#41 - Building a Cybersecurity Career & Pandemic Security Gaps - Tony Jarvis
“Back when work from home became suddenly virtually overnight, it was all about enabling the business to continue. A lot of this move was rushed out of necessity, but the focus was on speed. The focus was not on security. And security took a backseat.”
Tony Jarvis is a CISO advisor and cybersecurity strategist who has advised Fortune 500 clients across the world and served as a thought leader within the industry. In this episode, Tony shared about the importance of network and Operating System knowledge in cybersecurity, the awareness of and attitude towards cybersecurity in enterprises, as well as the security gaps arising from the pandemic. Tony also shared his career journey, including his mid-career crisis, as well as some tips and wisdom for those who are interested in cybersecurity.
Listen out for:
- Career Journey - [00:04:24]
- Networking and OS Knowledge Importance - [00:10:04]
- Getting Started in Cybersecurity - [00:15:24]
- Mitigating Cybersecurity Risks - [00:20:04]
- Executive Awareness About Cybersecurity - [00:24:09]
- Some Cybersecurity Tips - [00:29:24]
- Security Gaps Due to Pandemic - [00:32:22]
- Interesting Cybersecurity Case - [00:38:32]
- Tony’s Mid-Career Crisis - [00:43:30]
- Out-of-Comfort Zone Career Principle - [00:49:13]
- 3 Tech Lead Wisdom - [00:53:47]
_____
Tony Jarvis’s Bio
Tony is passionate about educating audiences on the risks posed by modern cyber threats and advises business leaders as they undertake major cybersecurity transformation projects and initiatives. Having held a variety of leadership and advisory roles with recognisable brands such as Citrix, Check Point, FireEye, Standard Chartered Bank and Telstra, he has developed an acute understanding of how to successfully deliver cybersecurity engagements which strategically align with business objectives. He blends hands-on technical experience with a unique ability to distill complex ideas into language that resonates with all stakeholders, recognising that security is best addressed holistically, from the C-suite to frontline workers.
Follow Tony:
- LinkedIn – https://www.linkedin.com/in/tony-jarvis/
- Twitter – https://twitter.com/TonyJamesJarvis
Mentions & Links:
- Telstra – https://www.telstra.com.au/
- Cisco PIX – https://en.wikipedia.org/wiki/Cisco_PIX
- ASA – https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html
- FireEye – https://www.fireeye.com/
- Check Point – https://www.checkpoint.com/
- Citrix – https://www.citrix.com/
- 3-way handshake – https://www.geeksforgeeks.org/tcp-3-way-handshake-process/
- OSI model – https://en.wikipedia.org/wiki/OSI_model
- Apache – https://httpd.apache.org/
- Wireshark – https://www.wireshark.org/
- SANS – https://www.sans.org/
- Ransomware – https://en.wikipedia.org/wiki/Ransomware
- Heartbleed – https://en.wikipedia.org/wiki/Heartbleed
- WannaCry – https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Networking and OS Knowledge Importance
- If you had to choose two things that you would supplement that cybersecurity with, I would always keep coming back to network and Operating Systems. It’s really super simple when you think about why. You really have to understand how something works in order to protect it. If you don’t understand it, you don’t know what’s going on, you’re really not going to catch everything or think about all of the different situations.
- The original definition of what a hacker is somebody who would actually take these computers or these systems, and figure out ways of getting them to do things they weren’t necessarily designed or intended to do, and they would find interesting ways to use them. So you’ve got to have that hands-on knowledge about how things work.
- I would just offer a word of caution though, that if you are getting advice from people who say, “It’s okay, don’t worry about that. Go straight to the good stuff, focus on the interesting stuff. Just be very tunnel vision and don’t try to go too broad.” That might get you ahead in the short term. But you need to be mindful that this is a marathon. It’s not a sprint. There definitely will be times where this knowledge, this information, you will need to draw on at certain points in your career.
- If you’ve gone in with very specific knowledge and you haven’t looked at the supplementary stuff, the networking, the Operating Systems, you will be put into positions, it might be early on, it might take later to uncover, where you’re asked to do things that you don’t have the prerequisite knowledge or skills to do.
- For those who aren’t familiar with the OSI Model, there are only seven layers. So a layer eight problem is a human problem. It’s a user problem.
- And then you sort of got the Operating Systems. Especially in the security world, Linux is huge. But having spent time at multiple vendors, what I can tell you is every single security appliance I have ever worked on, I’m not saying all of them, but certainly everyone that I’ve worked on, basically built on top of some version of Linux.
Getting Started in Cybersecurity
- There aren’t that many entry-level roles available. And so for the students out there that are trying to get in, you’ve really got to find a way to set yourself apart from everybody else. And not just set yourself apart, but prove what you bring to the table.
- The good news is there’s so many ways you can do that today. So you can build your own lab. It used to be back in the day, you would do that physically. You’d have to go onto eBay and buy secondhand equipment and set up a lab at home. You can do that in the cloud today. It is an option. You can use environments that are pre-made for you. So if we’re talking about security, you’ve got sites like “try hack me”, you’ve got “hack the box”, and others. You can go out and get your own certifications. You can do things like CTF, Capture The Flags, and prove that you’ve got specific skill sets.
- On top of that, it’s also super important now more than ever before to be networking with people.
- You can even reach out on LinkedIn and make real legitimate relationships with people just based on that. So you’ve got to be reaching out to people. You’ve got to be networking.
- The other good news, there’s a lot of events that used to be done in person, they used to cost money. Now a lot of these are not only available online, but free.
- And for those of us who are in the industry, we’ve been here for a while, it is so rewarding to be able to help people on their journey, bring that new generation in.
- The posts you can put onto LinkedIn that you would take for granted, it’s nothing to you. You just assume everybody knows this. Not everybody does. This is really valuable information for people who are just getting in, and haven’t been in the industry for all that long.
Mitigating Cybersecurity Risks
- The good news is that attitudes are starting to change, and they are starting to change for the better. And I’m talking about attitudes from the very top, the board, the C-level executives. It used to be that they just expected the security team would do their thing, and they would keep everything secure, and essentially for lack of more specific security terminology, make sure bad stuff didn’t happen.
- Now, they know that breaches are hitting the headlines. It’s making news. They know that’s bad for business. They certainly don’t want their name associated with these sorts of things. They know they need to make sure it doesn’t happen, but they don’t exactly know how. And that’s okay. It’s not their job. Their job is to run the business.
- What we’re seeing is that they are now starting to bring in security professionals into the boardroom, and actually engage in these important business conversations about how do we ensure that the business isn’t negatively impacted by something like this happening.
- What that means for us in the security roles is we now effectively need to wear two hats. In our day job, we’re hands-on, we’re technical, we’re doing our job. But when we are talking with the business leaders, we need to change the language, and we’ve got to focus on that language. So we can’t be using technical terms.
- It goes back to speaking that same language. So I am in favor of that. Definitely never scaring, but trying to get it across in terms of business impact.
Executive Awareness About Cybersecurity
- It’s certainly the case that if you’re trying to secure your enterprise today, the way that maybe would have worked out for you years ago, it’s just not going to work anymore. The risks evolve, and their security has to evolve in order to keep up.
- If we look at these ways that we used to do it, we used to talk about concepts like defense-in-depth, and we still talk about that. But we used to talk about analogies, like a castle and a moat, and you want to build a big wall around things and try to keep bad things out. And then you’ve got other layers in between, and then the intellectual property, or the really sensitive information are sitting securely in a data center somewhere. And there’s lots of different layers of protection keeping that safe.
- Now there’s a problem with that today. So the problem is that we all carry smartphones with us, and they move around. They can be in the office, they can be home or anywhere else. The laptops that we’re using, they’re portable, they’re highly mobile. We used to walk into the office and use dedicated workstations that never left the desk they were sitting on, and they were physically cabled into a wall somewhere, and there was no Wi-Fi. And now we’ve got Wi-Fi, VPN. People are working from coffee shops, airport lounges, even the other side of the world. And then to add to that, we’ve now got everything moving to the cloud. So things are definitely changing.
