Mr. Darren Van Booven is a tech executive with over 20 years of experience. He has served in a number of senior executive positions, both in the US federal government, as Chief Information Security Officer (CISO) at the U.S. House of Representatives and for seven years as a counter-intelligence officer at the Central Intelligence Agency’s (CIA) Directorate of Operations, and in the private financial sector.
At the CIA he was responsible for carrying out nation-state intrusion investigations, incident response activities, and countering technical threats against operations. He also worked as a senior staff operations officer responsible for the mission of offensive cyber operations and forensic exploitation against the terrorist target. Mr. Van Booven spent time as a senior manager in the Office of Inspector General, where he evaluated the efficiency and effectiveness of technology used in Agency operations. He also holds CISSP, CISM and CISA certifications, and is a licensed CPA.
He sat down with Sensei School’s Co-founder Sunny Pedeva to talk about the current cybersecurity landscape.
The following interview has been edited for consistency, brevity and clarity.
What has led to the boom of cyber threats recently?
Van Booven: I think a combination of a couple of different things. One of them is that, even though malware like ransomware and the banking Trojans have evolved over time, over the last year or two it seems like they’ve gotten a lot more sophisticated, so there’s been a big increase in the ability of things like email hacks, for example, which is a big one, to infect an organization and take credentials that criminals then use for financial gain. I’ve actually worked in a couple of organizations as part of an incident response where almost the entire environment had been affected by this and the criminals had been using the credentials to get anything and everything they can. And once they have it in there, it’s very hard for an organization to respond appropriately. So there are a lot of organizations that are being constantly hit with things like that or ransomware, somewhat more than in the past. The business email compromise is just very prevalent right now.
Almost every organization I talk to, medium-sized or above, has the same problems and they’re constantly looking at how to solve them. I would say the other one, which is somewhat driven by the media but is also a very real thing, is what you hear about nation-state threats and the different types of tools that are deployed because of leaks. I think that just the collection of all of those types of things over the last couple of years has elevated the understanding of the threat in terms of what is possible, and that also has led to organizations thinking a little bit more carefully about the threat. Going back to what we were talking about a minute ago, the Internet of Things: an area which is also changing from a threat perspective is critical infrastructure and control system security, which is closely tied to that. A lot of devices or machinery control equipment and whatnot that gets deployed is network and IP enabled, but it doesn’t necessarily have any kind of strong security built into it. We’ve seen, again in the last couple of years, more of those types of things being compromised. And I think that also is contributing to the perspective that the threat is expanding in multiple areas, not just the typical office worker on a PC anymore.
Van Booven: I would say that the foundational thing that companies have to start with, that they don’t always start with, is having a defined risk management approach. You can do that, you can choose a particular framework like an ISP ISO framework, or just any of those frameworks to base risk on. It’s essentially the language by which you capture and describe the risk to the organization to the leadership of the organization. So that not only do you have a framework for doing that, but you’re consistently describing the risk. Really, the bigger risks that a company faces, whether it’s technical, personnel, physical security, all that stuff, it’s the leadership of the company that has to make the trade-offs and the decision to accept certain kinds of risk. It’s up to the cybersecurity people to describe that adequately.
If you talk to a CEO, or CFO, or CIO, name your person, and you confuse them with technical jargon they don’t understand, in a lot of conversations I’ve had or been a part of, they don’t always tell you when they don’t understand something. They’ll just listen to you, and so there really needs to be an assumption that they know the business very well, but a lot of work has to go into describing what it really means to them. We’ve had a problem doing that. And if you don’t, then certain risks are either not understood properly or not accepted.
But once you have an effective process in place to do that, you can then make really good decisions from financial and personnel perspectives, to allocate resources in the right way and allocate resources to the risk areas that need it the most. Essentially, in a lot of companies, you could throw $100 million at a security organization and they would probably find a way to spend it, but you can’t defend all areas of the organization equally; you have to pick up this base approach. That’s really what they need to start with, and there are some technology solutions out there. In the most basic form, you can use something like a spreadsheet to do it. You don’t necessarily have to have all-sensing technology, but the solutions that are out there (governance, risk and compliance tools) do a good job of tracking that stuff over time. And for budget organizations that get audited a lot, you’ll need to track audit findings and risks that come up in security assessments. All those things really need to play into it. In order to track all of that and have a living picture of what risk looks like, I think you have to have one of those governance tools.
Is this the next big career opportunity for people?
