Interview: Michael Tanji, CSO at Kyrus
Michael Tanji is CSO and VP of Strategic Development at Kyrus, where his duties have included helping to develop and market Carbon Black. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East. He has been a participant in a number of national and international intelligence analysis and policy efforts, including projects for the National Intelligence Council, the National Security Council and NATO.
Since leaving the government Michael has worked as an intelligence and security consultant and is currently an executive with a computer security company. He was a Senior Fellow at the Center for Threat Awareness, an associate of the Terrorism Research Center, a contributor to Complex Terrain Lab, and was selected in 2007 as a Claremont Institute Lincoln Fellow.
Michael lectures on intelligence issues at The George Washington University. A participant on intelligence-related panels at the Heritage Foundation and American Enterprise Institute, he has also been a contributor to the Weekly Standard and Wired’s Danger Room. He is the editor of Threats in the Age of Obama.
Michael writes about issues related to defense and national security on his personal blog: http://www.haftofthespear.com, which also includes links to a number of his media contributions.
1. You have had experience working for the federal government and in a business environment. How would you characterize the differences and the similarities between those settings?
In both environments you have people who work hard and want to do well. The biggest difference is that there are incentives to continue that behavior in the business world (profit, equity, promotion), whereas the government does not have a comparable system. The best security practitioner in a given agency can dramatically improve the security posture of that agency, but they’ll get promoted according to a schedule, their pay will change according to a schedule, and they’ll never get beyond a certain point in the career ladder unless they abandon what they’re passionate about and start to push paper. The commercial world is better at rewarding performance regardless of issues like tenure, and there are far more opportunities to advance _and_ do practical work.
2. Previous individuals have distinguished between information security compliance and some measure of threat protection that goes beyond compliance. How do you explain that difference to a potential client when you are discussing their information security needs?
I make it a point to emphasize that compliance-only isn’t going to be cost effective in the long run. A regulator may say you’re compliant, but all that means is that in a snapshot in time, very specific conditions were met. Unfortunately, threats don’t stand still and neither does your environment. You can’t complain about the cost of incident response and credit monitoring and fines after a breach if all you’ve done is had someone run a scan and check a box.
3. Can you describe some of the different information security roles that exist within your organization, and what sort of background or training is necessary to succeed in each role?
We’re a services firm that places an emphasis on both offense and defense working together. We have people who are very good at breaking things, as well as those who are very good making it hard to break things. Both sides start with a solid foundation in the underlying technology; this means degrees in computer science and engineering. Anyone here could get a technical, non-security job anywhere; security happens to be something they’re passionate about. Most of our people went to schools noted for their undergraduate and graduate programs in technology; very few of them hold security certifications. Any certification that places an emphasis in the practical application of security principles would be valuable, but we verify technical skills ourselves, we don’t let a cert act as a shortcut to a hiring decision.
4. What publications do you personally read in order to keep abreast of current trends in the field of information security?
I actually let the stories and headlines come to me. I have pretty healthy and diverse RSS and Twitter feeds and if a lot of people are talking about issue X, I’ll start reading up on issue X. I’ve given up on trying to track everything, which as an intelligence and warning guy was hard to do.
5. I always thought White Hat Security folks were the good hackers and Black Hats were the bad guys. Yet, last month we had a huge convention in Vegas called the Black Hat Briefings that was well attended by IT security professionals from all over the world, supported by numerous big name sponsors. Was the event a study of the tactics of Black Hats and how to fight them or have “Black Hat” and “White Hat” essentially just become marketing terms to allow different organizations to offer similar services? On the other hand, isn’t it likely that some of the *real* black hats attend some of those conferences too, and in the process learn about the measures that are being used to fight them?
With regards to the conference you have to look its history. Black Hat was about bridging a gap between this little opaque, casual world of offense and the more well-known, button-down world of defense. It was like The Breakfast Club of security; jocks, good girls, bad boys, nerds, and misfits all crammed together, but it worked. You have some really good discussions and made connections you never would have made if you’d stayed in your own cloister. I’m sure good connections are still made today, but BH in 2012 is not a gathering, it’s a conference, with all that that implies.
No one goes to Black Hat – or any conference – to study up on the competition. That’s a continuous process that goes on year-round, and it’s not the polite, civilized exchange held on Con floors and panels.
6. We have discussed offline that your company seeks to provide unique security solutions that don’t just do the job, but do it in a remarkably better, or more comprehensive way than existing approaches. Obviously no company can ever be 100% secure, but how can small to medium companies hope to protect themselves when the implication is that it takes custom solutions to be truly secure?
Step one in situations like this is recognizing you have a problem. SMBs all think they have nothing to worry about. That’s not true, as cases about small business bank accounts being emptied by hackers demonstrate. In other cases they may not be the ultimate target, but a conduit because of a trust relationship they have with a bigger company. On top of that, SMBs all think that security has to cost a lot of money, which is also not true. You don’t have to break the bank to improve your security posture, but you do have to make some kind of effort.
7. Have there been any trends in Information Security in recent years which you think have caught the majority of the security community off guard? If so, in retrospect, should they have seen it coming?
I think if anyone in an organization is going to recognize a problem with some emerging technology or practice it’s the folks in security. They tend to be the first people to look up at the sky and wonder how long till it comes crashing down. The problem isn’t recognition of a potential problem as much as it is being able to argue that security should be considered as a part of the business case. How many businesses rushed to Twitter, then someone made a gaff, and THEN the policy followed? Replace “Twitter” with any hot Internet or Web technology of the past ten years.
Having said that, we have a terrible sense of history in this field. There is precious little that is truly NEW in security, and that’s a good thing because we continue to ignore the lessons of the past…over and over again.
8. If an entry level IT professional or college student were considering a career in information security and came to you for advice, what would you say?
If you want a job, study security; if you want to improve security, study technology. The best security practitioners understand technical fundamentals. They’re engineers or developers or networking guys first, who use that knowledge in the furtherance of security principles. There are plenty of dongle-jockeys and certified paper tigers in this business, and they all have jobs, but they’re not advancing the field. We have enough digital janitors cleaning up yesterday’s engineering messes, we need more security-minded engineers.
9. What changes do you expect to see in the field in coming years, and what does this mean with respect to career opportunities?
I expect to see more consolidation and commoditization. A few larger firms dominating the majority of the market and the promotion of generic approaches to the most common problems facing the largest market segments. Specialization and deep expertise will still be needed, but it will become increasingly rare and come at a premium. Security still isn’t something the market demands, as opposed to functionality, which is paramount. The bigger opportunities will always be in technology first, technology security second.