- A lot of people are also using their personal devices for business reasons. And this opens up a lot of other risks as well that we need to definitely appreciate, and try to get on top of. So there is no perimeter anymore. We used to talk about a network perimeter. The segmentation between the outside, the internet, and the inside. The people inside the four walls. And we’d say that outside is untrusted and inside is trusted. Well, now today, nothing is trusted. We don’t know where stuff is coming from. We talk about things like zero trust.
- You’ve got to be double-checking everything. So the old ways definitely aren’t working. It’s not enough just to have network perimeter firewalls. It’s not enough to simply ask people if you’re working on sensitive information, please don’t send that outside the organization. Because it happens, and it might just be a simple accident. So instead of just asking people to not do these things, not sending information out, what if we could actually embed security into those documents, and make sure that we can control who reads them, what they do with them, whether they can forward them on or not.
- Another thing that’s really getting to a point where it’s definitely got visibility, and we are starting to see things actually taking up is mobile, and I’m talking about smartphones.
- If you think about it, you’re using a tiny little screen. If something is trying to send you to a fraudulent website that looks really similar to a legitimate website, and if you’re used to your big 30 inch monitor, you can see that nice and easily. On a little six-inch screen, you’re much less likely to pick that up. And then you’ve got other things like, if you’re on a proper computer, you can just hover over a link, and it will show you the URL of where it’s going to go to. You can make a decision. Does this look good or not? If you’re on a mobile, you really can’t do that.
- So mobile really is a very lucrative target for attackers because we all have them. There are lots of them out there, and typically they are under protected. We’ve typically got more protections on our laptops than our mobile.
- So coming back to the original question, you’ve got to be evaluating how things are evolving over time? Where those risks are? What the attackers are trying to do? And make sure that the things they’re going after and the things they’re trying to do, we have protections to guard against.
Some Cybersecurity Tips
- There are different ways of looking at security. We always come back to the three fundamentals: people, processes, technology.
- And because so many of us work in technology, and we’re super passionate about technology, it’s the first and sometimes only thing we like to talk about. And yes, there are technology solutions. Vendors create protections that you can install.
- But you also need to be focusing on the people. The best protection in the world is going to be severely let down, if people are doing the wrong thing.
- So training people, what is a phishing email? Some people have never heard of the term. What does it look like? What are the telltale signs? What should you do if you’re not sure? All of these sorts of things are things that should be covered ideally, by training that an employer provides. And not necessarily advising staff just how to keep the corporate assets protected, but also how to protect themselves and their family, maybe their children at home. And part of that is because it’s just the right thing to do.
- You’ve got to be training the people. You’ve got to forget about this demarcation between corporate assets and personal assets.
Security Gaps Due to Pandemic
- So back when work from home became suddenly virtually overnight, it was a case of moving out of the office into your bedroom or kitchen or wherever you’re working from home. What happened was that businesses were scrambling. They needed to keep the lights on. They needed to keep business happening, and it was all about enablement. It was enabling the business to continue. And security took a backseat.
- And we also saw a huge shift to the cloud. The cloud was really one of the main ways that businesses survive the pandemic. It enabled a lot of the stuff that had to keep operating.
- Microsoft came out at some point through 2020, and advised that they had seen two years of digital transformation take place within the span of two months.
- The existing solutions, the security solutions, the on-premise solutions that a lot of organizations were using, suddenly weren’t protecting their users because the users were not physically onsite. They were remote. Because of that, and because of other reasons as well, we’ve seen a lot of an increase in phishing attacks, phishing emails, and they get very creative. They tune, they tailor their message to things that are topical, and people want more information in or on.
- A lot of this move to the cloud unfortunately was rushed out of necessity, but the focus was on speed. The focus was not on security. So we’ve got to take a bit of a step back here and realize that the simple act of moving to the cloud does not guarantee any security. But there is this assumption with a lot of people just because they aren’t necessarily trained in this, or don’t have the experience that they think they can move something into the cloud, and suddenly they no longer have that responsibility to secure it. Because the cloud vendor is going to do that for us. Now, those of us in the industry are all too familiar with what we call the shared responsibility model. There are certain things that the cloud vendor will do, and there are certain things that the customer has the ultimate responsibility for doing themselves.
- As the customer, you’ve really got to be on top of at least understanding what it is you need to be doing, and make sure that gets done. We’ve seen cases of organizations not following best practices, making configuration mistakes.
- Just because something comes out, and people say you need to be doing things, and people acknowledge it as a risk, doesn’t mean that it’s going to quickly get taken care of.
- What businesses really need is advice from people that they can go to and they trust in order to, “This is the situation today. This is where we want to be. What are our next few steps in order to get ourselves on that path?”
Interesting Cybersecurity Case
- What they really had was a concern. They did open up to me, and they said, “Look, our concern is that as we add more solutions, as we’re adding more products into our environment, is it actually helping our security? Or is it creating areas where more things can go wrong?”
- Because as you add more, we call them point products, products that are designed to do one specific thing and do that well. Not all of these solutions are designed to integrate with all of the other solutions that you might have in your environment. And this leads to a number of problems. Obviously, you’ve got the cost of acquiring all of these different products and solutions. You’ve got the cost of headcount. You need somebody to actually run and administer those solutions. You’ve got to train them. And then you’ve got operational problems.
- It does pose a very valid question around, and it’s an age-old question: Do we go with the point product solution, and try to get all these different things that do one thing really well? Or do we try to consolidate and use fewer things that do more of those functions more broadly? And look, at the end of the day, it’s always going to be a different answer for different organizations. It’s a very specific thing to your needs and your existing environment. Most of the time, it will probably be somewhere in the middle. You’d probably consolidate in some cases where it makes sense, and if you have a legitimate need for specific point products to do something really important, and do that really well, you’ll probably do that.
Tony’s Mid-Career Crisis
- If you do your job properly, if you do it well, ideally, you want to be invisible. You want nothing to happen. At the end of the day, if nobody knows what you’re doing, you’ve probably done your job properly, outside your immediate team, of course. Because there are no incidents, there are no alerts, there are no breaches. That’s exactly what you want to be happening. If people come running to you, and you’re their number one priority, something is potentially very wrong. So you definitely want to avoid that. That’s really how the security world works.
- What I realized was the thing I really love about security is the fact that it doesn’t exist in isolation. You are not securing security. You’re securing something else, and usually that’s some sort of technology.
Out-of-Comfort Zone Career Principle
- For me, I definitely wanted to be pushed. I wanted a challenge. I wanted to feel uncomfortable. Because I know that’s the only reason you’re going to grow.
- We are all capable of so much more than we think we are. Our only real limitation is the self imposing beliefs we put on ourselves.
- At the end of the day, for me, what it really comes down to is I do like the saying that says “comfort is the enemy of progress”. If you’re too comfortable, if you’re in your comfort zone, you’re probably not being pushed. You’re not expanding your horizons. And to me, that’s something I don’t want to have regrets.
3 Tech Lead Wisdom
- First and foremost, soft skills. Not everybody likes that terminology, but people-facing skills.
- Even if you’re working in technology, even if you’re hands-on keyboard in your day job, you still need those personal skills. You still have stakeholders you’re dealing with. Even if it’s your own specific team, you will be influencing people.
- You really have to look at more high-level than just the technology itself.
- You’ve got to learn to see things from the business perspective. How are the things you’re doing right now? The projects you’re working on, how do they map back to the business requirements? What value is it providing?
- And this is really important in security because too often in security, the actual act of security is viewed as a cost center. It’s something you’ve just got to spend money on, and it can be difficult to articulate a return on investment with that. But we need to turn it into changing the language.
