EPISODE 34

Security Engineering, Architecture, and Test Overview

About this episode

Brad Gobble, a cybersecurity engineer, joins us in this episode to discuss the four sub-organizations in cybersecurity. In the discussion, we also cover vulnerability management and how entry-level professionals can be brought in to gain additional experience and training. These hiring managers will also give you specific reasons why it is worthwhile to welcome a junior person onto the team.

If you are currently in an entry-level role, you need to know how important it is to be curious and courageous when sharing your ideas with your cybersecurity team.

In this episode, you will learn what opportunities you can grab to learn new skills while waiting to land your dream cybersecurity job. Brad will also define the different roles of an architect in a security organization. Additionally, we will cover bug bounties, pentesting, AppSec, SQL injection vulnerabilities, and so much more.

What you’ll learn

  • What the four sub-groups in a security organization are 
  • How an engineer is different from an architect in cybersecurity
  • What the different roles of an architect are

Episode Transcript

Kip Boyle:

Hi, this is your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. And we’re back. I’m Kip Boyle. We have Wes Shriner, my co-host here. We have a guest here today, too. We’ll tell you about him in a moment. But first, I want you to know that we’re experienced hiring managers of cybersecurity professionals and we’re going to share with you what we know because we want you to get your dream cybersecurity job. We actually want you to be irresistible to cybersecurity hiring managers so that they’ll actually do backflips to try to figure out how to get you on their team.

So, this episode is available as audio only recording and your favorite podcast app, but now a new thing is we also are available as a video. So, go to YouTube and search for our channel, our playlist, it’s called Your Cyber Path Podcast, and then you’ll be able to see the slides that we’re sharing today. And why do we have slides? Because today is another episode in a series that’s designed to tell you all about the way that cybersecurity organizations are put together. We want you to know what the possibilities are and where the opportunities are so that you can make a great decision about your future cybersecurity career. Okay. And as I said, today, we’re going to dive deeply into one of the areas and we’re going to do it with the help of a guest. Wes, who do we have today?

Wes Shriner: 

I’m excited about today, Kip. It’s going to be fun. We’ve got Brad Gobble joining us. Brad comes to us from the greater Puget Sound area. I believe he’s on one of the islands today. Looks like at a library. Brad?

Brad Gobble:

That’s what we do here. We read and we stay out of the rain, because it’s the south end of Whidbey Island. Shout out to all of our Hansville inlet folks, if anyone knows where that is. Look it up [crosstalk].

Kip Boyle: 

And he’s on island [inaudible]. I can’t even believe you got him to put on clothes and come talk to us. [inaudible].

Brad Gobble: 

Oh, yeah. You don’t want to know what I normally wear. [inaudible].

Wes Shriner: 

We don’t want to know.

Kip Boyle:

No, we don’t.

Wes Shriner: 

There we go. So, Kip, I need to tell you that it’s been pretty wild on the farm this week. We had 60 tons of rock delivered to the property.

Kip Boyle: 

How do you do that? Is there a train?

Wes Shriner:

No, no trains. 60 tons so far, and we’ve got another 40 tons scheduled. This is dump truck loads that are then… I learned the word quarry spalls. Right? Because quarry spalls are the larger rocks that then go down before you put the medium-sized rocks, and then the small rocks, in order to build a road. If you put the small rocks down first, you’ll lose them if you put the… into the dirt and into the mud. If you only put small rocks down, they disappear quickly and your road is gone. What I learned is if you’ve got the right architect, your road’s going to be very successful. And if you don’t have the right architect, it’s not going to work very well. And I think that’s going to be a lot of fun in today’s conversation because we’re going into security, architecture, and test. How about that?

Kip Boyle: 

What a lead in.

Brad Gobble: 

There you do. I’ve wanted to know where you could tie that in, man. Good job. Well done.

Kip Boyle: 

Life on the farm is a metaphor for cybersecurity and we are-

Wes Shriner: 

In every way.

Kip Boyle:

we are just plumbing that.

Wes Shriner: 

We are living life on the edge. All right, let’s jump in and see what we’ve got scheduled for today. I know that we’re on the new journey in the new video, we’re looking at what is the greater cybersecurity organization. Today, we’re going to look specifically at security engineering, architecture, and test, and I’m glad to have Brad here. Brad, this is kind of fun. Some nice pictures of you there. Brad, you’ve been at Microsoft, you’ve been at Oracle, you’ve been at HP, you’ve been at Expedia. You’ve been at some big places. You’re currently head of security at Zume, but Zume is spelled Z-U-M-E. Can you tell us a little bit about your story? What’s your background? And I see here you’ve been taking credit for engineers since 2004. Congratulations.

Brad Gobble: 

Yeah, as far as… Yeah. I’ll take full credit for that. Yeah. So, I started off, and how I ended up in cybersecurity is after four years of college with a degree in history and English and wandering around Europe, I came home to find myself an exceptionally well-versed waiter. And I said, “I should probably do something more.” So, I went back to college ostensibly to pursue a PhD in contemporary American criticism, for like the New Yorker and stuff like that, and, hence, the books. I’ve read all of these this month. And I had the argument with the Dean and said, “If you don’t let me start this September, I’m going to get an engineering degree.” I don’t know where I came up with that. She laughed at me. Three hours later, I had registered for calc I, chem I, and physics I. Five years later, I’m an engineer.

