The trio describes their experience of the conference so far before diving into the red-hot topic of security. Next, they consider the challenges which everyone in tech is up against right now, before ending the discussion on diversity (or the lack of it) in the IT industry.
For all the juicy details watch the video interview, audio podcast or scroll down for the readable Q&A.
Eric Berg: What has your conference been like so far?
Paula Januszkiewicz: It’s super crazy because I also have the community reporter role at Microsoft Ignite. That makes me really have to jump to many different locations for different interviews, with different people and so on. I also had my session yesterday.
Alex Benoit: Was the room packed?
Paula J.: Absolutely, it was full. And I’ve heard not everybody managed to actually get into the room, which I’m really sorry about but luckily, they were playing it in the Beemer over here. So that’s not too bad.
Alex B.: So how is Ignite for you?
Paula J.: Ignite is very good. It’s always an opportunity for me to meet up with other geeks. And really, this is the thing that I care about the most as I really like to be with people and talk to people, and wave to people, and have these conversations and interviews. So, it’s really something that gives me energy.
Eric Berg: Have you seen anything at Microsoft Ignite that was mind-blowing?
Paula J.: The Passwordless Resync. It’s bringing a little bit of a comfort for everybody.
Alex B.: How do you see the role of the CISO guys in the companies? It’s pretty challenging to stay ahead on every discussion with everything that’s going on even for us guys.
Paula J.: Yes, CISO is a very challenging role. I’m dealing with CISOs pretty much all the time because that’s my job. I’m the CEO of the company, at the same time doing pen-tests, consulting customers etc. So, we have this conversation about what is the biggest problem nowadays in cybersecurity and I think that the biggest problem that we have right now is the lack of a skill set. And I like to quote this one thing and sometimes I feel like I’m repeating myself, but the Financial Times actually made a very good point, because they said by 2019 we are going to be in need of six million cybersecurity professionals.
Alex B.: Oh, wow.
Paula J.: With the current development we have we’re going to be one and a half million short which means many things. Maybe security services’ prices will go up because the skill set matters. It really matters how much you know in cybersecurity. The companies will suffer because they will need to pay more for it. But on the other hand, if you want to hire someone good, you need to grow this person from the beginning. And I really think that this is an approach that companies should take.
Alex B.: And it’s very tough to hire people overall. The security consultant or security market overall is empty and there are no people to hire.
Paula J.: It’s not that bad, it’s just very difficult and I was also struggling with that problem. We are all struggling with that problem all the time. But who is actually a cybersecurity consultant if we try to define that person? It’s a person that could be growing under the wings of some kind of an enterprise or it could be an independent consultant which is a pretty hard job because you need to do your own sales.
Alex B.: And that costs a lot of time, right?
Paula J.: That’s my point. So sometimes, when we are searching for security consultants, we pick that area, because these people usually are a little bit tired of dealing with the sales part.
Eric Berg: That’s so true.
Paula J.: And that’s why we say, “Hey, you don’t need to do the sales part anymore. Come over and you’re going to do your geeky stuff.” And this is how you acquire a good talent. In security, you need to be up to date pretty much every day. It’s a mindset. To me, someone could finish in whatever subject but if there is a good approach and a good mindset that is a person to grow in cyber.
Eric Berg: Everybody here at Ignite sees a man, man, man, and sometimes, man. I think it’s the only conference where men have to wait to go to the restroom and the women always laugh at us for this.
Paula J.: Oh yeah.
Eric Berg: What about the role of women in technology and especially maybe women in security? What do you see there? Is this probably an opportunity to get some new people into this?
Paula Januszkiewicz: Yes! But just to give you an example, at one of the biggest banks actually the person who manages their major mainframe over there is a woman. I’m actually proud of that particular single event. Gender to me is not very important, as what really matters is how much you know. But a couple of years ago, it maybe was a little different.
I actually established the Women in Technology 12 years ago in my country in Poland. I’m not doing it anymore because I don’t have time, but at that time, that was actually needed. We are part of the minority group, and to step into the majority, you’re maybe a little bit shy.
My message at the time – and I haven’t changed the message – is that what really matters is how much you know. It’s really inspiring if you know something. The first thing I want to do when I learn something is to share it. Of course, there might be no one who wants to listen, but I’m still like ‘who wants to listen?’, yes.
Eric Berg: What you’re doing is good, so probably everybody wants to listen to you.
Paula J.: Cybersecurity is an interesting subject too, so it kind of defends itself. I’m really happy to see more women around us now than in the past.
The young generation got that message when I was doing this 12 years ago. They were women in their 20s, so now they are in their 30s and in their professional careers. If Women in Technology helped to bring about a change, I’m very proud to see that, and I’m not the only one that was doing this. If what we see right now is the result of what was happening in the past, awesome.
Eric Berg: What’s a good point to start in security? How do you get into this topic to grow your knowledge?