- It’s not a case of there’s bad things out there and our job is to protect against them. Yes, that’s all true. But you’ve also got to be saying that it’s a business enablement exercise. It’s keeping the business operating. It’s making sure that the risks posed to the business by outside forces and inside forces are mitigated and dealt with, and we have systems and controls in place.
- The last piece of advice I would probably offer is that you really should be taking an active interest in other facets of technology, too.
- There is usually a lot of overlap with other areas as well, and they will have codependent relationships. So if you understand these other areas, then it’s going to better enable you to do the job you’re doing.
- Nothing is static. Nothing stays the same. It’s always evolving. And all of these other things, these other technologies that we interact with are evolving too. So if we understand and we keep ourselves interested and invested and up to date with all of these other things going on. We better understand those interdependencies, and we’re better able to maintain and build on our skills for not just our own professional and personal development, but also to protect the organizations that we’re working for as well.
Episode Introduction [00:01:09]
Henry Suryawirawan: [00:01:09] Hello everyone. This is me again, Henry Suryawirawan. After one week break, Tech Lead Journal is back here again with another new episode of the podcast. Thanks for tuning in and spending your time with me today, listening to this episode. If you haven’t, please subscribe to Tech Lead Journal on your favorite podcast apps and also follow Tech Lead Journal social media channels on LinkedIn, Twitter, and Instagram. And if you’d like to make some contribution to the show and support the creation of this podcast, please subscribe as a patron at techleadjournal.dev/patron, and help me towards producing great content every week.
For today’s episode, I am happy to share my conversation with Tony Jarvis. Tony Jarvis is a CSO advisor and cybersecurity strategist, who has advised Fortune 500 clients across the world and served as a thought leader within the industry. He’s passionate about educating people on the risks posed by modern cyber threats and advises business leaders, as they undertake major cybersecurity transformation projects and initiatives. In this episode, Tony shared about how one could get started and build a career in cybersecurity. He shared about the importance of understanding the network and Operating System knowledge to excel in cybersecurity. We then discussed the awareness and changes of attitudes towards cybersecurity in enterprises and at the executive level. He also highlighted the risk of some of the security gaps that arise due to the pandemic, when many enterprises were rushing into improving their technology to support the remote work and working from home. Towards the end, Tony shared his personal mid-career crisis experience, why he thought of leaving cybersecurity space, and what made him decide in the end to stay in cybersecurity.
I hope you will enjoy this episode. And if you like it, consider helping the show by leaving a rating, review, or comment on your podcast app or social media channels. Those reviews and comments are one of the best ways to help me get this podcast to reach more listeners, and hopefully they can also benefit from all the contents in this podcast. So let’s get this episode started right after our sponsor message.
Introduction [00:03:49]
Henry Suryawirawan: [00:03:49] Hey everyone. Welcome back to another new show of the Tech Lead Journal. Today I’m very happy to have with me, someone called Tony Jarvis. Tony is actually someone who is very specialized in cybersecurity. He has a lot of credibility in the industry. I’m looking forward to learn from him today, all everything about cybersecurity. Because I think this is a hot topic, and very important topic today, especially when technology has become so immersed in our daily lives. So welcome Tony to the show. Looking forward to have a chat with you today.
Tony Jarvis: [00:04:22] Thank you so much for having me. Really excited to be here.
Career Journey [00:04:24]
Henry Suryawirawan: [00:04:25] So first of all Tony, maybe you can introduce yourself telling us your background, your highlights, and your career journey.
Tony Jarvis: [00:04:31] Yeah, sure. Thank you. And it definitely has been a journey. I completed my university degree actually doing an Information Systems degree. This was a while ago, and back when I went through university, it was really a case of doing an Information Systems degree or a Computer Science degree or something similar. There weren’t any cybersecurity degrees back then. So basically what happened was, the formal process was you finish your degree, and you apply for, this was in Australia, so what we called graduate program. Graduate program was you finished your time at university, and certain companies would actually have vacancies where they actually take brand new graduates in, and put them through training, give them that initial introduction to the workforce. So I was actually pretty lucky. I was accepted into Telstra, the biggest telecommunications company in Australia. Ironically, it was a sales program. Now I am not a salesperson, but they did assure me that they had technology offerings and technology roles as part of that program, and they did. And so, I actually ended up in a networking role.
Now, the funny part with this is that there was only one subject in my entire university degree that actually covered networking. And to be honest with you, it was probably the one subject I liked least. And there was a good reason for that. It was not practical. It was 100% theoretical, and it was basically more or less, you’d be doing things like memorizing the physical properties of coaxial cables. So it wasn’t the most exciting thing in the world, but it gave me some background. I understood a little bit. I went into the role first day. I had a really fantastic manager, and we had a heart to heart and he said, what’s your background? What’s your skills? And look, I really didn’t bring much to the table other than my university degree. So what he did was he put a book on my desk, and for those who have been around the Cisco side of things with the networking, there are what we call self study certification guides. And these things are huge. I mean, there were two volumes. You literally had to read two books and then do an exam to get certified, and each of these books was roughly about a thousand pages long. So that kept me busy for not just days, but weeks. I’d go home and keep reading, and learn a lot about networking that I never knew before. Did my certifications. Got some basic skills. And then started hands-on. I was literally hands-on with some switches, with some routers, configuring things, having a great time. Telstra was a fantastic opportunity. Great people, really exciting work. That was my introduction to the workforce. I did start out as a network engineer. But from there, I very quickly found an appliance, which went by the name of Cisco PIX, the Cisco pix, which is the old version of what you would now call an ASA, their security appliances. 
So that was my introduction into security, and I went from instead of opening everything and letting everything talk to everything else, being very prescriptive in what is now allowed to talk to other things based on policy. And I really enjoyed that. So that was my time in Australia.
I moved from Australia to Singapore, where I am now, with Standard Chartered Bank. Found a role with them, I moved to Singapore for that role. Dedicated security role, helping them build out their security channels, protecting their internal users, their connections with third parties, and that actually evolved into a number of other things. I spent about six years there doing architecture, data center relocations, global load balancing, lots of really interesting stuff. That was six years. From there, I moved into FireEye. So first time with a vendor. And this was the point in my career where the lights really went on. My eyes were laser focused on exactly, I found my true passion. I went from network security to all of these amazing things like incident response and threat hunting and malware reverse engineering and threat intelligence. Lots of super, super smart people doing these things. They would go home and keep doing this in their own personal time, because it was their hobby as well as their job. They were passionate. And it was infectious, really contagious. We were talking with customers about nation state actors and the threat landscape and who was out to get them and why. And it was really exciting. So I was literally the person walking into the meeting, giving customers the story about, well, look, the bad news is we found evidence of intrusion activity in your environment. So bad guys are in. The good news is I’m here with you. I’ve got all of the resources of the company at my disposal. We are here with you until we get them out and we are in this together. So that was really interesting. Lots of really enjoyable conversations. Learnt an awful lot.
Moved from there to Check Point. Spent five or so years at Check Point, primarily as a CISO advisor. So dealing with C-level executives, advising them on their path to securing their organizations, advising them about the threat landscape. APAC wide role, so lots of travel, which was exciting. Speaking at public events, working with the media, being interviewed, marketing and channels. Lots and lots of interesting stuff. No two days were ever the same. And more recently, I’ve now moved into Citrix where it’s early days, but we’re building out security from the ground up in some specific regards. Taking security solutions to market, so involved in go to market activities, and really excited to be part of that journey. So looking back, that’s been my journey so far.
Networking and OS Knowledge Importance [00:10:04]
Henry Suryawirawan: [00:10:04] Wow. Thanks for sharing your story. I think it really resonated with me, especially when you mentioned about learning networking. So I must say that networking is also one of my least favorite subject. I find it very difficult for me to understand. But yeah, I mean the interesting thing is that now I’m doing a lot of cloud and all that related stuff, so networking is really important, and for you as well, like going into cybersecurity. And you mentioned to me in the beginning, in the pre-call, right. That actually, if you have to point out for cybersecurity, there are two core important things that everyone should be aware of, which is one is networking, and the second one is Operating System knowledge. So can you share a little bit more about why do you think these two are the most important thing when you go into cybersecurity?
