Listen to learn how to spot an effective security practitioner.
"In security, there is no 'that's not my job.' When it comes to defending the organization, security practitioners need to be able to put their egos aside, roll up their sleeves, and do what the team needs them to do to make sure the security posture of the organization continues to improve."
Whether you're looking to hire a good security practitioner, or trying to become one, there are certain attitudes and mindsets to look out for.
Joshua Goldfarb (Director of Product Management at F5) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss his recent article - How to Spot an Effective Security Practitioner.
Listen to learn:
Resources:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. And our guest today is Josh Goldfarb.
He is currently the director of product management at F5. Previously, Josh served as VP and CTO, emerging technologies at FireEye and as chief security officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels.
Earlier in his career, Josh served as the chief of analysis for the United States Computer Emergency Readiness Team, US-CERT, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis forensic capabilities for US-CERT. Josh, thank you so much for joining us today.
I would love to get started on your career path. This is something a lot of our listeners are most interested in: who is this person you're talking to, and how did they get to be where they are in this career that I'm so interested in? So tell me a little bit about your background, some of the places you've worked, and how you got to be where you are today.
Yeah. That's a great question. Thank you for having me on the podcast today.
Well, I started out as a computer programmer. When I went to college and was graduating, I was lucky enough to be graduating during the dot-com boom.
In those years, it was hard to find programmers, so they were taking pretty much anybody who had a science degree or a math degree or an engineering degree. Even if you weren't a computer scientist, they would take you and train you on the job.
I guess they were looking for people who had a good sense of logic and a good understanding of logic.
So I started as a computer programmer. I enjoyed it very much.
After a few years, I was working in a place where they had a shortage in the security operations center. At that time, I really didn't understand what a security operations center was or what they did.
I didn't know much about security at the time.
And they asked me if I would be interested in taking a break from programming and trying out being an analyst in the SOC.
It sounded interesting. At the time, and this is about twenty years ago, security was already starting to be a pretty popular topic.
It was gathering steam. It was gaining interest with people. It was a popular topic of conversation. I figured, you know what? Let's give it a try.
And that was it. I was hooked.
That's good.
I got into the SOC, and I started to learn how to be an analyst and an incident responder.
I very much enjoyed it.
From there, I continued, essentially converting from a contract employee at the Department of Homeland Security in the US to a government employee. I was one of the initial founding members of US-CERT.
We built up the team there and the capabilities. It was a good ride.
Well, that's true. I don't know if you're familiar, but we had a gentleman named Jeff Sanders,
I hope I got his name right, from US-CERT. There are a lot of people who don't know about US-CERT and what it can bring their organization. So if you're listening and you've never heard of it, go look it up. I didn't mean to interrupt you, but I just have a lot of respect for that organization and wanted to emphasize that with our listeners. So please continue.
Yeah. That was definitely a great experience.
Really great training for the future. But we were also able to do a lot of things to help the state of security in the US at the time.
And I'm sure they've continued the work since then.
After that, I decided I wanted to be an independent consultant. After a few years in Homeland Security, I said I want to take my expertise in the SOC area and offer that as an independent consultant. So I went to a number of security operations centers in government and also in finance in the New York area.
I began working in those SOCs and did that for a number of years, and that was quite good.
I came to Israel in two thousand twelve, continued to do that, and then joined a security startup called nPulse in twenty fourteen, which was acquired by FireEye.
I stayed with FireEye for a few years after the acquisition, went back to being an independent consultant, and then found my way to F5, where I've been for about a year and a half.
That's, at a very high level, where my career has taken me.
My advice to people who want to get into the security field, because I know there's a lot of interest in that:
It helps to have one of two backgrounds, either a programming background or a systems administrator, firewall type of background. Those backgrounds are helpful because while they're not security in and of themselves, they show employers or prospective employers that a person has a good understanding of logic and a good understanding of how systems and networks work. That is essentially the fundamental knowledge, in my opinion, for being a decent security professional: if you can analyze data, if you can look at things logically, if you can figure out what attackers might do and how you might follow them throughout the network, throughout different endpoints and systems on the network, and nowadays into the cloud as organizations move to the cloud.