Of course I became an engineer during the economic downturn of the mid ’90s, so no one was hiring environmental engineers, so I got into IT. A conversation with a friend led me to moving out to the west coast and getting a job at Microsoft. And from there, LinkedIn says the rest of my history. But more importantly, the things that brought me here and why I do security is the guys who I hung out with and spent time with and respected and enjoyed them just as people just happened to be a bunch of security guys, so they needed an ops PM to run their hundreds of servers that we were using to scan, collect information, protect a company that was moving pretty fast. We were doing lots of cool stuff. And from there, curiosity, openness, and a service mindset is why I’m here and why I keep doing it and what fuels me and drives me each and every day.

Wes Shriner: 

Outstanding.

Kip Boyle: 

Great.

Wes Shriner:

I’m glad you’re here. I think it’s going to be really fun. So, let’s jump in and see what we’ve got. Well, or we can try again. There we go.

Kip Boyle:

Hey-

Wes Shriner:

Folks, this is-

Kip Boyle:

I’ve seen this.

Wes Shriner:

a place mat that you’ve seen before. This is from the last episode. This is very much a detailed diagram, and I’m going to ask you to spend a minute taking a look at it. Maybe even print it out, hang it on your wall. I’ll autograph it for you at conferences if you’d like.

Kip Boyle: 

When that ever happens.

Brad Gobble: 

I have it tattooed on my back.

Wes Shriner: 

There you go. So, folks, this is the place mat that describes the cybersecurity organization. There are four sub-organizations: the GRC, the product security, the security operations, and the engineering, architecture, and test. We’re going to zoom in today on one of those four organizations. So, as you can see on the right side of your screen, that is the five services… six services of a common security service catalog in engineering, architecture, and test. We also see that there are, it looks like, nine individual teams in there, and there’s a lot of staff involved in that. Many of those staff are senior folks and many of those staff are folks starting out. And so, there’s a real opportunity here to understand what are the roles? What are the teams? What are the functions? And where am I in that? Because if you understand the security organization, you can start to see where you fit in it, and that’s what we’re really trying to help with here.

Let’s jump forward. Now we’ve highlighted the engineering, architecture, and test disciplines specifically. We’ve got the six services and the teams. Do you guys have some experience in some of these services? Do you want to tell us a little bit about your experience in them? I know I’ve spent the last five years doing the IT project support, building a program at a large company. And Brad, I actually learned that from you. In 2006, I was in your organization hired by you to do IT project support, and I’ve made a career out of copying Brad. So, Brad, how about that?

Brad Gobble: 

Highest form of flattery. Highest form of flattery. Thank you.

Wes Shriner:

How about that?

Brad Gobble: 

So, yes, it’s a good place to start. And we looked through these different parts of the organization and remembering in the context of folks looking for their next big thing or where they want to arrive, ultimately, in their careers. We look at security, architecture, and strategy as the pinnacle of these roles, not because it takes the smartest or hardest, but the accumulation of knowledge and understanding IT operating environments, software coding practices and trends, and laying down where the industry is going next. It means you have to have a lot of experience to play in this arena. It’s less about intellectual horsepower and more about really depth and time in the saddle to be able to contribute in a meaningful way. Not to say it’s beyond anyone, but man, it takes a lot of living and learning to play a role in that security strategy and architecture roles. A lot.

Kip Boyle: 

Yeah. Yeah. There’s a big people dimension here. And the way you get to know people is just by working with them. Right? I mean, something that looks amazing on paper is completely impractical if you don’t have the right people.

Brad Gobble:

Well, and it’s interesting. We’ve got it rubbed right up against the solution, engineering, and architecture because that’s a little bit easier to play in the space. Strong practitioners who have a lot of time in assembling and building and making things tend to play in this role. It’s a good, strong role to move into and upwards because of the hands-on practicality. And there’s a natural, at least in my experience, there’s a tension between these two functions, these two roles, engineering and architecture. Because engineers tend to look at architects as having their head in the clouds, not being able to deliver anything. It’s that they talk it to death. Right?

I mean, how many times have, and nobody answer, we’ve had a meeting where the engineers got it all figured out, “Let’s go make it, do a thing,” and they’re already starting to roll up their sleeves and log into servers and spin up VMs? And the architect comes over and says, “Yeah, we tried that five years ago,” craps all over it, calls the CSO, and shuts down your project dead in the water. Not saying where that happened, but that happens quite a bit. Conversely, architects-

Wes Shriner: 

And on the contrast-

Brad Gobble: 

Yeah.

Wes Shriner: 

Yeah.

Brad Gobble: 

Yeah. By contrast, architects-

Wes Shriner: 

The architect goes and invents a new idea and says, “We’re going to pontificate about the thing that’s over there,” and the engineer says, “That’ll never meet the road. The rubber will never arrive at road.”