Tony Jarvis: [00:10:47] Yeah, absolutely. So, whether or not they’re the most important thing, I don’t know. I mean, the security itself is, of course, the most important thing. But if you had to choose two things that you would supplement that with, I would always keep coming back to the networking and the Operating Systems. It’s really super simple when you think about why. You really do have to understand how something works in order to protect it. If you don’t understand it, you don’t know what’s going on, you’re really not going to catch everything or think about all of the different situations. So that’s definitely important. And funnily enough, the original definition of what a hacker actually is somebody who would actually take these computers or these systems, and figure out ways of getting them to do things they weren’t necessarily designed or intended to do, and they would find interesting ways to use them. So you’ve got to have that hands-on knowledge about how things work. Super important.
Different people always give you different advice, and I think that’s a good thing. You can take information from lots of different sources, run your own internal filter through it and see what makes sense to you. I would just offer a word of caution though, that if you are getting advice from people who say, “It’s okay, don’t worry about that. Go straight to the good stuff, focus on the interesting stuff. Just be very tunnel vision and don’t try to go too broad.” That might get you ahead in the short term. But you do need to be mindful that this is a marathon. It’s not a sprint. There definitely will be times where this knowledge, this information, you will need to draw on at certain points in your career. Now, if you’ve gone in with very specific knowledge and you haven’t looked at the supplementary stuff, the networking, the Operating Systems, you will be put into positions, it might be early on, it might take later to uncover, where you’re asked to do things that you don’t have the prerequisite knowledge or skills to do. You’d have to go out and watch some educational content and come up to speed and ramp up. Now, if that’s going to take you a couple of days or a couple of weeks, and your employer is paying you hourly fee for that, you really owe it to yourself and your employer in terms of due diligence, that you’re getting your necessary grounding to really equip you for all of the potential things that might be coming up in your long term career.
So, if we look at networking. You do need to understand what does the three-way handshake look like? What is the OSI model? When people talk about, Oh, it’s a layer eight problem. What does that mean? And for those who aren’t familiar, there are only seven layers. So a layer eight problem is a human problem. It’s a user problem. You’ve got to understand routing. You’ve got to understand subnetting and subnet masks. So all of this stuff, you don’t need to go out and get certifications. But you do need to put in a little bit of due diligence. Understand that at least at a basic level. A really interesting case study here. I’ve been working on issues I can think back to my time at the bank. And my manager was super smart, really good troubleshooter. We were doing some load balancing and configuring a load balancer to make sure an application was running. And the application was an Apache web server. I could not have told you, looking at the logs myself, what the problem was. But based on what he saw in the Wireshark captures, he could understand it was Apache. He could understand the version and he remembered, “Ah, I’ve worked with this before. This specific version treats these sort of requests a certain way, and it has got to conform, or maybe it doesn’t conform with the protocol.” And he was able to solve the problem just by his experience, outside the pure sort of security area. So that’s the networking side.
And then you sort of got the Operating Systems. Especially in the security world, Linux is huge. Not saying the others aren’t. But having spent time at multiple vendors, what I can tell you is every single security appliance I have ever worked on, I’m not saying all of them, but certainly everyone that I’ve worked on, basically built on top of some version of Linux. So the command line is going to use those sorts of commands. You’ve got to understand the basics. If you have the basics, it will give you a foundation to build on. You don’t need to come in knowing it inside out, but you’ve got to have a starting point. So I really do think that’s so important.
Henry Suryawirawan: [00:15:02] I fully agree with you. Sometimes I’ve also found these, I would say, network expert or unicorns, they seem to be able to deduce something on top of their head, like just seeing patterns, data flying around using Wireshark or whatever monitoring tools. They seem to be able to deduce, “Ah, this is the problem.” While like for me sometimes it’s like, “What? How did you come up with that?” So I can really resonate with your story, just now as well.
Getting Started in Cybersecurity [00:15:24]
Henry Suryawirawan: [00:15:24] So I mean like for many people, cybersecurity is definitely a very interesting area, and many people want to go into cybersecurity. Any tips how should people start getting into cybersecurity, actually?
Tony Jarvis: [00:15:36] Yeah. So things have really changed. When I got my first sort of opportunity, it was super simple. Of course, we didn’t think so at the time. I thought it was really hard. But basically, it was a simple process. You did a university course, and even that isn’t necessarily a must these days. But you did a university course, you applied to a graduate program, and you hoped that somebody would accept you. And it was literally that simple. Wasn’t easy, but it was simple. Now it’s just completely changed. You’ve got so many things working against you, and I really feel for the people who are looking for their first role, they’re just coming through their training, maybe they’re switching industries. It is very difficult. There are so many entry level roles that you will find, and they will give you the list of prerequisite experience. And they will ask for certifications that you can’t even go and get that certification unless you can prove that you’ve been working in cybersecurity for five years. So it’s like a chicken and the egg sort of thing. It just doesn’t work. It’s difficult. I understand that. But some of those requirements are unrealistic.
There aren’t that many entry-level roles available. And so for the students out there that are trying to get in, you’ve really got to find a way to set yourself apart from everybody else. And not just set yourself apart, but prove what you bring to the table. You’ve got a resume, and that’s words on a screen or on paper, but what are the tangible skills you bring? And the good news is there’s so many ways you can do that today. So you can build your own lab. It used to be back in the day, you would do that physically. You’d have to go onto eBay and buy secondhand equipment and set up a lab at home. You can do that in the cloud today. It is an option. You can use environments that are pre-made for you. So if we’re talking about security, you’ve got sites like TryHackMe, you’ve got Hack The Box, and others. You can go out and get your own certifications. You can do things like CTF, Capture The Flags, and prove that you’ve got specific skill sets.
And I think on top of that, it’s also super important more now than ever before, to actually be networking with people. And I know that it’s work from home sort of time, and we’re not physically doing things as much as we used to. You don’t need to. You can even reach out on LinkedIn and make real legitimate relationships with people just based on that. So you’ve got to be reaching out to people. You’ve got to be networking. Because the thing is, if you’re looking for your first role and you send applications and resumes in, and the person at the other end doesn’t know who you are, that’s a cold application. And that has got a very low chance of turning out successfully for you. If you know somebody, and they can refer you into a role, you effectively go right to the top of that pile of applications, and you’re much more likely to at least get asked in for an interview or a pre-screen. That other good news, I mean, there’s a lot of events that used to be done in person, they used to cost money. Now a lot of these are not only available online, but free. SANS, just as one example, has a number of free courses running over the next few months that you can sign up for. And if you’re new to this, I would encourage people to do things like that.
So these are some of the challenges, but also some of the opportunities people trying to break in now. I try to give back where I can. I do have people coming to me asking for advice. Usually what it is a case of people doing all the right things. They just need reassurance that it’s going to be okay. There is room for all of us. And I think for those of us who are in the industry, we’ve been here for a while, it is so rewarding to be able to help people on their journey, bring that new generation in. And you’ve got all of these things at your disposal. LinkedIn, as an example, the posts you can put onto LinkedIn that you would take for granted, it’s nothing to you. You just assume everybody knows this. Not everybody does. This is really valuable information for people who are just getting in, and haven’t been in the industry for all that long. So there’s a lot that we can do to help. And one of the fantastic things about the cybersecurity industry is it’s a really great community. So many people who are trying to help, who are passionate about giving back and helping other people. So really, really happy to see that.
Henry Suryawirawan: [00:19:51] I must also appreciate your time, coming to this podcast and sharing your journey and your story. I think it’s also one way of giving back to the listeners here so that they can also understand what is cybersecurity. Any things from your experience that they should know about.