Van Booven: For starters, I would say there is a really huge opportunity for people in this field for a few reasons. One is because it’s very difficult to get somebody who has the foundation needed to be effective. I compare cybersecurity professionals to being a doctor. In order to become a medical doctor, you have to have a foundation in the human body, i.e. the respiratory system, the circulatory system; you have to understand medicines. Well, to be effective in cybersecurity, you have to understand networking and operating systems, and web applications, and malware and all of the foundations in order to get the big picture. Then adding on top of that, that’s your technical stuff to understand. First, you need to understand policy, you need to understand compliance, you need to understand the risk management side of things. And then overlaying both of those, which is probably the most difficult thing to find, is getting people that have the right mix of soft skills: to be able to write well, to communicate in person, to be able to influence people, and having the aptitude to constantly learn new things.
“I would rather take somebody who has a part of the foundation and has some gaps, but who is very, very excited and has the aptitude to learn more.”
I’d take those people over somebody who may be a little more experienced, but may not have that same aptitude, because things change so fast, you really have to spend time to keep up with it. For somebody who really enjoys technology, how it’s used, and how it fits into an organization, there’s a huge demand for those types of people, and I will see a lot of people who claim to have certain skills, but they don’t necessarily have them in the right areas. What I mean by that is somebody who is very good technically wants to be a CISO (Chief Information Security Officer) or be Head of Security in an organization, but you need a lot more than the technical skills to be able to do that job, and most like it. You need to understand risk management, compliance, privacy, how to write well, how to budget money, program management type of things, and also how security integrates with the rest of the technology process. So you need to understand change management, configuration management, software development processes, the basic IT processes which the rest of the IT organization uses. If you’re just somebody who knows malware really well, you may not understand how changes are made to your financial system. Being very open to learning new things is very important.
Sensei School is an instructor led virtual cybersecurity school with no upfront fees and no debt. Launch your new career with an average starting salary of $85,000 by applying today !
Will cybersecurity be something that companies outsource or a capability they develop in-house?
Darren: “That’s a very good question. I think it’s actually a combination of both.”
Van Booven: The reason being that, in terms of developing in-house, I think there is such a shortage of people out there who have the necessary skills. Companies have to have people looking at this, and a lot of them are focusing on how to train and develop their own internal people. And you have to, because the range of things that you need to have a good foundation is difficult to get unless you have a variety of experiences or you are actually consciously working at it. Companies who work with their staff to form a training program of development that includes these things will be the ones who develop good, well-rounded people. If they don’t do that, if they don’t develop their people internally, they’re either going to have to go without them or they will have to outsource those functions.
But going to that question, the threat landscape is so sophisticated these days that to really have all of the right mix of skills that an organization needs to have can be very cost prohibitive for a lot of companies, and especially medium-sized companies. They may not have the money to staff people 24/7 who understand malware, intrusion detection, and all of the different elements of security. You may have a good technical team, but not necessarily all the types of people. Moreover, if they do have it, turnover and attrition, keeping those people there, is challenging. A lot of organizations that have a good approach to recruiting find it difficult to retain people just because of the market position. In these situations, continuity of personnel ends up becoming a bigger risk.
If you outsource, or staff out, or hire services to provide some of those, you can get, if you choose the right organization, a more consistent level of service, and you can also take advantage of some additional skills that you may not be able to afford in-house. I don’t think that a lot of companies, with the exception of maybe smaller ones, will completely outsource all of their security department. The reason why is that security is a lot more than just running technical tools. It’s understanding the business, it’s integrating into the business’s IT operations. You’re really a part of the IT department, and you can’t do that if you’re sitting halfway across the country from where that stuff is taking place. You have to be in there with the developers and operations, and network guys. You need to have some of those people. You’d probably need both, and the mixture of them will be dependent upon the company, the industry and the people that work there.
Darren: “I actually get that question a lot.”
Van Booven: One of the things that I suggest, which is very easy for people to do, is to look at vacancy notices and all of the job ads that companies post on job boards, because it gives you an idea of the different types of positions that are out there, how the company describes these positions, what the skills are that are needed, and it just gives you some familiarity with what the different options are that are available. Because there are so many different companies looking for people, you will get a good range of what those are.
But in terms of developing the skills, I would say, I’ve worked with people who come from a lot of different fields; some of them are IT people that may have been system administrators, network engineers, or developers, so they have a certain foundation technology-wise, and they would need to look at whether they are missing any part of their basic foundation if they need to really start looking at those security questions. What I mean by that is that you may have someone who is very strong in networking, but doesn’t really know how a web application works. You really have to have that basic understanding, because if you don’t, you’re not going to grasp a big piece of the overall threat landscape.
