Mick Leach: Hello and welcome to another SOC Unlocked: Tales from the Cybersecurity Frontline. I'm Mick Leach, your host and guide on this exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest industry news, emerging threats, practical strategies to keep your organization safe and more. This week, we are excited to have Jeremy Ventura. Jeremy, thank you so much for being
Jeremy Ventura: Thank you, Mick. I appreciate the time and having me as a guest on the podcast. Looking forward to this conversation.
Mick Leach: Yes, indeed. And by the way, Jeremy, and I'm going to give you a moment to introduce yourself and tell us a little bit about yourself, but we share, we share a job title and there are like a dozen of us in the world that I've met so far. So this is super cool for me to meet another field CISO.
Jeremy Ventura: Absolutely. No, we do. It is a small field as far as us, the Field CISOs go, it is definitely a growing field, which I know we'll talk a little bit about today as well, but no super excited again to be here, Mick, and look forward to this.
Mick Leach: Awesome. All right. Well, with that, I would love for you to tell us a little bit about yourself. What's your current role and how did you get here?
Jeremy Ventura: Yeah, absolutely. So I am currently the Field CISO, as mentioned before, for a company called Myriad360. And Myriad 360 is really a systems integrator or a value added based out in New York City, but we have office locations and individuals worldwide. And we partner with great companies, just like Mick, your company here at Abnormal Security as well. And really our goal at the organization is to help our customers and clients really help design, optimize and execute on their cybersecurity, networking and AI strategies. That could be anything from how do we build programs to what tool is the best fit for my organization or even help building some of those different use cases, depending on the organization's needs. But my role here at Myriad as the Field CISO is really to be, you know, in the forefront and center of our customers, our vendors, and in the industry in general. So that's everything from thought leadership and evangelism, could be anything from attending sales meetings and really building credibility, trust, and building really that relationship with our customers so they feel like they're getting that white glove treatment all the
Mick Leach: Yeah. Sorry to step on you, Jeremy. So I once heard a person explain a VAR, kind of like a tailor. You know, a tailor just knows all, they know your sizes. They know your likes, your dislikes, what you're into. And then when you call and say, hey, listen, I need, you know, a black tie suit for a very special event.
They know exactly what they need, what you need and what's going to be the best for you and are able to whip that up for you in no time. And I thought, man, that's a great example of how that relationship with a value added reseller. I know I relied on my VAR heavily in my last role. You know, I wouldn't even take, typically wouldn't even take a call from a vendor without them going through my VAR and having them bring them to me. We had that, that tight of a relationship.
Jeremy Ventura: You know, it's when you cultivate it and it goes well, it can really be a beneficial relationship. I'm here to tell you. Absolutely. And you, I love that analogy, first of all, with the tailor. It's funny because I give a very similar analogy. I almost say it's like kind of like the CarMax of going into you going to buy a car where you might come in, you might be a family of four and you say, you know, I'm looking for an SUV, at the CarMax, we're figuring out, okay, well, how fast do you want to go? What's most important? How old are your kids? Do you do mountain biking? Do you need extra storage? What color do you want? Do you want electric? Do you want gas? We own that relationship with that client so we can custom tailor the solution for them. And again, solutions don't necessarily have to be a tool. Solutions can be consulting. It could be services. It could be a very wide array of things to really help our customers out.
Mick Leach: Yeah, and I can tell you what I loved most, I think, about my relationship with my VAR at my last gig was that they were vendor agnostic. And so I knew that I could trust everything they brought to me because they valued the relationship with me more than simply telling me something I wanted to hear on behalf of a particular vendor. The other aspect of that relationship, though, was that, because they had so many relationships, they could share unbiased opinions of other folks that are your size and are doing business the way you are and are having lots of success with this solution. So we would recommend you take a hard look at it. Maybe this solution we've seen other folks your size struggle with scaling or whatever the case may be. And so they may guide me based on unbiased opinions and experiences onto the right solution.
Jeremy Ventura: Yeah, you're totally right. And I think, you know, kind of taking even it back to our both of our titles and our roles at our respective companies, the Field CISO plays perfectly, especially working for a company in this business, because it really is about the credibility and trust, as we mentioned before. But, you know, it's okay to sometimes say no, we don't think that's the right fit or, you know, we push them into a certain area. And I think the word you know, always look for is we're guiding, right? We're an extension to our customers. We're guiding them to make sure that at the end of the day, their security, their network, and their AI teams are performing at their best. Right. And so if they say we want tool X and we want this, you know, our jobs are always first to ask why so we can really understand, right. And lead them down the path. But, you know, you mentioned something there and I think it's especially in our roles, no matter what companies we work for the Field CISO, Field CTO, evangelists, product strategist, whatever you want to call it, it's really about the art of storytelling.
