Episode 4 - Ed Escobedo: Translating the value of CyberSecurity

This week - Ed Escobedo joins the podcast to discuss his journey to join the Silent Sector team as Chief Strategy Officer, the purpose of cybersecurity, and what lessons he's learned while implementing programs for companies like PayPal and Apollo Education Group, plus the importance of translating the value of cybersecurity to CFOs and other organizational leaders. This will help you understand why we need cybersecurity.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe! 

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths of corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about in their fancy marketing materials, all to help you protect your company from cyber security criminals. And now, here are your hosts: Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo, Lauro Chavez and our guest today, Ed Escobedo. Mike, why don't you go ahead and kick us off with the news? What's going on in cyber today?

Oh, there's a lot going on this week. Let's start out with the top of this: 4.83 million DDoS attacks took place in the first half of 2020, which is a 15 percent increase. People are taking advantage of the, you know, COVID lockdowns, basically.

Another exciting thing to find out is that vulnerability in one and wireless router chipsets is prompting advisories. This is Qualcomm, MediaTek and Realtek chipsets. Basically there's an authentication bypass vulnerability that's out there.

Now, Microsoft XP leak would be less of an issue if so many didn't use it. The source code is online. Apparently it still has a large user base, and cyber criminals are using that code base to go ahead and develop new exploits for it. Why anybody's using Microsoft XP now, I don't know, but apparently they are.

New tactic, or new old tactic, from hackers: basically they're setting up front companies to disguise their hacking and bar and, which is basically an old camouflage tactic. So they're setting up a company like XYZ Insurance Company, sending out email, duping who they can and taking the cash lentil in the company later.

There's a new ransomware out there called Egregor, and basically what their thing is is that they release the data. If you don't pay, they release all your data, some kind of mass media release. Nice of them.

The FBI is warning, spoil your working-from-home escape plan. Apparently what's happening is a lot of people, tired of looking at the same four walls of their office, den, bedroom, wherever they have to be working, are escaping to hotels to work remotely. The problem is hotel security, wireless security, is not all that good, never intended to be, you know, office grade, and so it's being exploited.

From the truly scary and creepy: kids' smartwatches can secretly take pics, record audio on command by encrypted text. Apparently the brand of Chinese smartwatch called Explorer has a back door that was apparently deliberately put in there so they can receive an SMS to kind of check out the kid's surroundings, take pictures and record conversations that are around.

And another note: APT groups chain VPN and Windows bugs to attack US government networks. Basically it's an additional of the Zerologon and a weakness in Fortinet, which is allowing them to exploit that.

From the "we haven't talked about it in a while, but it's something to be continually aware of": CISA is urging utilities to increase protections and warns of potential attacks from China. It's, again, you know, attacks on the grid, the power grid and that sort of thing, is ramping back up.

Kind of good news, end with a good news: new ransomware vaccine. Actually, vaccine kills programs wiping Windows shadow volumes. It's called Raccine, and basically what it does is when it sees the ransomware trying to kill the shadow volumes, it kills the ransomware. So, and with that, I'll go ahead and pass on to Lauro for his vulnerabilities.

Thanks, Mike. Well, appreciate the information. I guess now I need to update my Windows XP. Yeah. Oh yeah, someday I've got to take my website off of that DMZ XP server. Anyway, you know, it's still, you know, a workhorse. Yeah, yeah, it is. You know, as far as I'm concerned, it's one of Microsoft's greatest achievements.

Anyway, so if you're running an Oracle database this week, and, you know, in general, I'm sure it's going to happen again, but if you're running Oracle Database 18c, there's some critical patches you need to be aware of that include some command injection and remote code execution. So those are fairly serious. So if you're running an Oracle 18c, make sure you update that.

Fedora got a few things included this week for Samba. If you're running Samba on top of Fedora, there's a couple command injection weaknesses in this version, so make sure you update your Samba framework on Fedora. And then openSUSE again: security updates for the DPDK packages, so if you've got those up and operational, make sure you're running those updates.