Brad Gobble: 

Yep. They’ll talk it to death. We don’t have a thing or this stuff. I think one of the most successful projects I led as a leader in IT security was at a former employer. We put together what’s called a vision-to-delivery strategy, and what it was is we paired architects with engineers inside of a particular swim lane, be it identity and access management or network security or AppSec or mobile devices, and made them play out a three-year plan, five-year plan. Architects do this all the time. But then we made the engineers put together a Gantt chart of individual projects that assembled to make that… Okay. So, if we want in five years to have this overall capability, which the CSO loves, then we’re going to need these eight different projects in this order, and if you don’t fund this one here this year, everything is pushed by that year. The unifying of the practices, and also the peer mentorship that occurred there between the architects and engineers, was a tremendous success and one of the things I’m most proud of, actually. That was a good year.

Wes Shriner:

So, if we keep going down the list just a little bit… Thank you, Brad. That was interesting.

Brad Gobble: 

Yeah.

Wes Shriner: 

If we go down the list a little bit, I’m looking at vulnerability management and application security, both as teams that take… While we just talked about engineering and architecture as very senior roles, vulnerability management and application security both have some room for the interns, for the new folks who are just trying to get their start.

Brad Gobble: 

Very accessible. And it’s cool, too, especially in vulnerability management. There’s some amazing tools out there that have been around for a while. Do we name company names and product names, or do we avoid that here?

Wes Shriner: 

We do. Because we hope they send us money.

Brad Gobble:

Oh, good. So, Rapid7 is absolutely a fantastic… I’ve worked with them often. And Qualys, another very, very strong collection of products. Love them both. I’ll tell you one thing about vulnerability management, though: it still requires a level of skepticism on the operator’s part. And I’ll give you one small, short example. Years ago, we were scanning Linux systems because we were in a very heterogeneous environment, and for some reason, Debian was a huge choice. And in our vulnerability scanners, and I won’t tell you which one we were using, and it wasn’t their fault, they relied upon the manifest of what the version had and what was in it so we could scan for what was vulnerable. And the Debian manifests were the absolute worst, so there was an ocean of false positives. And this was caught by a very junior member of the team, because they were just trying to learn. They’re just trying to be diligent. They’re reading the manual. They’re double-checking the books.

Wes Shriner:

I love that you’re talking about false positives because that’s the money in this one. It’s not about, “Can I get the tool running? Can I turn it on? Can I make it scan?” It’s all about, “Are the results useful or functional for my partners?”

Kip Boyle: 

Yeah, absolutely. And it’s not just about patches. Right? Patches are a big part of it, but it’s also about configurations. Right? Are configurations correct? Sometimes it’s about an obsolete piece of software that’s just like, “Hey, we just either need to upgrade this thing or tear it out because there’s no fixing it.” Right? It’s just done for. So, there’s a lot that goes on here. And when I’ve done vulnerability management, I absolutely want to affirm that it’s great to have junior people involved here because they can be more tenacious, they bring that beginner’s mind, and quite frankly, it’s a wonderful training ground for them. They’re going to learn so much.

Brad Gobble: 

Yeah. Tons.

Wes Shriner:

One of my secrets to hiring is actually pairing the senior curmudgeon with the junior intern. Right? Because the senior curmudgeon has forgotten more than I’ll ever learn in my life and the junior intern brings all of the energy, enthusiasm, and excitement. And if you get them to blend, you actually get the energy and the wisdom at the same time and it levels up everything. So, if you were starting out your career and trying to figure it out, the energy, the enthusiasm, the excitement, the willingness to learn, the hunger is going to be a big selling point for your opportunities.

Kip Boyle: 

Yeah. Don’t let the curmudgeon tease that out of you, either. Stay hungry.

Brad Gobble: 

Yeah. And I’ll tell you guys, at one employer I showed up… Before I moved back into management, I was a security solution architect working with the smartest, most experienced security people in the entire company. I think I added up that amongst the 11 architects there were 175 years of security experience, just security. There was more IT before that. And I ended up managing that group because I showed up with my hat in my hand and focused on what the overall mission was, which was delivering that vision action plan that worked so well, because these smart fellows, men and women, were so focused on delivering their particular thing that they lacked the ability to organize themselves to make it a story that could be used and consumed by the institution.

So, you don’t always have to be the top alpha nerd to be a high value to the corporation or to the role. Right? No matter if you’re corporate or smaller. So, please keep that in mind while you’re building your career. Be curious. Show up with your hat in your hand. And if you think you know the answer, you’re probably wrong, but that doesn’t mean don’t voice it. Just know how to say it to encourage a conversation with these folks who’ve been doing it for a really long time.

Wes Shriner: 

A lot of humility goes a long ways.

Brad Gobble: 

Oh God. That was a hard lesson to learn.

Wes Shriner: 

So, we didn’t talk about application security, but we’ve mentioned it before, that AppSec is one of the newer disciplines and very much an opportunity for a young code wiz to step into a security role and be really successful, or, for that matter, a senior code wiz can step into security and be really successful.

