Global CISO Forum Podcast

Cecil Payne - Director Security Operations Engineering at The Home Depot

EC-Council

Join us for a conversation with Cecil Payne, Director of Security Operations Engineering at The Home Depot, where we talk cybersecurity career progression, diversity, and the skills gap!

Announcer:                   Welcome to the Global CISO Forum, the podcast for information security executives.

Amber Pedroncel...:      Welcome to the Global CISO Forum podcast. I'm your host, Amber Pedroncelli. With me today is Cecil Payne. He is the director of security operations engineering at The Home Depot. Welcome, Cecil.

Cecil Payne:                  Thank you, Amber. Thank you for having me on your podcast.

Amber Pedroncel...:      Well, it's so great to have you. EC-Council is sort of starting continuing a relationship with The Home Depot. You guys were a great sponsor of ours at our last Hacker Halted, so we're thrilled to have you on the show. And I'm thrilled to have you on the show for other reasons as well, because you are obviously an accomplished security practitioner and I was wondering what kind of advice you had for our audience.

                                    So, tell me a little bit about your history in security, how you got into cyber and how you got to be a director, at The Home Depot, of security engineering.

Cecil Payne:                  Wow, that's a long path. I started in IT as a lot of security practitioners start in IT, administrative or in development. So, I was an admin at an RBOC, or a telephone company. This was... Wow... dating myself a lot, but this was up until 2002 or so. And I moved into digital forensics and support of the legal department of that company. And from there, after I left that company, I went to Digital Forensics Consulting House, and I traveled all around the country doing electronic discovery, collections, investigations with respect to computer forensics. I left there after I got married and settled in DC. I'm in Atlanta, I'm local to Atlanta now. I was local to Atlanta at that time too. And in the DC Metro area, I worked for another forensics electronic discovery company and ran some computer forensic labs across the country. We had four labs across the country. And from there, I moved to The Home Depot and this was 2012 and joined their computer forensics department, which was embedded in their security department.

                                    So, that gets me to Home Depot, and it's nine years. So I started off obviously doing computer forensics for Home Depot and I transitioned to an operations and engineering role within Home Depot, and that was also in cyber. And from there, I moved to various different teams across cyber, or IT security at the time, we're called cyber now. That allowed me to have a lot of experience in IAM, operations, the SOC, just all the different domains within cyber. I moved around and supported them or worked with them. And that was, I guess, about 2015 or so where I was bouncing around. And I moved back to computer forensics in 2016 permanently. Because before... Well, there's really nothing permanent in our careers, so I was in computer forensics around 2016. I started working with an EDR technology that Home Depot had acquired. And then from there, I moved to another assessment role, I already had that in the past. And from there I moved on to vulnerability management and that was the previous stop to now being a director in cyber.

Amber Pedroncel...:      That's cool.

                                    And you say that your journey's kind of typical in that you started in IT, but I don't think I've talked to somebody before that started in forensics and specialized so much in forensics. How did you get into that and does that just interest you in a way that other parts of security don't as much, because it's always been fascinating to me?

Cecil Payne:                  It still is fascinating to me. It was a natural fit. I spent a lot of time in my admin days and in life taking things apart, putting them back together, trying to figure out how things worked. And as I worked with the law department at the telephone company, from an admin perspective, my name came up as, "Hey, we need a forensics person. We need to do collections." And at the time, this is 2004 when it really solidified as I had an official forensics position, I'd been doing these data collections since 1999, before there was a defined practice. And in support of the law department, they sent me to training, to computer forensics training. I was amazed. I was so happy. I was reading the books. It was amazing to me.

                                    I was so engaged in the class that the instructor pulled me aside and asked me if I wanted to come work for them. I was just like, "No." It was an amazing opportunity, but here I had my current employer committed to me, sending me to this training to progress their program. So, I couldn't do it. I stuck with my current employer. But years later, I actually went back to that company with that offer. And it pretty much sat on the table. When I realized that I wanted to go work in that field, I called them and said, "Hey, are there any opportunities?" And their response was, "Send me your resume. When do you want to start?"

