Chrystal Taylor:
Welcome to SolarWinds TechPod. I’m your host, Chrystal Taylor, and with me as always is my co-host, Sean Sebring. And today we have a very special guest that we’re going to talk to about security fun things with Josh Vanhoose. Josh, can you introduce yourself?
Josh Vanhoose:
Sure. So my name’s Josh Vanhoose. I am the staff security engineer and the security architect for SolarWinds in the SecOps department, not in product. Many people kind of confuse those sometimes, and I have been in security 10 years. I’ve worked for the state of Texas and for high schools and for Tex-Mex food chains and now SolarWinds.
Chrystal Taylor:
Hold on. You worked security for Tex-Mex food chains, I have so many questions.
Josh Vanhoose:
It’s all about the free Mexican food.
Chrystal Taylor:
Yeah. Since you brought it up, let’s start there. How did you get into security in the first place?
Josh Vanhoose:
So I started probably my security journey pretty young. I worked for my own high school after graduation doing cybersecurity and IT, kind of general IT work, and in that role I was able to tinker around a lot. You get a lot of downtime when you work for a high school and that’s where I really found that interest. On top of that, my uncle is a doctor in computer science and specializes in cybersecurity. So he started me very young, and I didn’t really go to school until much later, probably about 25. Went back and got a computer science degree and then started my real security journey there. Started at the Texas General Land Office of Texas and did a lot of GRC focused work for policy and for [inaudible 00:02:09]-
Sean Sebring:
For the audience, not me. What’s GRC?
Josh Vanhoose:
GRC is governance, risk, compliance. It’s more the policy work, audit work that you’ll see in SecOps. A lot of work around writing policy and that’s the big piece there. And the other big piece would definitely be your compliance piece, something that we all have to deal with in all industries. So did that and then went to Chuy’s Tex-Mex and did PCI security, which is payment card industry, and did a lot of more policy focused work and tech work there. But that was a small team, so you got to really hop around a lot of different domains within security, which was really fun.
Chrystal Taylor:
You said something there which I kind of want to ask about, which is that you didn’t go get your degree until a little bit later. And just because I’m always curious, because I don’t have a college degree and I’m constantly talking about how I don’t think it should be necessary for a lot of roles. How do you think that it’s helped you going back to get your college degree a little bit later when you were already in your career?
Josh Vanhoose:
So I went and just got a two-year associates. I really just wanted to get something to get my career going. A lot of what I learned in school was directly contradictory to what I had seen in the real world and I continue to see that as a theme. I’m studying for a certification right now and I made a joke with our CISO that you’ve got to remember the real world application and then what the textbooks want you to learn. And when you go to take the test, it’s going to be about what the textbook wants you to learn. Whereas when you get into a real world situation, a lot of those techniques don’t work. So you have to really understand the business that you’re working with, the risk appetite, the culture and what you can do. A great example of that with Chuy’s was everything was really focused at keep the manager off the back computer.
Josh Vanhoose:
The manager should be on the floor of the restaurant helping the restaurant. So if you come up with a process or some piece of technology and you want the manager to do it, you’re doing it the wrong way. You have to go back and re-engineer your solution to keep them off the computer. So culture was a big aspect there. Real world experience is always going to be the best teacher and having your degree, especially if you’re talking about like a four-year, it’s great to teach you the technical principles and the technology and the terminology. But until you get in and have to hook up a port or have to hook up a firewall or have to do these things, it’s two different worlds.
Sean Sebring:
I have a question for you then, and I think this is great. I’m a bit jealous because my best friend, Ryan, he’s in security as well. He has a lot of our friends that are interested in career changes saying, “Ooh, I want to get into cybersecurity.” I’m like, “What about what I do, is my career… I’m doing well, do you guys not want…” Anyway, point is, my petty jealousness aside, for those friends that are saying, “I kind of want to do a career shift, I want to get into cybersecurity.” What would you recommend is the best first step, especially if they’re doing a completely different trade. For example, one buddy of mine, I’m talking about Will, he is a site project manager for construction, specifically electrical. So almost no IT except to do his specific types of paperwork on a computer. So where would he start?
Josh Vanhoose:
So I tell a lot of people, Google has some entry level certifications that are free. There’s a help desk certification, there’s things like that. But the number one thing I tell people is figure out what you want to do. If you are in security, it’s a very broad industry. Do you want to be a pentester? Well, if that’s the case, you should really start learning all the technical pieces and that’s going to take a lot of work. Especially that shift where you’re going from a manual labor or in-person or on-site job to this highly technical, highly nuanced role, that’s going to be a really hard transition. But when people are like, “Oh, I’m an office manager and I manage a team of people,” look at GRC, look at auditor, those tend to be roles that’ll transition pretty easily. On the other side of it, maybe you have a background in IT, maybe you have a background in networking.