I would call it a triage of your skill set, doing an assessment of your skills, like what do you have and what do you not have. If you are coming in from a completely different field and don’t have any technology background, getting that foundation is definitely the most important thing to start with. Understanding the basics of networking and operating systems (I suggest both Windows and Linux). A coordinated approach to hitting each one of these areas, web applications, malware; and there’s a lot of reading that somebody needs to do to identify the best way to get some of those. It makes sense to get certifications in certain areas, more because in the process of getting a certification it teaches you all of the foundational skills. It can take a while to get all those different areas.
But again, it’s hard to do security effectively without at least having some skills in each of these foundational areas, and, if you do, it’s understanding risk management that is very important. What are the risks associated with them? What are the threats? How do you manage vulnerabilities? Some think it needs a lot of people, but it really doesn’t. One thing which a lot of security people don’t necessarily do, which they could do to enhance their careers, is focus on the areas that the rest of the IT organization uses and then, again, change management, and how security fits into that. A lot of people may be in the field one or two years and then the next year they want to be a CISO. There is a huge gap there between skill sets as far as what you need, and just having a coordinated plan that you work on is important, making sure you hit on each of the areas.
Van Booven: I would say probably the biggest thing that I found to be most useful is to actively manage your career in that you always have a development plan, which has a few different aspects to it. One is the technical aspects. The other one is just the overall career goal. Do you want to be a technical expert? Where do you see your career going? Actually documenting that and creating goals around it, so that you can work towards those things and course correct as needed and talk to a lot of people.
People actually will reach out to me on LinkedIn with questions. And I may not have all the right answers, in fact, I know I don’t, but I will give them my opinion based on my experience, and if they talk to a lot of different people, they’ll get a lot of different perspectives. And then they’ll have some good input to base their own career decision on. Being open to talking to others, learning from others who have gone through some of the same things, same challenges, networking, going to conferences and events, participating in forums online. They’re very important. This field is very big into information sharing, you really have to network, and somebody who does that and has an open mind I think will be successful.
And not everybody does that. Everybody’s in charge of their own career. It’s great when you have a management team who supports your career, but as an individual you want your own career. You may be in an organization where there is not enough headroom to get promoted to a certain model, but you really are ready; then sometimes you have to look at moving to another organization. That’s another thing which some people are willing to do and some aren’t. If you sort of stay in the same place in the same job for 10 years, you’re not getting that diversity of experience that you need.
Van Booven: At the moment I’m starting a new professional services company, Nereus Systems, with my partner. It’s designed to focus on changes in the technology landscape and the need to keep pace with those changes from a security perspective. And also to understand how they impact technologies that are currently in use, including changes in the application development and operations world, which is really transitioning to a model of delivering applications using microservices and containers in the cloud. A lot of organizations have started that transition, but there are a lot more that haven’t or don’t necessarily have the skill sets and the know-how to do that.
With that comes a change, because applications are being delivered a bit differently, and security people have to look at how to secure those things properly. It is a little bit different from your typical monolithic application. And then helping organizations to navigate that and the security map, as well as the underlying processes in that organization, such as how to do DevOps and how to get from development to production. It’s one thing to know the technology, but it’s another to understand the process underneath it. Helping them with the process change so that security is built into that process as well. There’s a lot of organizational change management that has to occur.
The next area, which you hear a lot about, is machine learning and artificial intelligence. The reason that is out there quite a bit is because the machine learning algorithms have really hit, what I would call, fine time in terms of being able to actually solve real business problems. People that know both the technology side and are able to think abstractly and answer business questions are in short supply. Someone may know what the technology is, but they may not know how to use that to solve business problems, and vice versa. A combination of these and the proliferation of IoT (Internet of Things), how to network those things and secure them properly, is another part of the whole computing environment. Knowing how to do that and provide assurance over their operation as a company or organization can be challenging for a lot of people because they haven’t really incorporated that into their security. These may appear to be three completely different areas, but really I think the importance is to effectively manage security and provide assurance over information. You have to understand how people use technology, and that really involves getting into understanding why they are choosing technology, how they are using it, and being able to consult on that.
Sensei School’s Meet-A-Pro series features notable leaders in different fields from around the world, who share their insights and knowledge. They are also sometimes guest lecturers at Sensei School.
Edited by Teodor Teofilov, Sunny Pedeva & Dimitar Vidolov