Mitigating Cybersecurity Risks [00:20:04]
Henry Suryawirawan: [00:20:04] So speaking from the entrance point of view, there are so many things for students to study, get used to it, get some hands-on experience. But on the other side of it, we are talking about maybe business owners, enterprise executives, who are now having a big challenge in mitigating cybersecurity. The first thing is, of course, they need to know what are the risks that are available from cybersecurity point of view. And it’s not necessarily that everyone understands what are the risks because technology moves so fast. There are so many new things. Many things are now being exposed through the internet. So it becomes a huge challenge for those people to actually come up with a mitigation plan. Maybe can you share something a little bit around here? How should an executive or business owners, plan to mitigate the cybersecurity risks?
Tony Jarvis: [00:20:48] Yeah, it’s actually a really good question and a really important question. So the good news is that attitudes are starting to change, and they are starting to change for the better. And I’m talking about attitudes from the very top, the board, the C-level executives. It used to be that they just expected the security team would do their thing, and they would keep everything secure, and essentially for lack of more specific security terminology, make sure bad stuff didn’t happen. That was top of mind for them. Now, they know that breaches are hitting the headlines. It’s making news. They know that’s bad for business. They certainly don’t want their name associated with these sorts of things. They know they need to make sure it doesn’t happen, but they don’t exactly know how. And that’s okay. It’s not their job. Their job is to run the business. But what we’re seeing is that they are now starting to bring in security professionals into the boardroom, and actually engage in these important business conversations about how do we ensure that the business isn’t negatively impacted by something like this happening.
So what that means for us in the security roles is we now effectively need to wear two hats. In our day job, we’re hands-on, we’re technical, we’re doing our job. But when we are talking with the business leaders, we need to change the language, and we’ve got to focus on that language. So we can’t be using technical terms. It just won’t be understood by this audience. Instead, what we need to be doing is to say things like, look, if a breach happens, this is what it would mean in a business context. Maybe we wouldn’t be able to operate. Maybe it would take X number of hours to recover from that. Maybe there might be a certain estimated cost that would be attached to that, or potentially it might damage our reputation, or any combination of the above. It’s always helpful to use examples. And I remember back in early 2016, ransomware was really becoming a thing. Unfortunately, it targeted the health industry, hospitals, for example, because there’s just so much at stake. It is an extreme case, but it’s easily relatable. So we saw the effects at the end of the day. We saw hospitals turning patients away. We saw doctors resorting to taking notes by hand instead of using computers, and there were many other implications as well.
There were, and this is going back a few years now, but there were major incidents that hit certain banks. It was unfortunate for that bank, but every other bank saw that happen, and then suddenly all of these other banks have got all of this budget becoming available because they don’t want that to happen to them. And now suddenly they’re talking to their security team saying, “Okay, here it is. Here’s the money. What should we be doing with it?” So look, I’m not saying you should go out and try to scare people. I don’t believe in fear-mongering. But if it’s a valid example, if it points them in the direction of, this is what you need to be cognizant of, this is what we’re trying to prevent, then it makes it relatable. And it goes back to speaking that same language. So I am in favor of that. Definitely never scaring, but trying to get it across in terms of business impact.
Executive Awareness About Cybersecurity [00:24:09]
Henry Suryawirawan: [00:24:10] So I’m also wondering, like for example, if I sit on the executive board. So hearing all these breaches stories, risks about cybersecurity where people can suddenly, you know like what you said, ransomware, take over your data, for example, and ask you for ransom, because data is so important. Or for example, the common public case such that your customer data, or credit card data is leaked over the internet, being sold underground. So it seems that the life of an executive is not easy, right? And it can happen anytime of the day, such things suddenly affecting them or their company. So what do you think as an executive, what you should actually do? There are probably infinite amount of potential breaches, but what should they do in order to start come up with a plan to actually maybe reduce those probability happening?
Tony Jarvis: [00:24:56] Yeah. Well, I think you could probably trace this back to how has security evolved. Because it’s certainly the case that if you’re trying to secure your enterprise today, the way that maybe would have worked out for you years ago, it’s just not going to work anymore. The risks evolve, and their security has to evolve in order to keep up. If we look at these ways that we used to do it, we used to talk about concepts like defense-in-depth, and we still talk about that. But we used to talk about analogies, like a castle and a moat, and you want to build a big wall around things and try to keep bad things out. And then you’ve got other layers in between, and then the intellectual property, or the really sensitive information are sitting securely in a data center somewhere. And there’s lots of different layers of protection keeping that safe. Now there’s a problem with that today. So the problem is that we all carry smartphones with us, and they move around. They can be in the office, they can be home or anywhere else. The laptops that we’re using, they’re portable, they’re highly mobile. We used to walk into the office and use dedicated workstations that never left the desk they were sitting on, and they were physically cabled into a wall somewhere, and there was no Wi-Fi. And now we’ve got Wi-Fi, VPN. People are working from coffee shops, airport lounges, even the other side of the world. And then to add to that, we’ve now got everything moving to the cloud. So things are definitely changing.
There’s been a lot more attention on this lately because the pandemic and work from home. But a lot of people are also using their personal devices for business reasons. And this opens up a lot of other risks as well that we need to definitely appreciate, and try to get on top of. So there is no perimeter anymore. We used to talk about a network perimeter. The segmentation between the outside, the internet, and the inside. The people inside the four walls. And we’d say that outside is untrusted and inside is trusted. Well, now today, nothing is trusted. We don’t know where stuff is coming from. We talk about things like zero trust. And it’s true. You’ve got to be double-checking everything. So the old ways definitely aren’t working. It’s not enough just to have network perimeter firewalls. It’s not enough to simply ask people if you’re working on sensitive information, please don’t send that outside the organization. Because it happens, and it might just be a simple accident. So instead of just asking people to not do these things, not sending information out, what if we could actually embed security into those documents, and make sure that we can control who reads them, what they do with them, whether they can forward them on or not. That is possible today.
Another thing that’s really getting to a point where it’s definitely got visibility, and we are starting to see things actually taking up is mobile, and I’m talking about smartphones. Mobile is a little bit of a bugbear for me because I have been talking to people about mobile, and the risks posed by mobile devices for years. And typically, somebody would say, “Well, that’s very interesting. I wasn’t necessarily aware of all that. Definitely food for thought. Leave it with me. But we’ve got other things, other priorities competing for budget. We want to get through those first.” It never really gets prioritized. Some companies do a fantastic job. But a lot of them tend to view it as, “Well, it belongs to the employee. It’s not our personal thing. What’s the worst that could happen?” There is a lot of stuff that could happen. So there definitely are those risks. And if you think about it, you’re using a tiny little screen. If something is trying to send you to a fraudulent website that looks really similar to a legitimate website, and if you’re used to your big 30 inch monitor, you can see that nice and easily. On a little six inch screen, you’re much less likely to pick that up. And then you’ve got other things like, if you’re on a proper computer, you can just hover over a link, and it will show you the URL of where it’s going to go to. You can make a decision. Does this look good or not? If you’re on a mobile, you really can’t do that. So mobile really is a very lucrative target for attackers because we all have them. There are lots of them out there, and typically they are under-protected. We’ve typically got more protections on our laptops than our mobile. So it really is an area of risk for a lot of organizations. So coming back to the original question, you’ve got to be evaluating how things are evolving over time, where those risks are, what the attackers are trying to do, and make sure that the things they’re going after and the things they’re trying to do, we do have protections to guard against.
Some Cybersecurity Tips [00:29:24]
Henry Suryawirawan: [00:29:24] Maybe to understand a little bit, when you say about mobile, it’s very interesting. These days everyone is on the mobile. Sometimes even you could have more than one mobile, right? Because one for office, one is for personal, or maybe so many, you have tablet as well. So maybe some of the tips on how to secure mobile usage?