Josh Vanhoose:
Moving to a SOC tends to be very easy and SOC is a security operation center. You’re going to be monitoring logs, monitoring devices, understanding what risky traffic looks like. So it really depends on what you want to do. And even my mentees that are here at SolarWinds come to me with the exact same question of like, “Where am I going?” Where do you want to be? That’s really what you have to bring to me first before I can help you set that course.
Josh Vanhoose:
I have friends that have gone from project management into security. They tend to make very good managers once they understand the technical pieces. So that’s where I would tell people, start with some lower level certs, get a feel for the domains and what each kind of does. Then you can start to know where you’re going to be a rock star. My nephew, funny story, came to me and was like, “I want to get into IT, should I do security?” And I said, “No, you should not.” Because he loves to be the hero. He loves to be the guy that’s like everyone likes him, he’s very sociable and he’s very sweet. If he went into security, it would destroy him because you’re often not the good guy and you’re often the guy that’s bringing bad news. So find the role that fits your personality and your desires.
Chrystal Taylor:
I think that’s a really good point that there’s a lot inside of the security discipline even, even in IT, right? Like you don’t necessarily think about all of the different aspects of security. Everyone thinks, “Well, there’s a skill shortage,” right? You’ll see it all over the place. There’s a skill shortage in cybersecurity, but what does that mean? Are we lacking pentesters? Are we like… We don’t even know. I could name three security roles maybe. I don’t know. You’ve been talking about more than I knew, like to the 10 minutes before this I didn’t know some of this existed.
Chrystal Taylor:
So there’s extreme lack of knowledge of what roles are even available that you would want to get into to explore. And I want to bring up, you said to get some entry-level certifications and only because my brother just went through this. If you were in the military and you have left the military, they do have programs that will take you basically through boot camps for security certifications. And it’s like two to six weeks for each one, and really slam you through it, but it really will give you a jump start to getting your certifications.
Chrystal Taylor:
So if you’re in the military, go explore those programs and take advantage. You don’t have to go get a college degree, you can just go for the certifications and that will get you a step in the door. He just entered cybersecurity, so I’m really excited for him. He finally got in there. But yeah, he does something completely different. He works for the banking industry doing risk assessments, so that is a completely different discipline. So I’ve learned more about I think cybersecurity disciplines than I previously ever knew in the last year just from my brother going through all of that, the boot camps and stuff.
Chrystal Taylor:
So keep an eye out for those things. I think that there is a lot of incredibly valuable information out there, even the free information, make sure you’re validating that the information is trustworthy. But there are certainly options to explore maybe with the pathways before you get into, “I want to go for a certification,” check out some of the free resources to see what they even do.
Josh Vanhoose:
And on that note, I would highly recommend going to your local security conference, especially if it’s a smaller one. There’s a bunch of them called BSides, and you’ll have BSides Austin, BSides Albuquerque, BSides San Antonio. Check out one of those and often they’ll have an area at the conference for mentorship where you can just sit down and talk to someone that’s been in the industry 15 years. And they can kind of run you through real high level, what each group does and what each role does. And then you can sit in on some sessions and hear people that are actively working in security and kind of the projects they’re working on. And you can get a feel for it. Because I’ve walked into a cryptography session at RSA, which is a huge cybersecurity conference, wildly over my head, wildly, like they’re talking about advanced math and theoretical math.
Josh Vanhoose:
And I was still able to walk away with that, like empowered with some knowledge on better cryptography approaches and things I should be looking at. But if a brand new person walked into that, you’d immediately be like, “Well, okay, I’m not going into cryptography. I don’t have a background in non-Euclidean math.” But if you’re at these smaller conferences, you might walk in and see someone being like, “If you want to pentest something, here’s how you can get started, here’s how you set up Burp Suite, here’s how you set up Fiddler.” And these are all tools for intercepting traffic and analyzing it on the web. So you’ll see a big spread there that’ll give you an idea of what you can start looking into.
Sean Sebring:
I’m going to ask from an ignorant perspective, but I would assume that in, let’s just make up an arbitrary number, in the last 10 years, getting into a security role may be easier because more things are application-based nowadays. That’s just an assumption because again, another example is a lot of SD-WAN, for example, even network management is now application-based in some respects. So because it’s application-based, we’re very visual and kind of app-oriented people now in 2024. I would imagine that an entry level position is way easier to start in and potentially even requires just less actual background knowledge before you would start. Would you say that’s fair enough? True, false?
