Mind the Skills Gap

Tales of Cyber Security #1 - When to build a Cyber Security Team?

March 12, 2020 Chris Novak Season 1 Episode 2

Chris Novak is Global Head of Threat Research at Verizon and a world acknowledged expert on cybersecurity. His career of 20 plus years has given him insights and experience and a vast network of experts in the community. His team leads hundreds of cybersecurity investigations annually and they are consistently rated as leaders in the marketplace. Chris is passionate about cybersecurity and is hugely generous about sharing what he knows and in promoting training and education on the topic. He even helped create a cybersecurity badge amongst the girl scouts in the USA. At Stellar Labs we are hugely privileged that he’s on our advisory board for our Cyber Security programmes and we learn something valuable with every conversation we have with Chris.

Stella:

Welcome to the Stellar Labs podcast. Future learning today. At Stellar Labs, our mission is to bust the technology skills crunch with effective, measurable engaging training. We consult on design and deliver the technical and people skills and competencies you need in business. In these podcasts, you'll hear from industry experts and practitioners from the worlds of technology and training. They'll share their experience, insights and inspiration and their visions for the future with you. Keep listening to start your future learning, here today. Hello, welcome back to the Stellar Labs podcast. I'm Stella Collins and I am absolutely delighted to be talking to Chris Novak, the Global Director of the Threat Research Advisory Center and, more especially for us, the first of our advisory board on our cybersecurity deep learning track. Chris, it's really nice to have you here today. And where are you today?

Chris:

It's a pleasure. I'm actually in San Francisco today, so it's a nice early morning, but good to be with you!

Stella:

Great, and I hope it's not too foggy? It can be very foggy over there, can't it?

Chris:

Yes, it can be, but no, it's alright.

Stella:

Good. Well, we had snow when I got up this morning, so I'm sure it's going to be better than that. Chris, you know, we're really, really delighted that you offered to join our advisory board. We were incredibly pleased when you did that. I'm really interested and, quite curious really, what's different about us or about our cybersecurity training that interested you and encouraged you to join our advisory board?

Chris:

Sure. I really saw it as a great opportunity to take what I've learned and experienced in the cybersecurity industry and really try to use it to help others grow. You know, I get a lot of questions. People reach out to me by e-mail, on LinkedIn, conferences... all wanting to know, how do they get into it? What can they do to get better or what are the areas that they can most grow, apply and learn? And, you know, what is it that I've seen or been surprised by? And so, I find it a great opportunity to be involved with Stellar Labs with something like this, to be able to kind of, in some way, give back and make what I've been through, what I've learned, what I've experienced, useful to better educate others and be a mentor where I can.

Stella:

We're certainly really pleased with the feedback and advice you've given us so far. That has really helped us to make it very focused on the needs of the organization, but also the individuals who are going to participate. What led you into the field of information security and what has changed?

Chris:

Sure. So lots has changed. What led me there, to be honest, it was kind of almost an accident. So I started with a computer and electrical engineering background and kind of got into the ".com boom". Everyone was building things, lots of great apparatus coming to life. And then there was the need that everyone realized: hey, when this big thing called "the internet" started coming together and, systems and people and data started getting connected, well, now we have to deal with the security of that. What happens if something goes wrong? What happens if data leaks? What happens if someone gets hacked? That concept was really more for movies than reality at the time, but now it is much more for reality as well. And so I kind of happened into it and then just very much enjoyed the challenge and the change. And, honestly, the fact that, you know, you mentioned what has changed, honestly, I would say just about everything that I started doing is different from when I started to today. And honestly, that's one of the things that's always had me so excited about the field is that the change is constant and it's pretty fast. But you know, if you'd like something that is different and exciting and changing like that, that's kind of one of the things that really draws me and I think others to that field.

Stella:

So that leads me into thinking about another question. I'm interested in what technical skills people need, but also perhaps what are some of those people skills that people need, the competencies or the business skills they need to be in cybersecurity?