And, you know, can I help my customers, but also by sharing information about what other people are doing, as you and I both know this in the industry, like everybody wants to know what everybody else is doing? Because we're stuck in our day jobs all day, right? Working 40, if not more hours a week and grinding on the keyboard as a SOC analyst or as a CISO. And sometimes we kind of have the blinders on. We don't actually see or hear all the time about, you know, what our competitors are doing? What is somebody in an adjacent industry? What is somebody doing overseas that may be the same security team size as us? I think that's really the value, the value add that a Field CISO brings to no matter what company they work for.
Mick Leach: Yeah. Could not agree more. Certainly enjoy the role. So let me ask you a couple of questions here on the front end. Love to learn a little bit more about you. And as my longtime listeners will know, we'll look at the past, the present, the future, and then talk a little bit about career advice.
So that's kind of the architecture of the conversation here. So to that end, I mean, what inspired you to pursue a career in cybersecurity and how did you find your way into the roles that you've had now, but also even any time that you've had in security operations? How did you end up there?
Jeremy Ventura: So I think it actually started for me when I was back in college and actually ended up graduating with a bachelor's degree in criminal justice. I always thought that I wanted to go into law enforcement and, you know, you'll see that there are a lot of cybersecurity professionals that come from the law enforcement background or military background. And it's interesting because I know, you do as well, I'm one of them. Exactly. And, there's so many like qualities from both of those different types of professions and fields that really translate over and over. And so for me, it actually started with an internship. I was interning for a federal law enforcement agency outside of Boston. And I got my first act into cyber when the federal agents were in the field, you know, they're doing all the good guy stuff and stopping bad guys and they needed help with social media, creating profiles to go and potentially persuade individuals or research and do some open source intelligence, I'll call it, being very careful of how much I say, but open source intelligence on how we could go and how they could go and track down criminals or potential criminals.
And, you know, at the time, this is back when Facebook is hot and a lot of people really didn't know how to use it. You know, I think now we would both laugh and agree. I think sometimes our parents and grandparents are more on Facebook now than we are. But back in the day, 12, 13, 15 years ago, um, it was our generation and we're on Facebook all the time. And so they didn't know how to use it. And so they said, Hey, Jeremy, here's Facebook. Here's MySpace. Here's all Twitter. Here's all these other things. Can you go and just help us create profiles? And so I did. And I was so passionate about it. I came back like the next day and I said, Hey guys, here's like everything I've done. And they were like, Holy crap. Like, how did you do that so fast? Right. And I guess that was the generational thing. And like, I just knew how to, how to work that. And so it really started from there, my interest into, not just, specifically cybersecurity, but specifically working even for federal law enforcement agencies behind a computer. What did that look like? What did that mean? How could I expand and so it's really where I got my first act, but really where things start to take off was, actually in college, I had a professor, at the time that said, you know, are you interested in working in cybersecurity? I've seen what you've done in other internships. I am a vice president at the very large, United States government defense contract agency Raytheon. And would you like to come do an internship? And I said at the time I was like, Hey, I know how to work Facebook, but I don't know how to I don't know how to script.
I don't, I'm not a computer science major. And they said, don't worry about that. We're going to teach everything on the job. And, you know, we can talk about this all day and especially career advice. It's like finding those mentors, finding those people that you can latch onto that can show you the roads. And I think that was, that's what was the pivotal moment in my career, very early on that said, you know what, let me go and take the risk. Let me go work this internship. And I fell in love with it. And I went back to school. I got a Master's Degree in Cybersecurity and Homeland security.
And then from there, it kind of went off into working for large companies like IBM as a consultant in Boston. I moved to California where I currently reside in Southern California. And I worked for large companies, vendor companies like Tenable and Mimecast or ReliaQuest and ThreatX. I even worked for internal security companies, companies like Gong as well, helping build some of their cybersecurity programs and kind of, you know, quickly going through the path. It's, you know, really building the stepping stones learning so many different aspects of cybersecurity because it changes every single day. So, you know, working in email security for three years and then working in vulnerability management for three years and then helping build security operations centers, like building upon all those different building blocks of stepping stones really kind of helped me propel myself to where I got now, which is kind of in this Field CISO role, especially as we kind of talked about earlier, alluded to earlier, working now where no pun intended to the company I work for, Myriad 360, but the name, the 360 really being able to see the full spectrum of cybersecurity teams. And so I think that's kind of unique in its aspect that kind of everything is kind of led up into this moment. I like to believe we'll see what happens 10 years from now, 15 years from now where we all are. But yeah, that's a little bit about how I got my first interest in cyber. And then even from an internship into kind of where I got myself to now.