Kip Boyle: 

Yeah. Go ahead, Brad.

Brad Gobble:

I want to put a challenge out to anybody who wants to join AppSec. Since I’ve been in security for, what was it, 18 years now, cross-site scripting and SQL injection are still a problem. Now, I came to security from an IT perspective, so rack, stack, build, burn. Right? You know what? We’ve managed to get rack, stack, build, burn done right and safely, so why are we still seeing cross-site scripting and SQL injection? So, you young AppSec persons out there, figure out how to stop that because you’re embarrassing yourselves, you software developers. You have got to stop this now. All right? But there you go. There’s my rant.

Wes Shriner: 

Let’s just shame them into compliance. Sounds like a plan, Brad.

Brad Gobble: 

Yeah.

Kip Boyle: 

The white hot spotlight of shame. Let’s put it on those guys over there.

Brad Gobble: 

[inaudible].

Wes Shriner:

If I keep going down the teams, the security functional testing is going to be only in the larger organizations, and stepping into just a tester role, you’re probably not looking at security testing, you’re probably looking at functional testing in general. So, I’m not going to highlight that role as much. I know that the bug bounty programs are usually run by an individual who is running a bug bounty role, and usually, that’s outsourced. So, I wouldn’t pursue that one as much, but then, penetration testing is your next one and the internal threat hunting is right after that. And I think those are actually really interesting roles for the hot wiz. Right? If you’re the new hotness and you are bringing it at school, welcome to the big pond where the big fish are bigger than you’ve ever imagined and it’s a lot of fun.

Kip Boyle: 

Yeah. But at the same time, be careful because what I’m seeing is a lot more people pursuing those jobs than there are jobs. There’s a lot of competition to get those pen test jobs. And I’m not saying that to discourage anybody, I’m just saying it to make sure that you understand the reality of the situation. But I do want to say that if you want to get into AppSec, I just want to back up for just a moment, you can do a lot on your own. Right? So, you could learn how to code so that you could begin to appreciate why it is that we’re still dealing with cross-site scripting vulnerabilities and SQL injections. Right? And so, you could actually go and build something yourself, and then you could go test it. Right?

So, there’s a lot you can do to come up to speed with application security before you ever get hired anywhere. So, that’s one of the things I just wanted to highlight. And of course, bug bounty. Right? You can sign up for a bug bounty program, many of them. So, anyway, just want to just highlight the fact that that is a very fertile ground if you like coding.

Wes Shriner:

I’m going to call out two things here, Kip, building on what you just said. The first is, if you’re sitting on the bench and you don’t have a lot to do right now and you’re trying to figure out how I can grow myself, I’ve got to recommend go to AWS and build yourself a web shopping cart. Right? And build that web shopping site to sell yourself a pack of gum. I need you to process a $1 transaction selling your mother a pack of gum, and then I need you to be able to draw an IT architecture diagram of what it is that you’ve created.

And then I need you to do a threat model, and I’m calling out the specific disciplines right here. Right? The threat model of your own IT architecture diagram, and where do you want to put your security controls, in which layers? Do I want to do network security controls? Do I need to do identity security controls? What controls are appropriate for my sell-a-pack-of-gum-to-my-mom-over-the-internet-for-a-dollar? Right? And then if I’ve done all of that, you probably can’t pen test it on AWS, but I bet there’s a way you can run it locally and do some testing against it. Right?

Brad Gobble: 

Yeah. And I’ll tell you, the cloud has made infrastructure security so much more accessible. It was literally almost impossible to acquire that kind of knowledge and understanding beforehand, whereas software development, you could. You could roll up your sleeves and then figure out how to break your own stuff. With the advent of cloud and the accessibility, incredibly low price, including a lot of student pricing, as well [crosstalk].

Kip Boyle: 

And free tier.

Brad Gobble:

Yeah, free tier. I think all three of us have our AWS accounts and our Azure accounts specifically because, frankly, I’ve gone into meetings and been unable to answer a question, so I’ll take the hour before the meeting to try something out or take a look at it so I show up prepared to, frankly, embarrass or belittle those people around me. I mean, deliver the best possible insight I can to the [crosstalk].

Kip Boyle:

Without stealing their credit.

Brad Gobble: 

Exactly. But be forewarned, though, you’ll learn a lot about bad things that can happen in the cloud, as well. So, be vigilant and use a credit card, not a debit card. Right?

Kip Boyle: 

Yeah. Yeah. But not somebody else’s credit card. All right? We’re not that kind of show.

Wes Shriner: 

Whoa.

Brad Gobble:

No, we’re not that kind of show. Not yet, at least.

Wes Shriner:

While we’re on that topic, bug bounty and pen testing is an interesting way to go. If you’re really serious, “I want to be a pen tester,” I’m not going to deter you. I’m not going to turn you away from it. I’m going to tell you that the pen testers that I hire have already made $30,000 in bug bounties in the wild. Right? So, if you’re really hungry to make that pen testing role, go make $30,000 as a bug bounty researcher and you are ready for the pen testing job.

