The CISO role is constantly changing. With all the shifts in cybersecurity, it's crucial to find ways to attract new talent to close the growing skills gap. CISOs now juggle complex systems managed at multiple levels and handle burnout amongst many other responsibilities.
Today's guest is Jill Knesek. Jill is the Chief Information Security Officer for Blackline, a company that does financial SaaS solutions. It’s based out of the Los Angeles area. She’s been there almost three years now as the CISO, running the information security team.
She previously served as Chief Security Officer for BT Global Services. She has more than 15 years' experience directing security programs, including service as a special agent for the FBI assigned to the Cyber Crime Squad in the Los Angeles Field Office, where she was involved in several high-profile cases, including the Kevin Mitnick case.
In this episode, we cover the CISO role evolving from low visibility to a C-level position, managing multi-cloud infrastructures and aligning with other teams, and the ongoing cybersecurity skills gap and burnout. Jill also talks about incident response and crisis management, and about collaboration within the cybersecurity community to fill the blind spots and strengthen the defenses.
“A small incident is not that different from a big incident. It's just the level of stress and visibility that comes with it.” - Jill Knesek
Show Notes:
- [01:23] She's now the Chief Information Security Officer for Blackline, a company that does financial SaaS solutions.
- [02:00] She was also an FBI special agent for three-and-a-half years working cybercrime. She was super excited, because this was her lifelong dream.
- [03:35] She loved the FBI, but she knew she could do more for the industry on the private side.
- [04:21] Jill talks about how the CISO role has evolved. It's now a C-level position.
- [06:26] Some of the boards were very interested in what was going on with security. There has to be a balance with funding and proving your success.
- [07:39] Now complexity is an issue.
- [09:03] The cloud adds so many connecting services.
- [11:45] CISOs are getting more responsibility and need more qualified people in their teams. There's a gap with not enough people coming into the cybersecurity industry.
- [12:30] How the idea of stress and working nights and weekends can deter some graduates from the cybersecurity industry.
- [15:15] Boards and executive committees expect the CISO to be right in the middle of things. They want real-time updates and to know what everyone is working on right now.
- [17:47] The importance of keeping a calm level-headed view when something goes wrong.
- [21:41] We learn about the flow of straightening out the curves of incidents. Learn during the small incidents and practice the process.
- [23:57] The importance of not scolding the team for being too quick to react. It's better to have a false alarm than to ignore a serious problem.
- [25:10] Jill does a one-to-one with everyone on her team each quarter. She tries to mentor them with some of the things that she's learned.
- [30:29] We hear about a couple of incidents where ransomware got into the environment.
- [35:01] When someone else reported that something weird was going on in the network.
- [38:27] To help with the talent gap, we need to start introducing cybersecurity at the high school level.
- [42:15] It's important for CISOs to be connected with other groups and events.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Jill Knesek at Blackline
- Jill Knesek on LinkedIn
Transcript:
Jill, thank you so much for coming on the Easy Prey Podcast today.
Thank you for having me.
Can you give myself and the audience a little bit of background about who you are and what you do?
I’m currently the Chief Information Security Officer for BlackLine, a company that does financial SaaS solutions. We’re based out of the Los Angeles area. I’ve been here almost three years now as the CISO running the information security team. Prior to that, I’ve had a couple of different roles as CISOs at a private equity company. I was also at Mattel for a few years and British Telecom, BT Global Services, for about 10 years.
My claim to fame and the interesting part was I was an FBI special agent for about three-and-a-half years, and I worked in cybercrime. Prior to that, I was in the computer science field. When I had the chance to apply for a special agent position, it was my lifelong dream, and I was super excited. I had no idea what I was going to do. I just wanted to have the FBI credentials.
When I got there, they realized I had a computer background. The obvious choice is to put me in cybercrime. That is how I ended up in this world. Once I started doing it, I realized I was quite passionate. Since then, I’ve just continued to pursue it, and I’ve really enjoyed my career path.
Is that what got you to go from the FBI to the CISO role, your experiences there and prior?
Yeah. I would say it was bittersweet for me because it was a lifelong dream to be an FBI agent. I planned to retire. I already had 11 years in the federal government working in the computer science side of the house. I planned just to stay in the federal government and retire. Unfortunately, the pay wasn’t great in the federal government.
When you’re doing cybercrime, back then, there were no CISOs, so it was pretty early days. I’d usually go whenever we’d have a victim company in the area. I’d interview the CEO, the COO, or the CIO. As I’m talking to them and trying to help them figure out what’s going on, they’re like, “Man, we could use someone like you.”
