This is the 2nd part of the return of the podcast after a brief hiatus.
Daniel Ayala continues his interview of me. In this second part, we will discuss how I got started in the industry, defining moments of my career, my first computer, early entrepreneurship, characteristics I look for in professionals, the toxic cybersecurity gatekeeping, and so much more!
[00:00:09] I'm Douglas Brush and you're listening to Cyber Security Interviews. Cyber Security Interviews is the weekly podcast dedicated to digging into the minds of the influencers, thought leaders and individuals who shape the cybersecurity industry. I discover what motivates them, explore their journey in cybersecurity and discuss where
[00:00:29] they think the industry is going. The show lets listeners learn from the expert stories and hear their opinions on what works and doesn't in cybersecurity. Welcome to Cyber Security Interviews.
[00:00:49] It's back after a long hiatus and a lot going on in my life, I am bringing back the podcast. In order to do so, I brought my good friend and colleague and data privacy and cybersecurity person of interest Dan Ayala to interview me.
[00:01:04] So over the next few episodes, we'll discuss where I've been in the past 18 months, what I'm doing now and where I think this industry is going and why I plan to leave it within the next seven years. Hello and welcome to episode 124 of Cyber Security Interviews.
[00:01:20] Dan Ayala continues to interview me. In this episode, we're going to dig into how I started in cybersecurity, some of the defining moments of my career, my first computer, my early entrepreneurism, characteristics I look for in InfoSec and some of the problems that I see with cybersecurity gatekeeping.
[00:01:38] Let's get to it. You'll be able to see that in the waveforms. So Doug, one of the truisms that I've come to really believe in is that we are made up of all of the experiences that we have had before now, that
[00:02:00] which makes us now is a result of that collection of experiences. If you had to pick two or three core defining moments in your life, in your career that brought you closer toward a career and information security, what would those be?
[00:02:18] It's hard to frame it necessarily in the career. It could be life events too. But well, I think that's it. You know, with me having such a strong technology background, I think I'm
[00:02:34] very fortunate in my life to be paid to do things that I was going to do, whether I got paid or not. You know, so it's it was an inevitability. It was an inevitability.
[00:02:48] You know, and a lot of it was, you know, it was funny as even I got hired from Splunk, they're like, look, we want you, we want you to go out there, work with the community, connect with CISOs, understand their
[00:03:00] strategy and really how products and vendors can do a better job. I was like, I was, I was literally going to do this anyway, but if you want to give me a paycheck and it's not counted. Yeah, absolutely.
[00:03:12] I mean, but that's like, you know, I've been very fortunate to be able to do things I'm passionate about that I was going to do. And it goes back to the early 80s. Again, my parents being communications consultants were very, you would have loved my father.
[00:03:28] And he was so much like us, a gearhead. Like we talked about the Moran systems. He was an audiophile. He had all his cool audio gear, built his own box speakers, measured it. I mean, now I know where I have my obsession from, even though I said
[00:03:42] I would never be my father, but we all become him at one point measuring out. We've become our fathers or our wife's fathers. The amount of time I just got energy, Wrangler came with an aftermarket head unit and it has the output.
[00:03:56] I mean, I just sit there in the car going, no, six Ks a little bit and just balance like in my, I can hear it. Nobody else can, but I know those balancing because I just had that.
[00:04:05] I grew up with like this level of audio attention and it was really, it was attention to everything technology wise. And so we had VCRs, we had Betamax, we had three quarter inch and half inch tape. I just had all this crap around me all the time.
[00:04:19] So I was used to it. Like I said, you know, when you and I've talked about our AV backgrounds, it was very much in that. And I think again, coming from parents that fundamentally looked at technology as an enabler for people to do their jobs better.
[00:04:34] You know, whether it's audio, video, computer, whatever it is, it's, you know, we're able to either get to more people, we're either able to communicate more effectively, we're able to create evergreen content that could be reused and has more meaning.