Josh Vanhoose:
I would say that’s fair enough in your core security disciplines. And when I say core security disciplines, I mean vulnerability management, security operations center and GRC. You’ll see those three groups at most places that have a security department. It’s not until you get into specialty fields like software development or defense where you’ll start to see more advanced roles like pentesting, cloud security. For those core disciplines, absolutely right. Those are much easier to get into when you have this very mature tool set that you can go and deploy in your network. And have some basic understanding of IT and software engineering, computer engineering, things like that. If you have a basic understanding of those, you can get into it very quickly. When you get into things like application testing, that is a different story.
Josh Vanhoose:
You really need to have some background in software development. You really need to understand those concepts before you move into those. You’ll see a lot of bug bounty hunters and a lot of pentesters online. They’ll point a scanner at something and then just be like, “Well, this is the report and this is what I’m going with.” But then you’ll go talk to some of the best bug bounty hunters and you’ll be at DEFCON, which is a huge security conference. You’ll be at those. And they’re like, “I don’t even use those tools, I’m doing everything by hand.” And those are the people that are finding the really critical, real-world risk vulnerabilities, things that are like process and business logic flaws; a scanner’s not going to find that for you. So for those core principles I think, or for those core pillars, I think you’re a hundred percent right. The transition over to application-based security functions makes it a lot easier to jump into.
Chrystal Taylor:
While we’re on the topic of learning and getting into the industry, and you mentioned there are tools. We previously had a conversation for THWACKcamp where you mentioned a variety of different tools and there’s a lot of low-cost or no-cost options. And I think right now if you’re in your learning journey, is the time to test out sort of those low/no-cost options, like knowing what are available. So do you have any recommendations for people who are in their learning journey for that kind of thing? What to look for, those types of things.
Josh Vanhoose:
So you really just want to keep an eye on the open-source projects that are out there. Those are always going to be easy to get into, easy to attain. And then there’s going to be some big names that have been around the industry for a long time. Like Rapid7 has Metasploit and Nexpose, which are their free tool set. Metasploit is incredibly famous. If you’ve done any pentesting, you will definitely know that name. Nexpose is their open-source vulnerability management solution that can do infrastructure scanning. So if you have a home lab or maybe an AWS lab that you are experimenting in, you can run those tools for free within your lab space. And there are also tools like OpenVAS is another one and Nessus is another one that has open source versions. When you get into some of the more advanced versions, advanced software sets like Defender for Endpoint, it’s going to be a lot harder to test those out.
Josh Vanhoose:
So for instance, if you are trying to learn how to write malware for instance, so for an engagement and you’re trying to bypass antivirus, getting a copy of E5 Defender for Endpoint is going to be really hard and really expensive for a solo person to do. But you can go out and use VirusTotals, which has the signature databases on the backend for those tools and see how VirusTotals handles it. And that’s a great place to start. I would also say spend the 20 bucks a month to get a home lab. That is a great way to start. You can get them from AWS, from Azure are the two easiest. I have a home lab with Azure. I think it rents me about $10 a month.
Josh Vanhoose:
I’ve used it to bypass things like MAC, which is a network access control. I’ve used it to test out security features at home before I recommend them here at the office. And I keep that as my personal lab so I don’t get reimbursed for it, but it’s not that much. And if you’re trying to learn… If you’re planning to go take a $3,000 test, which some of these certification tests are that expensive, 20 bucks a month to really test out and get some real hands-on experience is well worth the time.
Chrystal Taylor:
And if you need to add some false network data and traffic, you can look at tools like GNS3, which is a tool that you can create fake trails of network equipment. Because at home I don’t have a bunch of different network devices, but if you need that for your testing, there are definitely options out there to flesh out your lab. So it looks more like a real environment.
Josh Vanhoose:
Absolutely, and if you go to these conferences that I was mentioning earlier, a lot of them will have open bug bounty hunts there or they’ll have hackathons there, with that equipment that you can’t find anywhere else. A great example was two years ago at DEFCON, they had a challenge called, “Hack the satellite.” I’m never going to be able to afford satellite transmission equipment besides my Starlink connection. But they actually had everything there available for you and you were able to do the satellite tracking telemetry for the navy and show how hackers can actually go out and do these things themselves. So go to those conferences. Again, I cannot stress how useful those can be. Even my own team with our managers will ask me, “How are you getting all these connections?” Man, I go to conferences, I go and I sit and I talk to people.