Paula J.: I really think that for someone who has no experience, it’s quite hard to be hired in an organization that will immediately give you some kind of a responsibility on the infrastructure. So, I really think that the good way to start for young people is to start at consulting companies. And the reason why I say this is because consulting companies will never give you a responsibility to do the implementation at the customer side, but they will grow you because this is in their business and they earn money on it.
So basically, if you’re young, you can jump into that kind of environment. Yes. It’s going to be hard. I was sleeping – and I still do – about four hours per day to technically do some stuff, like assist in the PKI implementations in the past. But that was really worth it. And I’m really thankful for whoever grew me.
Alex B.: Yeah, I would be totally scared if I was hired by a company and then responsible for the firewall even if it’s not the first line firewall and they say, “Hey, deal with the firewall” and I have no idea what I’m doing.
Eric Berg: If something happens that’s your fault.
Paula J.: Another issue is that we all tend to go where we feel comfortable, and you start feeling comfortable in an area that you don’t have full expertise in, which kind of makes you make even worse mistakes. So, you are learning this, but you don’t really know if it’s a good way or a bad way and there are not many people to challenge you. And in the consultancy world, there are actually challenges for you all the time.
Alex B.: And you will do these mistakes, right? There’s no way around it because you don’t know everything.
Paula J.: Of course.
Alex B.: And there are always people that are smarter than you in one area or another.
Paula J.: Always. And even when a company is hacked then there are forensic teams that come to the place. It’s a question of who was smarter, the hacker or you. And there was always someone being smarter and of course, that’s kind of like minimizes somewhere in the bottom. And there are small mistakes that we can make. But still, there’s always someone that looks at security from a different angle and I really appreciate that. Also, at Microsoft Ignite there are all these different security sessions and different conversations.
Everybody has their own experience and security is a relatively new subject. Sharing is caring; I know this about that environment and this is how we exploit it. And someone says, “Oh, there was this tool that one of the geeks wrote. Do you want to have it?” And then we exchange tools and knowledge which is really what I love about Ignite.
Alex B.: Eric and I were at the trust and tech close security roundtable on Tuesday and there were so many people from all the different areas and they always see CQURE. There were people from the firewall side and then we had network guys and some application security people there, and everybody brought in their experience. It’s always about sharing information.
Alex B.: So, joining a consulting business is a good starting point. How do you proceed then?
Paula Januszkiewicz: How do we start? I would suggest for juniors to actually get engaged with some kind of a consulting company so that they will challenge you to the point that you need to act faster. It’s kind of cruel but that’s how you challenge yourself. Not everybody is happy with doing this, of course. Not everybody needs to be challenged all the time as people don’t feel comfortable.
But security is actually that kind of a business in my opinion. So, you are basically in a consulting company, and then you need to find yourself a good leader, good mentors that will give you good examples. It’s very important because we have like 20 years of experience working in IT environments, but we sometimes lack the basics in security.
Maybe it’s not nice to say, but this is what I see in practice when I do pen-tests; sometimes it’s just a boring job. You go to the customers and you’re like, “Oh no, this isn’t working” and it’s the same mistake that you see all the time.
If you want to start your adventure in security, you need to read Windows Internals, and the 1500 pages need to be read not in one night but maybe many times over a year. This is the book to read to actually learn security basics.
Eric Berg: Yeah, I’ve spoken to CISOs or security people. They did firewall stuff and had no idea of how IPv6 works, and that’s because they said, “Hey, we only have IPv4 and we haven’t had the chance to deal with that yet.”
Paula J.: They could find a good technical advisor. The question is, does the CISO actually need to be that knowledgeable in technologies? Yes, they should be tech-savvy for sure and somewhat knowledgeable in my opinion. And they should also have an awareness that he or she is not really like, 100 percent tech savvy or like super geek out there in these technologies. So, then this person should hire an advisor, maybe internally, maybe externally, who knows someone who knows the technology best.
For example, right now, the trend is information protection. It’s been there for so many years but now people are starting to talk about it, and we’re like, “Okay, that makes sense.” We don’t want our documents to leak. So, what was happening, excuse me, for the past 10 years was that documents were leaking.
Eric Berg: You see this quite often today; everybody thinking oh that’s brand new, but we had it in the past and now everybody’s like, “Oh, that’s a good new idea.”
Paula J.: Totally.
Eric Berg: What are the other challenges you see?
Paula J.: The challenges that I see are that first of all experience needs to be built in general. We can see, for example, systems that are out there for like three months and then they’re like, “Hey, Paula, I just acquired this role, I am a CISO for three months we need a little bit of help.” Sometimes someone might be working in technology their whole life and then they take on a CISO role and I would say that’s maybe a little bit better.