Mick Leach: Yeah, no, that's awesome, Jeremy. I appreciate it. You know, doing these one thing I've learned is that, you know, all of us have taken a slightly different path into cybersecurity and yet, you know, we all needed someone to believe in us and give us that first big break and give us a chance. You know, I was no different than that. And so, but once we get in, you know, the path sort of normalizes at that point and we get to get in and make the world a better and safer place. And I think that's, I think everybody I've spoken to so far, that's been a big driver. So it's fun to hear that's the same for you as well.
Jeremy Ventura: Absolutely. No, and you kind of hit it right on its head there where even though I thought I was going to be a police officer or federal law enforcement agency and, you know, right? Serve and protect. We are, we are service protecting even behind our keyboards, even as consultants, even as Field CISOs or working for cybersecurity. We are in the line of helping our customers and the world become more resilient, more safer just in a different battlefield, right? I think that's the unique aspect. But here we are in 2024 where, you know, left and right, we're seeing cybersecurity incidents that are happening and affecting everyday people. And so I think, you know, we are fighting the good fight. And yeah.
Mick Leach: I love it. I love it. Well, and that's what, you know, we talk to. These are certainly the bulk of our listeners, our cyber defenders. They're on the front lines, you know, defending and battling the forces of darkness. You know, this is certainly in the military, we phrase things that way, I know in law enforcement similarly. So now that's awesome. I love it. So with a varied background such as yours and years and years of experience, you must have seen a thing or three in your time. So can you kind of describe for us a particularly challenging cybersecurity threat or attack that you've encountered and maybe how that played out, how you detected, responded to it, that sort of thing.
Jeremy Ventura: Absolutely. So as you mentioned, there's probably three per week that we see right in our field. So, so many of them to kind of talk about, but I love this question because I think sometimes my answer will change. If you asked me today versus you asked me maybe six hours from now and kind of what comes up, what pops into my head first. And I will talk about one story recently where I was working for a security vendor. So we were not breached or anything like that, but we were helping out, this potential time was a potential customer. It wasn't even a customer yet. And this organization was kind of running around with their hair on fire. They were going through an active cybersecurity incident and they didn't know who to call. They didn't know how to respond. They weren't prepared for this. Again, I'm not going to say the name of the companies to protect everybody here. But at the same time,
The issue was really around insider threats. And I think this organization had put so many tools and protections around, how do I protect against ransomware? How do I protect against phishing attacks? How do I protect my employees? And they had a blind spot. And that blind spot was, what is actually going on internally within my network? What happens if I have a disgruntled employee?
It was actually in the application security realm and it was a disgruntled employee. And the motive, you can ask that employee and there it's probably going through legal ramifications right now. But from our perspective, what happened was this employee had, let's just say a lot of permissions and access into the backend databases. The applications at this company were provisioning, deploying and helping their end users, you know, perform business and all this kind of starts with this, right? Access and privilege. And so, what happened was this employee was being terminated and was very disgruntled. And at the same time, I believe they had a competitive offer to another organization. And so kind of a two prong approach, the first prong approach this employee did, they, believe they gave the individual, said, you know, you're going to be terminated by the end of the week. You have until Friday. So too much time for this employee to do some damage. First thing this individual did was legitimately just grabbed a USB stick, stuck it in their computer, and started offloading and downloading a bunch of files, which had a bunch of sensitive information, had a bunch of PII information on customers of this organization, on internal employees, on source code, on what was being created, documents, call it like even architectural diagrams and business plans, some serious, serious stuff, an offload of this.
The second aspect was this individual was also a very skilled engineer and coder on the team. And so decided to potentially again, being careful how much I say, allegedly put a back door into an application that was being, that was in that wasn't ready for prime time yet, wasn't ready for production, I should say. I think the company was about two weeks away from pushing this piece of code into production for their end users, let's call it a mobile app. And this individual had sneakily put in a backdoor application hitting them where they were soft and two things. So you got the USB with all the company files and documentation, and then you've also got this backdoor.
So the company had no idea that this was happening. They had no protections in place to kind of see what was going on. And it wasn't until two weeks later, the code was ready to be pushed to production. They push it, they push it. Let's say, hey, we're going into runtime and it's in production and boom. The entire application just starts spitting out all this crazy stuff. Starts breaking other adjacent applications.
Let's just call it a disaster as much as I can say. End users can't access not just this new piece of application, they can't access almost anything that this business provides to them. And of course, immediately this organization is freaking out as most companies would be. And they were able to call us. We were able to quickly get on scene, get some remote access into kind of what was going on. And Mick, you and I even kind of talked about this in our past careers. Like the first thing incident responders should do, especially as consultants, is take a deep breath. The first thing is like, stop for a second. Like everyone's screaming, everyone's running around. I get it. Right. And potentially the business is losing money and potentially losing customers. But it's not going to fix if everyone's yelling, right? That you're not going to, you're not going to progress and really get that mean time to detect and respond if your emotions are running high.