Chrystal Taylor:
We’ve had conversations before Josh about humanizing security and you mentioned earlier that you recommended your nephew not get into cybersecurity because he likes to be the hero. So let’s dive into that a little bit more. There is a mythos around security, even in IT circles, if you’re not in security that security is an inconvenience or a lot of red tape or the people that work in security are grumpy, and they’re not nice and they’re not trying to help you. But I know from having many chats with you that that is not true. So can you illuminate, I guess, a little bit further what you would recommend to people outside security? Maybe they’re in non-security roles, maybe they’re non-technical roles, like if they have this kind of view of security, what you would like to say to those people?
Josh Vanhoose:
What I would love to say to those people is talk to us, talk to me about your business process, talk to me about what you find risky in your day-to-day activity. I’m always going to come to the table with some sort of ideas or, “Oh, I think this is a risk,” but often just talking to your customers can get you a long way to understanding the role far better than you ever did. One of my earlier bosses once told me, “Knowing your job is good, knowing the business is great.” Knowing the business is that human aspect of it, of how does this all work together and how do I make us more secure without hindering us? And a lot of people lose that concept of, “I’m not here to block you, I’m here to enable you.” And I think if more people in security had that mindset of like, “I’m enabling you through security to do your job better,” that would help with that department of no.
Josh Vanhoose:
And I think I said this on our last talk was, my favorite thing to tell people is “I’m not going to tell you no, but I’m going to tell you not like that.” “If you have a business function and it’s a requirement, I hear you, but let’s put this authentication portal in front of it.” “But let’s monitor this.” It’s about enabling the business to do what they want, but building those guardrails and bumpers around it to keep it secure. I also come from… I waited tables for seven years. I come from a very customer-centric environment, a very customer-centric background, and I think that really helps. I think if people in security started viewing the organization as your customer and not this thing that you have to restrict, it changes your mindset.
Sean Sebring:
Chrystal and I will actually often in many of our podcasts say the best entry-level job for any role is customer service. Because it’s going to translate to your next role with so much more empathy, so much more understanding, and compassion. So love hearing that translates to security too.
Josh Vanhoose:
Yes, it absolutely does. And we have people, we have interns that have come in and they’ll ask me like, “Oh, what job should I be looking at?” I tell them the same thing every time, help desk. Get on the help desk, learn your customers, learn how it feels to be under that gun. Learn how it feels to actually be required to get up at wild different times and help customers. Because after you go through that, when you move up to higher roles, you start thinking about, “Oh, I don’t want to do that to the help desk.” “Oh, I don’t want to do that to my customer set.” And it changes how you approach your work, thinking about the customer first, thinking about your parallel departments and how this will affect them. And I think the more you do that, the more you show your business value, not just your security value.
Chrystal Taylor:
Yeah, humanizing everyone, right? Like you will work with a human. When it’s just a faceless entity, I don’t know this person, it’s just the security team telling me, “No, I can’t do this.” If you humanize them and you get to understand them a little bit, as Sean said, have empathy for what they’re going through. You mentioned earlier you don’t get to be the hero. I imagine that for a lot of people that is really hard if you were to work in a role like that. Even working in the help desk, you don’t always get to be the hero in the help desk.
Chrystal Taylor:
You do often get to be the hero for little minimal things in the help desk. Like, “Oh, I replaced a keyboard today, and that person was really happy.” So for the help desk, you’re going to get both sides of it. But I think that what you’re dancing around here is the importance of collaboration between departments. And for those of us that work in technical roles that are not security-focused, I have definitely begrudged security a time or two when I’m working on something, I’m trying to build something.
Chrystal Taylor:
I’m just trying to get this thing to work and there’s security protocols in my way and they don’t want to make changes and I can’t get the thing done. And that becomes more frustrating for me whenever they won’t work with you. Like you’re not explaining to me why I can’t do this thing. And like you said, if it’s a business need, that’s extra frustration heaped on my head if I’m the person trying to make this thing work. And you’re trying to work around it, and if neither party will work well with the other, you’re going to have problems. So being able to humanize the person on the other end of the line no matter what role you’re working in, but since we’re talking about security.
Chrystal Taylor:
I would say for me, personally, meeting you and getting to talk to you as much as I have in the last year has been really helpful for me humanizing the security department. And then also my brother going into cybersecurity also helped me a lot in humanizing security personnel and what they’re doing and what they’re having to deal with. And I imagine there’s a lot of frustration in dealing with end users sometimes that don’t want to work with you or aren’t very understanding.