[00:04:48] Whatever the value of the message is, it could be amplified and enabled by technology. They were never like technology first. They're like, it's an afterthought, but the people, the message, you know, the message is the medium, you know, it's a very
[00:04:59] Marshall McLuhan-isms that I heard in my house growing up and they built that in. So I think, you know, we really go to doctors days and when the first computer I had was a TI-99/4A. My parents were working for Texas Instruments out of Texas.
[00:05:14] No, no. And we had a, we had a, we had the computer was shipped to the house and they were doing some work on it about how it's going to, you know, have PCs. And this is the very early days of these, you know, the PC wars
[00:05:25] of for everybody that's now too young to even know this. There was, you know, patent infringement lawsuits over the BIOSes and that Compaq was, you know, with, with Microsoft, I'm sorry, with IBM and IBM and its OS things and it was just
[00:05:44] the early days in the days were really interesting because there was much more disparate in the technology now than people think we have all these platforms. Had you only known and grown up in the early 80s? I mean, nothing worked together in the last, but that all being
[00:05:58] said, it was a really exciting time to even be young six, seven years old, seeing this stuff and picking up the magazines and reading about them. And so I started writing basic code on the TI 99 and there was an audio cassette recorder where she recorded and played back.
[00:06:11] And there was games like Hunt the Wumpus and they were like really kind of just, I would still play the game. It's just fine. I don't know. Was this a weird puzzle solving game? That all being said, I had this really early connection with
[00:06:23] with technology and eventually we had their early laptops that had dial up capability. So you can dial into BBSes, you can dial into CompuServe. And for those again, that are younger than us, you don't know about area codes and toll charges.
[00:06:41] If you really know how all telecom works, it was exorbitant in fees. And so, yeah, those $700 phone bills from your grandmother's place when you were calling back to New York City BBS numbers, there were some talking to us about that. And I got into the early nineties.
[00:06:59] You know, it was Prodigy was a long and then early internet and with folks like Gavin sing that really helped shape me to understand what enterprise networking is going to be. You know, computers are fun and a toy for you, but these are business machines.
[00:07:13] You know, and I think I grew up in an area that was very IBM country focused. And they said, you know, well, Doug, you have this strong. I mean, clearly you've been on the forefront of this like you're a kid that understands computers.
[00:07:25] You got to go work for IBM. Why? Mainframes. And I got like Gavin and others are going to be going, it's not mainframes. Gavin worked at IBM. He was just like, no, it's the end users equipment going to go back to think about my parents.
[00:07:36] I'm like, right, because people are trying to do their jobs better and faster. It's not the back end. Those are that's not where the growth is. And I really found there was a neglected market. So I was talking to a group of people at a local business
[00:07:48] event actually for my parents, PR company about this new thing. It still has really take on what's called the internet. And you can set up these home pages. I don't know if you've heard of these. They come with little pictures of construction men.
[00:08:01] Yeah, you can you can always think about Homer Simpson's web page because there was this many animated things. You know, when it was, I think it was might have an HTML one was right around that when you start animating stuff and the blink tag.
[00:08:14] Yeah, it was a funny part is because I pretty much do that now that I think about still just means that are animated images. So I really did. I don't grow up. But you know, we were talking about how this this was going to revolutionize communications
[00:08:28] because you can you can put out this dynamic pages. You can change them at marketing at that time as you had to get all this desktop publishing. Remember that? Oh, yeah. Done. And then you'd have to know how this page made to get set.
[00:08:41] And then you had to make sure that somebody can print it. You had it in the right art format. I mean, this still exists and printing now for the most part, but it was it was so much more annoying.
[00:08:52] And so I said, well, what if he just had like a brochure where site that was up? People connect to it. We were like at this meeting, like, ah, we have no idea what you're talking about. This all seems cool. And one of the guys pulled me aside.
[00:09:03] This became one of those fundamental ways. Like, look, you clearly know your stuff. Most of us don't. There's a market out there for individuals and small businesses that just don't understand any of this technology, but we're being kind of forced into adapting and using it.
