DefCamp #11: Konrad Jędrzejczyk on ownership, autonomy, and co-creating with the infosec community

Nuance is what makes information security both fascinating and highly complex. The spectrum of choices, the intricacy of systems and how they correlate – they’re as thought-provoking as they can be mind-stretching. You can see this throughout the DefCamp 11 interview series.

Our guest today has a granular understanding of the role of nuance in this field, sharing with us his expert observations on key topics. From cybersecurity product development to the changing landscape of infosec jobs, you can learn a lot from this interview with Konrad Jędrzejczyk – Vice President (Lead Cyber Security Threat Hunter) at Credit Suisse and former DefCamp speaker.

We’ve always appreciated Konrad not just for his expertize, but also for his straightforward manner. He is a man of focused action and relentless perseverance, increasing standards through his work and approach.

Building with the community, not just for it

Konrad makes an important point about one of the topics that deserve a lot more attention from the infosec industry than they get: building products with the infosec community, not just for the community.

“Over the years, I observed many security solution providers pushing products completely closed to the community. If they were not state or big mother-company backed, they usually died off after a few years (this obviously excludes antimalware for many reasons). Those who survived still offer new functionality as an option to be delivered for their clients, usually within several weeks (or they do not offer it at all).

The same progress can be achieved instantly by just giving access to some of the scripting capabilities to the security experts around the world. These people are truly ready to give their ideas and insights for free, companies just need to understand how to take it. You cannot simply buy all around the skills needed for such improvements, add-ons, and idea pool. There is somewhere always somebody who will know how to do it or do it better, always.

It is easy to look at the top frameworks for web pen testing, forensics, data aggregation for threat hunting, and incident response.

Were they open?

If so, how aggressive was their market expansion in relation to expenses compared to those few that still rely on expensive internal teams and hardcoded analytics?

If your specialist is convincing you to opt for security by obscurity for something that is open by design in a competitive product, know that it is the quality and logic of his code they are afraid of.”

Choosing constant improvement over market dominance (“we are the best”) is not only a more effective approach, but also one that fosters open collaboration. The lack of strong ongoing cooperation between private organizations has kept the industry in catching up mode to how fast cybercrime is evolving and that’s just one of the reasons we need a lot more of it.

Infosec specialists need more autonomy

One of the challenges that Konrad is actively tackling in his community leader role is to enable infosec specialists to act with greater autonomy.

We all know that reaction speed is crucial to limit damage in case of a cyberattack. The larger the organization, the bigger a problem this is. So Konrad advocates for a less restrictive setup guided by the job to be done.

“There is always THIS vendor. The one who designed your network card, whitelisted part of code, signed a new update, or had full control over microcode and electronics of every single piece of your infrastructure in the factory.

I’ve seen lots of frameworks, policies, and highly paid contractors trying to put vendors in some kind of hybrid risk assessments. All of these were shiny and polished pieces of reports. All were as positive as they needed to be in order for the client to remain a paying client. Still, attacks via compromised vendors (with many fancy names for just that) happen and it is only a matter of time when your vendor delivers you something that will put you in the news headlines in the opposite way that your PR department imagined.

There is no instant solution for it but you can try not to be part of the problem.

A few years ago, when I was starting my journey with threat hunting, I had the pleasure of working with a big and solid team of threat hunters based in Texas. Their approach was efficient and practical. It came from the idea that if the attacker can do something, why couldn’t the blue team?

Everything was done instantly, without endless procedures and multilevel approvals with strict separation of duties. There was a lot of trust given to the threat hunting team and it was never misused.

This is something unthinkable in any financial institution (and not only). I still see a lot of people’s potential being wasted by the schematic approach. Threat hunters need to be able to do much more on a read-only basis.

Is there a need for network visibility? Put a single box with an approved VPN and be done with it.

Do you have a guy who can truly look for things in machine code and is he willing to look for something of interest? It is irrelevant if you have the “patching team” – just give it to him and let him do the magic.

Simple, but at the same time beyond most decision-makers.”

Konrad doesn’t just want a blank check for blue teamers or other infosec specialists. He also helps them cultivate their mindset, one of the strongest assets anyone working in this field can have.

Of all the things he’s learned through hands-on practice, our guest singles out a single key lesson that’s incredibly powerful:

“There is really only one thing – it is taking ownership of the things you are committed to.

I could only describe here the basics that would sound like a compilation of corporate buzzwords that are currently losing their impact. Instead, I highly recommend a great book that you just need to read regardless of your seniority level and specialty. It is called “Extreme Ownership” by Jocko Willink and Leif Babin.”

The ripple effect – how WFH and infosec jobs are connected

It’s a brave new world out there, in the information security industry. While working from home has created more opportunities in infosec, it’s unclear whether the growth prospects will follow a constant growth pattern throughout 2021.

What’s certain is that strengthening your mindset, skills, and taking ownership of your professional and personal growth are all things you can do to advance your career and break out from the crowd.

“Except for the obvious implications of now common work from home and BYOD, companies finally understood that work can be done efficiently from any location. The comfort of your own setup can mitigate some of the fatal mistakes of the office space like a single LCD policy for ANY employee.

Yes, there were places with several hundred employees with such a setup at the beginning of 2020 and this is only one of sad examples.

Wide acceptance of work from home will give extra working opportunities to all living in small cities, where the big business did not look for employees till now. As always, everything is connected, so the opportunity for one group will mean lowering the pay range for those who decided to move to big cities before the pandemic. Some will say that salaries for cybersecurity experts can only grow despite any and all market turbulences, but the question about the curve remains. We will see more and more analyses of this in the coming years.”

So keep an eye out for an interesting year! Embrace the challenges, commit to growth and especially to being an active member of the community – you’ll thank yourself for it before you know!

3 key takeaways to build on:

  1. building products with the infosec community, not just for the community, is an approach more in tune with what the world needs right now
  2. infosec specialists needs more autonomy to act in the company’s best interest, especially as blue team members
  3. working from home has created more job opportunities in infosec, but it’s unclear whether the growth prospects will follow a constant growth pattern or not.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..