Tony Jarvis: [00:29:42] Yeah. There’s a number of things you can do. There’re different ways of looking at security. We always come back to the three fundamentals: people, processes, technology. And because so many of us work in technology, and we’re super passionate about technology, it’s the first and sometimes only thing we like to talk about. And yes, there are technology solutions. Vendors do create protections that you can install. And if you’re using MDM, Mobile Device Management, you can roll out to all of the devices that your users are using. That is definitely an option, and something that I would encourage. It definitely serves a very valid purpose, reduces the threat. But you also need to be focusing on the people. The best protection in the world is going to be severely let down, if people are doing the wrong thing.
So training people, what is a phishing email? Some people have never heard of the term. What does it look like? What are the telltale signs? What should you do if you’re not sure? All of these sorts of things are things that should be covered ideally, by training that an employer provides. And not necessarily advising staff just how to keep the corporate assets protected, but also how to protect themselves and their family, maybe their children at home. And part of that is because it’s just the right thing to do. But part of it is because a lot of attackers will do their research on people working in a company that they want to break into, and they will find out who works there, get their Facebook profiles, find out things like the email addresses. And they’ll just do very simple reconnaissance. Maybe you’re involved in a certain organization, and you’re posting something on Facebook saying I was doing a specific event last week. They then pretend to be someone from that organization emailing you saying, “Thank you very much for your work last week. It was fantastic. You might be interested in this. Please click here to find out more.” And suddenly someone clicks on something they shouldn’t have. It takes you to a website that might even look legitimate, but it’s actually putting into effect a chain of events which do infect that machine that you’re using to connect from. So you’ve got to be training the people. You’ve got to forget about this demarcation between corporate assets and personal assets. Security is security, and it needs to be comprehensive, and we need to be addressing all of these different moving parts.
Henry Suryawirawan: [00:31:55] So, I mean like these days, I don’t know if other listeners in other parts of the world, in Singapore, definitely for me, I keep getting these calls every few days. Maybe it’s automated kind of bot person behind it. So these kinds of things, if people are not aware, and they are not trained to handle it. I think, yeah, it is a potential risk, definitely. Because they might be led into something like open an internet banking website that looks legitimate, and then, you key in your pin, then everything taken over by the hacker.
Security Gaps Due to Pandemic [00:32:22]
Henry Suryawirawan: [00:32:22] So, speaking about the pandemic, you mentioned to me as well before that due to the pandemic, many enterprises actually rushing into improving their technology to support the remote work and working from home. Be it like the VPN for the mobile. So people who are used to working on the desktop, now they have to bring mobile and all that. Because of this rush, there’s a certain gap of security that are not handled properly. Simply because they just want to operate normally first. They want people to be able to work remotely. So what is your take now? I mean like, the pandemic has been more than a year now. What kind of security gaps you start seeing from these people trying to improve and accelerate the working from home?
Tony Jarvis: [00:33:01] Yeah, that’s an interesting one. So the keyword there is what are we starting to see now? And what we’re starting to see now has really got its roots in things that happened 12-ish months ago. So back when work from home became suddenly virtually overnight, it was a case of moving out of the office into your bedroom or kitchen or wherever you’re working from home. What happened was that businesses were scrambling. They needed to keep the lights on. They needed to keep business happening, and it was all about enablement. It was enabling the business to continue. And security took a backseat. And at the time, I understand, I appreciate it. You’ve got a business that you’ve got to keep running. So what they typically did was they would increase the number of VPN licenses they had. So that instead of maybe 15% of their workforce working from home, now it’s more like 100%. So they’re getting on top of that side of things. And we also saw a huge shift to the cloud. The cloud was really one of the main ways that businesses survived the pandemic. It enabled a lot of the stuff that had to keep operating. So Microsoft came out at some point through 2020, and advised that they had seen two years of digital transformation take place within the span of two months. So that was really telling of exactly what was going on.
And what we know is that the existing solutions, the security solutions, the on-premise solutions that a lot of organizations were using, suddenly weren’t protecting their users because the users were not physically onsite. They were remote. Because of that, and because of other reasons as well, we’ve seen a lot of an increase in phishing attacks, phishing emails, and they do get very creative. They tune, they tailor their message to things that are topical, and people want more information in or on. So definitely the case of Coronavirus and vaccines and all sorts of information, people are hungry for. A lot of this move to the cloud unfortunately was rushed out of necessity, but the focus was on speed. The focus was not on security. So we’ve got to take a bit of a step back here and realize that the simple act of moving to the cloud does not guarantee any security. But there is this assumption with a lot of people just because they aren’t necessarily trained in this, or don’t have the experience that they think they can move something into the cloud, and suddenly they no longer have that responsibility to secure it. Because, oh well, the cloud vendor is going to do that for us. Now, those of us in the industry are all too familiar with what we call the shared responsibility model. There are certain things that the cloud vendor will do, and there are certain things that the customer has the ultimate responsibility for doing themselves.
So security, yes, there are elements from both sides. But as the customer, you’ve really got to be on top of at least understanding what it is you need to be doing, and make sure that gets done. We’ve seen cases of organizations not following best practices, making configuration mistakes. We’re seeing exposed buckets in the cloud. And what you’re going to be seeing is over the course of the coming months, and definitely the next couple of years, attackers are actually probing that information, that side of the cloud, where customers information, and they’re set up in the cloud is hosted, and looking where the vulnerabilities are. And they’re gradually starting to find and exploit those vulnerabilities. And we’re going to see these come out more over the coming months and years.
To paint a picture of what we have in store, let’s look back a little bit. Heartbleed. I mean, Heartbleed was a huge thing back in 2014, I think it was. It was all over headlines. Everybody was talking about it. Five years later, in 2019, we still had 90,000 vulnerable devices vulnerable to Heartbleed, actually on the internet.
So just because something comes out, and people say you need to be doing things, and people acknowledge it as a risk, doesn’t mean that it’s going to quickly get taken care of. More recently than that, WannaCry. I think everybody has heard of WannaCry. I’ve seen people just give pretty standard advice of things like, well just patch. All you gotta do is patch. There are problems with that. It’s not that easy to patch everything. There are certain servers you can’t take down. They are mission critical. Maybe they’re operating, they’re serving electricity grids, or they’re working in hospitals, life support systems, whatever it might be. Even if you could take it down, you’ve got to test it. You put it in a test and development environment and make sure it actually works and doesn’t introduce any more problems. And then depending on the versions of the operating systems you’re running, maybe that’s an outdated unsupported version of Windows as an example, and there just isn’t a patch available. So it’s never as easy as what people might say as a knee-jerk sort of reaction in terms of advice. That there is levels of complication. And what businesses really need is advice from people that they can go to and they trust in order to, “This is the situation today. This is where we want to be. What are our next few steps in order to get ourselves on that path?”
Henry Suryawirawan: [00:38:03] Thanks for sharing the interesting statistics. I didn’t know, like for example, Heartbleed, five years after it was found, there are still thousands of devices available out there, waiting to be hacked by the hackers. And also, yeah, speaking about upgrading Operating System or whatever dependencies, I literally sometimes hate doing that. Because the amount of uncertainty that could happen, the upgrade could fail, or some incompatibilities with whatever dependencies. So yeah, definitely it’s tricky, and it’s not so easy to do. Patching is not that easy.
Interesting Cybersecurity Case [00:38:32]
Henry Suryawirawan: [00:38:32] Speaking, you know, about your experience, you have worked in the industry for many years in cybersecurity. Are there any interesting cases that you would want to share? I mean, if it’s not confidential, for sure. Any kind of interesting case that you think are worth for listeners to hear about? Either like it’s interesting, it’s funny, or it’s just scary.
