Cybersecurity Effectiveness Podcast

Raj Samani

“The role of the security department is judged on what you fail at. You can be 99.9% successful, and yet when there's a major breach, you're the first one to get thrown out, and so demonstrating and articulating value is the challenge that we face as an industry, and I think we've fundamentally failed as an industry to do that.”

Raj Samani is a computer security expert working as Chief Scientist and Fellow for the cybersecurity firm McAfee. He has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe Hall of Fame, the Peter Szor Award, and many others.

Brian Contos:                

Welcome to the Cybersecurity Effectiveness podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve, and communicate security effectiveness. I'm your host Brian Contos, and we've got a really special guest today. Joining me is Raj Samani. Welcome to the podcast, Raj.

Raj Samani:                  

Hi Brian.

Brian Contos:                

Raj, before we get going, you've got a great, great background in security, and your path, you know, to CTO of EMEA for McAfee, and then eventually Fellow, and Chief Scientist, and can you kind of tell us your story.

Raj Samani:                  

Well to be honest, I'm still Raj, and I always say to people, you know, don't define me by my job title, judge me on who I am, and I think regardless of the title that I have, I would rather kind of position myself like that, because ultimately the job title doesn't define who you are.

Raj Samani:                  

But actually it was quite interesting, because I finished up a master's degree in information technology, and at the time, there wasn't really a career path to get into security, but I just knew that I loved it. In fact, my final dissertation as part of my masters was developing a Bastion host within a pharmaceutical company. Now, for those of you that are a little older, you may understand the term Bastion host, but I always kind of had this interest.

Raj Samani:                  

And you know, even when I began my career, I started at the help desk. I kind of veered towards roles that were I think more security related. So for example, I led investigations against misuse of acceptable use policies, even when there weren't acceptable use policies, and it was actually after I finished my master's, I did 35 professional exams right from, you know, from the Ciscos, to the Microsofts, to the RSA SecurID, and so I kind of always was interested in security, but I just didn't know whether there was actually a job or a career.

Raj Samani:                  

And it was interesting, because I actually made this conscious decision to pursue a career in this kind of nascent industry, and you know, it wasn't really an industry actually, it was probably more of a community, and so I started in the help desk, and then I worked in the server infrastructure for a large telco, and then all of a sudden a security consultancy role came up, and it was poorly paid, but it was what I wanted to do.

Raj Samani:                  

And I think it really started from there, and I think the scariest things for me were public speaking for the first time. I did that in InfoSec, and I was petrified, and then of course, writing books, and doing my own research, and really I think everything that I've done, I've kind of done in many cases, my own time, all of my learning. So, writing a book, researching, doing certifications, they were all done whilst I had a day job, and actually I was just married as well, and you know, kids came through as well.

Brian Contos:                

Well, no one's ever gonna say you don't wear a lot of hats. I mean, I remember when we were working together, when I was at McAfee covering emerging markets, you had just completed a book on, I believe related to the smart grid, but essentially tied to security for critical infrastructure, and SCADA, and things like that, of which there's just not a ton of literature out there on that topic. So you know, you're certainly a man of many parts.

Raj Samani:                  

Well, no one read it.

Brian Contos:                

My mom said it was great.

Raj Samani:                  

Yeah. You know, we were battling with Harry Potter for a while, but they just crept ahead.

Brian Contos:                

It didn't make it to the Oprah Book Club for some reason, I don't know why. You know Raj, what I love about you, and I love many things, but one of them is you often have a very different perspective on things than the majority of the sort of cybersecurity thought leaders, and one of the topics that we've chatted about in the past is this cybersecurity skill gap, and everywhere you go, there's a skill gap, there's not enough people, there's not enough training, we don't have the right folks, and you've actually said there is no cybersecurity skill gap. So, what exactly do you mean by that?