Eventually, the teasers started getting a little more realistic. I realized I could probably do more for the industry on the private industry side. There weren’t as many requirements, bureaucracy, treaties, and things that were keeping me from being able to chase down and find the hackers. My knowledge and expertise and training I got through the FBI I knew would be very valuable in private industry.
It was a very hard decision. My supervisor retired, and I ended up following him to Exodus at the time. I don’t regret it, although the FBI did give me a safety net to come back if I changed my mind. But once I left, I was very happy and was able to at least help the FBI find the hackers from the private industry side of the house.
How has the CISO role evolved since you entered the field, and what is it now?
In the beginning, like I said, there was no CISO. It was really a CIO. It was probably the one that would have some security people. They started off as firewall engineers or something, just inheriting the roles. As it got more and more visibility, they started increasing the visibility of the role.
Once they made it a C-level position, I think that’s really when you started seeing a lot more individuals across the business looking to say, “This is something that I would like to be involved in.” You have people from the financial side. You have people from the business side, COOs come in. A lot of CIOs might decide to divert into cybersecurity.
What I’ve seen is there’s not a lot. I came up strictly through computer science and through security. That’s not always the case. You could debate what’s the right path. I don’t think there’s a right or wrong path, to be honest. It’s just really about passion.
Today, what you see, which is great, is there’s so much visibility. I present to the board quarterly. I have a lot of exposure to our executive committee. I talk regularly with the CEOs about how we’re addressing some of the security threats and cyber risk in general. It really elevated into a true C-level position, where you get that access and exposure.
When you first started, was there much partnership with the board? A number of CISOs, they had almost a more adversarial role with the board. They’re, “We want to do this, or we need the money to do this.” The board was, “No, we’re not going to give you the money. We don’t think security is important.”
Yes, in the early days. First of all, you weren’t even invited to the meetings. You would brief the CIO in case he got a couple of questions on security. He’d go represent you. What I found that was interesting is that some of the boards in the early days were very interested in the topic. They thought it was cool and sexy, I guess.
I would be in the board meeting, and I would see them all on their phones, not really paying attention. As soon as I started talking, they all put their phones down, and were very interested in what was going on. I think they just wanted to go home and tell stories maybe.
There were times when you really had to make a case, because if you’re really good at your job, nothing bad happens. It’s hard to tell the story. When something bad happens, you don’t have credibility to go ask for more money, so it was really hard to be able to balance that out, explaining like, “The reason nothing bad happens is because I’m making the right investments, and you’re giving me the right budget to do that.”
As we sit today, that’s not the problem. As a matter of fact, there are many times when the board is like, “Do you have enough budget? Are you getting the right level of support? Is there more that we can do to help you make sure we drive cyber risk down to the right levels?” The story has changed over time, for sure.
What’s the challenge now? You said that getting the money wasn’t the problem before. Now that you’ve got the money, what’s the new problem?
I think the new problem’s complexity. There are so many different parts and pieces. In our organization, we obviously have products. We have a SaaS solution, and that’s really a separate entity. It’s very complex. We have multiple products on multiple clouds. Then we have the corporate infrastructure, which is also very critical.
I think the complexities of being able to manage across all those pieces and coordinate with the CIO and the CTO to make sure they’re aligned and they’re not getting ahead of me and some of the things they’re trying to accomplish, just staying aligned with them.
I always like to refer to the security and the CISO role as the watchman on the watchtower. If we’re not standing up, looking out into the future, and getting really connected with our business partners and making sure we know where they’re going, then it’s hard for us to be able to budget for the right projects, the right tooling, and the right investments.
I think for me now, I can get the budget if I need it, and I can make the case. I’m just always trying to figure out, “Where do I need to invest next?” That’s the big question.
Some of the challenges are that just more and more things are becoming internet-connected, and more and more services are in the cloud, so it’s not as much under your control?
Yeah, it’s very much that. When I was in the data center, it was easy to put a perimeter. You can start at the firewalls and work your way in. That’s not the case now. With the cloud, there are so many different pieces that are constantly connecting all by themselves. Servers come up and down. You don’t really know what you’re protecting on some days. It’s a constant battle to just keep the perimeters and understand what’s your external-facing threat risk and attack surface.