The companies currently have to build a security framework or cybersecurity framework of the set of areas that everybody needs to cover and plan cybersecurity in every single area. Starting for example with (I know it’s another very technical subject) but let’s say HR. Who do you hire as your domain admin? It’s also a security process. And I’m not saying that domain admins are bad. But we’ve heard stories where domain admins were actually violating security.
I participated in a project like that, where we had to do forensics because domain admin was not very nice. And at the end, these people have access to our super-secret information and to our companies’ know-how. So, Information Protection comes into place. And there’s always this question of who controls the domain admin. So, there is a little bit of trust that we need to give to this person and secure ourselves with technology. But that trust should be actually a reasonably given trust by a well-designed HR process of hiring someone that has access to the full details of our company.
This is also a role of the CISO, to design these kinds of things. But of course, things like technology, what kind of algorithm, what kind of cryptography do we use in our company? Is it compliant with XYZ? Is it good for us? Bad for us? Do we have important incident response procedures?
Lots of companies, they don’t have it. For example, there was a forensic project, not long ago that we did and one of the first things we ask is, “Okay, so guys, did you manage to get the memory dump, this dump, etc?” And they were like, “No, because we had to recover because there is business going on. So, there was no time for that.” Okay, we understand, but that really makes it difficult at the end to spell out what actually happened in this company.
Eric Berg: I’m working a lot with the system admins, not the security guys in the company. And for them, it’s like, oh, our anti-virus has shown up that there was a Trojan or whatever and it was deleted. So, everything is fine. I’m done. And every time I’m like, “Are you sure? Are you sure that it was really just this one file that has been deleted?”
Alex B.: Are you interested in where it came from?
Eric Berg: Where it came from and where it ends and what happened before and after. So, it’s a good thing because you said two or three times now it’s processes and I have seen so many companies thinking about tools. I paid so much money for my tools and I bought this tool and I bought that tool and actually if you don’t have a process to deal with the tools it’s a problem. Do you see this too?
Paula J.: Absolutely and this is my favorite, actually. Some of the companies are very aware and that’s fantastic. I love to work this way. But some other companies might be a little bit challenging. There is one example that’s always in my head which was “we have like three anti-spam solutions”. That’s a quote.
I said, “Okay. Why do you need three?” And they said, “because the first one doesn’t discover it, and the second one …” And I said, “Why don’t you just have one, but configured well?” And they said, “Oh no, no, no, no we prefer to have three.” I’m like, “Okay. Great.” So basically, it’s just really a matter of awareness.
Alex B.: What we see a lot is that if a breach happens, nobody has an idea of what to do next. Do you see that too?
Paula J.: Yes, and that’s very sad because it happens. An incident response procedure is something that can be well-designed and well-planned. It’s not really a difficult process; a well-written incident response procedure is like a two-pager.
One of the funniest big mistakes that companies make is when they know that they are supposed to do the memory dump on to this dump. The first thing that they are struggling with is to find a drive, a USB drive on which you can actually store the evidence.
They’re like, “Oh, yeah, we know what to do. Has anybody got 300 gigs of free space?” There should be this pile of empty drives that are ready for that moment and toolkits – that is, an externally plugged-in toolkit from which we actually run different types of tools. I’ve seen forensic teams coming on site and they were installing the FDK on the host that was actually to be analyzed. My heart was bleeding. What can you say?!
Alex B.: You are a security expert. So, tell us a secret. How do you stay ahead?
Paula J.: Teamwork. Seriously, I regret that I have only one brain! I would like to have 10. That would be nice. But yes, it’s teamwork. If I don’t have time to check for something I’ve heard about on the news I’m like, “Oh, this is interesting. Hey guys, can you please check it.” Then whoever has time in our team will check it and share the knowledge with everybody.
Eric Berg: That is great.
Paula J.: That is really the power of security. It’s impossible to stay up to date by yourself so team up with someone; you have to be part of some kind of a group. And I’m not saying here let’s socialize or something. No, I’m talking about knowledge groups. The more we are able to cooperate with someone, the more we exchange.
I had a session yesterday and that session was also teamwork. I had an idea, but it needed a month of preparation. Can I spend one month on preparation? I would love to, but that’s really not possible. So, we always need to be supported by our team members.
And that’s why the trust is absolutely important, even though it’s an unpopular security statement!
Eric Berg: If you had a magic wish what would it be?
Paula J.: Okay, I still want to have my job, but at the same time, I really wish that everybody could implement code execution prevention. So that any tool that we write doesn’t work. This would be awesome because ransomware has been there for the past five years. And there are still companies that did nothing about it. And it’s really painful to see that.
Basically, these are allowing code that we don’t know to run; now with Microsoft, so Windows Defender ATP, we’ve got Exploit Guard. It’s an additional layer of protection because the regular antivirus etc. will not protect us from executing the malicious code directly in memory. Our performance at least nowadays would die a little bit. So, if I could just have one wish it would be code execution prevention, totally.