So again, Microsoft stayed the list again this week, that's two weeks in a row. My money is on they'll be on the list for a five next week. And that's it, that's all I got, Zach.

All right, thank you, Lauro and Mike.

Today, like I mentioned earlier, we have a special guest, Ed Escobedo. For those of you who don't know, he recently joined the Silent Sector team as their Chief Strategy Officer, so it's a real pleasure to have him, work with him. And Ed brings just a deep, deep base of knowledge with him, and experience, and through a lot of different companies held executive roles, like the head of technology risk management for PayPal, CIO of Apollo Education Group. He's been VP in various forms for multiple companies like Charles Schwab and DHL. So, tremendous amount of experience; really has a great lens at the executive level of cyber security for large organizations. And so it's absolutely a pleasure to have him. And Ed, thanks for coming on the show.

Thank you, Zach. It's good to be here.

All right, great. Well, Ed, what else would you tell us about your background? I mean, I gave the high level overview, but anything in particular you want to share, any highlights?

Don't be afraid to brag a little bit here.

Sure. Well, let me start with how I got started in the industry. So I got started back in the late 70s, when I joined the Air Force out of high school, and I ended up getting a job in the Air Force as a computer operations MLS. And so that launched my career, and I ended up, out of the Air Force, becoming what I thought was like the best job you could ever have in technology, which was an MVS systems programmer, back in the days when mainframes were the hot ticket item for computing.

And, you know, just a couple of things that we did back in the early 80s as MVS systems programmers: we had a thing called, I mean, security and business continuity and disaster recovery were a key part of what we did back in the 80s. I mean, a couple examples: if anybody knows anything about z/OS, MVS, there was a security product that I installed back in the early 80s called ACF2, which had Kerberos security and, you know, did a lot to restrict access for critical accounts. And the other thing I remember doing, back, you know, a long time ago, back in the 80s, was our disaster recovery plan was mag tapes, you know, where we would take backups of disk drives across the mainframe complex, put them in our car, drive to a cold site, load them on a tape drive, restore these tapes and make sure we brought up the operating system to test our environment. So, I mean, that's how far back my experience goes, well before, you know, the current way of thinking about security and cyber and risk management.

And then you mentioned, Michael mentioned, Windows XP. I remember back, one of the roles I had at Schwab after I moved to California from the East Coast, you know, I remember fondly dealing with Windows XP as a desktop. I ran desktops for our call centers back in the day at Schwab, and I think we had 10,000 desktops, you know, where we had Windows XP was the endpoint, but we had a product called, I think it was SMS, Microsoft SMS, we had to distribute patching to vulnerabilities. I remember doing like two or three nights of full-time, non-stop work to patch Windows XP devices. Just trying to find those on our network was problematic, and having to go through and get those systems patched back in the day, you know, 15, 20 years ago, was hard to do. And it's interesting to find that people are still running Windows XP today. So very much resonate with the idea that those things will need to be patched, because we had trouble back in the day patching them, and it's interesting to see the people still running those systems.

So the most recent role I had was running technology risk management. I think a large part of what I did with PayPal is helping our senior leadership on the first line of defense understand the importance and the context of what it means to have a mature operational shop that has operational excellence and processes around risk management and security best practices. And so I kind of felt I had two roles there at PayPal most recently. One was, I felt like I was the general counsel for all things risk management, so helping protect the CTO and his leadership team on the things that relate to, you know, how do we make sure that we're translating the expectations from external auditors to ensure that we're appropriately applying best practices and their operations to support the things that would come our way from external auditors, internal auditors and second line of defense.

And then the other role that I played there, which I think because I ran technology at Apollo Education Group, which was a large online university, University of Phoenix, I felt like the other role that I had, the other hat that I wore and the other role that I played, was that of educator, and helping all of our IT operational folks basically understand the various nuance of security risk management. I think one of the things I realized is, in some ways, the language of risk management and security is, you know, it's kind of a niche language, right? People, they talk about things that are hard to understand, and so helping people understand how important these things are were clearly the role that I played and what I'm hoping to do with Silent Sector with clients that we have.