Raj Samani:                  

Alright, so I'm bracing myself to be flayed. What I meant by that is, people go out, and say, "Well, you know, we need to go, and hire somebody." Actually, I'll tell you a real case, a friend of mine is an application developer, and he's a security developer. So, he actually went for a job, and it was for a security developer for a public sector organization, and they offered him 25,000, and we kind of had a big chuckle about that, because you know, clearly he's been doing this for years, but it kind of plays to this issue whereby companies go out, and say, "Well, I want somebody with X years worth of experience, I need somebody with these certifications. I need somebody who has a clearance," and et cetera, et cetera, et cetera, when sometimes you just need to say, "You know what? What I need to do is I need to find somebody with the right attitude, somebody with enthusiasm, somebody willing to kind of step in, and learn," and that to me is what I meant by that, which is like for example, I've just taken on an individual, Lee Munson, and like three years ago, Lee was working in a supermarket, and you know, I hired him, because here's a guy that demonstrates passion.

Raj Samani:                  

Here's a guy that in his own time began to learn, here's somebody that began to blog, began to do podcasts, and so forth, and so for me, it's more a case of find[ing] the right person, because quite frankly, technical skills are overrated. You can learn that from a book, but having the right attitude, having the right enthusiasm, having a passion for our industry, that's not something that you can learn. That's not something you can get out of a book.

Brian Contos:                

Yeah. You know, I always see these organizations looking for unicorns, especially when I see folks hiring for like SOC analysts, and there's this need to have SOC analysts in all these different organizations, public sector, private sector around the world, but the things that they're asking, they're complete unicorns, as opposed to what you said, somebody that's passionate, and eager, and willing to put in the cycles in the back end, which are unique people, and don't necessarily come--and I say this all the time--they don't necessarily come from that technical computer science, computer engineering, you know, security certification background, they come from other areas.

Brian Contos:                

So, that's great to hear you're a proponent of that as well, but how do we get more people into this industry? Clearly there's always going to be a need, and a growing need. How do we attract people?

Raj Samani:                  

So, there's a major issue, and actually, let me relay a story to you. So in fact, my kids just moved to a new school, and we actually went to see actually my old school funny enough, and I remember we were actually being shown around.

Raj Samani:                  

It's a secondary school, so I think like the equivalent is high school, and I remember at the time, this kid turns around to us who's showing us around, and said, "Does your daughter like beauty?" And he actually spoke like that, and I went, 'What does that question actually mean?' Like, I have genuinely nobody in the 21 years that I've been alive ...

Brian Contos:                

See if your daughter liked beauty.

Raj Samani:                  

See if my daughter liked beauty, and I went, "I have no idea what that means," but I just went, "Yeah, sure," and he gets to this door, and there's like a knock at the door, and the door opens, and a woman comes out who's dressed up in an outfit that you would see in a salon.

Raj Samani:                  

And behind her, there're these salon benches, and there's three girls in there, there's this one girl folding towels, and she's really young, but she's dressed up again like a salon, and there's another girl lying down while her feet are being pedicured in a school.

Raj Samani:                  

And I said, "What is going on? I've no idea what's happening here," and she said really proudly, she said, "Well, you know, some of our girls aren't going to be going down the traditional path of GCSE," so like, when you're 16 allows you to get into college. "What we do is, we find these girls, and we teach them about becoming beauticians," and I said, "Right," "And we give them a diploma, and then they can go out, and work for local salons, and in fact, we've taken loads of girls who now work at local salons."

Brian Contos:                

Wow.

Raj Samani:                  

And I was like speechless. I was like, 'What the hell are you talking about?', and my wife, and I, we just looked at each other, and like we've got this telepathic link, we look at each other, and she's got this look which kind of says, "Honey, this is bullshit," and she looked at me in that way, and we just kind of ran screaming.

Raj Samani:                  

But it kind of made me realize that the reality is, is that these girls probably haven't even considered a career in cyber security, and funnily enough, I go to speak at a school every month, right? So, I try to speak at a school every month to talk about getting into this industry, and three days later, I actually went to another school, and I spoke to them about my job.

Raj Samani:                  

And as a result, because it was a girls' school at the time, three of the girls said, "How do we get into this industry?" And actually I spent some time talking to them, and showing them the path to get into this industry, and I think, you know, for every single person listening to this podcast, get up off your backside, contact a local school, and just talk about your job, and you know, we sponsored Bletchley Park, and we've actually organized for schools to come up to Bletchley Park where we'll give talks about getting into the industry.

Raj Samani:                  

And I think we need to act as role models, you, me, you know, our peers to get kids to understand like how awesome this industry really is. I mean, I've got to meet heads of state, I get to sit down with CEOs. That to me is the opportunity for all of us to help inspire a generation.

