Cyber Security Today - interview with Darren van Booven - an episode of the Sensei School Meet-a-Pro series
News 2021-02-01 13:39:33
Cybersecurity Today - Interview with Darren Van Booven - an episode of the Sensei School Meet-A-Pro series Originally posted by Dimitar Vidolov on
An episode of Sensei School"s Meet-A-Pro series. At the CIA, he was tasked with investigating sur nation-state intrusions and incident response activities and counter technical threats to operations. He also worked as a senior staff operations officer responsible for the offensive cyber operations mission and forensic exploitation against the terrorist target. Mr. Van Booven spent time as a senior manager in the Office of the Inspector General where he assessed the efficiency and effectiveness of the technology used at Agenc y operations. He also holds CISSP, CISM and CISA certificates and holds a CPA license. He spoke with Sensei School
Co-founder of Sunny Pedeva to talk about the current cybersecurity landscape. The following interview has been modifiediee for consistency, conciseness and clarity. School Sensei: Why do you think cybersecurity is such a hot topic right now? What led to the cyber threat boom recently? Van Booven: I am thinking of a combination of two different things. One of them is that while malware like ransomware and banking Trojans have evolved over time, over the past couple of years it seems like they"ve gotten a lot more sophisticated. , so there has been a huge increase in the capabilities for, now are email hacks, for example, which are important, to infect an organization and take credentials that criminals then use for malicious purposes. financial gains. I have actually worked in a few organizations as part of an incident response where almost the entire environment hadwas affected by this and the criminals were using the credentials to get whatever they could. And it is very difficult for an organization, once it has it in place, to respond appropriately. So there are a lot of organizations that are constantly affected by things like this or ransomware and a little more than in the past. Compromise on business emails is very common these days. Almost every organization I speak to, mid-size or larger, has the same problems and is constantly looking to fix them. I would say the other, which is somewhat media-driven, but it"s also a very real thing when you hear about threats from nation states and the different kinds of tools being deployed due to leaks. I think just collecting all of these types of things over the past couple of years has improved your understanding of the threat in you.rms of what is possible, and it has also led organizations to think a little more carefully about the threat. Going back to what we were talking about a minute ago, the Internet of Things, one area that is evolving too far from a threat perspective, is our critical infrastructure and the security of our control systems. It is closely related to that. A lot of machine control devices or equipment and whatever is deployed, which is network and IP enabled, but it does not necessarily have strong security. We"ve seen, again in the last couple of years, more of these types of things compromised. And I think it also contributes to the prospect of the threat spreading across multiple areas, and not just the typical office worker on a PC. École Sensei: What, in your opinion, are good solutions to manage the risks that are not obvious to most companies? Van Booven: I would say that the fundamental thing that companies have to start with is they don"t always start with a defined risk management. You can do this, you can choose a particular framework like an ISO ISP framework, or any of those frameworks on which to base the risk. It is essentially the language by which you capture and describe the risk to the organization to the leadership of the organization. So not only do you have a framework to do it, but you systematically describe the risk. Really, the biggest risks a business faces, whether technical, personnel, physical security, all of that is the leadership of the business that has to make the tradeoffs and make the decision to accept certain types of risks. . It is up to cybersecurity officials to describe it correctly. Sif you talk to a CEO, CFO or CIO name your person and confuse them with technical jargon they don"t understand, in a lot of the conversations I have had or been involved in , they don"t always tell you when they don"t understand something. They will only listen to you and so it should be assumed that they are very knowledgeable about the company, but there is still a lot of work to be done to describe what it really means to them. We had a problem doing this. And if you don"t, then some risks are not well understood or accepted. But once you have an efficient process in place to do it, then you can make some really good decisions from a finance staff perspective, to allocate resources in the right way and allocate resources to the risk areas that need them most. Essentially, in many undertakingses, you could pay a security organization $ 100 million, they would probably find a way to spend it, but you can"t defend all areas of the organization equally, you have to take this basic approach. This is really what they need to get started and there are technological solutions. In the most basic form, you can use it as a spreadsheet to do this. You don"t necessarily need full sensing technology, but the solutions that exist - governance, risk management, and compliance tools do a good job of tracking these over time. And budget organizations that are audited often - you will need to track audit results and the risks that arise during security assessments. All of these things really have to play into it. To keep track of all this and get a vivid picture of what risk looks like, Ithink you must have one of these governance tools. Sensei school: is there a talent problem in cybersecurity? Is this the next big career opportunity for people? Van Booven: To begin with, I would say that there is a huge opportunity for people in this area for several reasons. One is because it"s v It is very difficult