Kip Boyle: 

And there’s nothing stopping you. You don’t need anyone’s permission to do that. Just do it.

Brad Gobble: 

Yeah. [inaudible]. Go for it.

Kip Boyle: 

Yeah. Just do it.

Brad Gobble: 

And a shout out to testing, as well. My very first job at that big company in Redmond was as a software tester [inaudible] Windows 98. So, it all starts somewhere, and test is a really good place to start.

Kip Boyle: 

Yep.

Wes Shriner:

It is. Folks, I’m going to call out that threat intel is the last one on this list, and I’m not going to direct you too much in that direction because, while that’s a really interesting part of the security story, that is really for folks who have been doing and studying the dark web for a long time. Would you guys disagree with me there? Would you say there’s some spots for starters in the threat intel space?

Kip Boyle:

Okay. So, the problem I have is I’m not sure we all know what threat intel is. It’s so new and unstructured. And the people that I see doing it the most, more than anybody else, to be honest with you, is former FBI agents. I don’t know. I mean, unless you’re going to get coffee for the former FBI agents, I don’t know what you can do there.

Brad Gobble:

I’d say I got a good one. I know a few people are familiar with Reddit. It’s a little website that some people have tried out looking on for high-brow content. Reddit, r/netsec-

Kip Boyle:

[inaudible].

Brad Gobble: 

Yeah. The r/security basically is all about selling stuff. But r/netsec is a fantastic resource for what is actually happening in the wild today and what people are talking about. And my very short story was, before I wandered into work on a Monday, I wandered [inaudible] and said, “Oh hey, what’s going on in netsec?” [inaudible] click Heartbleed something, went to this beautiful page… Y’all remember the Heartbleed page with all the information and the big picture of a bleeding heart. And it’s really informative in what’s going on. Super cool.

I finished up my day Monday in my normal role, and Tuesday morning, first thing in the morning, I’m having a meeting full of senior executives of cybersecurity and product management at a very, very, very big company. At the end of the meeting, I played my role, I was a technical solutions architect at the time, I attended these meetings to contribute to the conversation, and I said, “Hey, just to remind everybody today, it’s 8:47 and pretty much all your IT team’s going to be pretty busy [inaudible] for this Heartbleed thing because it’s a big deal.” I’m sure y’all know that, just reminding you to forget [inaudible] keep it on the engineers. And they’re like, “The heart what?”

Kip Boyle:

You were Paul Revere, weren’t you? Nobody knew.

Brad Gobble: 

Honestly, I was… And again, I don’t want to throw my former employer under the bus, but I was the first reporter for Heartbleed in a Fortune 50 company, all because I was wandering around on Reddit looking at I Can Has Cheezburger memes.

Wes Shriner:

I think it’s great that Brad can read so I think we’re winning.

Brad Gobble: 

Well, memes, you know.

Kip Boyle: 

That’s an old meme, Brad. Just so you know.

Brad Gobble: 

I know. I know.

Kip Boyle:

It might’ve been one of the first.

Brad Gobble: 

That’s the best thing about it. It never gets old.

Wes Shriner: 

Good stuff.

Kip Boyle: 

Brad, that’s a good point. Threat intel doesn’t have to be a dedicated role in the way that I had described it a moment ago. Right? It could just be you doing your job and keeping your ears open.

Brad Gobble: 

Yeah. Agreed.

Wes Shriner: 

Literacy is a big part of the role. All right. Thank you, folks, for walking through some of this service catalog, some of the common services in engineering, architecture, and test. I’m going to remind you… Oh, we’ve got a whole lot more content. We’ve got to move.

Kip Boyle: 

Okay. Let’s do it.

Wes Shriner: 

Some of the common functions and tools, the processes and standards that you might run into when you’re doing engineering, architecture, and test might be a reference architecture or threat models. You might be using Metasploit in your pen testing. You might be using vuln scanning tools. There’s a lot of scanning and reporting and not enough automation, so if you can bring automation to this space, that would be awesome.

Brad Gobble: 

Agreed. You’re teeing me up for the architectural design review. We’ve done a lot, a lot of that. And what it is, what started off as a practice of the smartest people in security shouting at the smartest people in the software development team, instead has become much more of a Q&A session, a practice you need to develop and mature wherever you’re going. So, when you’re doing it, or want to be part of it, it’s more about talking through what your aspirations are for the product or the system that you’re evaluating, the resources you have to assemble and snap together, and finally, does that make sense and have you considered how this can be attacked or tipped over? And this is the role security practitioners will play time and time again.

My competence at doing this wavers depending on when the last one I did was, but even when Wes and I worked together again recently, he had me doing roll-up-your-sleeves, hardcore architectural and security engineering design reviews, and remembering how a thing can be broken and what they’re thinking is a big, big part of that. And so, you can do this. Matter of fact, for, again, people just growing into this industry, in this segment, you can start doing this yourself. Find diagrams of how a thing works. Like Wes said, get yourself an AWS account, take out a piece of paper and draw what you think you’re about to make. When you draw a line from a thing to a thing… Can you tell me how your web server is going to talk to your database server? Right? [crosstalk] protocols.