That was one of the first things we did was like, how do you get everybody, including the security team, everyone's pointing fingers. I always call it the Spiderman meme. Like, okay, who did this? And everyone's pointing at each other. And at the same time, it's like, you got to get everybody to relax and calm down. So that was the first thing. Once we kind of got clarity on kind of what was going on, we were able to run some analysis, work with other forensics investigation companies and determine that this was actually a backdoor that was put in.
As we went through more and more of this investigation, then it came up to like, okay, well, let's see what access and permission does this user still have. Two weeks after this employee was terminated, they still had full access. So there was no automation of offboarding and termination of the employee. I can see you over here shaking your head. So we didn't find out about the USB stuff until the first, obviously, instance was, wait, the application went down. Who potentially had access? Who pushed the code? Where was everything? We went all the way, found out this individual then said, wait, this individual was terminated two weeks ago. Like, wait, what's going on? Let's go and do some analysis on permission levels, access, what did this user have? And we're signing all this stuff that the user still was entering this into the organization or potentially an access. So, you know, once we were able to kind of assess it, mitigate the threat, clean it up, remediate. I think the real shocker here for the organization was it wasn't a shocker at first, but now it is, was the after action report of like, this is what happened. And all the different little permission levels that we found that were never terminated when this employee was let go. And they have still full access to the database, still full access to the system. And so it just goes to show you whether it's email security, vulnerability management, identity access and privilege access management. At the end of the day, organizations are still getting owned right now, or I should say pwned.
The fundamentals like user access control and no visibility into what this user is doing and nevermind being able to push code and boom, then all of these things in runtime and now everything breaks. So that's one of the worst ones I've seen because again, emotions are running high. There's so many different access points and now you got to go and run backwards as fast as possible while trying to calm everybody down.
Yeah, that's one of the ones that come to mind. It was, I will say, it wasn't fun, but not fun for anybody, never is. But looking back at it after, it's, you know, I think, I know we're better off as consultants or, you know, Field CISOs of learning and kind of helping the organizations. But in addition to that, hopefully that organization has learned kind of, you know, what to do in a crisis and how to also prepare for something in the future.
Mick Leach: Yeah. There's so much you can double click into on that and kind of unpack, but I love the idea that as incident responders, we've got to come in and be the calm, in command, control voice in the room, settle everybody down, and let's get focused on understanding the problem, and then seeking to mitigate and then ultimately remediate the issue. But often,
I too have come into rooms like that where the leadership is more focused on what happened, whose fault is it? And we're like, guys, we'll deal with fault a little bit later on. Right now we have a very serious problem that we need to tackle. So those are the things we'll do at the very end.
But you're right, we're right now in the midst of NFL training camp and it kind of reminds me as I watch videos or I've attended a few practices in the past of NFL training camps. And I'm thinking to myself, these are professionals who have played this game for 30 years plus in some cases. And yet in NFL training camp, what they start doing is blocking and tackling. It's the things that they've been doing their whole lives, but that's where they start the practice, even though they're professionals.
Even though they've done this every day, almost their entire lives, they still start with that blocking and tackling. And I think there's a lesson for us as cyber defenders that we could take from that, which is we may want to focus on the interesting technical threats that are coming our way. You know, the ransomwares and all that and you know, there's just all these really cool technical things that we could you know focus on nation state actors that kind of thing. Those are the things that are exciting to us that we want to defend against. But what we really ought to spend our time initially focused on is that blocking and tackling right? Let's make sure we've got you know, onboarding and offboarding is automated and it's triggered. Let's make sure that we've got any annual access reviews. Let's make sure that we’re adhering to the principle of least privilege and separating our users' access when that's possible so that maybe they have to elevate their permissions and that all of this is being logged so that we can get attribution later down the road. So what a great story about learning to focus on the details.
Jeremy Ventura: Yeah, I know. And I love your analogy there to football. As you were saying, I was kind of laughing. I was like, you're not going to see Patrick Mahomes throwing his no-look passes day one of training camp, right? These guys are in the weight room, they're stretching, they're working on footwork, they're working on just getting that motion, the arm before they can go do all the fancy stuff, to your point. 100% relates to cybersecurity and kind of the world we live in where over and over and over every week, if not every day or every month that we're seeing this, when we start looking at some of these massive cybersecurity incidents that have happened and you really start to get the report and the analyzations of what's going on.
