Military vets share lessons that helped them build infosec startups
It’s always interesting to hear how security practitioners got their start and the many lessons they apply from their experiences outside the world of infosec. Some began their careers at a help desk; others began with the basics of network architecture. Quite a few started in the military.
J.J. Guy, co-founder and CEO of Sevco Security, was assigned to the Air Force red team as part of what was known as the Air Force Information Warfare Center when he joined active service. His position gave him an opportunity to explore the offensive and defensive sides of security.
“The Air Force was unique in that from an IT side, we were not only the red team but also the blue team,” he says. “One week I would go break into an Air Force network, then the next week I would sit down with defenders as part of the blue team to try to figure out, institutionally, how do I keep that from happening.”
At the time, he says, the Air Force had some 450,000 devices connected to the network across 132 separate enclaves.
“It was a major enterprise and all of the complexity that comes with that,” Guy adds.
As a part of this team, he learned what the industry now calls “inevitability of compromise”: Targeted attacks, now known as advanced persistent threats, occurred regularly.
“The Chinese were breaking into our networks every day, and we were playing a game of whack-a-mole trying to keep them out,” he notes.
Years later, private-sector defenders would begin to worry about fighting similar problems. Guy’s military experience gave him an “in-depth crash course” in defending against targeted attackers — years ahead of enterprise security teams.
Guy recognized the value of red team skills and experience and felt compelled to continue and broaden his mission to computer network operations as a whole. He was in the military as an active-duty member or contractor from 2000 through 2011, then left the federal sector to join Carbon Black, pulling its team together in November 2012, he says. A few years later, a period that included another role as CTO at Jask, Guy founded Sevco Security.
Many of his military lessons translated to his enterprise roles, he says. A primary one is the inevitability of compromise that businesses now face.
“You cannot stop a targeted attacker from gaining access to your network if they want,” Guy adds. “If you or your organization hasn’t been compromised, it isn’t because you’re doing great work. It’s because it hasn’t been worth someone’s time to do so.”
Another lesson centers around accountability culture and the sense of personal responsibility. In the military, Guy says, he was in many operational situations that were time-critical and in which human lives were on the line. This brought an edge of “get it done, make it go, make it work” to achieving an objective. In a tiny startup, while not a life-and-death situation, there is a sense of personal accountability when a team of 10 to 20 people is building something from scratch.
“We absolutely, 100% count on the contributions of every single person around the table,” he says.
Aim for Best Based on What You Know, Not Perfection
The importance of putting the right team around you is something Andrew Maloney, co-founder and COO of Query.AI, learned during his time as a systems admin and security engineer with the Air Force. He spoke of the bond formed with his team in basic training and technical school.
To read the complete article, visit Dark Reading.