to find someone who has the basics to be effective. I compare cybersecurity professionals to being a doctor. To become a doctor, you must have a base in the human body, that is, the respiratory system, the circulatory system, you must understand the drugs. Well, to be effective in cybersecurity, you have to understand network and operating systems, and web applications, and malware and all the basics to get the big picture. Then adding on top of that, it "sst your technical thing to understand. First of all you have to understand the policy, you have to understand the compliance, you have to understand the risk management side. And then, layering the two, which is probably the hardest thing to find, is bringing in people who have the right mix of soft skills: being able to write well, to communicate in person, to be able to influence people and have the ability to constantly learn new things. I would take these people above someone who might be a little more experienced, but not have the same aptitude, because things change so fast, you really have to spend time to keep up. For someone who really enjoys technology, how it is used and how it fits into an organization, there is a huge demand for these type of people and I will see a lot of people who claim to have certain skills.nces, but they don "t necessarily have them in the right areas. What I mean by this is someone who is very good technically wants to be an RSSI (Chief Information Security Officer) or Head of Security in an organization, but it takes a lot more than technical skills to be able to do this job and most like thi s. You need to understand risk management, compliance, privacy, how to write well, how to budget money, the type of program management, as well as how security fits into the rest of the technology process. So you need to understand change management, configuration management, software development processes, basic IT processes, which the rest of the IT organization uses. If you are just someone who is very knowledgeable about malware, you may not understand how changes are made to your computer.re financial system. Being very open to learning new things is very important. Sensei School: What do you think is the trend? Will cybersecurity be something companies outsource or a capacity they develop in-house? Van Booven: The reason being that it "s in terms of internal development, I think there is such a shortage of people who have the necessary skills. Companies must have people looking at this and a lot of them are focused on how to train and develop their own internal staff. And you have to do it because the range of things you need to have a good foundation are hard to come by unless you have a variety of experiences or are consciously working on them. Companies who work with their staff to form a development training programwho understands these elements will be the ones that will form good, well-rounded people. If they don"t do this, if they don"t develop their staff in-house, they will either have to do without them or outsource these functions. this question - the threat landscape is so sophisticated these days that to really have the right mix of skills that an organization needs it can be very costly to many companies and in particular medium-sized companies. They might not have the money to staff 24/7 people who understand malware, intrusion detection, and all the different security elements. You might have a good technical team, but not necessarily all types of people. Plus, if they have it, the turnover and attrition of keeping these people there is a challenge. Many organizedtions who have a good approach to recruiting find it difficult to retain people simply because of the position in the market. In these situations, staff continuity ends up becoming a greater risk. If you outsource, hire staff or hire services to provide some, you can get, if you choose the right organization, a more consistent level of service and you can also take advantage of some additional skills that you may not be able to afford internally. I don"t think many companies, except maybe smaller ones, will completely outsource their entire security department. It"s about understanding the business; it fits into the business"s IT operations. You really are part of the IT department and you can"t do that because you are sitting on the other end of the country where these things are happening. You must bee there with the developers and operations, and the guys from the network. You must have some of these people. You will likely need both, and the mix will depend on the company, industry, and people who work there. School Sensei: What do you think is the right starting point for people looking to embark on a career in cybersecurity? Van Booven: One of the things I suggest, which is very easy for people to do, is to look at the vacancy notices and all the job postings that companies post on job boards, as this gives you an idea of the different types of positions that are out there, how the company describes these positions, what skills are needed and what you do just lets you familiarize yourself with are the different options available. Because there are so many different companies out there looking for people, you getget a good range of what are. But in terms of skills development I would say that I "I have worked with people who come from many different fields, some of them are IT people who might have been sysadmins, network engineers, or developers, so they"ve got a certain tech base and they should look into - are they missing some of their foundation, some basic foundation, if they really need to address these security issues. What I mean by that is, maybe you have someone who"s really good at networking, but doesn"t really know how a web application works. You really need to have this basic understanding, because otherwise you are not going to grasp much of the overall threat landscape. I would call it a triage of your skills, making an assessment of your skillss, like what you have and what you don "t have. If you come from a completely different field and don"t have any technological background, getting that foundation is