I think for me and the team, we’re always trying to stay. We have very good working relationships with both the corporate IT organizations. I actually report to the CIO, but also I work closely with our cloud engineering and operations teams to make sure that anything they’re doing, they’re thinking about growing or changing the way they implement new systems that are right-aligned with them. I talk a lot about shift left. We always have to be very early in that development pipeline.
We’re getting there, but the complexities continue to add to that. I think there’s so much connectivity happening in so many different parts of the business that you have to be really making sure you’re monitoring all those different external touch points.
I look back at my own business. When I first started, part of the fun of doing what I was doing was I was hand-coding and doing everything myself. All the network stuff was done by myself. All the programming was done by me. That was really fun.
But I realized to scale and to be more effective with my time, I started having to rely on more public sources for things. “OK, well, there’s this library that does rather than me writing something from scratch, here’s a library that does that. OK, I’ve now introduced an attack vector into my system because it’s not something I have control over anymore.”
You’re right. Bruce and I used to work with him years ago. I think he referred to it as outsourcing trust. When you do that, you have to know that the vendors and your supply chain are companies, products, and tools that you can trust because you’re bringing them in, expecting them to do a certain role, not to increase your vulnerabilities, and instead reduce that.
A little bit of that comes with trust, but it also comes with the whole trust but verify. You do all your checks and balances to make sure that you don’t have some unknown holes out there. You have to monitor for vulnerabilities for all those other partners you have in the supply chain.
From a CISO’s perspective, they’re touching more and more parts of the business and are getting more and more responsibility. Do they have the teams, the talent, to be able to manage all this? Or is this an industry where, “Sure, I can get a talented person, but now I’m robbing it from someone who does the same thing there. One of my clients, I’m pulling in one of their people onto my team. Now they’ve got a gap, and there’s no one to fill that gap.” Are there enough people out there to fulfill the roles?
I think right now there’s a huge skills gap. I think there are just not enough people coming into the cybersecurity industry. Part of that is some of the stress that you will probably talk about later.
There are a lot of folks that come out of maybe the colleges, and they’re thinking about their career paths. They’re reading about the cybersecurity, ransomware attacks, the stress, people working nights and weekends, and not having enough resourcing and budget. They’re like, “Eh, maybe not; just going to cloud. That sounds cool or something.”
I think what’s happened is we just don’t have the youth coming out of colleges with that mentality of, “If I get in there, I think I can do a job where I can make it better, and I can find opportunities to automate things so we don’t have so much stress.” Instead, people would rather just find a different path that’s not going to be so stressful and cause them to lose weekends and evenings with their families. That’s the biggest issue I see.
What I’m doing here, to be honest, is when you talk about stealing, not stealing because it’s a relationship, but there are people in the corporate IT side, the cloud engineering, even our products, and some of the development teams or SecOps team work closely with my teams for application security or security operations. They’re like, “Hey, I love the cloud, but this security stuff seems cool.”
I ended up transferring some internal resources, which is great because they come with all the knowledge of how things are connected and work, and now I’ve just got to train them up on some of the security tooling. It’s such an easier path. But I leave gaps in other places in the business where I have to keep my relationship with those leaders to make sure they don’t get frustrated that I’m stealing all their talent.
It’s a balancing act. I think we just have to figure out how to get more talent into the cybersecurity space at a younger age, early in their career path, so they can start building on that.
You alluded a little bit to burnout nights, weekends, and time away from families. Why is that happening at the CISO level? Normally, the CEO goes to Cabo, he comes in, has a rally session with the salespeople, and then he goes out golfing with his buddies. Why is the CISO not getting to do that fun stuff?
Part of it is the CISOs really are such a hands-on leader, at least I know I am. I’ve been doing security forever; I’m extremely passionate about it. I’ve been through so many incidents in my career where I have a little bit more expertise and experience. I can help calm folks.
The other thing is that the executive committees and the boards expect the CISO to be right in the mix of it, and they want real-time updates. They want to make sure that everybody’s working in the right direction. You’ve got the right teams, the right support, the right outsourced consulting capabilities.
I’ve been in situations where I’m that communicator. I’m communicating down to the teams that I run. I’m communicating across to my peers, and I’m communicating up to the executives and the board all in a single day.
I’m that one link that has all of the different parts and pieces. I don’t want to distract my engineers and the people on the ground doing the work from being able to continue to monitor and make sure if we have an incident, they’re on top of it. I’ve been able to, over the years, learn to articulate technical problems into very business-level conversations.