Josh Vanhoose:
I am only doing my job. But I think you hit on something important there of telling them why. I was telling you all, I just got back from Poland and Czech Republic seeing our developers there, and I gave some presentations at all hands while I was on site. And one of the slides that I found very important was a slide that showed on the left a lot of work that I was asking them to do, a lot of work I’m asking them to do. And then on the right, it showed the business value of like, “Here’s why I want you to do this,” not just that you need to do it, but what do we get from this? And I think I’m a fairly rebellious person. Obviously, I didn’t go to college till late and I have issues with authority and all these other things. I will rarely do something because I’m told to just do it. It is just not in my nature as a person.
Josh Vanhoose:
So when I form my work and I start doing security architecture and architectural overlays and coordinating with different groups, I always try to be very clear on the why, why do we need to be doing this? And often what you’ll find is that the part that people… Well, what I have found, maybe others have different experience is the work that interfaces with other departments. So, “Oh, I need you to generate threat models so that data can feed back into a red team,” and then the data from the red team can feed into marketing. And then if marketing can feed into legal and it just kind of feeds everybody’s workflow, people seem to care the least about those. But when you paint that whole picture of, “Oh, when we do that and marketing releases these notes to the public that says, ‘Hey, we have this vulnerability,’ having that complete tail actually reduces work on your developers.”
Josh Vanhoose:
Now we’re not releasing an issue and now we have to scramble and get communications out and talk to legal and all these other things. When we do these processes correctly, it reduces that noise and actually frees up time for the developer. So when I can frame it like that to them and explain it like, “I’m actually helping you, you’re not just helping other departments,” they get much more interested in it immediately. So showing that business value tip to tail, so valuable.
Sean Sebring:
So what you’re saying is it’s like the thankless job of a parent to children of all ages where I’m not going to say no, but we should do it different. And yes, I have to explain why or I’m going to get asked a thousand times or you’re just going to grunt and not want to do it.
Josh Vanhoose:
That’s very, very close. That’s a great analogy of it. Thankfully for me, I do not have children. I don’t have to deal with that too often, but I do have to do that very often at work.
Sean Sebring:
And it’s children of all ages, right? I’ve supported employees where I have to explain the simplest thing and then some who just grunt and say, “Fine,” with attitude, but do it anyway. So I’m big on analogies here, so I’ve seen it.
Chrystal Taylor:
So we’ve talked a lot about the entry-level and the learning and all of that, but you’re pretty established in your career at this point. So do you have any advice for people who are kind of in the middle of their career and how not to limit themselves? You and I had a side conversation randomly at one point about going to conferences and you had to give a talk at one of the conferences and you didn’t want to do it. And I think that that for me speaks to the not limiting yourself, forcing yourself to go do the thing anyway, and the connections that you can make with that. So can you give some advice or speak a bit more about how do you progress your career past the entry level and not limit yourself to maybe one thing forever? Because most people don’t want to just do one thing forever.
Josh Vanhoose:
Yeah. So I would say the number one piece of advice I’d give anybody is to genuinely be curious about what your co-workers do. And I don’t mean like in IT, security and IT are so closely intertwined. You probably know what their day-to-day looks like, but get out and talk to people in marketing, talk to people in sales, talk to people in media. And figure out what they do because everyone is looking at their role through their specific lens. And the moment you start looking at other roles through other people’s lenses, you’ll start to understand how security is very intertwined with it. A lot of people will be like, “Oh, what is this specific group really, what’s their biggest risk and how is it on the scale of all of the risk in the company?” Well, to them it’s the biggest risk and be curious about that.
Josh Vanhoose:
So that’d be the number one thing I’d say. The other thing I’d say, and I tell my junior members this pretty often is go make a friend, go make an enemy. It doesn’t matter. Go outside of your role and meet someone. We all love to just sit in our little lane and do our job and that’s fine. But if you really want to grow as an individual, go expose yourself to new concepts. I grew up in a town, my graduating class at high school was 18 kids. It was very small.
Josh Vanhoose:
And if I would’ve stayed there, I would probably be somewhat similar to the person I was when I graduated, but I didn’t. I moved into a larger area, moved to Lubbock, and then I moved to Austin and I got exposed to so many new concepts and I got challenged on my beliefs and how I see the world. And without that, I would’ve not grown into the person I am today. And it’s very similar with your job. If you stick to status quo, you’ll never really change and you’ll never really grow. But by exposing yourself to different departments and different leaders and different types of thought, you’ll start to see a change in yourself.
Chrystal Taylor:
I don’t know why, but Michael Jackson’s Man in the Mirror is in my head now.