Or you understand deeply how systems and networks work and you're able to really have that expertise and bring it to bear from a security perspective. Those two backgrounds, I think, give employers a really good basis. If they're looking for security talent and that talent doesn't happen to be recruitable pre-trained, they can train people with those backgrounds on the ground.
I agree with you one hundred percent. I often see people lamenting the idea that there are no entry-level security jobs. My response to that is always, yes, there are. It's called IT.
Right? So, that's correct. Understanding how systems work helps you understand the security of those systems. Understanding how applications work helps you understand the security of an application.
So as you said, either a development or an operational background will give you a really good stepping stone into security. And I'm so glad to hear that you said that.
So, the other thing I wanted to ask you to clarify: most of our listeners will understand what a SOC is, but some of them are not familiar with what a SOC is or how it functions or what it brings to an organization. Can you go into that just a little more?
Sure. The acronym stands for security operations center. Essentially, a SOC is usually staffed twenty-four seven, not always, but usually, whether it's staffed internally or via outsourcing to an MSSP or something similar.
Basically, the security operations center is charged with defending the organization from attack on a day-to-day, ongoing basis. That involves collecting logs and other data from different systems around the enterprise and from cloud environments, etcetera.
It involves analyzing that data, looking for evidence of intrusion, and if an intrusion is found, responding and containing that intrusion. That's essentially the work of the security operations center. It's kind of the front lines, if you will, or the operations of the security team in any given enterprise.
Excellent. So, like you said, some groups have this internally and some outsource it.
But one of the things, and this is the reason I reached out to you originally, is that sometimes it's hard for the business side to know: do we have good security people? Are the personnel we have in those spots taking care of our security? Are these the right professionals for us? Whether it's internal or third party, I think the points you made in an article you wrote are really applicable. So I wanted to go through some of them and talk about it. You wrote, by understanding what makes a great security practitioner, organizations can learn how to recruit and retain effective security practitioners. So what prompted you to write this article?
Yeah. So this was an interesting one.
I get inspiration for my articles from a number of different things. Sometimes something will happen to me in the analog world, and I'm able to deduce or find a security lesson in it. Sometimes something happens while actually practicing security, and I learn from it and want to share it.
In this particular case, I'd actually been thinking back. The article prior to this one was how to spot an ineffective security practitioner.
For those in your audience who aren't aware, I write monthly for SecurityWeek and for Dark Reading.
So the previous month's piece to this one had been how to spot an ineffective security practitioner, where I thought back on some of the people I had found during the course of my career who were not the greatest security practitioners.
And I thought about why it is that they had so many challenges when trying to do their job.
That was the inspiration for that piece. Then when I posted it to social media, there was actually a very interesting discussion on Twitter where a couple of people said it would be great to frame this positively, and they actually requested this sort of inverse article, which is how to spot an effective security practitioner. So that's what drove this particular article. It was a request from a conversation that unfolded on Twitter, which is great. Anytime people read something and engage, comment on it, ask questions, or perhaps offer constructive feedback, that's always great. I guess a part of me is always concerned that when I write something, nobody ever reads it. So when there's some commentary on it, it's always a good sign that at least some people have read it and taken a look at it and are thinking about it.
Yeah. Well, I love how you put this, because you talked about the traits of a security practitioner that let you know they're effective, and you start with selflessness. So why was that number one, and what does that mean?
Yeah. It's interesting. First of all, on the traits, this gets back to what we talked about earlier.
Like you said, the entry-level job for security is either to be a developer or to be in IT. Right? Because we talked about the fundamental skills that form the basis of a really good security professional, and that's a great way to get into the business.
So along those lines, one of the character traits that makes for a really good security practitioner is to be selfless. And why is that?
It reminds me, there was a picture with a funny caption that I saw maybe twenty-five, thirty years ago.
It appeared in the newspaper, but I think it was probably like the first meme before we had such a thing on the Internet.
It showed a yellow line, like you would find in the middle of a road, going over a possum. The driver of the yellow-line truck just painted right over the roadkill and continued on down the road. And it said, winner of the not-my-job award.
