to a completely different area later in your career.
5. What impact do you think that Sarbanes-Oxley has had on the information security profession?
At the practitioner level, I don’t see much effect from SOX. To some degree security managers and business asset owners shifted labels to redefine “critical applications” and the like to avoid SOX requirements.
6. Despite Sarbanes-Oxley, and regular stories in the news of data breaches of various kinds, there seems to be a wide range of attention to data security in companies, ranging from denial to very aggressive attention. Are you able to observe a pattern with respect to the types of companies that “get it” and are doing well in this area, and those who aren’t?
In general the sectors most likely to understand the real nature of threats include the military, defense contractors, and financial services. Energy companies, some manufacturers, and unfortunately victimized small businesses are also learning about specific threat actors. The best predictor of an organization’s understanding of some aspect of digital risk is their experience suffering a serious intrusion.
7. What do you think are the information security challenges right now that many companies aren’t even thinking about?
Too many organizations still don’t understand the nature of targeted threats. They don’t understand that prevention eventually fails, intrusions are inevitable, and the best way to start a real security program is to determine if you are currently compromised.
8. What about in the near future? What do you think the challenges will be that very few companies or individuals have even thought about?
I predict lawyers, shareholders, the Securities and Exchange Commission, and insurers will play much bigger roles in the near future. Companies will have to worry about whistleblowers reporting intrusions to the SEC when their boards fail to report incidents in disclosure documents.
9. If someone were considering a career in information security, what advice would you give that person?
I recommend reading, subscribing to relevant security professional Twitter feeds and blogs, and pursuing an area of security that you find exciting. If you enter the field because the pay is rewarding you will not be happy. I also highly recommend running a home lab with a mix of Windows and Unix-like systems – it’s a great topic for any technical interview.