9
Kyle Bubp

Closeup image of the cofounder of Savage Security “Kyle Bubp.”

“For me, many security decisions can be hard decisions, but if we do our homework and use the data to our advantage, we can make well-informed decisions and minimize impact.”

Twitter: @kylebubp

For more than a decade, Kyle Bubp has worked for enterprises, hosting providers, the FBI, the Department of Energy, and the Department of Defense to analyze and improve their security posture. As cofounder of Savage Security, he focused on cutting through fear, uncertainty, and doubt (FUD) to help make defensive strategies cheaper and easier for customers. His company was later acquired by Threatcare, where Kyle served as the director of strategic services and worked directly with the CEO. Kyle continues to develop practical defensive strategies, research security issues, and publish articles and presentations on improving the security industry. Outside of work, you'll find him hiking, riding motorcycles, hitting the gym, playing music, and exploring the globe.

Do you believe there is a massive shortage of career cybersecurity professionals?

I'm not sure how I would define a career cybersecurity professional. I think there's a shortage in realistic expectations. Perhaps instead of a shortage of talent, we have an excess of expectations? By that I mean most of the really good cybersecurity folks were once really good Windows/Linux/network admins. They've been around the block; they understand how to configure and maintain the systems they are now entrusted to protect. They've likely written scripts to automate repetitive tasks, and they've had to work with management and cross-functional teams on projects. They don't have “security” or “cyber” in their job titles, but they would likely make excellent security practitioners.

Perhaps we should stop scouring the job sites for “security” candidates and instead think about our environments, where our risk resides, and then find folks who are experts in those systems with an interest in security, demonstrated ability to work across teams, and a continued history of education, training, and curiosity.

What's the most important decision you've made or action you've taken related to a business risk?

I don't know if it's the most important decision, but it's certainly a recent decision that could have had a massive impact on email, both to and from our organization. We recently implemented SPF and DMARC in a hard fail mode. This impacts not just inbound email but also any marketing emails that masquerade as coming from our domain. Anyone who has worked in a large environment with multiple technical teams will tell you that there is shadow IT. We did our best to do our due diligence and gather logs of who was sending as us, validating those senders, and then adding them to our SPF records. The time came for the change to go into effect that would hard fail any sender not aligned to our policies. Furthermore, we are a retail organization going into the holiday season, so any email delivery issues could really impact revenue.

I chose the path to move forward with a hard fail on our 15+ domains because I trusted in our team, the work we did to gather logs, and the risk reduction of spoofed emails. After the change, we monitored our aggregate and forensic reports, compared that data and volume to before the change, and worked with our marketing departments to ensure that there was no disruption to their services.
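The monitoring step described above (watching DMARC aggregate reports before and after moving to a hard-fail policy) comes down to parsing the RUA XML that receiving mail providers send back. The script below is an added illustration for this chapter and is not Kyle Bubp's or his team's tooling; it uses only the Python standard library and a constructed sample report with documentation-range IP addresses and made-up domains (`example.test`, `marketing-vendor.test`). It separates traffic that passes DMARC from traffic that fails, and within the failures it distinguishes senders that pass SPF for some other domain (a legitimate third-party sender that was never added to the SPF record, the shadow-IT case) from senders that pass nothing (the spoofing the policy is meant to stop).

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate (RUA) report, trimmed to the fields used here.
# IPs are from RFC 5737 documentation ranges; domains are placeholders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain>
    <p>reject</p>
    <adkim>r</adkim>
    <aspf>r</aspf>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results><spf><domain>example.test</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results><spf><domain>marketing-vendor.test</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.99</source_ip>
      <count>8</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
    <auth_results><spf><domain>example.test</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return (published policy, list of per-source rows) from an RUA report.

    policy_evaluated/dkim and /spf are the *aligned* results the receiver used
    for DMARC; auth_results/spf is the raw SPF check and names the domain that
    was actually checked (the envelope sender), which may differ from header From.
    """
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "spf_result": rec.findtext("auth_results/spf/result"),
        })
    return policy, rows


def summarize(rows):
    """Split message volume into DMARC-aligned and failing.

    Failing sources that still pass raw SPF for another domain are flagged as
    unaligned third parties (a vendor sending on our behalf that is missing
    from our SPF record); sources that pass nothing are flagged as suspect.
    """
    summary = {"aligned": 0, "failing": 0, "unaligned_third_party": [], "suspect": []}
    for r in rows:
        if r["dkim"] == "pass" or r["spf"] == "pass":
            summary["aligned"] += r["count"]
            continue
        summary["failing"] += r["count"]
        if r["spf_result"] == "pass":
            summary["unaligned_third_party"].append((r["source_ip"], r["spf_domain"], r["count"]))
        else:
            summary["suspect"].append((r["source_ip"], r["count"]))
    return summary


if __name__ == "__main__":
    policy, rows = parse_report(SAMPLE_REPORT)
    result = summarize(rows)
    print(f"published policy: p={policy}")
    print(f"aligned messages: {result['aligned']}, failing: {result['failing']}")
    for ip, domain, count in result["unaligned_third_party"]:
        print(f"  third party {ip} passes SPF for {domain} ({count} msgs): add to SPF or fix alignment")
    for ip, count in result["suspect"]:
        print(f"  suspect source {ip} fails everything ({count} msgs): rejected as intended")
```

Run against a day's worth of real reports, the "unaligned third party" bucket is the list to take to the marketing team before switching to p=reject, and the "suspect" bucket afterwards is the volume the policy is now blocking.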

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

A lot of the decisions we make affect many aspects of the organization, so it's important that we take into account the impact not simply on cyber risk but on how it might affect processes and workflows elsewhere. For me, many security decisions can be hard decisions, but if we do our homework and use the data to our advantage, we can make well-informed decisions and minimize impact. I know that's super vague, but that's really what it comes down to. Digest the facts, weigh the risk, and make the best decision you can make at the time. Adjust as needed.

My time is mostly dedicated to technology and process decisions, which in turn affect people.

What's something that you struggle with as a leader, and how do you overcome that?

Initially I had an issue with delegation, but I also recognized this as an issue and dealt with it by being a better communicator. I took the time to first run through the process myself and document it. Then I would walk through the process with whomever I was delegating to, asking them to follow my documentation and make changes as they saw fit. This allowed me to see their process, as well as errors in my own, and gave both of us the ability to ask questions and get answers. Finally, I simply handed it off.

As the team grows, I realize I won't be able to have this one-to-one workflow with every employee, so we are focusing on building up our playbooks. I believe that empowerment and autonomy are key for engagement, so I try to foster that as much as possible.

How do you lead your team to execute and get results?

Clear and concise communication of what the results should be is step 1. If we don't know what is expected of us or what the end goal should look like, it's hard to really drive to those goals and hold ourselves and others accountable for them. We also break up large projects into small milestones and then assign those milestones to individuals. We use a Kanban board to track progress, and I review the board daily when we get there in the morning. I encourage our team members to seek advice from others, offer ideas and opinions, and get involved outside of purely technical teams.

This is similar to how I try to contribute as an individual, so I suppose I'm not too creative in that aspect.

Do you have a workforce philosophy or unique approach to talent acquisition?

I don't value degrees all that much; instead, I would like to see certifications, projects completed, and technical assessments. I look for folks who are hungry, show a passion for learning, and try to solve issues on their own before engaging others. Technical prescreens for candidates are important, and they help save a lot of time and money in the hiring process. I also try to understand how the candidate would react in a lose-lose scenario, as those tend to happen in our industry. This helps me understand their emotional IQ.

Retaining goes back to the whole autonomy thing I mentioned earlier. Of course, our employees should also have a well-communicated career path, requirements, and milestones. I want to make sure they feel like they have support to pursue their interests, and I hope they stick around, but eventually everyone will find “the next big thing,” so if we can build them up to better their lives elsewhere, so be it.

Have you created a cohesive strategy for your information security program or business unit?

This seems to be a moving target as business requirements change and new ideas are incorporated into our organization. We also have to be cognizant of regulation and legislation that is passed, and those things impact and influence our strategies.

From a technical perspective, we stay up to date on tactics, techniques, and procedures (TTPs) to ensure we are doing the right things to minimize our risk there. We support the technical decisions with documented policies and procedures so that employees know what is expected of them and how to execute.

The most difficult part is the disruption around “We've always done it this way.” Whenever a new idea or process is implemented, even if it's better, there will be pushback. Humans like routine, and when our routine is changed, it causes friction. Clear and concise communication about what to expect, and why the change is being made, is important. However, empathy is also extremely important here, and I think that's what some folks miss.

What are your communication tips for interacting with executive leadership?

Never try to bullsh*t anyone, whether they are above you, a peer, or below you in the org chart. Everyone brings different life experiences to the workplace, and eventually you're going to get found out. People don't forget, and once that trust is gone, it's hard to get back.

That being said, I try to keep my communication with executives very short and concise. Their worlds are busy, so I try to feed them exactly the data points they need, what it means to them, and what I recommend we do (or inform them of what we have done). They want to keep their finger on the pulse, but they don't need the full-panel bloodwork results of the physical.

My boss gets a little more context and some more off-topic bumper conversation, but I still try to respect his time to keep things on task. My communications are concise, and I make it a point to let him know when I need his help to move a project along.

With peers and direct reports there is more of a friendly, jovial environment. I try to find opportunities to mentor folks when possible but also take time to be mentored by others.

At the end of the day, I just try to respect everyone's time, learn a little bit about them, and make them feel respected and welcomed.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

In a word, respect. I know that the security program is nothing without everyone's knowledge, support, and technical expertise. I try to keep that in perspective and don't shy away from acknowledgment of their efforts and appreciation of their time.

Outside of that, it's just being human: learning about your peers, finding things you have a mutual interest in, supporting each other when you can tell someone is having a bad day, and asking what you can do to help (even when you really know there's nothing you can do). Just be a good human.

Have you encountered challenges collaborating with revenue-generating teams like sales and product development?

Of course, but you have to realize that many times your goals are not their goals, and if you get in the way of their goals, it's not going to be good for them. To simplify, you have to be selfless and understand that the reason the business exists at the end of the day is because they generate revenue, not because you have the best firewall rules this side of the Mississippi. It's about communicating your goals, why they're important, how they will affect the user, and the risk of not doing it. Take time to educate, understand, and communicate, and it generally goes well. Also, expect to be the butt of a joke or two. Don't take offense; just roll with it.

Have you encountered challenges collaborating with technology teams like information technology and software development?

Yes, indeed. I'm not sure one can build a security program without encountering these challenges. I approach it the same way as the previous question. It's really important that everyone has their own priorities, and security usually isn't one of them. Thus, the communication of the risk, the impact, and what is necessary is crucial. Also, in the technical scenarios, it's important to offer to do as much of the work as possible. Many times, you will be turned down, but it's important to offer and do the work if they take you up on your offer.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

Leading a security team and building a security program is a mix of management, social engineering, and sales. Here are a few of the books I think have made an impact on the way in which I approach things:

  • Rework by Jason Fried
  • The Phoenix Project by Gene Kim
  • The 21 Irrefutable Laws of Leadership by John Maxwell
  • Drive by Daniel Pink
  • Death by Meeting by Patrick Lencioni
  • Let's Get Real or Let's Not Play by Mahan Khalsa
  • Never Split the Difference by Chris Voss
  • Louder Than Words by Joe Navarro
  • Linchpin by Seth Godin