Amber Pedroncel...:      Wow. Okay. So, as someone who works for EC-Council, I just need to highlight sending an employee to training created loyalty, opened up new possibilities and made you better at your job. So, everyone, send your employees to training. It's great for everyone.

Cecil Payne:                  Yes. Yes, that's what started me. And after that, I went to multiple training classes but I'm very loyal to my employers. They take care of me, I take care of them. But that was, I guess, my first fork in the road into forensics. I kind of went the long path, because being in corporate and working in forensics, you pretty much see the same thing day in, day out. As a consultant, it's more like you have a parachute on your back and you jump into one site and it's a completely different environment. And you're maybe there for a few days, or two or three weeks, then you leave and you go to the next engagement and it's completely different. So, I've been all across the country, coast to coast, north to south, east to west, and I haven't seen similar environments. We use similar technology, but just the way people operate, the way they engage with their consultants and their vendors and their employees, it's different company to company. I learned a lot. It was a pretty exciting time in my life. Traveled a lot, that's not fun.

Amber Pedroncel...:      Well, yeah, probably less and less last couple of years.

                                    Are you interested in staying in engineering, is that where you see your path?

Cecil Payne:                  For now, yes. And I say for now yes, because I've moved around security so much, there's so many interesting things to do all across cyber that it's always an amazing journey day to day. So, for now, I am satisfied, happy, excited every day to wake up and get engaged with the engineering challenges that we have and solving for those, but who knows what tomorrow brings? Something may crop up someplace else and someone may say, "Hey, we need some help here." And I'm more than happy to go and help wherever I can.

Amber Pedroncel...:      Well, that's a really great answer.

                                    So, you're very accomplished, you've done so much in your career already, what are your goals going forward?

Cecil Payne:                  So, I'm going to challenge you on the accomplished thing, I'm pretty humble about some of the things that I've done and I've worked on, and the things that I've been involved with. I don't see myself as being accomplished, it's more just like responsible. I like working with Home Depot associates and our vendors, and I don't see myself as having risen to a level that I can say, "Hey, I am accomplished." There's just so much to learn, so much to do. And I know and work with some amazing and smart people that I learn every day. So I couldn't wake up and say, "Hey, I'm accomplished." I think I wake up and say, "I accomplished that." But there's just so much more to do because we, as a security industry, just have so much further to go and so much to learn from different parts of IT and from different parts of the businesses that we support, that I would never wake up and say, "I'm an accomplished individual." I'm still working on it [crosstalk].

Amber Pedroncel...:      It's the journey. Yeah.

Cecil Payne:                  Yes.

Amber Pedroncel...:      That's great.

                                    So, what are you still working on? What do you see in the future? What are your goals? What do you want to do?

Cecil Payne:                  So, from a career perspective, I would like to continue to grow. I know engineering very well because I've been in the space for a long time. I would see myself wanting to learn a lot more about risk and compliance. And we have an amazing leader, [Elise]. If we were to use the word accomplished, I know what I am not, and I know where she is, and I would like to just get to maybe like 30% of her knowledge and abilities. So I see myself branching off and learning more about that space. We also have some other amazing leaders in our IAM and engagement areas in cyber, and I see what they're doing. I hear them talk about what they're doing, and I'm always fascinated and I just want to learn more. That's my goal is, just to branch out.

                                    And I say this about security vendors, security vendors tend to have a core set of functionality and they branch. It's like you look at them and they're best of breed in a specific area. But as they try and diversify, they're not that good in the other areas to the left and to the right of them. But they start to get better and they take their brilliance in the area that they excel in, and they try and focus that into the other areas. I see myself with that too, as I look at all the areas that I've worked in, but I happen to be lucky enough to work with some folks that are very skilled and adept in those areas and just to continue to learn from them and grow in those areas.

Amber Pedroncel...:      Wow, that's great.

                                    So, you've been at Home Depot, it'll be 10 years next year, how have you seen security... And you don't have to speak specifically to Home Depot, but security in general, how have you seen it change over the last decade?