Yes.
Right? I'm sure you remember it. It was very famous twenty-five, thirty years ago. It was very, very famous.
Everybody got a big kick out of it. It's just one of my favorite pictures with captions I've ever seen. But in security, there is no not-my-job. Right?
When it comes to defending the organization, it might mean you have to roll up your sleeves and spend the entire day digging through a tedious log, or trying to figure out how to get something configured when it's not working properly, or even doing something like governance, risk, and compliance, which is not as sexy, if you will, as security operations, but is equally important, as is every aspect of security.
Security practitioners need to be able to put their egos aside, roll up their sleeves, and do what the team needs them to do in order to move forward and make sure the security posture of the organization continues to improve. If a person is unable to do that and says, no, my job is A, B, and C, and I will only do A, B, and C, they'll never make it as a security practitioner. It just doesn't work.
Yep. For sure. And I see that all the time in the groups I work with.
I like what you said about compliance. It's not the sexiest thing, and it's not fun a lot of times. But the groups I work with that most successfully meet an adequate security stance for their organization and reach their compliance goals quickly are the ones who, like you said, are selfless in what they need to accomplish, including some of the things that a lot of security professionals would like to say, oh, that's not my job, like documentation. Documentation is no fun at all.
A lot of people don't want to do it, but the ones who are best at security are also the ones who are willing to step up and meet the very boring documentation aspects of their compliance reviews. So here's another one you talked about, which is being a good listener. Tell me about being a good listener and how that translates to being good at security.
Mhmm. Yeah. Well, I think one of the challenges we as a security community struggle with is gaining the trust and buy-in of stakeholders. And I don't mean within the security community, I mean within the business.
It's very common, or I've heard many times in the course of my career, that the security team is the team of no.
The security team always makes everything hard, right?
Right.
And that's not to say we should just rubber-stamp every single thing the business wants to do and let them do whatever they want. That would be irresponsible.
But it does mean we need to find ways to gain confidence, build trust, and build consensus, and that involves working with the business. A big part of working with the business is understanding what drives them. What are their goals? What are their priorities? What are their objectives? Those things are going to be much, much different than ours on the security side.
Absolutely.
But if we can't convince the business that we're actually here to help them make more money and reach their goals more securely, in a way that's very responsible but doesn't impede their ability to meet their objectives, we'll never be able to really win their buy-in and their support to help us move our security initiatives forward. So that skill, to be able to talk to one or many people on the business side who have all kinds of different responsibilities, none of them having to do with security and all of them having to do with money and revenue and things like that: if we don't have the ability to listen to them and really internalize what it is they need to do and what's important to them, we have no hope of being able to translate that into security priorities and goals we can move forward with.
Absolutely. And as you know, there are so many different ways to meet security responsibilities.
If you know more about what the business is trying to accomplish and how it functions, then choosing the right security controls to apply to the right areas just becomes so much easier, rather than the one-size-fits-all security you might try to apply if you didn't understand the business. So the next one is being introspective.
In your article, you quoted Bertrand Russell: the fundamental cause of the trouble is that in the modern world the stupid are cocksure while the intelligent are full of doubt. I love that. I had to say that one because it's one of my favorite quotes. But tell me about being introspective and how it applies to security.
Yeah. I think one of the things that, I'll say, modern society struggles with a little bit is understanding that it's okay to make mistakes and it's okay to do things that don't work out well. It's not okay to behave irresponsibly and make sort of callous decisions, but it is okay to make educated guesses, make a decision in the moment, a command decision if you will, and go forward with that. And of course they're not always right.
But one of the ways we improve or get better as security professionals, but also as a security community, is by understanding that if we make the wrong call and it works out badly, sometimes it blows up in your face, sometimes it costs you a couple of relationships inside the business, sometimes you lose a little bit of respect or a little bit of political capital, whatever the blowback or the ramifications are.
If we have the ability, rather than pointing the finger and trying to blame others, to look inside and say, you know what?