That's great. I appreciate you sharing. With all that large corporation experience, what made you make the switch to more of a boutique firm dealing primarily in mid-market and emerging companies?

I worked at some of the greatest companies in the world. Charles Schwab, I had a long career there. PayPal was one of the largest fintech companies in the world. DHL, I think we had 300,000 employees because we were part of the global Deutsche Post World Net ecosystem. And then obviously running Apollo Education Group, which at the time had 500,000 students, online students, and was a significant player and disrupter to the industry.

So I've spent, you know, my 40-year career, all of it, in large companies, and some of my best friends in my personal life have been entrepreneurs, and I've always admired sort of their tenacity with what it means to be an entrepreneur. And I always just talk to them about, just in terms of personal relationships, you know, the things that they did to sort of help grow their business, and they all have had really successful businesses. And so I've always admired it from the outside.

And, you know, as I was transitioning from PayPal, I realized that, you know, I've never done that before. I've never worked at a small company. I've never, you know, learned the skills of what it means to help grow a company from a certain size to a larger size, and what it means to serve a market. I've always been, and this is I think the training from Schwab, focused on customer first. Schwab taught me that, you know, as I grew my career there. You know, PayPal obviously reinforced that with the focus that we had on customers and their mission. And so I thought, well, this could make sense, and let me give my energy and efforts to this venture and see how we can help grow the business.

The mid-market obviously is something that, because I'm a big company guy, sort of bringing that perspective to companies that are growing and need to build maturity and process to support their growth, I think, you know, I kind of have a unique vantage point to that, with CEOs and CIOs and CSOs as they're trying to establish best practices around how to mature their capabilities. So I thought it was a good fit, and, you know, I'm excited about the opportunity.

The other thing I'll say is, you know, when I asked you all, Zach, Mike and Lauro, you know, what your mission was, you know, the idea of protecting companies and protecting the US economy I think to me resonated, having been a veteran with the Air Force many years ago, and so that mission resonated with me as well. And then, you know, the idea that, you know, most of us are veterans and minorities I think also resonated with me, having my personal background and story being both veteran and Hispanic. So those are the reasons.

We're glad to have you. You know, that's something we really don't take lightly. You know, these mid-market and emerging companies are absolutely the backbone of the American economy and our way of life. I mean, without them, we would not be, you know, blessed to live like we do in the United States. And so we absolutely have to protect them, because they are underserved and under attack constantly. It's hard for them to find good options and support. Everybody's quick to sell them tools and products, but there's not a lot of hands-on, you know, boots-on-the-ground expertise for them to work with out there. So it's great to be able to bring that large corporate experience to those organizations. Of course, Mike and Lauro also have backgrounds working within large corporate environments, so we can take and understand, you know, what works, what doesn't, where there's traditionally a lot of waste, and where resources should be put, and really bring best practices into these organizations.

So where are you seeing, you know, throughout your career, at least, you know, over the last 10 years or so, I mean, where do most companies struggle with their cyber risk management? What are kind of the big factors or the big problems that you run into?

You know, I think it's just sort of an understanding of the importance of cyber security and risk management as a practice that's critical to both revenue and sort of core business operations. I mean, when I was the CIO at Apollo Education Group, I mean, I know enough, I've always been like an IT infrastructure guy, data center guy and a big mainframe guy, running operations for large companies, and did a lot of work on desktop collaboration back at Schwab. But I always knew that obviously you needed to have, like, somebody that paid attention to security, and so I ended up hiring a person, and knew enough to build a SOC and the importance of that, and, you know, putting eyes on glass to monitor our network. But that's kind of, I just, sorry, take care of it, let me turn it over to you, sort of your baby to drive. And I used to have to represent the security progress program to the risk oversight committee, which was connected to the board of directors, and so I knew that I had to pay attention to them, but I never really understood the importance of it.