Tony Jarvis: [00:38:50] Yeah, definitely. Quite a few, but if I was going to choose one, there was a customer. I had a meeting arranged with them. This was a banking customer. Walking into this meeting, I very quickly became aware of the fact that they had a huge number of security solutions that they were already using in their environment. I do not exaggerate here. They literally had approximately 40 different security solutions. Not just network solutions, but security solutions. And with big banks, that’s not uncommon. There are lots of different places where things can go wrong. Lots of different protections that they would be wanting, and they do invest. So I realized early on in this conversation with the customer that it wasn’t necessarily a case of, they had an appetite to add on. Because they were running everything, they had network security, they had cloud security, they even use Artificial Intelligence. So they really had it all.
What they really had was a concern. They did open up to me, and they said, “Look, our concern is that as we add more solutions, as we’re adding more products into our environment, is it actually helping our security? Or is it creating areas where more things can go wrong?” And they had some very valid points for making, at least posing that question. Because as you add more, we call them point products, products that go in designed to do one specific thing and do that well. Not all of these solutions are designed to integrate with all of the other solutions that you might have in your environment. And this leads to a number of problems. Obviously, you’ve got the cost of acquiring all of these different products and solutions. You’ve got the cost of headcount. You need somebody to actually run and administer those solutions. You’ve got to train them. And then you’ve got operational problems. So if you see something going wrong, if you see an alert or something that’s not quite right, and you pick that up in the management console of one of these solutions. And then maybe it transitions, it moves from one area of the organization to another, and that tool you were just using no longer has visibility, but another tool that you do have will have visibility. You’ve got to figure out what new tool you need to be pivoting to actually see where it left and where it’s going into. And we call that a swivel chair SOC. It’s literally somebody sitting on their chair, looking at all these dashboards, swiveling in their chair, going from screen to screen, trying to keep up with things.
So that is an issue that we do see, and it comes down to this integration. It does pose a very valid question around, and it’s an age old question, do we go with the point product solution, and try to get all these different things that do one thing really well? Or do we try to consolidate and use fewer things that do more of those functions more broadly? And look, at the end of the day, it’s always going to be a different answer for different organizations. It’s a very specific thing to your needs and your existing environment. Most of the time, it will probably be somewhere in the middle. You’d probably consolidate in some cases where it makes sense, and if you have legitimate need for specific point products to do something really important, and do that really well, you’ll probably do that.
But at the end of the day, with this customer, what we found is that what they needed wasn’t another security solution. What they needed was visibility. Are we doing the right thing? Are our configurations configured according to best practice? Maybe we spun up database servers, and those admin credentials we use to actually configure them and set them up, we forgot to revoke them. So we’ve now got excessive privileges and permissions. Maybe we’ve got shadow IT, and sprawl in the cloud. So what they really wanted was compliance. So we actually worked with them in order to give them better visibility in terms of how they’re managing, and administering their comprehensive company-wide security, and give them that level of confidence that things are configured according to the way that the policies and the baselines say that they should be. So that gave them the confidence they needed, but very interesting conversation.
Henry Suryawirawan: [00:42:56] So I think, yeah, it’s one key takeaway lesson here. More doesn’t mean more secure. More solutions doesn’t always mean more secure, because you have to think about the cost of integration, the cost of acquiring people’s skills, not to mention the cost of the licenses for those products as well. And I think like what you said, sometimes they are really not integrated except by a human in the middle, like a bridge, seeing one solution and then move to the other solution. So that is always one of the biggest challenges as well. Because how do you correlate a certain things happening if you use two different tools that can only be used by human? So I think it’s one key takeaway from me at least.
Tony’s Mid-Career Crisis [00:43:30]
Henry Suryawirawan: [00:43:30] So, moving on to more like a personal story. Tony, you also mentioned in the pre-call that you had midlife, mid-career crisis, so to speak, right? When you are talking about, thinking of getting out of cybersecurity. What was happening then? Maybe you can share your thought process, and what made you in the end decide to stay in cybersecurity?
Tony Jarvis: [00:43:50] Yeah. So this is an interesting one, and I’m sharing this because if it can help others, then that’s the best outcome. When you work in a given field over an extended period of time, you do inevitably have these moments where you feel like the grass is greener somewhere else. I’ve definitely had my time of going through that. I think a lot of us have. For me personally, I think what led to it is that this is the Catch-22 of working in security. A lot of us do it because we love it, and it’s really interesting, exciting work. All of that is true. But if you do your job properly, if you do it well, ideally, you want to be invisible. You want nothing to happen. At the end of the day, if nobody knows what you’re doing, you’ve probably done your job properly, outside your immediate team, of course. Because there are no incidents, there are no alerts, there are no breaches. That’s exactly what you want to be happening. If people come running to you, and you’re their number one priority, something is potentially very wrong. So you definitely want to avoid that. That’s really how the security world works.
As a technologist, I started toying with the idea of maybe moving into an area where I could build something. I love building things, both at work and outside of work. The idea of pointing to something and say, “That’s mine. I built that. Look at that.” You can see it, you can touch it. There’s a lot of satisfaction involved with that. And security as I was talking about, it’s almost like this invisible thing if it’s done properly. And security is a huge area, and this is not true of all facets of security, but definitely part of my experience there. What I did was I actually looked at cloud computing. Cloud computing was, it’s been a thing for quite a while, and only ever getting bigger, and everybody’s talking about it. What I actually did was I started investing some time learning some AWS, getting involved with Azure, playing around on GCP, doing certifications, and learning how it works. And actually, one of the things that I really enjoyed about that is all of my initial foray into my career in terms of network engineer, and that’s where it all started. Suddenly you’re talking about VLAN and subnets and routing and all this sort of stuff, all it say it’s exactly the same thing, but new because it’s in the cloud. So it was a really interesting sort of feeling for me. It’s, hey, deja vu, but it’s different. So I did enjoy that. That was something I enjoyed quite a lot.
I did a lot of contemplation at some point after sort of doing this initial learning, and going through these certs and doing study. I really asked myself, is this something I really want to commit to or not? And if I committed, it probably would have been going down the path of really going deep into the weeds, getting into cloud architecture and that sort of thing. And I was happy where I was at, and having this base knowledge of how cloud works in general. You can relate that back to other things, and talk about security at the same time. And what I found was that the more I understood about cloud, the easier it was for me to wrap my head around how we secure the cloud, and have those conversations and explain that to customers who may not necessarily understand it and draw those conclusions themselves. So what I realized was the thing I really love about security is the fact that it doesn’t exist in isolation. You are not securing security. You’re securing something else, and usually that’s some sort of technology. So you do get to play with all of this other technology. It could be networks, it could be the cloud, it could be IoT, it could even be critical infrastructure. So there’s so much you have that it really never gets dull. It’s always exciting. You just need to maintain that perspective of really understanding, this is how lucky I am, because I do get visibility across all of this.
So, I still play with the cloud, and it’s a hobby of mine. I appreciate that, and I continue to learn more as we all should as technologists. But, instead of going into that deep dive, I really enjoy what I’m doing right now, where I am talking with business leaders about security, advising them on their journey, and translating all of these what might be super complicated concepts to people who aren’t necessarily in the industry, to put it in a language they understand. At the end of the day, if you really want that hands-on, and you’re not getting it in your nine to five on your job, you do have passion projects you can throw yourself into outside of work. So that could be playing with cloud. It could even be something as simple as going out, and getting an inexpensive Raspberry Pi, and start playing with things like coming back to our earlier conversation about Operating Systems. Install some flavor of Linux on that and play with it and see how it works, and you can have so much fun. So I think it’s important to really have that mindset about, yeah, sometimes the grass might look greener, but let’s just take stock of really how lucky I am now, and not throw out all of that knowledge and experience I have, if it’s not unwarranted.
Henry Suryawirawan: [00:48:36] Definitely the grass is easier to be green from the outside perspective. Because you hear news, you saw on LinkedIn even like, okay, this person achieved something, celebrate something, new certifications. And then you always thought that, okay, I should follow that person. And I think you are right that it’s very important for someone to always look back on their background, their history, what they like about their career so far, their expertise. And whether you can actually move to the adjacent instead of switching totally. So like what you mentioned in security, you can play with so many things, because security is like a centerpiece of many things. It’s not like the only thing that you need to master. So I think this is a very good story.