[00:09:19] And we know we need it, but we don't know how to support it. We just want to do our job. I don't want this to be a headache. Can you come support us? And that's when I started computer house calls and it was December 94 and then really
[00:09:32] into 95 in that it was really the business of going out and helping folks get their computers up. And it was initially for home users and small businesses and I grew into enterprises and I was doing enterprise support for companies like Merrill Lynch and other companies in
[00:09:48] different different capacities. But it was it was really that moment where somebody said, I get what you're saying, but you're years ahead of where we are. We need you to roll this back and really find the need. What's now? And I was like, oh, that'll be easy.
[00:10:03] That I got. I want the challenging thing, but then became the challenging thing of running a business. And as a late teen, early 20s, my friend are off at college and I'm trying to figure out how to start a business. And that was that was a real challenge,
[00:10:18] but it was something I'm doing again. You know, how many 30 years later? So one of the opportunistic being in the right place at the right time in the right era was a huge piece of it. I was in a I was in a.
[00:10:34] A mentoring call with somebody who is looking to get into the InfoSec field just the other day, and he asked a great question. He said, Dan, what what is a characteristic that you think is really important for someone coming into information security?
[00:10:48] And my immediate off the cuff answer was curiosity, like the ability and desire to be able to dig into something. But then I realized that weren't kids people growing up that are younger than us. And I'm beware, I'm going to have an old
[00:11:04] man shaking his fist at the cloud moment. Haven't did not have the accessibility or the freedoms that came in the area you just described where poking around did not have consequences where the rails were not given and doing the wrong thing didn't end up derailing
[00:11:26] your hopes at college and or career in a way that I think many people see today. So that kind of curiosity or the ability to be curious has changed in the last 30 years, at least in my view, curious on your perspective and how people can
[00:11:43] still be curious or get that kind of curiosity or experience in a world with much bigger rails. Yeah, there's a couple, a couple parts of that that I think about. You know, I get that question too. And I think curiosity, problem solving
[00:12:02] is often how I probably use that ability of saying, you know, wait a minute, you know, healthy dose of skepticism, even when I've had my staff, they'll do things like why do you do this? Because he told me to I was like, OK,
[00:12:15] well, why did you do it? Now what's the underlying purpose? I don't know. I was like, OK, that's fine. Then we need to discuss that. You need to understand the fundamentals, particularly when we're doing a lot of forensic and IR work while we ran this
[00:12:27] tool, we got this result. OK. Why? The tool said so. I was like, OK, let's so who testifies if I have to take the support tool or me, you know, in this idea that you need to be able to explain how this works. It comes to two things
[00:12:43] of critical thinking and communications ability to articulate these things and these findings and why you're doing things. So I think there's kind of two sides that I've too often broken down into two different things, but I think they're really symbiotic more than separate points.
[00:13:00] So I think a few assets like you had to be curious and you had to be able to communicate. But I do agree is that it's the access to stuff. Now, I'd say on one hand, people have more access to stand up test environments. There's more free
[00:13:16] training out there. A lot of people say what are some of the certs saying it? And I think of one of the forums or Slack channels we're on. People are saying, you know, or at least I try to encourage them like, look, if you're out of work now,
[00:13:27] don't sit on your ass. This is a great opportunity to work on yourself. There is so much free material out there, certifications, things you can learn on. Just go to, you know, I'm not advocating AWS over GCP or Azure or anything, but AWS
[00:13:42] has a bunch of free training out there. You can get your AWS certifications. You can get on a right trajectory to change your career now and learn about things and ways that you know before Splunk has a bunch of free stuff. I'm really
[00:13:53] encouraged by that. So there's a ton of stuff out there. But it does happen in kind of a safe environment. It's a little too sanitized for me at times, because it's really hard to break things. Right. And to your point, it's like, I think it's tough now
[00:14:07] because you learn from making mistakes. And you really have to think into that. Okay, it's not getting frustrated by something in work. It's that curiosity. Okay, why didn't work? What do I have to do? But being willing to push the button, even though you don't know
[00:14:21] what it's going to do. There's nothing worse than a button that says do not push to me. Whether it be on a person or a keyboard, you know, it's I have to know I have to see where that's going to go. I'll keep that in mind
[00:14:34] for when I try to get you framed for something. Oh, just it's easy. I mean, yeah. It's just to me, it's it's that's what's going to happen. And to me, that's the heart of this that old MIT, early Berkeley hacker mentality thing. I mean, granted, I can't grow
[00:14:52] a beard and my glasses are not as thick. But you know, I think I think about it in that sense of when we talk about hackers as being that kind of curiosity, that kind of thing like, don't take things at face right, you know,
[00:15:03] break things down, put it together, make it better, keep going. Like how does this work? Why did you did it to I know we've never discussed it, but I guarantee you took apart a VCR one time. Yeah, I mean, just one. We why? Yeah, exactly.