Wes Shriner: 

So, Brad, if you’re going to do that, that diagram needs to have beer cans and lightning bolts, I believe.

Brad Gobble: 

Beer cans and lightning bolts, baby. That’s the official nomenclature for… And some of the designs that we’ve received have been laughably oversimple. Some are grossly overcomplicated. Remember that the document that someone is showing you and sharing with you is a path to arriving at understanding between the two of you so that you can laugh and point at them with your friends later when they aren’t around, but provide fantastic feedback to make you look like a genius in front of the boss. And then a lot of this is very accessible. So, even though you may be an AppSec person, do you know what ports and protocols are? Does your SQL database talk to your web server on what port? What protocol are they talking? Can you have that conversation? Because if you can’t, you need to go back to the drawing board and learn how to do that.

Wes Shriner:

Is that a mutually authenticated and encrypted API?

Brad Gobble: 

Yep.

Wes Shriner: 

Yeah.

Brad Gobble: 

Absolutely.

Wes Shriner: 

Good stuff.

Brad Gobble: 

Are we talking about zero trust? We’ll talk about zero trust later. Big fan. Big fan.

Wes Shriner: 

I do want to call out that these teams have real good partnerships with your policies and standards management. They’ve got partnerships with your risk management because everything they find is either remediated immediately or put on the risk register. You can’t find it and forget it. That’s one of the rules. And then, lastly, there’s a strong partnership with incident response because this is the team that’s working to protect the environment, and then when bad things happen, we’ve got a feedback loop so we can work to protect the environment better. Right? So, that’s very much how these teams work together. There’s also some enterprise dependencies here. Right? Dependencies outside of the security team that are key partnerships for these teams. Right? So, if you’re going to be in an architecture engineering function, you probably want to have a strong partnership with your IT infrastructure teams. Right? Your networking team, your sysadmins, your database admins, and your cloud administration, those are your best friends.

Brad Gobble:

Your very best friends and the ones who’ll make you look the worst when you get it wrong. Do not think they don’t know security. They just choose not to do it, not be secure, but to perform the function.

Wes Shriner: 

They choose not to be paid for that title specifically. I hope they’re doing it.

Brad Gobble:

Exactly. But I’ll tell you what, networking teams are incented to get things connected to make them work. You are incented as a security practitioner to block anything that shouldn’t be occurring, so that tension exists. Get to know these men and women quickly, understand them, bring them coffee, bring them donuts, because they’re what’s going to make you look really good. When they’re asking for you to join, you’re winning.

Kip Boyle: 

Yeah. Brad, you’re right. There’s tension. Keep that tension as healthy as you can possibly keep it because when that tension devolves into sneering and muttering under your breath about what a bunch of jerks they are, and you really believe that, you’re done for. That’s the beginning of the end. Because these are real relationships. Oh my God, I can’t tell you how many times I’ve seen people just destroy their ability to work with others. And then when they wake up and realize, “Oh my God, I really need them,” it’s too late.

Brad Gobble: 

And a reminder to everyone who’s getting into security, you are not a paladin. You’re not saving anyone from themselves, even though you kind of are. And if you show up with that attitude and you’re saving them, trust me, the networking guys, you will lose. The first volley, matter of fact, the first couple of rounds, you’re going to lose. You’re going to be right, but you’re going to lose.

Wes Shriner: 

You’re going to be right and wrong.

Brad Gobble: 

Yeah. And then the company will get popped and you’re suddenly back into the limelight here. You’re right and everyone’s listening to you. That’s got a really short period. It lasts for a very short window because the company is in business to connect and get things done, and therefore, it’s not there to be secure. Security is a risk.

Kip Boyle: 

You’re going to work in a silo, but you can’t work alone.

Brad Gobble: 

Yep. Exactly. Exactly.

Kip Boyle: 

Right.

Wes Shriner: 

I don’t even need to say more because you guys just said it, and I love it. It’s well said. Simply put, you don’t own the networks, the databases, the systems, the cloud, you don’t own the code, but you only influence for security, the advocacy for security. And if you lose that influence by undercutting it in a relationship category, that’s expensive. All right. Let’s keep jumping here because I know we’ve got a lot more to cover today. We did see last week, look at the staffing swagger and the budget swagger for this area. I want to call it out here. We’re looking at a 27% of your overall security headcount is actually in the engineering, architecture, and test function. Right? If I’ve got a large budget for security organization, 18% of that budget is actually in this engineering, architecture, and test function. Right? If you’ve got the video version, you can see it on the screen and see where the details of that go. Understand this is our best guess.

Kip Boyle: 

Yeah. And you can go back to last week’s episode because we did a deeper dive on these two diagrams and we showed them to you in a much larger setting so you could actually read the words on there. But we just want to make sure that we remind you that you should be paying attention to budget and staffing.

