Jack Daniel of Tenable Network Security & Co-Founder, BSides Security
Date: 6 December 2017
Amar Singh, CEO and co-founder of Cyber Management Alliance, had the pleasure of talking to Jack Daniel from Tenable Network Security and co-founder of BSides Security, about how he started in information security, why he believes it’s important to engage and share information within communities and, if you’re looking to enter the information security industry, how to make your achievements discoverable to a potential employer.
“I took an approach into information security that I wouldn’t recommend!”
Jack Daniel is often asked how he started out in information security, and the answer is not necessarily one you’d expect, and it’s also not a route that Jack himself would recommend. He started his working life as a motor mechanic in the late 70s/early 80s at a time when cars were starting to become computerised. Drifting towards diagnostics, becoming a Renault specialist and working in dealerships with parts and more computerised systems were Jack’s decade of poor decisions before, as he puts it, ‘dumb luck’ landed on his doorstep.
“I worked for companies that didn’t have a lot of resources and low margins; bad things happened which I fixed, and learnt how to stop it happening again. I used local user groups to train, learn and share information about technology in the Boston area.”
On leaving the motor industry, Jack went into firewall security and the company he worked for supported his involvement in community networks, which then became part of his job, which continued when he joined Tenable Network Security. But ultimately, he always remembers an important lesson he learned early in his career – get engaged with the community, learn from other people and share that information.
“Why did I start BSides…?”
It was at a time when Twitter took off and there were people that were meeting up at these security events everywhere, then connecting and tweeting via Twitter. Whilst the talk and information being shared was good, it was repetitive and not ‘black hat’ discussion. So, Jack got together with a group of people who wanted to learn about and share other aspects of IT and data security and co-founded BSides – named after the bygone era of 45rpm records. A community member rented a house and suggested gathering a group of people together in the ‘big room’ of the house to talk about various topics on security, with speakers and group talks, and it worked. BSides grew from there; more events followed around the USA and they have just had their 277th event since 2009. The idea behind it is that the events are community-led and easy to run. The concept of the events is based around Jack’s 3 C’s – Content, Community and Conversation, with a 4th C added recently, that of Career.
It’s not so much an opt out; how do we get people in to security?”
"There are a whole set of problems in getting people in; we’re not going to solve these problems with just technology as fundamentally they are people problems. But we also can’t downplay the impact that technology can have.”
In Jack’s opinion, everyone is talking AI and machine learning but that can only go so far; it can help improve things and the more we can automate, the better, but it’s about people too. Go back a century or more and major cities around the world had a shortage of people to handle the horses. The problem wasn’t solved by throwing more people at the problem, but by the automobile so, without doubt, technology plays an important role. But Jack is a great believer that there are some things that need to be approached from a people’s perspective.
The challenge is to make money when you can’t always invest in training the people you need to do that. Governments spend a lot of money on education and college programs, which is fantastic but Jack also points out that the young have a tendency to change their minds – which is the great thing about being young and being able to try out different skills. Companies need to sit up and take notice of the network and system admins out there that have been automated out of jobs through migration to the cloud or other economies of scale. Agreed, not all of them will transition to security but many of them will be happy to retrain into a new skill, and career. It’s important we don’t lose diversity and we need to be more forgiving.
“What do I look for when hiring?”
For Jack, this varies depending on the job. Some companies may be looking for medium C-level programmers who can write clean and concise code; but there are roles for those that have a different specialty.
“The key is to look around the edge; look at the grey areas; look for the things that show you are able and willing to learn. Above all, make what you do, even if it’s not technical, make it discoverable.”
To Jack, if you’ve done demos or videos, if you’ve automated something or built a set of tools, even if it’s an event you’ve attended and you demonstrate the takeaways from that event, make it discoverable.
A path that is overlooked is technical support; it is a learning job. For example, with firewall support you will not only learn how to deal with the technical problems, you will also learn how to deal with people, how to communicate with others. It gives you the experience that a technical person may not have and you don’t need to be a security expert.
For more information on Cyber Management Alliance, their GCHQ Certified CIPR training and other courses, webinars, Wisdom of Crowds live and virtual events, and their Insights with Cyber Leaders series of executive interviews, contact us today.