Brian Contos:                

Yeah, I think that's fantastic advice. I know you, and I share that desire, and you know, I have two daughters. They're both in middle school, and you know, they're involved with Python programming, and robotics engineering, and I've done the same, not as often as you, but I go, and speak at the school sometimes, just so they know that there's an opportunity that there's this type of job, because it's not necessarily something that people would think about unless they've researched this path of security that, "Hey, this is an option."

Brian Contos:                

And within security, there's so many different aspects of it. I love that you're doing that, and I think you're absolutely right, more of us need to get involved, but if we switch gears a little bit, and we talk about cybersecurity overall, I know there's a lot of frustration in this space as well amongst people that have been in the space for I guess, more than a few weeks, and that's, that we always seem to be playing catch up as it relates to cyber attacks. Why do you think that's the case?

Raj Samani:                  

Well, we're not, and actually I kind of want to disprove that, and actually, here is the fundamental issue about our industry. So, funny enough actually, I was actually talking to a CSO of one of the biggest banks, and he said to me, "You know, Raj, there were 11 malware samples that got through our environment, and detonated," the exact words, and I said, "Okay," and he said, "But you know, the reality is that, I mean, I was beaten up about that, but the reality is, is that we stopped tens of millions of other attacks."

Raj Samani:                  

The fact is, three, or four, or five, or six would've gotten through, and that's the crux of the issue, because the role of the security department is judged on what you fail, and what you miss at, right? So for example, you know, if I'm a big Tottenham Hotspur Fan, right?

Raj Samani:                  

So, if Harry Kane, who's, like, the best striker in the world, if he scored, if he got 99.9% shot conversion, it would be dramatic. Everyone would go, "Wow, what a remarkable, and amazing player," whereas we, we're judged on what we miss, rather than what we successfully stop, and I think the challenge that we face as an industry is, we need to start to determine ways that we can articulate the value that we provide to the business, rather than just simply being judged on what we miss out on.

Raj Samani:

Because actually, we're so successful. I mean, you find me another department that has a 99.9% success rate, and I will call you a liar, because I don't think that exists, right? Whereas, that's what we are. We are 99.9% successful, and yet when there's a major breach, you're the first one to get thrown out, you're the first one to be kind of thrown out, and so demonstrating, and articulating value is the challenge that we face as an industry, and I think we've fundamentally failed as an industry to do that.

Raj Samani:                  

And you know, that's part of the reason why in Fortune 500 companies that not a single person in a senior executive position, say as a CEO, that I think has actually come from security. So, these are the challenges that I think we're going to have to address as an industry.

Brian Contos:                

Yeah, and I couldn't agree with you more. Demonstrating, and articulating value, showing me what's working, what's not, what I need you to fix, where I need to invest, and prioritize, and making sure that the leaders that might not be security experts, or might not even be technical, kind of understand, you can put that into business terms.

Brian Contos:                

No, I love that, again, another great perspective. Let's talk a little bit about security vendors. What are some fundamental things that you feel security vendors should be doing that they perhaps currently aren't doing?

Raj Samani:                  

You know, it's funny. When we worked together, there was this term that goes around like trusted advisor, you remember that?

Brian Contos:                

Oh yeah. We had whole campaigns around the trusted advisor.

Raj Samani:                  

But it's remarkable, because when I was a CSO, I remember there were three companies that I would consider my trusted advisers. You know, they were the biggest database company, the company that provided my servers, and another, and like for me, I want to be careful that I don't keep kind of reiterating like stereotypes, but quite frankly, you need somebody who's your partner, and I'll give you a great case in point.

Raj Samani:                  

I mean, I remember when there was a major attack compromising systems all across the Middle East. Do you remember the Shamoon attacks?

Brian Contos:                

Absolutely.

Raj Samani:                  

Those were wiper programs that were wiping out systems all across the environment, and we ended up getting a phone call from one organization, and they said, 'Look, you know, we need help. Can you get somebody here?'

Raj Samani:                  

And that's the role of a security vendor who's a security partner, and your ability to be able to make that phone call at the right level to be able to get that support when you need it the most. You know, the fact that you can have 25 people on site the next day completely hunting for the malware, reversing, determining what it is, beginning the rebuild process, getting that organization back on line.