Wes Shriner:

I would ask you, Brad, and you, Kip, the estimate of 27% of your staff and 18% of your budget, does that sound about right for engineering, architecture, and test in the functions we’ve talked about? Or would you like to see more money or more staff or less money, less staff in this area?

Brad Gobble: 

Yeah. I’m going to be [greazy]. It depends. My current role has an army of one. Do I spend a third of my time on this? Yeah, actually, it’s a pretty good swagger budget-wise. Depending on the maturity of the organization, you need people to build and test more or less. It depends on the philosophy of the company and how much change there is. The more change there is, like we moved, when we spun off services to create a whole new company called DXC Technology, we had to move a portfolio of 1,100 applications in less than one year completely into a new operating environment and model. I swear we probably doubled this for an eight-month period to get through that entire portfolio, but it went back to normal. It depends on the swag. The less change, the lower you can make this budget.

Kip Boyle: 

Yeah. And I also think that the industry that you’re in is going to matter, as well, because if you’re in a tech industry or a tech heavy industry, then these are probably the right numbers, but if you’re in a manufacturing space, then these numbers are probably too large or the money is spent differently. In other words, you’re paying contractors or consultants or outside companies by the project instead of putting those people on your payroll so it could look different.

Brad Gobble: 

Yep. And so, when you’re heading into this industry, if this is going to be your trajectory, that’s one way to sniff around and find the opportunities and find the jobs. Look for companies that are M&A work, too, mergers and acquisitions work. You’ll see a lot of opportunity for architecture and [inaudible] because you’ve got to connect these companies together, and that’s a chance for employment, as well. So, target that.

Wes Shriner: 

That’s big. All right. And that brings us to what kind of jobs are available in these roles. Right? Some of the senior positions might be that architectural roles, an enterprise architect, a solution architect, and a strategy architect. Brad, can you tell us what the difference is between those three?

Brad Gobble: 

Yeah. So, an enterprise architect has responsibility for the multi-year plans on the control sets for the particular discipline or swim lanes. There’s usually more than one because there’s usually more control areas. An example is networking, mobile devices, endpoint protection, which is the security of your laptop, computer, what have you, and cloud architect.

The solution architect is much more pointed in [inaudible] and is responsible for designing very specific solutions that meet the company’s enterprise goals and longer term projections, but are wrapping controls around that specific type of technology or that specific large project such as your big data solutions or your… which I own that reference architecture for Hewlett-Packard for a couple of years. And so, what was really interesting about that function in that role is that you had become an SME, you’re so tempted to become an engineer and design the widget or the tool to protect it, but you can’t. You’ve got to back up and you have to specify the attributes of the controls.

Then, finally, is the strategic architect, our strategy role. That’s when that next layer of [inaudible] takes on that much more importance. You need to talk and listen to the business objectives of the C-suite and their immediate reports to understand where the corporation is going, how security heavy or not heavy are you, and what are other potential controls are resolutions to security issues or upcoming security problems that can be addressed in other ways, either, say, illegally or otherwise. And so, that strategy on it isn’t that we want to do a thing in this amount of time, but we want to become the biggest maker of waffle and fuzzy hats and, therefore, I see a big push in this area to meet the protection of this hat designed by…

The further you go, the further away you get away from the nuts and bolts of designing. And it’s really hard. Some people really want to stay engineers. They still want to build and that you’ll be much less effective. So, when you’re choosing your career and as you grow in your career, architect isn’t necessarily the next biggest step from being an engineer because you stop making stuff and you become more and more disconnected from the, frankly, pretty darn interesting nuts and bolts of security. As security strategist, I did the least amount of security in my entire career. It was all about business relationships.

Wes Shriner: 

Interesting. Some of the other senior positions might be software engineer or penetration tester. I think we’re going to see those actually also in the junior positions because that’s where the curmudgeons and the juniors come together to really light things up. And some of the entry-level positions, we see the scanning tools and the reporting tools. We see the junior pen tester, we see the threat intelligence and reporting function could be a junior role, or as you said, Kip, maybe a DOD transfer type role. And then we also saw some application security opportunities there.

Brad Gobble: 

And to senior positions, too, can I add infrastructure engineer? These are the folks who got [inaudible]. That’s the path that my teams came up, rack, stack, build, burn, which is we’re becoming more and more cloud so you have your cloud and your… Can you set up and configure and connect the pieces of the system without actually writing code to reside upon it to accomplish the business function? And so, that’s a real round up. And particularly with the advent of cloud, you can get really good cloud configurations, learn the security to it, with probably a heavy dose of identity and access management to that, and now you’re very valuable to me and I want to hire you.

Wes Shriner:

Outstanding. And I think that is where we’re going to end this slide and take us to some last words from Brad. Right? What have been the keys to your success and what would you say to a mentee? And what do you wish you knew then that you know now?

