When you’ve been in information security as long as Jeff Man has, you have a unique vantage point.
Frankly, we don’t know many people with over 36 years of experience, who can point to the sources of the infosec mindset and explain how things have transformed over the course of decades.
One key lesson we drew from this interview with Jeff is to never stop questioning things (ideas, m.o.’s, roles, problems, solutions, etc.), especially those we think we know and understand.
You’ll surely discover plenty more revealing insights that will surely come into play in your work.
The most difficult aspects of cybersecurity
“I currently have one customer, and this customer epitomizes everything wrong about our cybersecurity industry.
The lack of any institutional, cultural focus (or even understanding) of the basic needs of Information Security. The mentality that it (security) is someone else’ problem. Approaching compliance as a point-in-time audit, rather than a spot check of how well ongoing processes and procedures are working in the enterprise.
What I’m learning is that overall we are losing the battle of implementing the things in organizations that will actually make a difference in terms of overall security (whatever that means).”
Jeff’s scathing observations may hit close to home for you, if you’ve been in this industry long enough. If you’re rather new, don’t be alarmed – the sooner you face the reality of cybersecurity challenges, the more adept you can become at making a real, positive impact in your workplace.
For example, Jeff has been in cybersecurity ever since the field emerged.
“I’ve been involved in Information Security for over 36 years, and I’m honestly not sure when “cybersecurity” started (or what it means for that matter).
I started within the Department of Defense where the rules were well understood and part of the entire “corporate” culture. The mission of the organization was clear, and everything that was done (or not done) aligned with the overall mission. AND – everyone understood their role and how important it was to follow the rules. Period.”
While looking at this landmark, we had to ask how the rules have changed since then.
“Quite frankly, that attitude/culture has never been adequately embraced by the private or commercial sector. Many would say that “DoD Level” cybersecurity is not required nor appropriate (read: too expensive) for the “real world”. Ask the latest company that has suffered a breach what they think…”
But while companies at large still struggle with integrating the cornerstone infosec elements that make a difference in real-life, cybersecurity specialists can’t sit arms crossed. Building a company culture that values security as a key component is a process that needs work and dedication.
So if this mission gets you excited and motivated, here’s what Jeff recommends aspiring infosec specialists look for to develop and apply their skills and knowledge.
Finding a workplace where you can grow
“I try to tell all the people I meet, that ask some variation of the question “How do I break into/succeed in this industry?”, to expose themselves to as many facets of this industry as possible to find out:
a) what you’re good at and
b) what you like to do (hopefully these two things are the same).
If you’re good at what you do and you like doing it you are best positioned to make the biggest positive impact for your employer and/or your customers.
The “cue” that I would look for is to discover whether your employer embraces this idea and provides a work environment that promotes learning, questions, experimenting, trying, failing, and somehow puts this at least on the same level as productivity and the bottom line.”
A world in upheaval where cybersecurity is indispensable
There’s a red thread connecting Jeff’s experience and his perspective on what it takes to make an impact as a cybersecurity professional.
When we asked him which tech advancement increases cybersecurity risks the most and why, Jeff did not beat around the bush:
“All of them.
But to answer this question, I must qualify how I define the terms you’ve employed here.
Risk is defined as a quantitative measure of the likelihood and consequences of some (generally adverse) event occurring. Cybersecurity risk then implies that whatever risk the organization is concerned about is happening through/by/because of the computing and networking technologies they have employed.
I believe the fundamental problem that we all share is the belief that any technology advancement [within cybersecurity] actually solves the problems associated with higher/unacceptable values we assign to risk whether addressing the likelihood or consequences.
Quite simply, technology is not the solution – technology is the problem.
The issues of information, data, cyber security are non-technical in nature and need to be understood at a non-technical level. Then apply the technology tools that are used to conduct business and to apply cybersecurity and see where it gets you.
But never forget that the fundamentals of cybersecurity are mostly information or data security issues.
The basics of what needs to be addressed to be “secure” have not changed, but thanks to technology what you need to do has changed greatly.
Unfortunately, I think we have introduced more vulnerabilities than countermeasures or mitigations which means we are losing the battle.”
Reframing the infosec specialist’s role
Just like you, we take our role in the infosec community seriously. We want to contribute to making it stronger, and we believe that collaboration is essential for it.
So we asked Jeff to share a bit of his wisdom regarding the most important things that would serve the community, to make it stronger and more united.
“Several things that I would categorize as “attitude adjustment”.
First, the community needs to understand that they don’t own this problem at least from a solutions perspective. That is to say, we need to get over the “us vs. them” mentality that often crops up in our industry regardless of whether “them” is management, developers, auditors, attackers, or whomever.
There are lots of people/groups in organizations that participate in the overall cybersecurity of the organization – not just the ones labeled “cybersecurity professionals”. We need to get along better with our peers which mostly means we need to teach them (because we see the problems).
I am not convinced though that we have the answers – otherwise we would have solved the problem by now.
Cybersecurity is ultimately a non-technical issue which requires at least a non-technical understanding before we start to apply all the technical “solutions.
If nothing else, this should lead to informed consent and an understanding of what the solutions do and don’t do (and what’s left to be done that will never be done by a technical solution).”
Jeff’s emphasis that infosec specialists must be – most of all – persistent educators is something we truly stand behind.
Whether it’s through training, articles, presentations (such as the ones we’ll have at DefCamp), podcasts or any other form, it’s our responsibility to teach others the mental models involved in cybersecurity. It’s up to us to show people how malicious actors exploit their human vulnerabilities and how that impacts them professionally and personally.
As a community, we can learn A LOT from people like Jeff, who have lived through countless experiences, learning and improving with every opportunity.
When it comes to DefCamp, Jeff Man has a clear mission:
“My goal at every conference where I attend or speak is to get people to question, and in so doing get people to think.
I’m not out to change anyone’s mind about any issue within our field; but I am trying to get people to step back and take a broader look at the problems we all face, what we’re doing to address the problems, and maybe, just maybe come up with another approach.
Ultimately, I don’t believe there is a single solution other than mass education, awareness, due diligence, and understanding. Not too lofty a goal, or is it?”
It doesn’t happen every day/month/year to have someone like Jeff join us in Bucharest, so make sure to take advantage of this unique opportunity!
This year, we’re taking DefCamp to the next level with the help of our main, long-time partner, Orange. With support from IXIA – a Keysight Business, Secureworks, UiPath, Bit Sentinel, Thales, and other selected tech companies that value the power of community, we’re building valuable, hands-on learning experiences for 2000+ attendees from all over the world!
Join us to educate, secure, and change the world!