Cecil Payne:                  It's matured. I would say the biggest thing in security right now, I think, are the budgets. Companies are spending a lot on their security programs and they expect a lot of those security programs. So over the past 10 years, it's the level of maturity and skill sets that I see candidates bringing to the table as they join the company. It's the interest that I see in security specifically, folks want to be involved. They want to get engaged and help, and it's a never ending battle. I know that tomorrow will bring a new set of challenges in the security space. And I want to highlight for your listeners that those challenges, if you don't understand them, they are a click away in reading and learning. And everyone faces those challenges in learning, even people well versed in security have to learn and rise to the occasion to understand a new set of challenges. That level of interest I see is much different today than it was 10 years ago, and it's more defined today than it was 10 years ago.

Amber Pedroncel...:      Right. And so with that, it's kind of mainstreaming of security almost, are you seeing a more educated, a better prepared end user? Like, has that gotten easier? Because we always talk about that's the biggest problem, the biggest hole in our security is the end users clicking on stuff. Has the needle moved at all on that, or are we still in the same place?

Cecil Payne:                  It has. So comparing 10, 15 years ago, people received emails. They clicked links. They would receive phone calls and provide information. The security programs now have a much more mature awareness facility. And as part of that awareness in communicating to our end user community, these are the things to look for, these are the things to be suspicious of, that has helped. So, you see end user awareness. And then 10 years ago, 15 years ago, the level of threats that companies faced looked different to what people saw when they went home and they were on their ISP or America Online, if you go far enough back, but that's kind of merged. That threat landscape really applies to both environments. I get spam messages on my personal email and I get them at work.

                                    So, between those two, the awareness and just the ubiquity of the threats that have moved across the landscape, has forced the education of users. If your company doesn't have a good awareness program, start one. But if you do, that awareness that happens at work goes home and it's shared with family members and friends, and you help the community.

Amber Pedroncel...:      Yeah. I mean, just trying to make the criminals' job harder and harder seems to be the goal. And you're right, I mean, now we don't have the same level of people clicking on stuff, but there's some of that still. And I'm not sure we'll ever truly get rid of it, but...

Cecil Payne:                  Over the years, I have spoken to friends, colleagues and I have heard the horror stories of, "My wife clicked this...", or, "My kid did this...", or, "Someone in the company clicked this. Someone left something exposed on the internet and the bad guys got in and got into the company, and they deleted, and spread ransomware." It happens, right? Like hygiene and awareness go hand-in-hand.

Amber Pedroncel...:      Right.

Cecil Payne:                  We're all in this together. So, most companies have a security department, but most companies don't look at their end users as being responsible for IT or identity access management. But a lot of companies look at their user population as also being part of their security department and being responsible for security, because it really starts with their behavior and their actions. And it's the same for Home Depot, it's a big priority for us.

Amber Pedroncel...:      Yeah. So what's your favorite part of your role at Home Depot? What gets you the most excited to get up and probably get into your home office most likely?

Cecil Payne:                  Home office, what gets me most excited, working with the different teams and solving for complex things. I leave my office after however much time, and sometimes it's 10 hours, sometimes it's eight, sometimes it's 12. I know I had a really good day when I leave my office after eight hours and I am tired, because it means that I've been mentally engaged in solving for issues all day long. You can be physically tired by... I could sit in this chair for 15 or 20 hours and just get tired from that. But eight hours engaged with some of the most brilliant people in the industry, solving for security challenges, be it in the cloud or at the desktop level, that excites me day in, day out.

Amber Pedroncel...:      Very cool.

                                    So, we have this purported skills gap going on, endless articles have been written about it, we don't have enough cybersecurity professionals geared up ready to go to fill all these needs that we have. It's just an exploding industry. Do you have any solutions, how do you see the future of cybersecurity unfolding?