I really should have been more careful when making that decision, or I needed more data and I made assumptions that weren't correct, or I used intuition and emotion instead of using facts and data. If you have the ability to look inside and understand that, you're much more likely to learn from it, which of course means the mistake isn't necessarily a waste of time if you learn from it. In fact, I would argue quite the opposite.
A mistake made with the right intentions, using educated guesses and logic and data (even so, we sometimes make the wrong decisions), if we learn from it, is actually, I would say, constructive and helpful in our careers and certainly to the security posture of the organization, especially if we take your advice and document what we've learned, which we know is not the easiest thing to do.
That's for sure. Because then there's no running from it. We did this thing. It didn't work out.
Here's what we learned from it. But those lessons learned are so important, not just to us, but to other people who are coming behind us. There's a lot of shifting and changing throughout people's careers. And sometimes we'll get thrown into the deep end, from my background being in IT operations, where somebody else went through it but didn't tell us, hey,
this is what happened the last time we tried this. So you end up repeating mistakes, where allowing yourself to be in a slightly vulnerable position by documenting that is going to help the next person as well. So I'm glad you pointed that out.
And kind of hand in hand with that is the next trait you put down, which is credits others.
Mhmm.
Yep. Absolutely.
So, when you have a talented security professional, and they're reporting to somebody who blames everybody else when things go wrong and takes credit when things go right, whether or not they were actually heavily involved in things going right, there are few things in the workplace that are more frustrating than that.
I've certainly been on the receiving side of that, and I know many, many security professionals who have had bosses like that.
But I think the flip side is that when we get into a leadership position, whether it be managerial leadership or just technical leadership and advising the organization on the right way forward, when things go right, we need to realize that, it's a little cliche, but it kind of takes a village, right? So for example, at F5, any initiative we want to move forward involves cross-functional and cross-product-group organizations. There are a number of different stakeholders involved at every stage of the process.
And they each help and contribute to moving the effort forward.
If you fail to credit them, and I'm talking at F5, then you burn bridges, you lose confidence, you lose trust, and people are less likely to be excited about helping you the next time. All the more so when you're running a security program, right? If you credit others and you have that trait within yourself, you'll build trust, you'll gain the faith and confidence of others, which means that when you approach them and say candidly, look, we need to talk about this new business initiative you have going, I have some security concerns,
I think we can work it in, and we can help address those concerns without negatively affecting your projections for the year or your outcomes for the year. They're more likely to believe you, rather than casting you aside as somebody who just comes in and says one thing and then doesn't come back and say thank you, or doesn't give credit when it's time to give credit. So that's definitely something that's very important.
Absolutely. And I have had managers in previous jobs who have done that.
All the blame goes outward and all the credit goes inward. When you are reporting to someone like that, it's so disheartening.
But what you don't realize is that the people above that person, they see through that. They know who's actually doing the work. They might get away with it for a little while, but eventually everybody does see where the work is actually coming from. So by doing that, they're not actually doing themselves any favor.
They're just upsetting the people around them. All the way around, it's a bad strategy to take. So, you talked a little bit about being collaborative with other groups.
Talk a little bit more about that.
Yeah. I think one of the things that's frustrated me over the course of my career is when I see security leadership butting heads or throwing elbows, so to speak, figuratively, inside an organization.
When you approach the table for discussion with the business or with leadership or executives and you say, we're the security team and we know, and this is the way it has to be.
Unfortunately, it isn't the way it has to be. In many cases, I've seen that kind of headstrong approach backfire, and the security team gets a reduced budget and walks with its tail between its legs as it goes out the door on the other side.
It's much more effective to work collaboratively with other areas of the business, including executives, leadership, and the board, and have them believe in you as a subject matter expert, or in the team as a group of subject matter experts. Have them believe that you're their partner, in other words, a partner to the business to get the business to operate and profit more securely, and not necessarily there to strong-arm them into doing things that are going to make life difficult for them. It's a much more effective approach, in my experience, than just bulldozing ahead without regard for that collaboration.
Sure. Yeah. For sure. So that takes us directly to the next trait, being communicative.
This is not always easy for people in the security world.