[00:15:17] Just one. And the thing is, I was fortunate to have a father that did it alongside with me. But I mean, you know, I just I just had to need to know how these things work. Right. I think that's kind of lost and people just assume they work.
[00:15:28] Well, we also live in a world now in which taking them apart is not physically possible or likely that you can get into and understand what it's doing. Well, without law, I mean, I mean, I mean, yeah, I mean, the level of that now
[00:15:44] it's like you were encouraged in the early know when I talk about those early areas of even all there was all this IP litigation on the operating systems, the BIOSes, the hardware. There was I mean, look at, you know, Wozniak and Jobs were going to fricking building
[00:15:59] stuff out of the garage from going to computer show. I mean, it was the community was there to fucking break things, solder things, blow things up and then put it in this key for why things don't work how to make it better. I do have a fear
[00:16:10] of that. It's almost too sanitary now. It's like we see kids that don't go to the playground and just do pickup sports anymore. They go to organized sports and they can't deal with things that don't go their way. And I'm concerned about that. And she
[00:16:23] were like, this was supposed to happen this way. We trained for it. I'm like, hey, train for the expected. But what about the unexpected? You never trained for that. That is cybersecurity. It never works. It never works. And you've got to be able to think
[00:16:35] around that. And if you just sit there staring at the screen wondering why things not working and going to somebody else, you're not you're not built for this. It's funny. I can deal with that just fine in my technology and security work. When I went to Chipotle the
[00:16:49] other day and they were out of chicken and said, no, we can't give you cilantro. I was absolutely floored and didn't actually know how to respond. So I guess we all have our topics. So Doug, you came into the field early on. Did you
[00:17:06] have along the way a view of what information security would look like? Let's say in the 2020s or 20, 30 years down the road. What did that picture look like? Well, I mean, again, I go up with movies like War Games, sneakers. I've always wanted to be Robert Redford and
[00:17:30] every movie he's ever been in. Because I fancy myself as this suave, charming guy with blue eyes. Although I did meet him one time at one of the mental health compensation workers. He's much shorter than I am. I found that out. So I had that on him.