More times than not, it's coming down to the fundamentals every single time. You're not hearing too many stories of like, this nation state had this really sophisticated AI tool and it was able to, you know, send robots up to the moon and destroy the world. Hopefully we'll never get there, but like, we're not there, right? And I think AI comes into many aspects of what we do. And I know we'll probably talk about that too. But at the same time, it's the fundamentals. It's that cyber hygiene that we've been stressing for years since this thing became a field.
And I think, you know, when you look at some of the root causes, we're just moving so fast. Business is the world and security, we've always said, you know, not just me, but everyone in this field has always been like, security has always fallen behind of how the business is moving. And it's, it's true, right? But I also think it's like, we can't give up. We have to continue to make those strides to keep up with the business, right? At the end of the day, cybersecurity, like we are in the business of making sure our organizations can take risks, right? And I think that's huge.
And until we understand that and we understand like, and businesses understand and boards understand that security is not in the business of saying no, like we're just trying to help the organization and report on the risk and the threat. But as security professionals, we need to again, understand that we are in the business of allowing organizations to take risks. And until that concept is actually fully understood, we're always going to be the pointing game, right? The name game or whose fault is it or again, the emotions running high or security just saying no again, all those guys in the basement in the corner, like, what do they know? Right? Like we're going to do it anyway. And so we need to change that narrative. I think we're getting better as an industry, but we still have a long way to go. And that conversation has to continue to keep happening.
Mick Leach: Yeah. You mean we could be known as something other than the department of no? We have to be right. Indeed. Indeed. At the end of the day, our job is to enable the business to move forward in a safe and secure way. So that's sometimes what we forget about. But there was one last thing before we move on that I want to tease out from what you said, particularly around Patrick Mahomes and his throwing, right? Just getting that throwing motion. He just throws over and over and over again. What a great example of how we need to be running, you know, different tests and, you know, we've got to continue to practice what we're doing because that's how you're building that muscle memory. So running tabletop exercises in terms of incident response, it should be something that when it happens, we as responders know exactly what we're gonna do. And we practice it so much that we can just respond automatically.
Jeremy Ventura: Exactly. And even from my days as an incident response consultant, specifically, I had kind of two roles at my time. And the first one was a post-incident. So again, kind of going back to that story of helping organizations kind of clean up and deal with data breaches. But then the first was a pre-incident. And I think that was also interesting. Like how do you build playbooks and how do you make sure they're effective? And that goes right to what you're saying. How do you conduct tabletop exercises or fire, firetops or simulations? And one of the biggest things was what I noticed is companies said they would do it, but it was really a checkbox, right? For the auditors, we ran yearly tabletop simulation and prepare that, you know, if it was a ransomware attack. And then you find out like, if you're actually in the room, it's like maybe the four SOC analysts, the CISO, and like the IT director, and that's the only ones in the room. And they're just going through like, what tools do we use? And it's a half day session, right? What we're missing is how about all the other leaders from the business units and departments within a company? How about the CFO? How about the CEO? How about the CRO? How about the marketing team and legal? What's going to happen if you need to make a statement?
Uh, really fast for now, especially with the SEC rules. And if you're a public company, right? How do you determine material incident? And then how do you make that statement in the 10-K, the 8-Ks and all the other fun jazz that we've got going on here within that timeframe. And I think it's going to become more and more important. Um, we can probably have a whole podcast about this more and more important for companies to really start. I hate to say this in a political sense, but like cross the aisle, right? Incorporate other business units, even from security to engineering, right? This whole concept of DevSecOps.
Right. That can start there from a security team, but from a business standpoint, again, like cybersecurity is not a technical issue. It is, it is a business issue, a business risk and the board needs to understand that as well. And once they do, and once the executive team incorporates that kind of culture, everyone's better for it. Right. And those tabletops happen and people are more prepared. And so when an incident does happen, people take a deep breath. They can stay calm and get through that because they know what they've done exactly to your point. Practice makes perfect, but you need to practice over and over and over.
Mick Leach: Absolutely. OK, moving forward into kind of the present, what is, in your opinion, the biggest threat that we see today out there?
Jeremy Ventura: Yeah, so I think today, I'm going to go a little bit of a different route on this one. I love always talking about the kind of the concept of people process technology. And for this one, I want to focus on people in the sense of, I do feel like more and more, we are just overwhelmed. And when I say we, analysts, the incident responders, the red team, the blue team, even our counterparts in GRC, there's just so much going on in policy and regulations and legal.
Never mind what we have to deal with from a cybersecurity perspective to always kind of keep the lights on, right? And make sure that, you know, I can maybe go home to my family on the weekend versus like, I'm getting called on 4th of July. I need to come respond to an incident. And I think from just, there's a couple of different things. Obviously attackers are getting more advanced, right? We'll talk about AI in a second, but with that being said, there are just so many alerts. There's so many things. There's so many tools, even within security.