Cecil Payne:                  I'll tackle the, "Do I have any solutions and how I see the future unfolding?" And I'll use an analog. Years ago when technology was expanding and there weren't these dedicated security departments and technology, like IT was just IT. It was looked at as this one big thing that solved for every computer related issue. There were different levels of engineering, and you had help desk and you had admins and something in between. Security hasn't really gotten to that point yet where it's been commoditized. It's still highly specialized. And the question is, how do you solve for that? And there's a skills gap that people talk about, "I need someone that is skilled in IAM", or, "I need someone that is skilled in Linux, or understanding file systems, or for file integrity monitoring. I need that skillset. Give me, give me, give me." If we continue to look for people with that skillset, we are going to be fishing in a diminishing pool because there's not a lot of them.

                                    The solution that I'm embracing is a tiered model, and you can look at it from like a pyramid model where there is a skillset at the bottom of the pyramid that you can fill with a lot of folks. And as you go up, you get into the highly specialized. And the challenge is how do you deal with the bottom of the pyramid? And my solution that my team and I have kind of hashed out is what I call routine items. Security is focused on securing the environment, but it still relies on technology and the same processes that have been hard fought and learned in IT in general.

                                    So following along with that thread, if I can define tasks that people have to do at that bottom of the pyramid, I can create entry points for people moving into security, into technology. Because if I say every day or every other day... and I call them routine tasks, daily, weekly, bi-weekly, monthly, quarterly, bi-annually, yearly type tasks that people have to do. If I can define what those tasks are, I don't need a highly qualified fish out of that very small pool. I can use resources like interns, people new to the industry, to really help in that space. And a lot of what we do day to day in security is maintaining the systems that we have that are in place to guard the company, while also trying to expand that capability.

                                    So, that maintenance of those systems is the same thing that's happened in other parts of information technology for the longest time, and that's where the skill sets grow. You get folks that come in and they start, and they're doing these routine type tasks day in, day out. Within six months, they're an expert and they're looking to move up. They're hungry, they're looking for other opportunities in the department. And now you've created a path for success for someone to go from having a low skillset to a very specialized or high skillset organically to your organization, instead of having to continue to try and look for someone in this diminishing pool.

Amber Pedroncel...:      That's a good point, because I think as security gets more formalized and more established, it can seem like you need a bachelor's in this and then a bunch of certifications. But the method that you just outlined, it's like, no, you actually just need knowledge and on-the-job training.

Cecil Payne:                  Yes.

Amber Pedroncel...:      And that's a good way to recruit people in who maybe didn't start out... I mean, who actually knows what they want to do with the rest of their lives when they're 18?

Cecil Payne:                  I didn't.

Amber Pedroncel...:      I mean, it's a guess. It's a shot in the dark.

                                    Yeah, yeah. I mean anthropology degree here. So it's getting people in who might have the right skillsets or the right interest, that seems like a great way to do it.

                                    And you have kids, right?

Cecil Payne:                  I have two kids, yes. A boy and a girl.

Amber Pedroncel...:      Yeah. So, are they interested in this? Are they thinking about a career in cyber?

Cecil Payne:                  My son freaks me out when he's doing these hacker test websites, or playing games that have him hacking. My daughter freaks me out when I see her bypassing things like screen time on her iPad.

Amber Pedroncel...:      Mm, okay.

Cecil Payne:                  She plays games and there's a pretty popular game called Roblox, and she's always, "Daddy, come play with me." And I remember playing with her once and there was a door that had to be unlocked. It could only unlock it from inside the room. And she rotated her camera and pressed a button from the other side of the room, and the game hadn't built-in logic to detect where the button was being pressed from. It registered the button was being pressed, and she figured that out. She was maybe like five or six.

Amber Pedroncel...:      Oh, wow.

Cecil Payne:                  So they are interested. And I see them just taking the concepts of thinking outside the box to another level in their day-to-day activities. And of course, they're on their computers, they're on their devices a lot and just problem solving, and just thinking differently. And that is kind of one of the hallmarks of folks that want to get into security and that stick with security. So, they're good at problem solving and looking at things differently than others.

Amber Pedroncel...:      Yeah, that sounds really promising. And I mean, I'm sure your kids are amazing, but the things that you've just said aren't super unique. This generation is kind of full of kids that have grown up that way.

Cecil Payne:                  Yes.