Raj Samani:                  

And I think all too often there's kind of this really, vicious rhetoric where people look at security vendors with disdain, and you know, I don't think that's really very helpful. I mean, we're just normal people trying to do a job, and you know, ultimately we're trying to support organizations in achieving their business objectives, which fundamentally is staying online, fundamentally making sure that their customer information is not stolen, and sold by criminals online.

Raj Samani:                  

When WannaCry happened, people looked at us, and said, 'Well, can you tell us whether we're protected? Can you tell us how the malware works? Can you tell us where it might have come from? Were we targeted?' And I think all too often, you know, the security vendor community, to me, it's not a tactical relationship.

Raj Samani:                  

It actually needs to be a kind of bona fide relationship that you have, such that if there is an issue, or even if there's not an issue, you know, you keep me updated with what's actually happening, or what type of threats are likely to come down my environment, because if you don't do that, the term CSO stands for Career Is So Over, because they're the first ones in the firing line.

Brian Contos:                

Yeah. You know, and that this whole notion of, you know, the vendor has a scarlet V on their chest, so before the conversation even starts, you have to take it with a grain of salt. I think that's very much a legacy perspective.

Brian Contos:                

You know, I think a lot of people are doing good work, and trying to do good things, and to your point, becoming that trusted advisor is so important, because you're more than a product, you're more than a service, you're a partner.

Brian Contos:                

Let's talk a little bit about Europe. You know, you travel the world, you've been everywhere multiple times, but specifically to Europe, juxtaposed to the rest of the world. When it comes to cybersecurity, doing about the same, better, worse, how would you characterize it?

Raj Samani:                  

Well, so I always hate those questions, because there are no borders, and there are no boundaries on the internet. You know, the reality is, is that criminals don't see them as, 'Oh well that's Europe, or that's Germany, or that's the UK.'

Raj Samani:                  

Ultimately, it's an IP address. Ultimately, it's an open RDP port 3389. The reality is, is that, that's the way that we're perceived by the criminal environment, and so why do we try to categorize, why do we try to segment?

Raj Samani:                  

Fundamentally, it doesn't matter where you are, it doesn't matter the fact that I'm, you know, I'm kind of five, or eight, or nine hours behind you. The reality is, is that whether it's Europe, whether it's the United States, there are systems that are well patched, and well secured, and there are systems that aren't well patched, and aren't well secured, and almost physically where that system sits I think is irrelevant.

Raj Samani:                  

And you know, we need to sort of move away from this concept of, you know, the UK is more vulnerable, or less vulnerable than the US, or the UK. I mean, I think all of us realize that that's kind of like an urban myth.

Brian Contos:                

Sure. Now, great, great perspective on that as well. So Raj, as we wrap up here, there's a question I like to ask everybody that comes on the show, and that's who's your favorite superhero, or a super villain, and why?

Raj Samani:                  

I love Thanos. I think Thanos...

Brian Contos:                

Of course you'd say Thanos! Of all the options you had, you had to pick him.

Raj Samani:                  

Well, you know, 'cause I liked the film. I can't stand the Captain Americas, and Thors, and the goody-goody two shoes, because actually life is not black and white, and actually if we look at our industry, it's not black and white, because you know, people will say, "Well, cyber-criminals are really terrible. Cyber-criminals shouldn't be doing what they're doing, or they all come out from Eastern Europe."

Raj Samani:                  

But actually, we need to ask ourselves a question, why does somebody in say, for example, you know, everybody says, "All right, it's from Russia," for example. Well, why are people going out, and conducting ransomware campaigns? Well, let's have a look at the environment that they work in.

Raj Samani:                  

If people have good IT skills, look at the amount of money that they're likely to make, and the life that they're likely to have within these particular nations, and I think when you look at it from that perspective, which is it's not black, and white. The reason that somebody might be doing this is because A, there's a perceived less lack of risk, or B, they might be doing this, because actually the reality is, is they're not going to be able to get, you know, a career, or a salary that's befitting the talents that they have.