Chris:

Yeah, I always tell people when they ask, it's a combination of things. And honestly, I do this a lot when I talk to people about cybersecurity, I draw a lot of analogies to the medical industry. So you can have the best doctor in the world, but if you can't communicate with your doctor, if your doctor can't convey to you what your health issue is or what it is you need to do to get better or what the procedures you may need to go through are going to involve or what you can expect, side effects to be, you're going to be very anxious or you may not even move forward. And like I said, maybe the best doctor in the world, but the communication is critical. And so, you know, when I'm talking to people about what it is that they need to be looking for from a kind of training, education, growth and development perspective, it is, you need the technical, but you also need the communications and the business acumen and you know, there may be different mixes or mixtures to the ratios of that based on where you are in your, your career journey but having all of those in some form or fashion, I think is really going to allow you to be successful over the long term. If you're just focused on just pure technical, you kind of may pigeonhole your career into just one particular area. As you grow in the technical, you're going to find that communication of what it is that you're, you know, your pen test has uncovered or what is that your forensic investigation has revealed. You're going to need to communicate that to others so they know what actions they can take and you're going to need to understand the business impacts of it. I see this a lot in my days that people will make recommendations not necessarily fully understanding how difficult that recommendation may be to apply.
And so having an understanding of the business side of things as well can also help to make sure that the recommendations and that communication that needs to follow is appropriate and reasonable for the entity that you're working with.

Stella:

That's really interesting and I guess like any of those skills that you start, if you can start learning them earlier in your career, they'll probably boost your career for the first place, but also it's easier to learn them when you're a bit younger. Well, younger, not necessarily, but earlier in your career, shall we say?

:

Yes, I would say so. Okay. And, and what do you think the biggest gaps so far?

Speaker 2:

I'd say, if you look at the biggest gaps, if you look at it at a broad level, there's just not enough cybersecurity practitioners out there. I see this all the time. Everybody is looking and organizations have trouble finding people with the right experiences, that well-rounded kind of individual that I mentioned. And then I think if you kind of narrow that question and look at it from the standpoint kind of more individually, you know, the things that I see as being a gap for a lot of either organizations or individuals, is how they apply the knowledge, the learning, the education and the training to the practical world. It's not enough to just have training or gone through a class. You need to understand how to actually apply it to the world around you. And you know, I think most people can appreciate this. If you just go back and look at, when you were in university or your earlier years, you could go through classes and learn how to do things in a book or on paper. But you need to be thinking when you go through that or you need to be part of a training regimen that appreciates the fact that it isn't just about how I get one plus one equals two, but how do I apply the concept of what I'm learning to the world where it's actually gonna happen: on a computer or a system or some kind of dataset.

Stella:

I think that's really important. It's understanding the context of what you're learning. I can remember years ago, way back, I did an Oracle database course. It took two whole weeks. I didn't know why I'd gone, nobody talked to me about it before I went, nobody talked to me about it after I came back and said, which did you learn? And you know, I honestly know nothing about Oracle databases, but I spent two whole weeks there. So I think that whole thing about what is the application part of it that is really important, the work based application. And so for an organization you said that they're struggling to find people to fill these gaps because of this skills crunch that's coming up. What are the different benefits of having an in-house set of cybersecurity experts or perhaps bring in people from outside?

Chris:

So in my experience, I think it's important for organizations to have both. And the reason I say that is when you are inside the four walls of your own organization, there is a tendency for people to develop biases, patterns, habits, behaviors, or tend to kind of birds of a feather flock together kind of thing. And that may sometimes limit your awareness or understanding of other threats and risks. When we look at cybersecurity, we have to protect our assets and our data from every potential risk. It doesn't matter if it's an insider threat, an external threat, if it's a nation state or an organized crime group. At the end of the day, we're responsible for protecting those assets and that data from every possible risk and threat. And so the internal folks will probably know your own organization better than anyone else. So when you need to apply something where you need to do something, where you need to act quickly, they're going to know where things are. They're going to know who to call, they're going to know what the policies and procedures are. But the benefit of the external is that there's going to be experiences that they have from working in or with other organizations in other geographies, in other industries besides where you are, and they're going to be able to take that knowledge and experience and apply that to you. So if there's something, for example, and I see this a lot in my own world, where we may see a trend evolving say in the financial services industry, but that trend may not have emerged yet in healthcare or manufacturing. But the fact that people have already been immersed in it and understand how to deal with it, they can take that knowledge from one industry and start applying it to the others to either better defend and protect them so that that trend doesn't emerge in their industry. Or if they do see it pop up in those industries or areas, they're better prepared and know and have that experience on how to handle it.