And how do we help consolidate that? How do we find the best of breed? How do we make sure that our analysts are looking at the things they actually need to care about or respond to? And I think that kind of comes down to, of course, there's a bunch of kind of bullet points, sub bullet points under all these concepts. But I think the biggest challenge that we're seeing right now is just, you know, how do we stay on top of what our daily job is? How do we not get burnt out? How do we make sure if we're in executive management that my entire SOC analyst team isn't going to leave me tomorrow and go take an offer at another job because they're going to get paid more, or maybe it's less stress. And we see that every single day, even not from the analyst, even from a CISO, right? I think, what is it now? It's like 18 to 24 months, the average lifespan of a CISO. I'm hearing. Yeah. I think, you know, as a world, we need to, as an industry, we need to get better about employee retention even from a mental health aspect of this is a very high anxiety, tough, fast paced job. And it's not for everybody. And I think a lot of people want to come in. They see it's like, I can make six figures right out of college and get there. And they get in there and like, man, I don't want to do this anymore. And unfortunately that's happening too. And we see it with so many open reqs and jobs that are open.
I think, again, this is another topic that we can really dig into a lot, there's so many different things, I think as an industry, even as leaders, as ourselves that we can do to help solve that, right? Giving chances to people, making sure that people are heard, listen, right? Giving opportunity to grow outside of maybe their domain. You got hired today to run the EDR tool, but because we're so overwhelmed, you're doing email security, vulnerability management, you're working on our firewalls. You're, gotta do a policy refresh, whatever it might be. And as you're learning all those skills, they're also thinking to yourself, man, like, what am I doing? Right. And I think as industry leaders, we need to also help, I'm not even saying younger, but the other generation, the newer generation that's coming in, regardless of age, regardless of looks, regardless of nationality, regardless of political or sexual beliefs, right? We need to be more inclusive in how we're bringing folks into this field and then how we're retaining them and making sure that we're evolving them so that they are protecting and helping us as well.
Mick Leach: Yeah, agreed wholeheartedly. Now, looking into the future, what advances or changes do you foresee in the field of cybersecurity and how do you think they're going to impact SOC operations? Because if you listen to the news and you kind of take in everything, all the posts on LinkedIn, apparently AI is coming for all of us and it's going to take all of our jobs. We won't need SOC analysts anymore. At least that's what you would think based on what you see on LinkedIn. What are your thoughts?
Jeremy Ventura: I knew we were going to mention AI and I already kind of throughout this podcast, but this is a good segment because everybody wants to talk about it. And I do think the future is AI, but I also don't think it's in a scary sense. I think to your point, there are a lot of people, there's a lot of things out there right now. It's like, you just said it, like AI is taking over the SOC analysts and we're never going to have analysts anymore. No, like at the end of the day.
Cybersecurity is still, we need human intelligence, right? We need to make that decision. Now, can AI help enable us? Can AI help enable a business in so many different aspects besides cybersecurity? Of course it can, right? And we're already seeing that on a daily basis of how productivity or ease of use or how our customers can access certain things or find information or help themselves, self-help themselves. Now, with that all being said, I think it is an explosion of AI, especially from a marketing standpoint and the last couple of years here, if not even sooner in the last six months. As an organization, like as a security team, you know, consulting with security teams and organizations, it is definitely starting to start taking the stuff seriously. You know, where is AI being incorporated? Who has access to AI security tools? You know, I was just talking to one customer we're working on here at Myriad working on like an AI readiness service.
You know, we just started kind of teasing out the questions of how was AI used in your organization? And, you know, it's, it's the Spiderman meme. I don't know. Like, I think they're using ChatGPT. I think some people are using Copilot. I think some people might be using Gemini on their phones, corporate devices. We don't know. And I think that's, I think we're in a long battle coming up. But I think it's, I don't think it's a surprise to anybody, but I don't think from the opposite side, AI is going to take over our jobs. I think AI will absolutely help enable us to do our jobs if it's done effectively. But I think organizations need to really take a look about how it's being incorporated, how threat actors are leveraging AI against our organizations. And if we can start to put the realms around that, and then obviously there's a whole other aspect around policies and procedures and regulations and laws, not just in the United States, but all around the world, once that starts to come into formulation and how we can do responsible things like responsible AI.
I think we'll start to get a handle, but I don't think we can allow ourselves as an industry to be so behind in AI. It's a little bit of a fear. But like, when we think about all these other aspects of technology that's come out, again, security has always kind of been behind. I think this is the one where we need to get as far as fast as possible, as smart as possible ahead of the curve or else it's just, it's, we could be drowning in it. And I think that's sometimes realistic of what's kind of a little bit of happening right now, but I do feel as a world, not just as an industry, as a world, everyone's kind of leveraging or knowing about AI, knowing this thing's coming fast. So that's where I think the future is. I agree with you. I definitely don't think it's taking our jobs. I think it will, if done right, will be an enabler for some of the teams.
