Brendan Kotze On Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry

An Interview With Fotis Georgiadis

Above all, passion and curiosity are underlying necessities for success within the industry.

As a part of our series about “How To Give Honest Feedback without Being Hurtful”, I had the pleasure of interviewing Brendan Kotze.

Brendan is a highly accomplished security professional with extensive experience in the space. He is the CEO of Encore, a cybersecurity platform that visualises information that can be confusing and often overwhelming, providing accurate and action-based reporting and visibility across numerous security controls, through one secure portal.

Thank you so much for joining us! Our readers would love to “get to know you” a bit better. Can you tell us a bit about your backstory and how you grew up? (Inspiring book & funny mistake)

I was born and raised in a small town in the Western Cape of South Africa and began my career by working for large telecoms companies in Cape Town. I broke into IT security through my work at NGS, where I was employed as Service Delivery Manager alongside providing Data Loss Prevention solutions at a global scale. This was my first foray into the world of cybersecurity, and I became deeply passionate about making people and companies safe. As NGS expanded into more security domains, so did I. Following this experience and seeing the huge demand for quality providers, I co-founded Performanta alongside my long-standing partners Guy, Lior and Attie.

My move into cybersecurity was inspired by a multitude of experiences. Coming from a fundamental network security base, moving into cybersecurity was a natural progression, as I was already working in Data Loss Prevention. At a more personal level, my passion for security only grew as I came across it in different mediums, including the short story by Isaac Asimov, ‘Let’s Get Together’. This is a Cold War-based spy story, focused on how the Russians created robots to look like US citizens, and the Americans must find a way to keep up with and combat this technology. Also, the movie ‘Hackers’ came out when I was young, which further sparked my interest in the field as it just seemed so “cool.”

A funny mistake I made when starting out in security centred around the concept of ‘Beta’ versions. When vendors release software for testing, they call it a ‘Beta’ version. In my youth I thought this meant a ‘better’ version — so I ended up deploying a ‘Beta’ version into a production environment. There is no substitute for experience, I guess.

Are you working on any exciting new projects now? How do you think that will help people?

Through Encore, I hope to help organisations understand and identify gaps within their security, speeding up reporting of attacks and increasing collaboration between teams. By integrating a company’s entire security stack into one simple interface, Encore provides a clear insight into security information and risk in real-time. Our goal is to give time back to security professionals to focus on genuine security, not spend hours compiling reports and data.

What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

For me, security has always been exciting. In terms of the current developments within cyber though, the fact that attacks are becoming a lot more widespread is concerning, but fascinating. These types of attacks are attracting a lot of media attention and are impacting people on an individual level, where historically they predominantly impacted businesses. This change in the scope of cyber attacks brings a lot of new, exciting challenges.

The Ukrainian war as an example is shaping a new age of cybersecurity, one which is directly impacted by personal values, beliefs, and politics. For example, the Ukrainian Cyber Army is a global outreach of hundreds of thousands of people who do not necessarily work in IT security yet are getting behind a political cause. This expansion of the cybersecurity landscape is leading to a new wave of attackers and defenders; the Ukrainian Cyber Army sharing tools and tactics with the wider public is a prime example. If you have a PC at home, you can download a tool they share with you, and your infrastructure can be used to perform denial-of-service attacks.

Skills that are collated over years of genuine experience are being transferred to a much wider audience. This is both exciting and extremely concerning. These skills may not be used for good. Instead, we could unwillingly be putting dangerous and malicious tools into the hands of the public. On the positive side, cybersecurity is becoming more accessible, with more people learning how to defend against dangerous attacks.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

A big concern of mine is the significant gender bias within the cybersecurity industry. Social media platforms are overwhelmed with content on how women are consistently treated poorly in the industry, perpetuating the perception that the field exists predominantly for men.

Secondly, there is a tremendous reliance on technology and regulation that does not necessarily support implementing effective security. Compliant does not mean secure. Most industry regulations should be treated as baseline security; implementation and application is what really counts.

Finally, the skills gap and recruitment crisis. The industry is full of skill and passion that is currently sitting on the bench thanks to a common belief that employees must have a degree and certifications to get through the interview stages. Media headlines are being dominated by the growing skills shortage, but the incredibly high gates being put up by organisations are preventing genuine progress. Personally, I would rather hire someone who’s got experience, and has played around with coding and used open-source platforms to learn and grow their skills and be self-taught, rather than someone who has shopped around for certifications.

The conditions for securing an interview are creating huge barriers to entry for the market, all while the industry complains about the widening skills gap. Training programmes should be implemented to develop the sought-after skills, and hiring managers should communicate the need for genuine passion and demonstrated experience, not just a list of certifications.

You are looking for a skillset, not a validation that the skillset exists.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

At a macro level, I believe that the same threats exist. The only thing that has really changed has been the attack landscape. The ability for an attacker to adapt faster than defenders means that organisations should keep an eye on threat intelligence and ongoing developments from an attack perspective. This has been driven by the surge in cloud adoption and IoT, which means that the problems that we had on-site have now moved to the cloud, and at an individual layer we are allowing IoT into our business and homes.