Stella:

Oh, that's an interesting one for me because I think we often get that in training that we're trying to encourage a particular sector to perhaps develop some new skills. And you often find that other sectors might sort of say, "Oh, well, I don't know if we need that yet." And that's where those persuasion skills or some of those competencies, business skills that you were talking about are actually really important because you need to then be able to paint a picture for potentially another sector to say, "you actually could have this challenge too". So it's kind of common for everybody isn't it? That you need to be able to switch sectors, in the middle. At what point do you think an organization or a company needs to think about building an internal cybersecurity team?

Chris:

I think today's day and age, every organization needs to have one pretty much from the get go. If you're going to deal with any kind of sensitive data, especially something that may be of a regulated data type, you need some kind of cybersecurity program because the reality of it is, in the early days or the old days, you could potentially get by in a business that relied on papers and locked file cabinets and maybe at that point you didn't need a cybersecurity program. But the reality of it today is, if you have a business and you have an employee, you probably have PII data on that employee. You probably have pension or retirement information on that person, payroll information, a home address, members of their family, things like that. And my guess is there's probably not many businesses left that don't have that information today in a computer system somewhere that then needs to have some kind of cybersecurity, even if basic, needs to have something. And obviously as you look at, you know, going from a business with just a couple of people to a business with a few dozen people to a few hundreds to thousands to tens of thousands and beyond, you now have a much larger pool of sensitive data to be concerned about. And obviously as any business grows, it's not just then about the PII data you have on your employees, you may have sensitive intellectual property about what you do and how you do it, that you don't want to leak out into the market or to competitors. Or you may have transactions that you perform, that obviously you want the integrity of those transactions to be sound so that you don't want to move $100 but instead $1 million moves that can be very impactful to the business. So I honestly think that there's not an organization today that can really survive without an internal cybersecurity program.

Stella:

That's really interesting and possibly quite scary. We're actually incredibly lucky that one of our colleagues, there are still only three of us in the business, seems very aware of what's happening in cybersecurity and has been very useful, even at teaching me, some really basic stuff that has been helpful I think in helping to protect us. So that's been an exciting part for me, that learning journey on that. Chris, one of the things that is sort of a personal question or personal interest to me; I know you promote diversity and inclusiveness in cybersecurity and I'm really interested to know a bit more about how you do that and whether there's anything we can do within training to help with that mission you have?

Chris:

Sure. So I'd say that there's a couple of different things. One, I try to do a lot of mentoring, so I really try to make myself available to the public. At the end of the day, my LinkedIn is open, my Twitter is open, so if people want to reach out to me, I try to be as accessible to them as I can. Even people I don't know, just to give them guidance and feedback. I try to surround myself with various different types of people that come from a broad array of backgrounds because I look at it as: if we're going to be successful in anything, we're going to be most successful if we have diversity of that team, diversity of thought because the challenges that the world faces are also very diverse in a number of ways. And I also look at it from the standpoint of: we want to try to get people involved early and we want to try and make it as easy as possible. When I first started, like I said, there wasn't really a program. There wasn't really a track record. You couldn't go to university for cybersecurity. There weren't degrees for it, but even still with that today, there's a lot of challenges, barriers to entry, people thinking that they can't do it or it's not for them. So the mentoring is a big piece. I also try to get involved with elementary school programs like the Cub Scouts - my daughter is in the girl scouts - trying to promote their cybersecurity programs. Even down into that, anywhere from say six, seven, eight, nine, ten year old range, trying to get them understanding of what cybersecurity is even at a high level. And then even within the workforce here at Verizon, one of our new leaders had actually introduced a program called "WOW" or women of the world. It's a phenomenal developmental and empowerment program for really kind bringing our entire workforce and getting everybody included in what we do and really setting them up for success. And so I think things like that are really helpful and I try to stay as plugged into all of that as I possibly can.

Stella:

Fantastic. Well, I think it's really important that we do get more diversity within most business, but certainly within that cybersecurity sector, so thank you. Chris, it's been as always a real pleasure to talk to you. So thank you so much for sharing your thoughts and for always being so very open. I think it's phenomenal the way you are so open and share so much. So thank you so much. And I hope we didn't get to you too early in San Francisco.

Chris:

Always a pleasure. Happy to be with you and hope to do it again soon.

Stella:

Great. Thank you so much Chris, and we look forward to talking again. Bye. Thank you for listening to today's podcast. Please share it with your friends and colleagues and visit our website, stellarlabs.eu to learn more about what we do and how we do it. Tune in to the next episode.