Brad Gobble: 

Keys to my success. If we can simply start with my dazzling personality, I think the most important things to being successful is an unabiding desire, curiosity [inaudible] flourishing with everything. Security in particular the weirdest stuff comes from the weirdest place from [LUN] hopping to SQL injection, all these are very interesting, very tightly well-defined things. You’ve got to be curious. I was talking to a data architecture courseware class at UW last year, and the one thing I really wanted to land with these folks is whatever you’re learning today, please know that in three years you may be the world’s outstanding expert at something and what you’ve learned is completely worthless. So, if you’re looking to…

And making, as well. Whatever you’ve built this year, five years from now no one cares. Not a bit. No matter if you put your heart and soul into it, get over it. You want that kind of thing, go be an artist, go be an author. You always have to be driving and learning and doing more. All of us on this podcast, I’m sure at some point today or tomorrow we’re going to spend two, three hours reading something about something. That curiosity. That curiosity necessarily feeds listening. All three of us are talkers. Let me tell you how much not talking we are continually training ourselves to do. Because there’s always something more someone can teach you.

And if they’re in school currently and looking at the field, I would [inaudible] focus on… I have an openly stated bias towards traditional engineering roles only because from mechanical to electrical to whatever, only because it’s such a vicious beating and a massive amount of work. I think doing Wes’ driveway, they move one stone at a time, and that’s part of the engineering curriculum. So, those people who are willing to do that to themselves and endure that I know can work through to completion. You don’t need a piece of paper to get a job with me, but the fact that you completed and got a piece of paper means you started and finished something. And man, I cannot tell you how many times people don’t finish stuff in business in general. So, complete them. Focus, cloud, cloud, cloud, cloud, cloud, cloud. Servers are kind of cool because you can [crosstalk].

Wes Shriner:

I’m not clear on that, Brad. I wasn’t clear on that. What was the focus you recommended?

Kip Boyle: 

Something with a C. A certain word, starts with a C.

Brad Gobble:

[inaudible] cloud, there you go.

Kip Boyle: 

[inaudible].

Brad Gobble: 

It’s our future. The naysayers are going the way of the Dodo and the various permutations of it. And it’s so accessible. There’s so much great online instruction that is truly high quality. Everything from A Cloud Guru. Look at Udemy, U-D-E-M-Y, website. These educational packages go on sale for 10 bucks. Honestly, best bang for your buck. It’s fantastic. High quality stuff. Love it.

And then, finally, what do I know now that I wish I knew then? I mentioned it briefly. I was trained in security by Boy Scouts, by paladins, by heroes, so you, you have the ability to say whatever you say because it’s true. Right? Let me give you this. Before you open your mouth, is it true? Is it necessary? And is it kind? And if it fails any one of those, choose to keep your thoughts to yourself. I’m not joking. Had I followed that more, my road would have been a little less bumpy. You will appreciate it. Is it true? There are other places that have co-opted that. I didn’t write it, didn’t come up with it, but buddy, that would have really helped.

Wes Shriner:

[inaudible].

Brad Gobble: 

Yeah, yeah, yeah. Because security is just another function inside the corporation. It holds no higher nor lower place. I had a conversation with a CEO this morning, literally on this exact topic, security is another necessary function, but so is marketing, so is sales. The moment you think you are somehow above as opposed to in support of the business and the mission of the company, you have lost. So, those two things are absolutely critical and very essential, all joking aside.

Wes Shriner: 

What’s that? What are those three criteria again?

Brad Gobble: 

True, necessary, kind, in that order. Before you open your mouth, is what I’m going to say the truth? We’re in security, so integrity and honesty are of paramount importance. Is it necessary? Do you really have to say this right now? Does this information need to be in this conversation at the moment? And finally, can you say so with kindness? That is recognizing and acknowledging the importance of the relationship with the people around you. And it can be applied to other places of your life, of course, but trust me, here in the workplace so many… Yeah. Too many stories [crosstalk].

Wes Shriner: 

Brad, I really appreciate you coming on with us today. You’ve dropped some wisdom on us here at the end and some knowledge along the way. It’s been really fun to hear from you and your experience in the engineering, architecture, and test space. And I hope that our listeners picked up a little bit on that and maybe they can see themselves in one of these roles.

Brad Gobble: 

Thank you very much.

Kip Boyle: 

Thanks, Brad. Thanks so much. All right, Wes, next slide as we wrap it up here. So, listen, if you like our podcast, if you enjoyed what Brad shared and what Wes shared, then I’m going to suggest you grab a free guide that we’ve put together just for you. It’s called Play to Win: Getting Your Dream Cybersecurity Job. It’s a downloadable PDF. It’s about 20 pages. And on the screen, if you’re watching this on our YouTube channel, you’ll actually see an excerpt of this PDF, pages six and seven, and so it’s a real visual guide. And what it’s going to do is it’s going to teach you what’s standing in the way, honestly, between you and the dream cybersecurity job that you want, but it uses a capture the flag metaphor to walk you through what are those four blockers and how do you overcome them? The URLs on the screen, if you want to go grab yourself a copy, it’s yourcyberpath.com/PDF. Right. So, until next time, I just want you to remember one thing. You’re only one path away from your dream cybersecurity job. Thanks. We’ll see you next time.

Brad Gobble: 

Thanks, all.


YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