Josh Vanhoose:
You know what’s funny, one of my favorite bands is a metal band called Gojira, and they have a line in a song that says, “Change yourself is changing the world.” And that’s what that makes me think about is if you want to change your organization, you probably need to start with changing yourself.
Chrystal Taylor:
Well, it’s interesting, a couple of times now you’ve mentioned how important the company culture has been in your security roles. You mentioned the whole manager, you don’t want them ever to be in the back computer, earlier in one of your roles. And then just now, if you’re the one that’s making changes, you want to see changes at your company, make changes in yourself. So how important is it in staying on top of company culture? I know especially as we get into larger corporations, you can sometimes get lost in it if you’re not engaging with the company culture, and there are layers to it for sure. You don’t necessarily have to go to all the happy hours and all of the whatever nonsense that they’re doing this week, “There’s a party at…” “They’re painting pumpkins.” “They did that last week.” Like there is… You don’t have to necessarily participate in all of those things, but how do you stay on top of the company culture and adapt with it? Because it is necessary, unless you want to go somewhere else, to adapt with your company culture or to help change and form it.
Josh Vanhoose:
So we actively have a large project to influence security culture in SolarWinds more and really start to ingrain it more deeply, and we do that through several different initiatives. One of them was custom training. We all know and probably don’t like the annual compliance security training. It’s very boring. I am not the person that enjoys those things. So one thing we did was I personally met with the directors of all the departments and asked them the question I said earlier, like, “What do you think is security? What do you think is risk?” And then we built a training program around that, so that we’re addressing exactly the work you do, the exact workflow you go through, and gave you guidance on what really matters.
Josh Vanhoose:
I think that’s a great first step, and that was our director’s kind of idea of making this very custom-tuned set of training. I think that’s really a great start for most people, but to kind of counter the point you made of showing up to these things, I’m a firm believer if you want to change culture, you have to be a part of it. If you want to change it, you have to change yourself with being within it. So show up to the events, do podcasts with the teams, really get out there to where you humanize it. Whenever you think, “Oh, I’m going to click on this email,” you go, “Josh might be pretty pissed if I do that.” Or “Oh, Tim and Eric, they’d be really upset,” but if you don’t have that personal engagement, they’re not going to think of that. So I think it is important to show up to events and be a part of company culture if you want to do that, especially as a leader.
Chrystal Taylor:
To be clear, I just said you don’t have to go to every one.
Josh Vanhoose:
Not all of them. Yeah.
Chrystal Taylor:
There’s a lot-
Josh Vanhoose:
Maybe the major ones.
Chrystal Taylor:
… in corporate culture like “a lot,” a lot.
Josh Vanhoose:
But I think that’s really important, and we’re going to be doing a lot of stuff this year around all hands. We’re planning to do security all hands in 2025. I think I’m going to do another… teach-lockpicking session here at the office, where you can come in and I’ll show you the basics of picking locks. So we’re planning that. We’re planning a lot of engagements too to really show people why; it goes back to what we were saying. Show people why we want you to be thinking about these things. A big one is connecting to public Wi-Fi. Everyone hears, “Why? Why can’t you do that? Why shouldn’t you do that?” We’re planning an event to show people exactly how easy it is to sniff traffic. So if you are hooked up to public Wi-Fi, we’re going to show you on a big projector exactly what I can see as you do it.
Chrystal Taylor:
I love this. What you’re saying is that you have to… Like any other relationship, you have to make an effort.
Josh Vanhoose:
Yeah, I know that’s a wild concept for anybody. I’ve been married three years. Yeah, you’ve got to show up. You’ve got to show up and do stuff with each other. You’ve got to put effort into it because it won’t happen on its own. We are all worried about doing our jobs, and that’s fine, that’s your job. But if I, as a security leader, want you to care about something else, I have to give you a reason to care about something else. I have to interface with you and explain it to you, give you examples. If you don’t do that, people are just going to continue to do their job.
Sean Sebring:
Yeah, I agree. We’re all driven by our own feelings, perceptions. So it comes back to, “What’s in it for me?” Why would I care? Why would I want to? And I’m really hoping that you wear one of those 1940s burglar costumes when you host this lockpicking event. Just again, more human element. It would add to the event, in my opinion.
Chrystal Taylor:
Well, we expect pictures.
Josh Vanhoose:
Hey, you know what? I like the costume idea. I was going to just show up in my normal horror movie shirt, but I like the concept of maybe you jazz it up a little bit, make it a little more fun.
Chrystal Taylor:
At least like a half mask.
Sean Sebring:
Yeah, yeah, I mean you’re burglaring.