Mick Leach: Yeah, agree wholeheartedly. I see AI becoming a force multiplier, you know, similar to many other, you know, groundbreaking technologies as they came out. EDR, I remember years ago when EDR came out and how it kind of changed the way we did things. So very interesting. So changing gears a little bit in terms of folks trying to get into cybersecurity. Many of our listeners are in other roles, but aspire to a position in a SOC as a SOC analyst becoming, you know, maybe it's incident response, it's, you know, digital forensics and incident response, there are folks that want to get into cybersecurity. What advice would you give to those folks that are looking for a SOC role? We can talk a little bit, not only that, but I'd also like part B of that is in terms of the knowledge, where do you land on a formal education through college or certifications or maybe just self-study you busted your butt and you learned a bunch of stuff and you think you're ready. Where do you land with this?
Jeremy Ventura: Great question. And I'll kind of start at the part B stuff and kind of come back to A, but I'll say this: education and college degrees are not for everybody. Some people may not have the financial resources or even the physical resources to go to a college or even online have that access to that. And that's okay. And I think that needs to be said, like not everyone is going to have the privilege to go get a Master's Degree or PhD in Cryptology. So, you know, I think with that being said, there are so many different avenues, there's so many different paths of how to get in this field and continue to educate, even us being in the field, we need to continue to educate ourselves, it's certifications, whether it's training sessions, it's listening to each other's podcasts and different guests that are on, there's so many different aspects of enablement and learning that is out there.
There's so much free stuff too. I know right now you can go online, you can go on YouTube and type in like, how do I do A, B and C, right? I won't tell you exactly what to YouTube, but you can go figure out what it might be or like explain to me the concept of privileged access management. And you can watch hours and hours and hours and hours of content, just on that one topic. So I think there's so many resources out there. I will preface it with, knowing specifically when I'm hiring, throughout my career.
There's really three categories I look for. And I like to say it, I'll tell everybody kind of the secret. And I think it's universal. And I think it's hungry, humble and smart. And the hungry aspect is having the drive and motivation to learn a certain topic. Or if you don't know it, that's okay. But like, can you come back and be hungry enough to go have that fire, gain that passion, whatever that might be. Humble, right? This is one of those that's sometimes lost almost every single profession. Can I be humble? Right? Take the ego, check the ego out of the door. Can I be a nice person? Am I a good team player? As we know, SOC analysis, again, it's like a football team or a basketball team or any sport we're working together. And I think that's a big component. Like, do I have those teamwork skills? Do I have those communication skills? Do I have those soft skills that allow me to be effective, not just in my role, but with my peers? And then the last one is smart.
And I'm not talking about going to again, going to get that PhD in Cryptology, that's great. Or go and get your CISSP, that's great. But there's more to that. The smart is really kind of that, the street smart, right? Can I think outside the box? Just because your manager says, this is the way we've done it for 15 years, who cares? Challenge it, right? Challenge the status quo. Do you have that drive to continue to not necessarily go around, but think outside the box, right? And come up with new ideas or fresh ideas.
And there's so many different aspects I've seen with peers of mine, even people that I've hired, again, people I've worked alongside that have demonstrated this in so many different ways. And I'll leave you with one story on this. At a previous company, we had an open role, just one open role for a SOC analyst. It was truly a SOC Analyst One, a Junior SOC Analyst. And we had hundreds, hundreds of applicants. The person that we went to was an individual. She was a hairdresser for the last 13 years. And she showed more skills and drive the hungry, humble, smart than anybody else. And we hired her from the hungry aspect, right? She was taking online. She had her full-time job. She had a family. I'm a hairdresser. I work 40 hours a week. Uh, but at the same time, even though I have a family, I'm going to do some online courses. I'm going to study. I'm going to get some books. I'm going to read. I'm going to listen to podcasts, and be intelligent enough to understand what's going on in the world of cyber.
The humble, great person, right? Think about the people skills of being a hairdresser. You deal with, you know, tens of people, 40, 30, 25 people per day. Not everyone's going to be in a good mood and happy or tip you well. Um, right. Somebody's not, may not like the haircut. And so the people skills and soft skills that she had were just impeccable. And then the last was smart, right? She knew how to think outside the box. She was applying for a job, which can be scary for anybody. We all see it. It's like, oh yeah, you got the SOC Analyst job and you got a thousand applicants in the first 24 hours on LinkedIn, right? Don't be afraid to take those risks. And that's exactly what she did. And she demonstrated all three of those qualities. Cause we can teach, we can teach you how to go grep. We can teach you how to go code. We can teach you how to use this tool and click on that box. That's part of the job. We all learn too, as we continue to go. What I can't teach is those soft skills, right? What I can't teach is the experience and life experience that you had. So we hired her.