Out-of-Comfort Zone Career Principle [00:49:13]
Henry Suryawirawan: [00:49:13] The other thing that you mentioned to me is that, you have maybe this is called principle right in your career, you always deliberately choose for every single job or new role that you are doing, right, to scare you and push you out a little bit of the comfort zone. Why do you think it’s a good principle to have in your career?
Tony Jarvis: [00:49:31] Yeah, so this is a very personal thing for me. It’s something that I really put a lot of importance in, and I can really trace this back through, I think my entire career. So I do like to be challenged, and I started off as a network engineer. I could have left that job, and walked into another job of a very similar role and continued that indefinitely. Some people do, and there is nothing wrong with that at all. You continue to develop those skills. That’s fantastic. For me, I definitely wanted to be pushed. I wanted a challenge. I wanted to feel uncomfortable. Because I know that’s the only reason you’re going to grow. So if I trace back my experience, my move to Singapore. My life experience was in Australia my entire life. And I went to university or worked with people who had done backpacking through Europe, that gone to Japan and taught English, and they had some life experience. I didn’t. So moving to Singapore, and finding that role for me was an opportunity to really, it was sink or swim, a different country, a different culture, see the world differently, and an employment opportunity to go with it. So that was something that I embraced, and I had no guarantee it was going to work out. It did. I remember telling my parents, “Hey, look, I’m thinking of going to Singapore, it’s going to be 12 months. And then I’m coming back home.” Well, that was 12 years ago. So didn’t quite work out the way I expected, that’s life.
But every other experience I’ve had in terms of employment has been a similar sort of story. So FireEye, I was suddenly walking into boardrooms, and addressing the business leadership team, and that was legitimately scary. I was not comfortable with doing that at all the first few times I did that. With exposure, with repetition, and looking back over the first couple of times and saying, “Look that wasn’t so great, but here’s one thing maybe I could improve the next time.” And you gradually do get better. Tracing that through to Check Point. Suddenly I found myself not only engaging with the C-level, but developing my soft skills. Public speaking, standing on a stage and giving presentations, dealing with the media, getting interviewed. I really enjoy that now. I can tell you the very first time I did that, I did not enjoy it, and I wasn’t particularly good at it. But it is not something you’re either born with or without, in terms of being a specific skill set. It is definitely something you can learn. We are all capable of so much more than we think we are. Our only real limitation is the self imposing beliefs we put on ourselves.
And that really comes full circle with Citrix, where I am now. Really building out a security function from scratch. New solutions which we’re taking to market. Being involved in the GTM there. And that’s the challenge that appeals to me being one of the first hires in the region, in the specific team I’m working with. So, an amazing opportunity. I’m really grateful to be there. At the end of the day, for me, what it really comes down to is I do like the saying that says comfort is the enemy of progress. If you’re too comfortable, if you’re in your comfort zone, you’re probably not being pushed. You’re not expanding your horizons. And to me, that’s something I don’t want to have regrets. By the time comes, when I can look back on my career and say, this is what I’ve done. I want to say, yes, I’ve taken chances. I went in directions I thought maybe unnecessarily wouldn’t have been any good at. And I made a go of it and I did okay. It’s definitely made me a more well-rounded individual, not just professionally, but personally as well. So I would definitely recommend it to anybody.
Henry Suryawirawan: [00:52:56] Wow. I really like the phrase “comfort is the enemy of progress”. Speaking of comfort, I think many people, I mean human by itself, has a tendency to seek for comfort, seek for normal condition. They won’t be necessarily always look for dangers and risks and things like that. And sometimes also there’s this thing called imposter syndrome, in the technology space, especially. People just feel like, “Oh. I have this fear that I’m not good enough in terms of my skill set, my experience, my knowledge about a certain technology.” Maybe one of the biggest challenge for them to actually try out and move out of their comfort zone and being challenged, and learn new things. So I think it’s a very good story from you to remind ourselves, always seek for going out of your comfort zone in order to make progress. Sometimes yes, the things that you do, you didn’t like it. But hey, maybe over the time you actually enjoy it and you become good at it. So I think that really is a good story.
3 Tech Lead Wisdom [00:53:47]
Henry Suryawirawan: [00:53:47] So, thanks Tony for being on the show. But before we end the conversation, normally I have this one question that I normally ask for every guest, which is for you to actually leave us with three technical leadership wisdom for us to hear about, and think whether we can also apply it in our career. So what will be your three tech leadership wisdom?
Tony Jarvis: [00:54:05] Yeah. So if I was going to think of three things, three pieces of advice I wish I could give myself years ago, what I would probably come down to is first and foremost, soft skills. Not everybody likes that terminology, but people facing skills. Even if you’re working in technology, even if you’re hands on keyboard in your day job, you still need those personal skills. You still have stakeholders you’re dealing with. Even if it’s your own specific team, you will be influencing people. You will be taking ideas to people, and asking them to buy into them, and to approve them. So having that level of being able to relate to people, and really develop that familiarity with how to make a business case? How to engage in specific sorts of conversations and express ideas? Super, super important.
I’d also probably add to that, that you really have to look more high level than just the technology itself. You’ve got to learn to see things from the business perspective. How is the things you’re doing right now? The projects you’re working on, how do they map back to the business requirements? What value is it providing? And this is really important in security because too often in security, the actual act of security is viewed as a cost center. It’s something you’ve just got to spend money on, and it can be difficult to articulate a return on investment with that. But we do need to turn it into changing the language. It’s not a case of there’s bad things out there and our job is to protect against them. Yes, that’s all true. But you’ve also got to be saying that it’s a business enablement exercise. It’s keeping the business operating. It’s making sure that the risks posed to the business by outside forces and inside forces are mitigated and dealt with, and we have systems and controls in place.
The last piece of advice I would probably offer is that you really should be taking an active interest in other facets of technology too. Maybe your job is in a specific area, and you do need to be an expert in that. Totally understand that. But there is usually a lot of overlap with other areas as well, and they will have codependent relationships. So if you understand these other areas, then it’s going to better enable you to do the job you’re doing. But also, nothing is static. Nothing stays the same. It’s always evolving. And all of these other things, these other technologies that we interact with are evolving too. So if we understand and we keep ourselves interested and invested and up to date with all of these other things going on. We better understand those interdependencies, and we’re better able to maintain and build on our skills for not just our own professional and personal development, but also to protect the organizations that we’re working for as well.
Henry Suryawirawan: [00:56:58] Wow. Thanks for a great wisdom. I think I really resonate with the intersection of many different facets. Technology these days will become more and more immersed in our daily lives. Like the other episode I just had as well. He was talking about how all these new technologies like 5G and all that will just make things become more immersed to us. Self-driving car, for example, or the AR VR, and things like that. So I think, yeah, it’s definitely crucial, find the intersections between the technology and other facets of your life.
So Tony, it’s been a great conversation. So if people want to know more about you, where they can find you. Maybe online?
Tony Jarvis: [00:57:33] Yeah, definitely. So, LinkedIn is my number one place where I post what’s going on, and I do try to give back to the community, put advice out there that people in my shoes where I’d been years ago, it would have helped me back then, so I hope it would help others, and really just contemplate the security industry in general. What are we doing? Where are we going? What are we getting right? What are we getting wrong? So all of that is out there, and happy to connect with anyone who sees my profile on LinkedIn.
Henry Suryawirawan: [00:57:57] So thanks for sharing all your cybersecurity knowledge. I feel that I am a little bit more educated in terms of securing myself. So I hope to have another conversation with you in the future about cybersecurity. So thanks again Tony, for being on the show.
Tony Jarvis: [00:58:10] Thank you so much. It’s been a pleasure.
– End –