There are really not many people in the organization that can do that job as well as the CISO. Then you add on all the new disclosure requirements and the responsibilities that the CISO carries for the company as part of that reporting. I think you have a much-increased pressure on the CISO to be a bit of everything in the middle of those crises.
What are some of the things that a CISO can do to mitigate some of the burnout?
For me personally, I think the thing is that not everything can be a five-alarm fire. I shouldn’t be talking about fire and what we’re doing out here in LA. I think what happens is every incident is like the sky is falling for some security organizations. Actually, for folks outside of cybersecurity, they have an incident and they think, “Oh, my gosh; this is the big one.”
We have to be able to very quickly identify and quantify, what is the impact of this particular incident, and does it require me raising it up to the level of bringing everybody out? If it’s evenings or weekends, bringing people online. Or can we manage this through our standard security operations, queue, and monitoring capabilities?
I try not to overreact, and a lot of that comes with years of experience and knowing when to start escalating. When you do escalate, you keep the right tone. It’s about making sure that there should be a lot of muscle memory here. We shouldn’t be doing things that are completely outside of our comfort zone.
I try to keep that calm, emotional, level-headed view. When I come into calls, I try to bring that, “Look, we have urgency, but at the same time, this is what you do every day. Don’t overthink it. Keep it simple. Get to the bottom of it. Let’s manage this.”
I think it’s really something I have to learn how to balance. Again, it comes with been-there-done-that kind of experience.
The CISO plays a very critical role in maintaining the attitude and the emotional stress level of the team as well as the company. As long as I’m calm and I’m handling it well, my team is like, “OK, we’re all right.” My leadership…
I think the firefighter analogy is actually pretty good, in a sense. We’re both in the Southern California area when we’re recording this. There are some big fires going on, which is why we’re hesitant to use the word fire.
But you see with firefighters, when they roll up to a scene, they’re urgent, they’re moving quickly, but they’re not panicking. It’s like, “No, we know what to do, we know how to put out this fire.” “Hey, it’s getting bigger; we just need to call some more people in.” What they’re doing is very organized and thoughtful. It sounds like that’s the way we need to approach our incident response as well.
That’s exactly right. Years ago when I would talk about security, when we talk about outsourcing managed services stuff, we talk about the fact that not every company can afford to have their own fire department, but every company needs to have their security team trained up to react and respond to fires. I think that’s where muscle memory comes in.
Whenever we have a small incident, we talk about the lessons learned because a small incident is not that different from a big incident. It’s just the level of stress and visibility that comes with it.
That’s creating the muscle memory to say, “Look, you’ve already been through this. You did this. It’s maybe a little bit bigger or maybe externally facing, potentially, but you’ve already been doing this day in and day out. Let’s just go into the scene, let’s be prompt with some urgency, but at the same time, like you say, not panic and not stressed out.”
Your brain doesn’t work well in a crisis mode. I think you have to be able to really feel like, “I know how to do this; I just need to revert back to my muscle memory and allow myself to work through this as if it was just an everyday event.” I think that’s what I try to do. You said you like stories. I love telling stories too. That’s my favorite thing.
I have a friend of mine who was telling me—because I live in a canyon in the North LA area. Her husband loved motorcycles, and they would drive this canyon. We would go in and out of it.
She’s like, “My husband always says a beautiful thing about riding a motorcycle so you can straighten out the curves. Instead of doing the hard, back and forth like you have to in a car and stuff, in a motorcycle, you can just lean into it.” I started thinking about that and I’m like, that’s exactly what I need to be for this company. I need to help straighten out the curve.
We shouldn’t be on roller coaster rides. You can’t get too high, but you also aren’t going to get too low. Let’s just straighten out the curves; keep it balanced.
That’s where I can bring my years of experience, really my personality and style to a situation, and help keep things not going over the top and not getting on the rollercoaster ride, which is exactly where burnout exists and all that level of stress.
Are there some incident response processes and flow that you’ve developed that helps you straighten out the curves?
Again, every time we have a small incident, treat it as if it could have been a big one. And let’s learn from it. Let’s remind ourselves that this is exactly what we would do in the middle of an incident. We’re practicing our incident response process all the time.
When you work in a company—we’re providing SaaS solutions—there are always little incidents that are happening in the background that aren’t necessarily security. They may be operational, but we get called into those. We monitor them. We watch how other teams handle incidents, how they manage through it, and their calmness. Sadly, the more you do those, the better you get at them.