Josh Vanhoose:
So the last time we did this, everyone was just very shocked that I was teaching lockpicking. Everyone showed up and they’re like, “You’re doing what?”
Chrystal Taylor:
Well, I do have a follow-up question for all of this. There are quite a few companies out there these days that are remote first or a 90% remote workforce at this point. We’re not one of those companies, but we do have several fully remote employees, and one of the things that is really difficult for fully remote employees is making that connection back into the culture. So we’ve talked about, sort of, you have to make more of an effort, and it can be really challenging to kind of take yourself out of the box. I’ve worked remotely for 14 years now, and the challenge is that there’s not someone in your face talking to you about whatever’s going on. There’s not… Like in the office, they’ve got TVs and banners and there’s somebody walking by and, like, “What’s going on over there?” You’re hearing the noises and stuff, and when you have a remote culture, you don’t have those things.
Chrystal Taylor:
And something that helped me a lot at the last company that I worked for was we had dedicated non-work areas of our chat channels and stuff. Anybody could go in there and talk about anything, and we talked about movies and whatever. And I think that efforts have to be made differently in remote workforces in order to establish that connection to culture and actually form a culture beyond, “We just all work from home.” So do you have any advice for them, as we’re talking about changing culture and influencing the culture of a company? Do you have any advice for the companies where everyone they work with is also fully remote and they see each other once a year? What do you have for that?
Josh Vanhoose:
No one’s going to like this. Turn your camera on. Turn your camera on in meetings, let people see your face. Let people humanize the voice on the box. No one’s going to like that, but it is what it is. The second is we did exactly what you were talking about, where I have a social call set up for the entire SecOps team, including our GRC team. It’s once a month and it’s three hours. Drop in, drop out, however you can make it. If you can only make it for 10 minutes, that’s fine, whatever. The only rule is we can’t talk about work. It’s the only rule. I’m playing Silent Hill 2 right now. That will probably be the topic of conversation for me when it comes up. Other stuff is, me and our SecOps director are very avid campers and outdoorsmen, so we’ll talk about that often.
Josh Vanhoose:
But my favorite conversations are culture discussions. We’ve got teams in India, in the Philippines, Ireland, the Czech Republic. It’s really fun to sit and talk to the guys about what’s the next upcoming holiday. Something I’ve never heard of, probably. So I would say internal to your team, that’s real easy to do: set up that time. Remind your leaders that we are people and we should have a good time together sometimes. It shouldn’t all be serious all the time, because it gets real easy to end up in the situation you’re talking about, where you just work remote and you’re feeling like a function. So I think that’s good. On the bigger picture, across a large enterprise, I would say set up social events like hackathons or security meetups, and people often hear the term hackathon and they’re like, “Well, I’m not a hacker,” or “I’m not technical.” Think outside the box.
Josh Vanhoose:
Think about people bringing risk to you that is non-technical. We’re having a hackathon and the focus is spotting issues in media. I’m just pulling an example out of nowhere. Like, “Everybody, go on the website and look for something that you think might not be there, that maybe shouldn’t be there.” Maybe it’s an IP address in a background. Maybe it’s an image that was loaded that you think could have an issue with it. Think outside the box to get those teams more engaged, but do it with your camera on. Back to my first point, do it with your camera on so that people can start making a connection.
Josh Vanhoose:
I think doing those events and having them be across departments is a great way to bring in that engagement where maybe a person can’t necessarily come in. We were planning an event, which we’re still trying to figure out the technical pieces for, of Corporate Jeopardy, where we’re going to have a Jeopardy game and we’re going to invite multiple groups, or maybe make it an all-in situation where you can come in and, for appreciation points or for recognition, play this Jeopardy game with us. Do things like that. Again, to go back to, like, I’m not a standard authoritarian figure. I don’t like work-
Chrystal Taylor:
Who does.
Josh Vanhoose:
I would much rather have a good time than be serious. So find time to have fun with your co-workers. Find time to go out and do an event or do one online so that people feel more brought together. Anything you can do to make people feel like they’re not a function.
Chrystal Taylor:
As you said, make a friend or an enemy. That’s my favorite. I want to go make a new enemy.
Sean Sebring:
So this doesn’t have to be the last question, and you don’t have to only give one answer, but I’m going to ask it as if there is only one answer for you to give. To give you an example in context before I ask: in phishing campaigns or attempts, even just internal security ones, I have caught and also missed (don’t tell my security team) the “rn” trick, where “r” and “n” together look like an “m” in an email address. So that’s a super easy one when they’re doing phishing stuff, because it looks like it came from somebody, it looks like the right email address, with the “r” and the “n” together looking like an “m.” So they tricked me, because it’s not really the right email address. Something like that. What is your biggest simple security tip for the regular end-user?