[00:17:44] So went for Doug. No, but it was you know, it was this idea of this kind of coolness with this. This look, I'm a punk too, right? And it's always about questioning authority and questioning. I think there's so much of the hacker community and punk
[00:17:56] community, the ethos of it is saying, hold on, we're not taking this advisor. It's not like fuck authority to say fuck authority. It's like, well, why should we trust you? Trust is earned not given. And you know, that's what I'm saying. There's a fundamental that right? You
[00:18:11] know, security is trust but verify. And I think that's kind of a lot of them. I want to test them. I want to make sure things are working because I know things don't work as planned all the time. And I think early on, I
[00:18:23] saw that in the technology space and as some of the folks that were getting in trouble in the late 80s and 90s, and I followed them on various things. And probably listen to what you know, I consider the first cybersecurity podcast was Off the Hook, you
[00:18:38] know, it's a radio show and they follow the exploits of the various Kevins. And, you know, you saw these things and it was like, oh, okay, I can do some of this stuff. And I know that both the board dial-in is probably saying I know where I can
[00:18:54] get into most things I've word-out enough or I know where again, living in IBM country, there's plenty of AS/400s ahead, you know, there was but I'm not going to cross out like I just, you know, there was too many things that had a
[00:19:06] fear and aversion to but I got the concept of it. And I really focused more on the business side and networking side because I said, okay, it's, you know, at some point there was, you know, the famous kind of saying, you know, hacking for fun and
[00:19:20] profit that came out, you know, the early DEF CON age but it's like I always thought about it as profit. There's always a business. I mean, there's always some support of the technology and if you have to find the weaknesses and the vulnerabilities, it's because I don't want it
[00:19:32] to break. And so I always had that mentality. I always carried the house is going to fall apart kind of thing and test the systems even when I was deploying them. So I really kind of saw that I'd say in late 90s early 2000s particularly as
[00:19:46] the internet was coming up, I found myself doing a lot of security work, whether I knew it or not. There's a lot of end point malware remediation due to insecure browsers, binaries that would just get pulled over for free music video games you name it.
[00:20:00] Or people that purposely installed 20 different toolbars such that their web browser was this big when it was all done. There were so many businesses and households I supported that I would explain like you got to get a watch your kid the good teenagers are the
[00:20:16] ones installing this voice understand we have like to the point where the computer went booed, I had to like get my DOS 6.22 boot disk, go in, you know, command line it to the autoexec.bat files because take out all the preloaded drivers going
[00:20:29] to like the wind. I mean, it was just a lot of editing of stuff that got loaded in because yeah, sure every every every application needs access to root because why wouldn't you? And, you know, I found myself doing a lot of remediation setting permission but network
[00:20:44] security to certainly as the internet came up. And particularly as I was dealing with enterprise customers in a highly regulated environment, you know, access to the outside world was carefully managed. So I had to build systems for that. And so I got the constant. I just saw
[00:20:59] that being that the framework of it is this idea that security is going to have to support the business. And it's part of this. It's not this. The hacker stuff's fun. Don't get me wrong. But I mean, it's it's got to be more than cool. You know, I'm
[00:21:13] a conscious gentle capitalist at heart. I believe there should be rules around him. But I mean, the end of the day we're living in a world where businesses are driving a lot of things and to support them, you have to understand where the weaknesses are and
[00:21:26] exploit them for good on behalf of the business to show Hey, look, you know, here's where you have a problem. Not just, you know, lighting a house on fire and say, well, look, you know, you were you were vulnerable. Like to me, that's never going
[00:21:37] to be the cool part of hacking. It's just trash. So are we on the right track now as an industry and career field? I don't think that I use the term right in purposeful, you know, corporate air quotes. Christ, the proper within an agree with an agree
[00:21:55] of certainty council. I can say that we are in one standard deviation. My deficit, you want to pose me for the rest of this? I'll run circles. It's it's. No, no, I still think there's too much a focus. You know, one of the challenges
[00:22:10] that I had in the vendor space when I was working there were really strong security leaders with inside the organization that were very customer facing that was saying to me, well, Doug, you're not you're not technical enough. OK, what made you think that what we haven't seen it?
[00:22:27] I was like, because I don't flex on that anymore. My trust me, I'm arrogant. I'm a no at all. If you want me to do that, I'll run circles around all you guys. I've no problem doing that. That's not where my career pass going because I've done it
[00:22:39] all. And for me, the next challenges are communicating to the business, elevating business risk in ways that are digestible and help support the business. And I think a lot of that cool kids mentality, the, you know, the cool table and lunch that exists with a lot of the.
