Hey everyone, Ed Amoroso here.
Welcome to our lecture series.
And I'm here with a very good friend of mine John Popolizio.
He's a long-time expert in risk and cybersecurity and
the founder of the Riverdale Group which is a group that is doing,
you do cybersecurity consulting, right?
Yes we do. We do interim chief security officer,
interim chief risk officer work as well as advisory in security, risk, counter crime.
Do you like step in when there's a team that needs help,
needs a chief information security officer for at least some period of time?
Right. Sometimes it's positive where you have
a controlled exit or retirement and we step in during that interim.
And other times it's sudden.
If something happens, we get a call, we're discreet.
We go in and we help out and we generally will like to see where the program is.
Help out to adjust it,
get things stable and then we're
often asked to be an adviser afterward which is really nice.
So, the opposite of positive is sudden?
Yes.
Spoken like a true consultant. That's awesome.
You've been at this a long time.
Tell us a little bit about how you got into it.
Sure. I mean, early,
early career was quite technical.
It was more math, bioscience,
and went into looking at the combination of computing and biometrics.
And so, early days was wrestling around with
natural language processing and wrestling with not
enough compute power and not enough context in order to really
make the natural language and the communication really work for business.
So early on, it was really that science and the business combination.
And then went into all things banking and in insurance,
and got thrust into building
the guts of banking systems, which inherently is really about making sure that you serve
the customers properly and that includes keeping
their data and their private information safe.
And so, it was the combination of the risk to
that data and then the techniques in order to understand
if that data is coming under attack or what we
needed to do to make those systems stable and correct the data properly.
So, we did that for quite some time.
And then more recently,
really focusing in on the combination of
technologies and the combination of business expertise
that's needed in a modern day computing environment for enterprises.
A lot of young people watching and they look at your career and say,
"Wow, I'd love to do something similar."
What kind of advice do you have,
are there some things that you would offer by way of things they should keep in mind,
the things they should focus on or whatever.
What will be your advice to people who want to do this for a living?
I think there's a few things that are
really important even early in the career and then through the career.
I think a multi-disciplinary approach to
learning as well as application is very important.
And you've done that in your career?
It's been a great journey.
I've been blessed with opportunities in order to learn and
that lifelong learning and that quest for going into a particular discipline,
seeing how it relates to something else that you have.
The combination of techniques and also very fortunate to lead and be a part of
great teams with folks that are
deep disciplinarians in their field like in forensics and analytics,
in network security and application security as well as to have
the interaction with broad teams such as risk, compliance, legal, business.
So, I think that the multi-disciplinary approach when someone
is thinking about this field or when they enter the field is extremely important.
It's not to say that you don't want to go and be an expert in a particular area.
So, if solving problems and digging in and investigating is your thing, well,
then maybe forensics or maybe some of the technical aspects
of going and looking at and saying, is something wrong,
what's wrong and going and then on that hunt,
if there is an interest in communications.
Well, communications is a huge part of our job.
Yes, no question.
And so, I think there's a misconception that you have to
go into this from a deep technical nature. And I think.
Or hacking.
Or a hacking, yes. And so you have to go from that, not so.
I mean, there's so many ways of approaches.
You think about all the great people that we've worked with over
the years and the teams are built up from disciplines
and there's historians that come in and then there's
English majors and there are mathematicians and so, they all come together.
The whole collage of different background.
Right. So, follow a passion,
and if the passion is not deep tech,
don't think that you aren't going to make it in this field.
I think there is a way to do this.
Now, you do have to have a bit of a passion for digging in,
inspecting and if not going deep into a particular field
yourself knowing how to work with and interact with very technical people.
So, I think that's important.
And so the second piece is be a student of people,
and really get to know what it takes to work within a diverse team.
And apply that not only in the studies and in the study groups when you're learning,
but in the first engagements,
in the first jobs and whether those jobs are in corporate, academia or in research,
you're going to be working with very diverse teams.
And so, being a student of people is extremely important.
I think that there's two other things that are one part at first.
In this field, there's something to be said about
an internal radar because in many cases,
when we're either trying to set up programs for companies that are looking at data,
protecting data, responding to events.
If it doesn't feel right,
it probably isn't right,
and so it needs to be inspected.
So, there's something to be said about that gut feeling that we have that
then augments all the learning
and all the technical and all the business nature that comes around it.
That's great advice.