When I went to PayPal, I worked for the CSO there and had a global role running a large security practice for him, faced after the business. And one of the things I've learned at PayPal is, as I said earlier, that people don't quite understand the terminology and the importance and the expectations. And so a lot of what I found at PayPal is helping practitioners that, they all want to do the right thing, but, you know, prioritizing, you know, when you've got so many things on your plate, the importance of best practices around vulnerability management, access management, configuration management, asset management, you know, making sure that those are integral into how you run your operations, and in some ways, you know, a way to differentiate companies from the rest of the competitors that are in their space. You know, I found that that was something that I saw at PayPal, and we did a lot of work helping people understand the importance of things and putting in processes and dashboards to help put us by learning that.

But I suspect that many companies that are not practitioners, that are not, you know, SMEs and sort of from the academic lens of security, cyber security and risk management, just don't quite have an awareness of what it means. And so I feel like part of the opportunity that I have with Silent Sector is to help sort of translate and help, all right, let me just put a language that a CIO or CEO or CFO can understand, you know, why you have to pay attention to these things, because eventually, you know, this could come back to bite you. So to me it's the role of translator and helping people have the context and the business understanding and business context to sort of help prioritize the things that need to be put in place, consistent with other things that are going on in the operations to support growth and protecting their assets.

Yeah, translation is critical, because, you know, without the right resources and budgets, it's very hard for security practitioners to get anything done. So, you know, it's just one of those things that a lot of times we see these organizations that, it's kind of out of sight, out of mind, right? And so they'll just, you know, won't put the time and attention in at the executive level to really truly understand what the risk management means to their organization, the benefits it brings and how it supports the longevity. And so, critical, critical area to be, and I think there's not enough translation going on out there, otherwise we'd probably have far fewer cyber attacks happening.

So what do you hope to see in the cyber security industry moving forward?

Yeah, I mean, I think, so I kind of view this chapter of my career in the top of the first inning. You know, there's NLCS, I was watching the game last night, so I've got a baseball metaphor here, man. Sort of just at the very top of the first inning, and I kind of view this as a long journey, a nine-inning game, and so it's just getting started. But I'm really excited about the opportunity to serve the clients that are currently in the book of Silent Sector, and then also growing our portfolio to include other clients, and particularly those that, you know, are in highly regulated areas like healthcare and financial services and fintech, you know, where you have to basically build the foundation and the core capabilities to serve clients. So, you know, I'm just really excited about, it's really just serving clients at the end of the day, just being a servant to CEOs, CIOs, CISOs and CFOs to help establish that capability.

Great. And you mentioned veterans and minorities earlier. I know you have some plans, some ideas, to really use cyber security as an opportunity for young people that don't have a lot of options. Tell us a little bit about that.

Yeah, you know, I mean, when I was a kid, I never would have thought, back growing up in the middle part of California, in Fresno, that I would have a career in technology that spanned, you know, multiple decades. And then I would just feel so blessed with the opportunity that I had to be in technology, and cyber security has been a part of my career. And so the idea that we could help close the skills gap with those that are living in disadvantaged communities in, let's say, South Phoenix, and giving young people, men and women, people of color, you know, and everybody that has the energy, the opportunity to sort of get into the career that for me has been just a blessing, to feel like my life was turned around, I think to me is such an important personal mission of mine.

You know, one example of that is I've been asked to serve on the Arizona Tech Council, support with Pipeline AZ, to sort of help close the skill gaps for those that are going to school and have an aspiration to get into cyber security, and how we connect them to jobs in the state. And so, you know, I'm excited about that, serving on their advisory council. And so those are the kinds of things that I just personally have paid attention to in my career, and then I'm going to continue to do that. And obviously, as we grow Silent Sector, the opportunity to bring in and mentor and apprentice, to bring in apprentices that can help, and help them understand what it means to be a cyber security professional, is something I'm excited about.

Yeah, absolutely. We've already had a couple students work with us on various projects, and, you know, they were absolute rock stars and, you know, ready to get going and growing in their career. And so it's a lot of fun, and we certainly need more security practitioners in this country. So it's a great opportunity, winning opportunity for everybody, I think. So, well, thank you so much, Ed, for joining us today. Thank you, Mike and Lauro, for your insight, and we will wrap it up and see you on the next show.