And now I believe she is one of the most senior members of that security operation teams, if not running the entire SOC herself. And so I think that's just, it's an awesome story. So it goes back to the career advice of like, anyone can be in this field. Don't get discouraged, continue to have that hungry, humble, passionate attitude, and it'll happen. You'll, you'll find the job. You'll find that right mentor, just like I had, just like you had.
Like we're in different career paths and that's okay. Like I had a mentor that just guided me. If I didn't have that, I probably would not be sitting here talking on this podcast today. Right? I'm a little scared of Might've been doing something completely different. Maybe, I don't know, as a police officer. So, and I think, and there's nothing wrong with that either. Right? And I think that's the cool thing. Like regardless of age, regardless of the way you look, the way you think, there is a position here for you in this industry. And so go for it. Take those risks, reach out.
The last thing I'll say on that is network, network, network, network. Like it's okay to stay behind in your house and code all night and on the weekends. It's okay. Everyone's a different personality, but you still have to network. And I think that's one of those last skills. Like reach out to people. If you listen to this podcast, reach out to me and ask for career advice. Reach out to Mick, right? Reach out to other people that Mick's going to have on his podcast. Continue to kind of be a sponge. But in addition to that, like make yourself known, right? And I know that can be uncomfortable, but it's definitely one of those skills that we look for, especially as you kind of move up the ranks in cybersecurity as well.
Mick Leach: Yeah. Yeah. And just to build on, because I love everything you said, Jeremy, I think in terms of networking, you know, too often as a new analyst or new into cybersecurity or maybe just even aspiring, you think, man, I got to get to Black Hat and it's so expensive or I got to go to RSA or Gartner. I got to go somewhere big, DEF CON. No, no, no, no. There are so many grassroots organizations in every town that are popping up in every city in America and around the world for that matter. Um, BSides is a great example, um, that are just local. We have a 614 con here in the Columbus area that a dear friend of mine, uh, helped, helped start and run and friends of mine run it to this day and it's, it's grassroots, it's guys just getting together, guys and gals who, you know, just sharing what they've learned. The community is fantastic, but you're right. You've got to get up out of this chair and go out and actually meet people and learn and share. You know, I, I hear the phrase iron sharpens iron and I love that phrase because it does, you know, we do make each other better. We do.
Jeremy Ventura: Absolutely. We can talk about all different stories about that, but I'll leave it on that too. Like the networking aspect. People ask me all the time, well, how do I get started? How do I get in this? How do I move to the next position? A lot of it, it's who you know, who knows you and that relationship. Again, that humble aspect of that hungry, humble intelligence part, that's what we're talking about, humble, right? And networking the relationships, the building the credibility and people know who you are and be a good person and you'll be very successful and no matter what you do.
Mick Leach: I love it. I love it. Jeremy, great advice. Thank you. I've got one final question here. If someone can only take one thing away from this conversation, what would you have that be?
Jeremy Ventura: Yeah, I think the one thing that I would leave everybody is put yourself out there, take that risk. Whether you're trying to get in this field, whether you're trying to be a CISO, whether you're trying to move up from a SOC Analyst Two to a SOC Analyst. No matter where you are in this kind of career, either starting out, trying to get in, or even at the senior, most of the executive level, even as a CISO, right? If I want to go become, you know, start working on cybersecurity boards, take the risk. Right. You never know by saying yes, what that can lead to. And, you know, if you realize you said yes to something and it's not going down the path that you wanted it to, it's okay. Right. Like you learn, it's a learning experience, but you'll never know that unless you take that risk and kind of take that leap of faith. And take the risk, think outside the box, be humble, and reach out to people again even for the professionals that are listening to us that are the SOC analysts. Take the risk to do something different. Just because an organization has done it the same way all day every day for the last couple years, right? Bring that new fresh idea. Take the risk and present it to the board. Reach out to your engineers, reach out to the finance team, reach out to the marketing team if you're running a tabletop exercise, it always comes back to this concept of like taking.
I'll leave it with this, cybersecurity, we are in the business of helping organizations manage and enable that risk.
Mick Leach: So well said, well said. Well, this has been Jeremy Ventura. Thank you so much. I appreciate it. And folks, this has been SOC Unlocked: Tales From the Cybersecurity Frontline. I'm your host, Mick Leach, reminding all of you cyber defenders out there to keep fighting that good fight. You're the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe and check out our other SOC Unlocked episodes. We'll see you next time. Thanks again, Jeremy.