The LogRhythm Champions Network is an exclusive community of LogRhythm’s most passionate and strategic customers. This elite group of customer leaders in the InfoSec community are experts in all things LogRhythm. The LogRhythm Champions Network works to recognize these leaders for their advocacy efforts, connect them with fellow experts, and empower them to reach their personal and professional goals. Learn more about the people who choose to partner with LogRhythm.
This Champion Profile showcases Seth Shestack, deputy CISO at Temple University. Here is Mr. Shestack’s story, edited and condensed from a recent interview.
What organization do you work for and what is your current role?
I work as the Deputy CISO at Temple University.
I understand you’ve been in the InfoSec industry for over 20 years, what is the most important you gleaned over the years?
When it comes to security, we’re always in catch-up mode. Think about it, we can’t defend against something until threat actors figure out a zero-day attack or vulnerability. Once the attack becomes public, we can defend against it. But until then you can’t defend against something that doesn’t exist. To make things even more complicated, we’ve got to protect everything from all angles while the attacker only needs to find one way in. Cybercrime isn’t going away; the same way physical crime has never totally gone away. It has peaks and valleys, but since cybercrime can result in a gigantic revenue stream it’s always going to be sustainable for someone.
The truth is we need to rethink security from the ground up. The principles contained in Zero Trust We move security controls to users, devices, and applications giving us the ability to define and implement conditional access policies to further protect our data.
True words, and it’s probably only going to get worse…
That would certainly be my conjecture. The most important thing that we can do for the future is to train the next generation of security professionals and to train them better than we were trained. By and large, when it comes to my generation that is starting to retire, we were all self-taught, pretty much had to figure it out, and learn our skills on the job.
There are some security professionals that came into the industry between me and the current crop of recruits that we’re trained correctly. But in a lot of ways, now is the first time I’m seeing young men and women coming out of school with appropriate skills and training. Universities are offering undergraduate and master’s degrees in cybersecurity. Temple is offering multiple degrees in our Business, Engineering, and Computer Information Systems (CIS) schools all using LogRhythm in the classroom. Plus, there are more opportunities for young professionals to participate in internship programs. I have an internship program in my shop. As a result, I see some really sharp individuals that have both formal education and practical experience.
Aren’t you also championing a student-run SOC?
Yes. That is the next thing that we’re proposing, a full student-run SOC that will act as the capstone class for our master’s course. It will be a great way for students to acquire hands-on experience with live data and real-time events.
As it sits today, the final approval for the capstone class (where they work in the SOC) is still before the Provost. But, we’ve been able to get the prerequisite threat hunting class approved, as well as secured space allocation, an equipment budget, and received general administrative approval.
Temple seems to be at the forefront of security education. I’ve only heard of a handful of universities, such as Norwich, pulling a curriculum together. Who else is doing good work from a security education perspective?
Purdue is already doing it too. They are probably the biggest and at the forefront of security research. It’s not an easy thing to implement these security education programs. It’s a long process with lots of approvals that must come from the administrative side and the academic side (because it’s going to be graded). The Department Chair, the Dean, and the Provost all must review and sign off. I’ve been able to partner with some great people here at Temple that can navigate the academic side and build off one another to expand the program into different areas and into different schools. This is all really cool, interesting stuff that serves the fundamental principle of training the next generation. It will provide them with proper tools so that they can be successful and become individual contributors from day one.
Tell me about your journey as an InfoSec professional. What personal experiences motivated you to get into this line of work?
My background looks a little different. In fact, I’m not an academic, I don’t even have a degree. I actually started my career as a paramedic and went to trade school. I was always interested in the field and joined the local Ambulance Corp when I was 16 years old after I received my first aid merit badge through the Boy Scouts. Once I graduated high school in 1977, I entered a program at Thomas Jefferson University Hospital to begin training to be a paramedic. I successfully completed the training and fulfilled my dream of becoming a Certified Paramedic and went on to be a state-certified EMS instructor.