And I think that multi-disciplinary kind of approach not only makes
it better security but technology in general and certainly being a manager.
Now, let's talk a little bit about cyber because you're an expert in that area.
What are the big risks now?
What should we be worrying about?
Is it nation states?
Is it ransomware?
Is it criminals? Is it all of the above?
I think it's all of the above.
And so if you can kind of chunk it up,
I think that we're seeing of late the combination of forces.
So, we have nation states and very well-equipped actors out there and groups of actors.
So, a nation state-
Well-equipped not always meaning well-funded because it doesn't cost much.
No, it doesn't.
And the computing power and
the availability of the resources that could be pulled together.
So, you've got nation states contracting
with criminal enterprises who are then contracting with
very smart folks and very disciplined folks that are
going after some of the technical exploits and the technical nature.
So, that's what you hear in the news.
You see you will hear about the combinations of forces sending out malicious encryption.
So, basically coming in off of an email, somebody clicks,
it drops something on a machine,
it tries to then go into memory or goes in to wait,
and then it can propagate across the network.
And one of the things that we see about ransomware in the encrypted nature of locking
up data and then the demands for ransom in some form or just for malicious destruction.
So, we're seeing the combinations of the resources that are available out there.
The ease with which some of this stuff can be purchased on kits and then propagated.
And that's what you'll see in the news.
The other pieces that you might not see in the news is the combination of
the technical resources but they're doing a lot of reconnaissance into enterprises.
Because in this day,
remember years ago, we used to say, "Okay,
we're going to monitor that front door on the network,
we're going to see if something comes in,
we're going to act and then we're going to react."
Now, we look at and say, "You know,
something can get in and it's probably in already and it's sitting there lying in wait."
But it has to run and then it has to then fulfill a purpose.
So, by running if its purpose is to extract data,
that data has to go somewhere.
It's got to get out.
So, we've shifted our approach to saying let's have
visibility into that enterprise and whether it's networks or applications or databases.
And then if we see anomalous activity that's happening within that network
or trying to leave or if it's already left
in our partners out there because there's so many computing partners now,
you have to then work together.
So I think that's a shift.
And then lastly in counter crime,
there is generally a financial motive either for financial gain or financial disruption.
And so, back to the multi-disciplinary approach,
what we're seeing is where you have good old fraud techniques.
Basically, calling up and impersonating someone and trying to then get information out of
them either for a recon effort and
then applying that to other information that you know and then going in,
setting up, let's say,
a long con on a banking portfolio.
And you're going to try to set up accounts and
then do a big hit off of credit card fraud or loan fraud.
We still see that but we see it technology assisted.
So, cyber coupled with, you know,
just tried and true fraud techniques into the next stage of
crime and so then we have to combine our techniques for counter crime.
That's so interesting. You know,
are you more optimistic or pessimistic about the future of cyber, you think?
I'm more optimistic.
I'm forever an optimist.
Are you worried about some big cyber catastrophe?
I do, but I choose to be happy.
Me too.
And, you know, you can choose to be miserable or you can choose to be the, you know the-
Have you in your professional life,
do you think the likelihood of some more catastrophic event might become?
Yes. I think so.
I think that the combination of the ease of computing,
the diverse nature of computing power,
the ability for people around the world to set
up an interaction peer to peer so you don't need big organizations.
You can have one person,
another person, another person.
All around the world decide I want to try to go do something.
Right.
And so, it's very difficult to ferret out
those small little pockets that are working and being below the radar and then hit.
The combination of those could be devastating.
I do think though that the recent ransomware and
the computer lockouts really go toward the hygiene,
the IT hygiene that I think is just so important as a foundational element to cyber.
Patching.
Patching. It's understanding what you're trying to protect.
What data are you trying to protect?
What assets do you have?
What machines? What devices? What do they do?
How do they do it? Are they an open system or are they a closed system?
Knowing that enterprise which when
we're finding that people are getting hit and the companies are getting hit.
Organizations, agencies, they don't know their footprint.
And if they don't know their footprint,
they don't know how to detect.
They don't know how to respond and somebody is going to get through those weak defenses.
I can see why your clients like hiring you to come in and help them. A lot of experience.
Hey, listen, on behalf of our whole learning community,
thank you so much for coming by Brooklyn and saying hello, it's been some time.
Thank you so much. I would love to be involved.
Thank you very much for asking me.
I wouldn't have done it without you. Thanks John.