The key for us is always figuring out how it happened and why it happened so we can be proactive in the future. You have to learn from all those small incidents and treat them in a way that is a learning opportunity as well.
That’s what we’ve done here. After the event, we sit down, we talk about lessons learned, what we could have done better, and how we can apply what we learned here to future events.
Is there a specific conceptual lesson learned that was a big a-ha moment for you and your team?
I think in general, we sometimes don’t see the incidents for what they are fast enough. What I like for my security operations folks is to, when in doubt, pull the alarm to get some of the more senior people in the team involved quickly.
There’s this window of time when you can really manage and mitigate an incident. I think the sooner you get people who are very experienced, because obviously, if you’re doing your security operations, you may not have as much experience as, say, the director of the SecOps team or the CISO.
Don’t be afraid to pull the alarm bell. I’m not going to penalize you for a false alarm. What I’m going to be frustrated about is if you saw something, didn't say it, thinking it was no big deal, and now I’ve got to deal with the ramifications of that.
I think just having it open and not punishing the team or scolding them if they are too quick to react, I’d rather them quickly react and just let’s get eyes on it very quickly and go, “No, no, no, it’s nothing big. We can go back to our normal routine.” In the event we do find something, I think the sooner that we identify and start reacting, responding, usually the better things turn out for us.
In most organizations, that tends to be, whether security or even outside of security, the tier one, the first people, the sharp edge of the sword usually have the least amount of experience.
That is the case. Anybody doing 24/7, on-call duty, they feel like it’s a punishment. They’ve got to earn their wings, so to speak. I think that is the fact. What I’m really keen on doing is making sure that we always have tier two, tier three people sitting on the side able to help, the right culture and environment for them to learn under so they don’t feel like they’re out there on their own.
One of the things that I actually do to really help my team is I do a one-to-one with everybody on my team at least once a quarter. In some cases, if people want to meet with me once a month—I have a team of 30 people right now—I can do it, which is nice.
I like spending a good, focused half an hour talking to them, not just about work but also about their personal life, about how they handle things. I try to give them stories and mentor them on some of the things that I’ve been through, what I’ve learned, and how they can apply it, maybe, in their future and their career pathing.
I think it’s really important that they don’t feel like it’s a big deal to call the CISO. I’m just one of them. I love this stuff, I’m passionate, and I’m geeky about it. I think that creates an environment where they’re not afraid to pull the alarm.
Over time, they’re learning. At some point, they are able to do their own analysis and maybe just do a second check with a tier three person. Creating a safe environment for them to make mistakes in if they need to or overreact is the environment that I like to create.
You definitely don’t want your frontline people afraid to raise the alarm or ask for help.
That’s right. Yes. They need to understand that we hired them into that role because we knew that there’s a growth opportunity. I like bringing in more junior engineers. I like having folks anywhere from entry level to 3–5 years’ experience, but then I have a couple of seniors that I know have been through the firefights, and they know what to do.
Having that mixture, it allows for a career pathing. I don’t have too many seniors that are like a ceiling and blocking them from promotion. At the same time, they’re surrounded by other people that are at their level and they’re learning together. It makes it a little easier for them to not just learn on their own but learn from what their peers are doing.
Do you find that the new hire, less experienced people come with a different approach that maybe your more seasoned people didn’t have because they’ve grown up in a different time of connectivity?
Yeah, for sure. Most of us in more senior roles, we didn’t grow up with the cloud. We were all on-prem data centers. We had firewalls on the egress points. We have a different world.
I like bringing in folks, especially if they’ve had some experience in cloud in general. I think they understand how the cloud works in a way that maybe we’ve had to backwards learn it, if you will, on a security front, jumping in and saying, “OK, this isn’t a firewall, but it acts like a firewall.” They don’t have that reference point like we do.
I love bringing in the folks that come from a different background. I always tell people, “Look, I’m a problem solver. That’s what I do. I can solve any problem.” I tell them, “You bring me a problem, I’m going to solve it. But that doesn’t mean my solution is the right way.”
Engineers can solve things a thousand different ways, but you may have a solution that’s actually a much better solution than I could think of because your exposure and your access is different than mine.
Solve your problems. If it’s something that we can learn from, we should learn how to put that into effect. If it turns out that maybe it’s not exactly 100%, then you can talk to others and see if there’s a better way to solve those problems.
Learning how to solution and learning that they can be a problem solver at their level, they don’t have to escalate just to solve a problem, I think empowers them to be able to think more outside the box.