I enjoyed that part of my career immensely. Saving lives is an amazing thing. I can’t convey the feeling of what that’s like. It’s a great job, unfortunately, it’s also a very underpaid job. I was married. I had two kids and we were making the best of it. We weren’t rich, but our bills were paid. In the late 90’s Medicare changed policy and forced this consolidation of ambulance companies. During this period our company along with three other companies in Philadelphia were bought then merged. At that time, the new parent company was modernizing systems, such as a computer-aided dispatch system as well as an integrated billing system with a backend collection. They quickly realized there was a void because they had no one to manage their computers.
This is where my tech career began. The original plan was to wear a “second hat” for a couple of months until they could hire another resource. During that time, I was practically living in the back room of the dispatch office where I had a spare station to set up systems and troubleshoot problems. Eventually, they made me the Director of IT for the entire area. I was a one-person department, but I did some cool things. The role expanded and I ended up flying all around the country building and implementing systems similar to what we installed in Philadelphia. In some places, we had to do things differently because of regulations. For example, in California, we had earthquake code that required a triple redundancy. But, all in all, it was basically a replication with some customized mods for different business cases.
As I implemented these systems around the U.S., I wasn’t doing anything with security. At the time the firewall wasn’t even invented yet. But, very quickly security started to happen. The first thing that hit was more privacy than security, but we viewed it as security in its infancy. It all had to do with knowing someone had AIDS, particularly in the pre-hospital environment. The concern from the community was, if a first responder knows that somebody has AIDS, they’re not going to want to treat them because they think they might get infected.
After several years of implementing first responder technology and systems, the company I worked for began to outsource different aspects and my team began to be disbanded. So, I left the organization to start my own consulting company. I did that for a couple of years until I really saw the drastic flaw in my business plan, which was I could not be the only person that both sells and delivers services to customers. When I got a big job, I’d be heads down in it and when it ended, I’d be in a period of selling with no money coming in. Ultimately, it was just not sustainable and that’s when I went to work for the first of two national consulting firms.
Is this the point where your career really began to focus on security?
Yes, we did some really cool stuff back in the day. This is where I designed all of DuPont’s global DMZ infrastructure. Plus, we were on the ground floor of threat research and white hat hacking. Now they call it Red Teaming. We didn’t have a name for it back then, we were doing security audits for GLBA. I had a friend at work named TJ, he was a lot of fun and his specialty was threat intelligence. He never admitted it, but he used to be a Spook. At a point he worked for Booz Allen Hamilton in their government division and before that he was in the military overseas. He taught me some very useful stuff and then I taught him some in return. Together we’d work together to run pen-tests for clients to map their entire network and show their exposure. An interesting use case we ran into frequently was around wireless access points. The technology was so new at the time that most of what we found was rouge wireless devices with no security in place that was created by employees to make their lives easier. Once we were able to identify the risk, we mapped out a plan to achieve the adoption of company supported WiFi with proper controls. We were doing really cutting-edge, strategic stuff with emerging technologies.
When did you make that transfer to Temple? How long have you been working for them?
I’m closing in on 17 years. I never thought I was going to be at Temple for very long. I got here and it was such a big culture shock, I didn’t think I was going to last six months. The culture in academia was so different than anything I’d been exposed to in the past. I’ve been around long enough that I put in our first firewall back in 2004. I’m just going to let that marinate a little bit.
What is your cybersecurity philosophy?
It’s not about technology. It’s about changing our culture to a security-first mindset. This means a culture where security is baked in and enables the business by default. Then we don’t have to go back and retrofit things that don’t fit. It’s essential.
As we as security professionals look to change our workplace cultures, it’s crucial to communicate in simple terms without jargon. If I say, “have a security-first mentality,” I turn people off. It’s the same thing with Zero Trust. As soon as I say, “Zero Trust,” the immediate reaction is defensive, and they wonder why we don’t trust them. By the time I go through the explanation of what Zero Trust is, I’ve lost the person.
Where I have more success is communicating that we need to change our culture in order to better protect ourselves and each other. The same way we wear masks to protect ourselves and each other. It’s about providing the context of the session in a clear and simple way.