Raj Samani:                  

Likewise, if you look at the last Avengers movie, it's not black and white, you know, you say with Thanos for example, what he did was he did it for the long term benefit of the human race. Well, is that good, is that bad? You know, and I think like, that juxtaposition that we have with regards to the way we look at things, it's not black and white. Nothing is black and white.

Raj Samani:                  

How can we start getting people to move away from cyber-crime? Well, quite frankly, we need to find ways to find economic opportunities within the white hat space. Likewise, how do we begin to address some of the perceived lack of risk? Well, that's where working with law enforcement needs to happen.

Raj Samani:                  

That's where more arrests need to happen, but how do you do that when you've got the lack of extradition treaties with nations that for example, are not cooperative, and so it's not a simple question, and I think that's the role of our industry, which is it's not an IT problem. We are literally facing kind of huge geopolitical situations, and ultimately, our systems are the pawns in these major fights.

Brian Contos:                

Well stated as always. You know, here's the thing. You know, when you're a kid, you like Batman, and when you grow up, you realize the Joker was always right, and that things aren't as black and white, and perspectives are always changing, and growing, and maturing, and this, and that, and I think you're right.

Brian Contos:                

If you look at somebody in a country where they don't have any other options, but to be a black hat, they're going to take that option, because it's not a question of even want, it's a question of need, as opposed to having these opportunities, and of course we see that in a lot of locations around the world, certainly in certain Eastern European countries where people just don't have those opportunities to do other things. So, yeah.

Raj Samani:                  

So actually, funny enough, we actually interviewed a criminal that was behind the ransomware campaigns, because of course they give you their contact details. I mean, we're the only area of crime with a help desk, and we actually asked this person, we said, "Look, you know, why are you doing this?"

Raj Samani:                  

And it turned out that they were from eastern Africa, and they said, "Well, I'm doing it to buy a house." So that's what I mean, they did this, because they didn't think there was any other way that they could afford a house. Now, I'm not saying that that's the right way to do things, but if we had the opportunity to be able to reach out to that person, and if they had the right technical skills, then maybe they could have followed a path that wasn't encrypting systems across the world.

Raj Samani:                  

And so, it's not a black and white question, and I think, you know, clearly if you do something that breaks the law, then clearly you need to pay the consequences, but likewise, the macro situation that we've created and the disparate nature of wealth means that if you're born in a certain country, it doesn't matter what technical skills you have, you don't get the same opportunities that say, Brian Contos has for example.

Brian Contos:                

Yeah, yeah. No, you're right, and I think this actually might be an interesting follow-up topic. It's something that we can go really deep into, and you know, you and I have both traveled everywhere. I think I've been to 50 plus countries, and just seeing the opportunities that people have, and don't have, and what's available to them, and you know, you gain a new perspective on sort of this global world that we live in, and kind of people's approaches to things. "Hey, I'm hacking, because I need to buy a house, and I need to buy a house, because I have a family, and I have to take care of them. That's all, you know? That's all there is to it."

Raj Samani:                  

Yeah, I mean, I saw this young boy, we were in Bombay, and I remember at the time he was actually living on the street with his parents, and you know, he turned around, he was looking at my wife, and I went, and spoke to him, and I said, "Are you okay?" And we had ice creams, and he said, "I've never had an ice cream in my life," and he was like 12, 13 years old, and I was like, Oh my God, you know, I gave him an ice cream, and you know, we take things like that for granted.

Raj Samani:                  

You know, you and I complain, "Oh I'm not an SVP," or, "Oh my God, you know, life is terrible, 'cause my electric gates don't work," but I think we lose perspective of like 95% of the world around us, and I sat down, and I watched this little boy eat ice cream, and I was like, "Well jeez, that's not going to help you."

Raj Samani:                  

So, funny enough, we actually bought him a shoeshine kit. So, he can now begin to earn money for his family, and that was like, what, five bucks? You know? I didn't even think about it, and so it's important not to lose sight of the fact that we are human beings, and whether you're a vendor, whether you're a CSO, ultimately, we're all human beings trying to do the right thing, and so I think that's probably the message that I'd like to leave us with.

Brian Contos:

Awesome. Well Raj, thanks so much, and thanks to our listeners again for joining us. Be sure to check out other Cybersecurity Effectiveness Podcasts, sponsored by Verodin.