definitely the most important thing to get started. Understanding the basics of networking, operating systems and I suggest both Windows and Linux. A coordinated approach to reaching each of these areas, web applications, malware and there is a lot of reading someone has to do to identify what is the best way to get some of them. It makes sense to get certifications in some areas more, because in the process of getting certified, it teaches you all the basic skills. It may take a while to get all of these different areas. But again, it is difficult to do security effectively without at least having skills in each of these areasfundamentals, and, if you do, understanding risk management is very important. What are the risks associated with them? What are the threats? How do you deal with vulnerabilities? Some think he needs a lot of people, but he really isn"t. One thing that a lot of security folks don"t necessarily do is what they could do to improve their careers and focus on areas where the rest of IT organizations are, and then back to change management. How security fits into this. A lot of people can be in the field for one or two years and then the next year they want to become an RSSI. There is a huge gap between what skills you need and what you need, and it"s important to have a coordinated plan you"re working on, to make sure you"re hitting each area. School Sensei: Is there Anything else you would like to sharer with people looking to enter the cybersecurity space? Van Booven: I would probably say that The most important thing that I have found the most useful is to actively manage your career in as you always have a business plan, which has many different aspects. One is the technical aspects. The other is just the overall career goal. Do you want to be a technical expert? Where do you see your career? In fact, documenting that and creating goals around it, so that you can work on those things and correct the course if necessary and talk to a lot of people. People will actually contact me on LinkedIn with questions. And I might not have all the right answers, in fact I know I don "t have any, but I will give them my opinion based on my experience and if they talk to a lot of different peoplees, they will become very different points of view. And then they will have a good contribution on which to base their own career decision. Being open to talking to others, learning from others who have been through some of the same things, the same challenges, networking, going to conferences and events, participating in online forums. They are very important. This area is very important for information sharing, you really have to do networking and someone who does it and has an open mind, I think, will be successful. And not everyone does that. Everyone is in charge of their own career. It"s great when you have a management team that supports your career, but as an individual you want your own career. You may be in an organization where there is not enough headroom to be promoted to a certain model, but you are really ready so sometimes you have to consider moving to another organization.sation. This is another thing, which some people are willing to do and some not. If you kind of stay in the same place in the same job for 10 years, you don"t get the School Sensei: What are you currently working on? Van Booven: At the moment, I am launching a new professional services company, Nereus Systems
, with my partner. It is designed to focus on the changes in the technological landscape and the need to keep pace with these changes from a security perspective. And also to understand their impact on the technologies currently in use, including changes in the world of applications, development and operations, which is actually moving to a supplied model.Application ture - using microservic es and containers in the cloud. Many organizations have started this transition, but there are many more that do not or do not necessarily have the skills and know-how to do so. This causes a change as applications are delivered a little differently - security officials should seek to secure these items properly. It "sa bit different from your typical monolithic application. And then help organizations navigate that and the security map, and the underlying processes in that organization. Such as - how to do DevOps and how to go from development to production. Knowing the technology is one thing, but understanding the process behind it is another. Helping them with process change and security is also built into this process. There is a lot of change management oOrganizational to do. The next area you hear a lot about is machine learning and artificial intelligence. The reason is that machine learning algorithms have been really hit, with what I would call a good time in terms of the ability to solve real business problems. People who know both the technological aspect and are able to think abstractly and answer business questions are rare. Someone might know what the technology is, but they might not know how to use it to solve business problems and vice versa. A combination of these and the proliferation of IoT (Internet of Things), how to network these things and secure them properly is another part of the whole computing environment. Know how to do this and provide assurance on how they operate as a businessise or organization can be a challenge for a lot of people because they haven"t really built that into their security. These might seem like three completely different areas, but I really think the importance is managing security effectively and providing assurance. e on information. You have to understand how people use technology and that really involves understanding why they choose technology, how they use it and being able to consult about it. The Sensei School Meet-A-Pro Series features notable leaders in different fields from around the world, who share their ideas and their knowledge. They are also sometimes guest lecturers at the Sensei School. Modified by Teodor Teofilov
, Sunny Pedeva and Dimitar Vidolov If you found this useful and / or interesting - applaud it below to make it reach more people!