[00:22:58] Cyber security gatekeepers and hackers is killing us. It's this attitude of this is the way we always done it. And, you know, everybody has to be able to do this. And I'm like, no, we're at degrees of specialization. You know, figure out what your
[00:23:11] base skills are going to be. And then you're going to have to fork and be on some special. I've had been fortunate to be able to do it all. But really, again, my area specialization right now is in cybersecurity leadership litigation and understanding the business risk.
[00:23:22] And great, I have a household attack, but I don't have to prove myself anymore. And I feel this need that still exists within the community that you have to have some level of street cred, like I have to go cap somebody in the street because, you
[00:23:35] know, to maintain street cred is like ridiculous. And too much of that is permanent. And there's this idea of well, everybody's got to be the same. Everybody has got to be well rounded. Everybody's yeah, everybody's got to be a full stack engineer. Everybody's got to
[00:23:44] be full stack, you know, secure. That's just not pragmatic. It's not possible for shooting ourselves in the foot when you look at these job reqs that want all these skills and experience and they don't ask for things like we talked about. They don't screen for
[00:23:56] curiosity, don't screen for communication skills. The best hires that I've had are the pen testers that came from audio engineering. I mean, Jan Petrov who had edited a lot in the first series of podcasts, he came from audio engineering. I was very fortunate to get to know
[00:24:12] him because he edited like Coldplay albums and he got to work on the early, you know, podcasts of the cybersecurity interviews, but he had that ability to think through things and solve problems. Now he's in a very great place and hire up with the with the
[00:24:26] financial service institution and on paper he wouldn't seem hire. Hell, if you look at my job and what I'm doing now, my resume couldn't get me hired. I don't have college degrees in this. I don't let most of my certs lapse. I don't have many times I've
[00:24:44] thought about getting the CISSP, tried, and just what's the point? Like I can do this like I don't who am I trying to prove? And so I think there's still too much of a focus on that that this has this gatekeeping improvement and
[00:24:55] this inability to look outside of technical fields because what's changing with cybersecurity is not technical anymore. That's a component. We're not a product of IT. It's part of our makeup, but we need to be focused on the business, how we support the business. Doug LaHota, who I
[00:25:10] worked with at Splunk, I've totally stolen without credit and attribution enough times. But an analogy he used that I use now in presentations, particularly around resiliency is that, you know, brakes on a car are not there to stop the car. They're there to enable that
[00:25:25] vehicle, that high performance machine to operate at the safest possible speeds and perform at its best capacity so it doesn't crash and burn. And I think there's too much of this idea that cybersecurity is this IT function that's going to slow people down. I'm like, we've
[00:25:41] got to stop that. We have to move cybersecurity up the balance sheet and be more of a business enabler. And to do that, we need to talk to them better. I can't tell you how many times I've been in organizations where they don't get it. They don't understand.
[00:25:54] And the people saying that are high level executives that either have a cybersecurity or IT function that are complaining about the board, the CEO, the CFO, the COO, whoever, somebody doesn't get it. I'm like, do you think it might be you? I think the problem might be
[00:26:10] on your side of the table. Nobody gives a shit about your Splunk dashboards on the business side. They want to know what is happening to the business, where the risks are, where we're making acceptable risk, turn it into dollars and cents, not bits and bytes.
[00:26:26] And we are still too focused on that. We still want to live in this comfort zone of being too technical, which is so ironic to me because the roots of this was to get outside your comfort zone, to be curious, to explore not to get complacent.
[00:26:40] I feel too many people on the higher end are complacent in keeping gatekeeping for people that should be coming in from various fields out. Thank you for joining us for another part of the return of the Cybersecurity Interviews podcast. Join us next time as we dig into
[00:26:56] what I'm doing now and why I think it's going to change the industry. Thank you so much for joining us today on Cybersecurity Interviews. I hope that you enjoyed this interview as much as I did. Please go to Cybersecurity Interviews dot com where you can find every episode,
[00:27:12] including show notes and links for each guest. There you can also find social media links and just sign up for new episode notifications. Thanks. We'll talk soon.