Communicating effectively, I think, is something that some groups might struggle with. What can you tell people about communication and how it increases security?
Yeah. I think probably the easiest way to think about it is to put yourself inside the head of a business leader who doesn't know much about security, who maybe grew up in years before security was something people really talked about. I think it's different if you have a business leader who's kind of grown up in the last ten or twenty years. But there are people who are probably getting closer to retirement who grew up at a time when security was something that was hardly ever spoken about, and maybe never spoken about. We were in a much different world. A lot of it was offline or mainframe systems, a different environment than we've found ourselves in for the last, say, fifteen, twenty years.
So when you think about that type of mindset, you have to imagine them asking the question, what does security actually do around here?
What have they done for me lately? What are they doing for this organization, for this enterprise, for this business? What is it that they spend all their days doing? Not necessarily asking from a cynical or malicious place, but from a genuine lack of understanding of what the security team actually does and why they need X number of resources to do that, whether those resources be monetary, people, or otherwise.
If you think about that, then you begin to communicate in terms the business and others can understand: not overly using jargon, not overly technical, not overly in the weeds, but showing the value you're providing to the organization, showing the impact of the initiatives and efforts the security team is moving forward, showing metrics the business can understand, measurements or metrics the business can internalize. By investing X amount of dollars, we save Y amount of dollars in fraud loss, or Z amount of dollars in avoided security incidents and the like.
If you think about communicating in those terms: what are we doing? What effect is it having on the business? Why is it good for the business? Why should you care about it? Then you really can build a lot more confidence in the security program, but also make it clear to people why they should work collaboratively with security, because it's good for the business as a whole. That's something we as a community, I think, sometimes struggle to communicate. And sometimes we even struggle to understand that we need to be able to communicate that.
So in my experience, it's very, very important to really get that out there for people outside the security team to see.
Yeah. Because I've seen groups sometimes, when I go to an organization, where you can tell that the security or IT team or both are feuding with the business side, because they use more jargon. They increase the technical language. They use language as a way to put up barriers rather than to create a common understanding. In those cases, they're obviously not on the same page in terms of how do we solve this common problem of security. So, using communication, as cliched as it sounds, to create bridges rather than put up walls.
But recognizing, and you can kind of see it, if you recognize that jargon is coming into the language, if you recognize that people leave a conversation more upset than they entered it, then communication is not truly happening. Instead, it's a war with words rather than truly communicating.
So that brings us to the final trait you had in your article, which is, a security professional delivers.
That's right.
Yep. I think, I know I'm not alone when I say that we in the security field have seen our fair share of all talk and no delivery.
Mhmm.
Unfortunately, I've worked with a few people, luckily not by far the majority of them, but I've definitely worked with a few people during the course of my career who talk like a spiraling storm of words. But in the end, when it comes time to actually follow through on even a portion of the words they've spoken, it doesn't happen.
Ultimately, it's great to say the right words when you're in a meeting. It's great to be able to understand topics and communicate them. It's great to be able to speak to the business.
But you've got to do more than just talk as a security professional. A big part of being a security professional is rolling up your sleeves, getting your hands dirty, and getting in there and making sure the project or the effort gets across the finish line. Or, if you're in an operational position, that day to day you give it your all and make sure you do what's right and best for the organization, day in and day out. At the end of the day, it's about action and not about words.
The best security professionals I've known under-promise and over-deliver. Right? They make sure people understand what's expected of them and what they can produce, and they always go above and beyond and give the organization more than it was banking on. That's really what it is. At the end of the day, you've got to know what to say, but you also have to follow it up with action.
Terrific. Well, this has been really helpful to me to hear from you. I'm sure our listeners would like to hear more. We'll put a link in the podcast notes to your article on Dark Reading so that people can read your articles monthly and comment on them, give you feedback, and also dig deeper into the article we covered today, the traits of a successful security professional.
I sure appreciate you coming and speaking with me today.
Yeah. Thank you very much for having me. It's been a pleasure.
Thank you. Bye bye. Thanks for joining us again here at the SecurityMetrics podcast. I hope you'll join us again in two weeks for our next episode.
See you on the slopes.