Interview: Matt Johansen, Director of Security Services at WhiteHat Security
Matt Johansen is the Director of Security Services and Research at WhiteHat Security where he oversees the development and execution of service related product lines that WhiteHat offers. In addition to these services, Matt also performs research on application security topics that he discusses on the corporate blog and is invited to present at conferences around the world.
Previously Matt was a Sr. Manager for the Threat Research Center at WhiteHat Security where he built and managed a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies’ and their customers’ data. Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web applications that WhiteHat has under contract for many Fortune 500 companies across a range of technologies.
Mr. Johansen is also an instructor of Web Application Security at Adelphi University, where he received his Bachelor of Science in Computer Science, and San Jose State University.
1. What did your job as manager of the Threat Research Center at WhiteHat Security entail?
As manager of the Threat Research Center (TRC), I was responsible for finding potential security talent in the area, interviewing candidates, facilitating the training program of new hires, and managing existing teams. I was also the top of the escalation path for any issues that arose in the TRC with service delivery to our customers.
2. What hard and soft skills do you require to succeed at your position?
Hard skills that are very helpful in a management role at a security software company would include the ability to do the job of anybody I managed. The fact that I was promoted to a manager from the role that I was managing was hugely beneficial not only from a day-to-day understanding of tasks but also on a respect and authoritative level. Soft skills are equally as important, as the ability to lead and communicate to the team at large is essential. For my particular role, sharing research with the community at large was also very important. Blogging and presenting on stage were hugely helpful to my career.
3. You lead a team tasked with preventing security attacks and safeguarding not only businesses, but also their customers’ data. Do you find that WhiteHat’s clients are generally aware of the risks they face?
Our clients are very aware of the risks they face on today’s Internet landscape. These are companies that sought out our services and paid for them to begin with though, so the sample is biased. I think due to all the high profile headlines of hacks and data loss these days, many more companies are aware of the risks as compared to a few years ago.
4. How do you go about selling them on the value proposition behind WhiteHat’s services?
The key value prop for WhiteHat as opposed to other services has to do with the amount of internal security overhead we take away for our customers. There are many vulnerability scanners out there but we come to the table with a hacker army of over 125 researchers, and over 10 years of data supporting our services. We also provide continuous monitoring in a production-safe manner, which allows companies to get a yearly overview of their risk profile rather than a point and time assessment.
5. There are a lot of companies out there that offer solutions to help businesses to prevent, or at least reduce the likelihood of, cyberattacks. How does WhiteHat differentiate itself from the competition in terms of solutions it provides?
Our team of researchers, which weeds out all false positives from our scanner, is a huge differentiator. We have the largest team of web application hackers on the planet and they are specialized in finding and verifying web app vulnerabilities.
6. What are some of the mistakes companies typically make that might expose them to cyberattacks?
Many mistakes that cause the most exposure to attack have to do with how companies handle, transport, and store data. We’ve known about SQL Injection for over a decade and it is still largest cause of data loss in breaches to this day.
7. How would a company go about creating a cyber security culture that ensures that everyone is on the same page?
Companies that have created a successful security culture are all built around transparency. For example, Twitter has a system which notifies all developers when bugs are found that identifies which developer was responsible for coding that piece of the application. This serves as a public shaming but also team recognition for speed of remediation.
8. What do you like most about your job, and what do you like least?
Working for a small security company is rewarding in a lot of ways. First, security is always evolving. There is never a point that I’ll feel like I’ve figured it all out. The amount of research that comes out every year is just staggering to stay on top of, which is very exciting. Also, since we have a Silicon Valley culture, there is a ton of perks compared to traditional office jobs. For WhiteHat employees, there is no formal dress code, which is especially nice during the summer months considering Houston’s heat. . Our kitchen is stocked with snacks, and ping pong breaks are often. We have unlimited PTO and very flexible hours. When speaking with friends at oil & gas companies, these are things that drive them crazy.
What I like least is a very small list. I’d say that every security professional faces the challenge of feeling like they are spinning their wheels once in a while. When you’re finding bugs that have been easily fixed for 10 years in modern apps it’s hard to feel like you are making a difference even though you are.
9. What major changes or developments have taken place in the cyber security space since you started your career in the industry?
The huge shift in focus from network-related problems to Internet and web application-related security has been recent. Firewalls and anti-virus used to be the be-all and end-all, and while still holding their huge place in the world, are less important in actually preventing data loss today. Everybody stores everything on the Internet. Between cloud services, web mail, and the ever growing list of Internet-enabled devices, security is getting off the computer and onto the web. We’ve had to stop calling it computer security and start calling it information security.
10. If a college or university student were to ask for your advice on how to break into the cyber security space as an IT/IS professional, what sort of advice would you give?
I actually do this quite often as I visit my alma mater once a year to guest teach and give career advice. We also hire a lot of college students to WhiteHat. The advice I can give is to focus equally on learning new things about security and meeting people in the industry. I’d say going to security conferences and joining the conversation on Twitter was more important in jumpstarting my career than any college class. The classes and other learning exercises are important as a knowledge base of what you need to learn in the future but learning from another human being who has been in the weeds for years is much more valuable. You also never know who you’ll meet or impress that will offer you the job of a lifetime.