Josh Vanhoose:
Don’t click the link, go to the site. So a great example is we just pushed out your standard end-user agreement, where you have to go and confirm that you read some policy. I did not click the link in the email to take me to it. I went and opened my browser, went to our HR site, and did the training from there. Same thing with Amazon, same thing with Microsoft, whatever it is: don’t trust the communication, but check the message. That’s what I’m kind of getting at. If you get an alert that you won a $500 gift card from Amazon, go to Amazon; you’ll have an alert there if it’s real. It’ll have that little pop-up in the corner with a bell, go check that. That is the best piece of advice I can give people for phishing: the email you got was never intended to be secure. That technology was never intended to be secure. So why would you trust it? Trust the sites that you know are valid and follow up there.
Chrystal Taylor:
I give that same advice to literally everyone I know, and that’s for phone calls and text messages and all kinds of other forms of communication. Because my mom called me one time in a panic that her bank had called her about this thing, and I was just like, “Call your bank back with the number you know, or check the app. Don’t give them anything. What are you doing?” And that’s frequently a thing, especially for people who are non-technical: they, by design, try to induce a panic in you, or an excitement, or something that’s going to make you have an emotional response that forces you to make a mistake and not question what they’re doing.
Chrystal Taylor:
So I agree, for any kind of phishing, I constantly… I’m glad, I feel validated right now because you said that. I’m constantly telling people the same thing. “Don’t click on that stuff. Don’t check it.”
Sean Sebring:
Trust no one.
Chrystal Taylor:
I have been gotten one time by one of our phishing things here, and it was probably one of the letter swaps, where it’s like a Cyrillic letter instead of the English keyboard letter or something like that. But only one time; every other time I get it, and I get such satisfaction out of the follow-up email that’s like, “Congrats, you got it.”
Sean Sebring:
Man, I got caught one time-
Chrystal Taylor:
It’s like a game.
Sean Sebring:
… while trying to be a good boy. I went to right-click on the link to inspect the link, but even that in our phishing campaign still triggered the, “Uh-oh, you have to take another compliance.” So I was being cautious. I was going to check out what the link was and then go to said site, but I got got, and I’m a little sore on it, a ding in my reputation.
Josh Vanhoose:
We recently have seen some no-click malware from phishing, where it’ll load a GIF and then that will end up triggering a URL link and a bunch of backend issues. So as the landscape evolves, we have to evolve with it. I get it’s pretty, and there are these marketing pieces and these colorful interactions and animations, but sometimes you need to be a little skeptical of that. Check the email they came from first and then go from there. And in the example of what we recently saw, highly sophisticated: compromised a company’s email, sent it from the actual company’s email, had no-click malware in it. Very advanced.
Josh Vanhoose:
It was a great campaign and it got some people, but we were able to effectively respond to it in time and had no real issues. But as you see the landscape evolve, having that mentality of, “Oh, I got an email from Amazon. Let me go check Amazon. I’m not even going to open the email.” That type of mentality is going to have to be more of a part of our culture, not just as a company but as a society.
Chrystal Taylor:
Thank you for joining us. I hope that this is going to be a multi-part series where we dive into security, like every time we talk to you, we have a different, deeper conversation about security. Because I get to learn during these things, and I enjoy that. As you said, having a passion for learning things is, like, A, a lot of IT people have that already. They like learning, they like taking things apart and putting them back together. And you have that energy to try and learn things, and we’re always trying to grow our world experience. I’m probably never going to go into a security field myself, but I like learning about it. I have what I like to say is an enthusiasm for security. I am enthusiastic about it, but I am not an expert.
Josh Vanhoose:
I’ve found myself in that boat of I’m really becoming interested in the business aspect and how business works and how all of this kind of moves and flows together. And it really has not only helped me move up in an organization, but it also helps me do my job better. So often what I’ll learn is, similarly, you’re like, “I’m a security enthusiast, but I’m not a professional.” That’s fine, and that’s fantastic, to be honest. You’ll learn how to be more secure just by the inherent interest. So I highly encourage people to, again, be curious about what everybody’s doing around you, and you will definitely change how you look at your role and how you affect your organization if you do it that way.
Chrystal Taylor:
And thank you, listeners, for joining us for another SolarWinds TechPod. If you haven’t already, rate and subscribe to us wherever you listen to your podcasts. Talk to you next time.