Similarly, there has become a shared responsibility model, between what the cloud provider does and the business’s own responsibility, which has not yet been defined throughout the organisation. Companies need to return to basics to an extent, rather than jumping feet-first into new technology. The foundations need to be laid, rather than frequently buying new tech which only resolves about 20 percent of problems.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

In my experience of cybersecurity, if there is a gap, it will be found. It may take years to discover and remediate, simply because an attacker’s feedback cycle is very quick, whereas a defender’s feedback cycle is slow. In other words, an attacker knows whether he has got in or not whilst a defender may be oblivious for some time.

Throughout my career, most breaches I’ve come across are caused by the basics being exploited — weak passwords; lack of multi-factor authentication; open ports; critical patching; lack of monitoring traffic out of the organisation, rather than traditional firewall models which block traffic coming in. Once attackers exploit the very basic defences at the perimeter, then comes the internal tactics, which can be very difficult to detect.

This comes back to the attacker model. You have what are called ‘initial access brokers’, who are the people that scan and spray all over the internet, and then sell access to a more advanced group. The chances of being hit, simply due to not having the basics in place, are therefore much higher.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

There are of course signs that any individual can be trained to identify, but ideally organisations should focus their defence efforts earlier in the cycle — by the time a layperson detects an anomaly, it’s already too late.

Companies need to focus on prevention, ensuring all employees working from home have patched devices, and are keeping all accounts secured, including personal ones. It’s becoming more common to see attackers exploiting users’ social media platforms and personal profiles, rather than going through their workplace identity. Adversaries are opting to attack an individual, instead of the whole organisation, to gain access to the network.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Above all, it is vital that a company follows a process that has been agreed beforehand and tested frequently, both within internal business and across the board. The very last thing you want to be thinking about during an attack is who needs to do what, who to get on the phone, and who you can trust in that situation.

Moreover, transparency with customers is key. Organisations often try to keep the news of a breach on the down-low, but they always come to light eventually. Our society has almost become desensitised to cyber breaches, to the point that news of one will not necessarily sway individuals from engaging with a company or using their services. However, companies are more likely to lose people’s trust if they try to hide breaches, as opposed to offering transparency around the risks.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

First of all, not having a clear picture of what has been deployed and where. You cannot manage what you cannot measure.

Secondly, not trusting internal IT security. Companies hire expensive, external consultants to come in and write a report that tells you exactly what your internal team has been trying to inform you of for years. But because it’s been written on paper with a fancy letterhead, it somehow carries more value than the word of the people stuck in the trenches.

Another mistake is buying tick-in-the-box technology for services, and not investing in solutions that will truly benefit your business. The industry has taken advantage of perhaps ill-informed or regulatory requirements, for example the need to run an annual pen test. A pen test is a skilled adversary, or ethical hacker, who applies intelligence to attack your network and identify gaps in security. A lot of companies are instead trying to run vulnerability scans, which is an automated tool, in place of a pen test. Both are very different approaches and will likely deliver inconsistent results when swapping one out for the other.

My last one is blindly buying into marketing. Don’t get me wrong, there are some fantastic services and providers out there. However, companies need to ensure that it is fit for purpose and aligns with the overall objective, and not buy it simply because it has AI on the tin, misguided by the belief that it will solve all problems.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

To start, it’s not like in the movies! Attackers require a lot of time, effort, and skill to hack a network — not like the Hollywood personas who hack into governing organisations with the click of a button. Another big myth is that attackers only go after large companies, which is not the case at all.

From an industry-wide perspective, there’s an assumption that you must be an expert in cybersecurity to make a difference, which links back to the recruitment crisis we discussed earlier. Furthermore, security needs to be a layered defence, which is delivered through trusted parties that actually know what they’re doing — not just a basic piece of tech wrapped up in clever marketing.

Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”?

  1. Above all, passion and curiosity are underlying necessities for success within the industry.
  2. Secondly, relationships in your inner circle are as important in tech as they are anywhere else. Having a close network that you can call on, ask questions, and rely on for support is invaluable. When people buy security, they buy trust, and trust comes through positive relationships.
  3. I also recommend not jumping directly into security because it seems ‘sexy’, or because you want to break into and hack things. Have a good understanding of basic IT, right down to operating systems and understanding networking. It sets you up to become a far more well-rounded IT security person.
  4. You must create an understanding of the opposite side. If you’re a defender, you need to understand attackers. If you’re an attacker, you need to understand defenders. Ultimately, you’re on the same team, but realistically, it’s much harder being a defender than it is an attacker.
  5. Be a sponge. You’re not going to immediately land your ideal job, particularly with current HR processes, but it’s important to learn and grow from every experience. This may mean putting your hand up during an incident, or simply asking somebody to give you an hour or two to help better understand their area. The more you know, the more knowledge and information you can leverage down the line.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

Probably Elon Musk, I’d really like to get a deeper insight into how his mind works.

Thank you for these great insights! We really appreciate the time you spent with this.


Brendan Kotze On Five Things You Need To Create A Highly Successful Career In The Cybersecurity… was originally published in Authority Magazine on Medium, where people are continuing the conversation by highlighting and responding to this story.