Amber Pedroncel...:      And so what they need is encouragement and some guidance. And obviously, with you as their dad, they'll get that.

                                    Do you see that they have ample opportunities? Is that something that's kind of built into kids' experience nowadays where they are shown this kind of path or what they could do in the future?

Cecil Payne:                  There are ample opportunities out there. I think it's a responsibility of mentors, parents, guardians to drive their kids into those directions if they're interested, or to provide the opportunity, to give it to them, to pick them up and drop them off at the programming class, or put them in the camp that they can express their interest in different things. And it's also our responsibility to kind of test their edges, push their comfort level... "You're in a robotics camp this week in the summer." "But I don't know anything about robotics." "Well, you come back and tell me. I don't know either." And the smile or just the face that you see when they come back and it's like, "Today, we flew a drone and we did this, and we learned the difference." And the day before, you didn't have that knowledge, but just providing the avenue for the learning is going to be key.

                                    Because again, as you mentioned, the entire generation now is pretty much starting off at the same level set and acceptance in use of technology. As they start to mature and express interest in technology, as some do and some don't, just building those neurons and those mental pathways at an early age that shows how to problem solve, how to figure out different things. They're either going to lead them to being great technologists in the future or break something, because the skills that you develop, they can be applied almost anywhere.

Amber Pedroncel...:      And so you have a boy and a girl... women in security has been a problem since the dawn of time. Do you see any differences in the access they have to things, or is that going to be better in this next generation?

Cecil Payne:                  It's going to be better in the next generation, I say that because I really hope it is. And it's a pretty emotional topic for me, I want to see my daughter have the same opportunities that my son would have or I would've had, and those opportunities not to be denied because of her gender. That's a big thing for me. So, talking to her about technology and pushing her with technology... I don't want to poison the field by, "My dad just kept talking to me about this and pushing me with this, and I'm so tired of it." But the interest that she has, just fostering it. And I see women in cyber as being like a critical path for leveling the playing field. And I'm a big advocate for that and I always have these ideas on how do we do this? If you're recruiting and you want more women as part of your recruitment efforts, could we recruit from an all-female school? I guarantee you, you'll have a 100% success in getting a female, all-females, if you go to an all-female school and look for folks that are interested in cyber.

                                    Because the routine task thing that I spoke about earlier, people will pull away from an industry in a male dominated industry because they don't have the skillset. But if they are shown and they're told that it doesn't make a difference what you know, or, hey, you understand that you can spell TCP/IP and you know this, you know how to log into the computer, let's take it to the next level. And this is how we will get you there. If we can show that path, we can start filling in those gaps.

                                    And the amazing thing about cyber is that we have some amazing female leaders and I see them working on the cyber security women's council and the initiatives that they're doing, but they can't do it alone. This has to be an intentional effort by all leaders to ensure that these gaps don't exist for the future generation, for our kids, for diversity. Being able to look at things differently, it's going to be key and critical to us being able to defend our companies in the future.

Amber Pedroncel...:      Right. I mean, and it goes back to the skills gap conversation, as you were saying, I mean, if we're continuing to recruit and promote and hire the same people from the same pool, like you said, there's not enough obviously and that's how we ended up here in the first place. So I really like your advice about recruiting from an all-women's school. I mean, if you're serious about it, then that seems to be sort of a no-brainer. And yeah, I love your passion on this issue. And obviously, it's one of the reasons that we've enjoyed partnering with The Home Depot on our different initiatives.

                                    And I would just want to thank you for coming on to talk about it, and it's been a pleasure.

                                    Is there anything else, before we sign off, that you want our audience to know, or any last words?

Cecil Payne:                  Happy holidays. Patch your stuff, don't click the links, and hug your local security person. They need help.

Amber Pedroncel...:      Oh my gosh, that should just be the tag at the end of all of our episodes. I love it.

                                    Thank you so much, and happy holidays to you. And thanks for all the work that you do at The Home Depot.

Cecil Payne:                  Thank you, Amber.

Announcer:                   Thank you for tuning in to another edition of the Global CISO Forum, the podcast for information security executives.