I know when I managed a group of developers, I was always really inspired by the way different people solved things differently. If someone would hit a roadblock and they’d find a solution, it’s like, “Oh, my God. I want to be and have thought of that solution to this issue.”
I’ve had that in the middle of an incident. Again, I like to be on these incident calls sometimes just to hear how people think. I always like to study how people react in a crisis. You have the fight or flight. You always want to know who’s going to fight and who’s going to run-for-the-hills thing. If you don’t know and you put the wrong people in the wrong places, then you’re going to have problems.
I’ve seen some of the most creative out-of-the-box thinking because they’re like, “Hey, what if we did this?” It’s like, “Oh, my God.” You see all these light bulbs going off. You’re like, “Wow, that’s really ingenious.” Then you see that person and you’re like, “This is a person who really can think well when they’re under a little bit of stress and in a crisis mode.”
You share those stories and let people know, “Look, it wasn’t the seniors; it wasn’t the people with all the experience. It was that guy who just had his fingers on the keyboard all day. He came up with this crazy idea and I’m like, ‘Oh, my God. That’s so simple and clean; let’s just do it.’” You’re right. It’s fun to watch engineers solve problems like that.
Were there any incidents in your career where, as the incident was unfolding, you thought, “Oh, my gosh. This is the big one. This is going to be the gnarly one, we’re going to get in trouble with everybody,” that actually turned out to not be an incident?
I think there've been a couple where we’ve had ransomware get into our environment. It was several companies back. We had a ransomware attack that hit our finance department. It was towards the end of the quarter. The first thing that we do when we see any ransomware in the environment is we just start unplugging things. I say that in the physical terms, but with the data centers in the cloud, you just start disconnecting things because you want to make sure you isolate and not have it spread.
We literally had a team in the building that were running to the finance floor, just grabbing laptops off desks, and unplugging them. Everybody was very upset with me because they were trying to close the books and I’m like, “I’m sorry. We can’t afford to have this get across our environment and jump into the production side of the house.”
The fast acting that we did and the ability to quickly respond and clean up those devices, it was a non-event. Nobody actually knew about it. We were down for maybe a couple of hours while we just cleaned off some of the finance machines. We went and scanned all the servers.
Ultimately, we might’ve lost maybe a few hours of data that got overwritten, but it turned out to be nothing. It taught us some really good muscle memory because now everybody knew that they could react and respond. We had to call a lot of people.
I refer to them, like they do in airplane mode, as a near miss. They could have been disastrous and one of the worst days in your life. All of a sudden, you just veer off and miss each other, and it’s just an interesting story to tell. There are always a few of those out there. Those are the ones we prefer.
Any stories of unexpected reports, like someone outside of your organization says, “Hey, I think there’s a security issue here, or there’s something weird going on”? I’ll give you time to think and I’ll tell a story.
I run whatismyipaddress.com. I get support tickets saying, “Oh, I want to report a vulnerability with your platform. It’s an earth-shattering vulnerability.” I’m like, “Oh, my gosh. What is it?” They’re like, “Oh, well, your DMARC record is set to quarantine, not reject.” I’m like, “OK, yeah, that’s not a real issue.”
I got an email from someone saying, “Why is your website doing crypto mining in my browser?” I thought, “I’m not doing that.” I know there are ad plugins that would do that. I’m like, “Oh, I’m definitely not doing that.”
It came in on the weekend and I was like, “Do I want to spend the time looking at this or not?” I thought, “OK, I better look at it and do a little deep diving.” It’s like, yeah, when I’m on my website and the browser, there’s crypto mining going on.
My first thought was, “Oh, my gosh. Someone has compromised one of my platforms.” I start at the server level, like, “OK, there’s nothing going on here. No files have been modified.” I’m like, “Well, how can it be doing crypto mining if nothing’s been modified?” The guy was like, “Oh, it just started yesterday.” I’m looking further, but there’s nothing anywhere, my code, nothing about the crypto mining.
It turns out that a library three or four partners down on some stack had been compromised. They got a cryptocurrency miner incorporated into its code and it rolled up the chain. It was just a matter of disabling this. “OK, disable that.” It went away. I’m like, “OK, well, that’s where it is.”
It was one of those, I wouldn’t have even thought to look for that at the moment, but some random person was nice enough to notice that something was weird and reported it.
I’ve definitely had that occur. At a couple of previous companies, we had a bug bounty program. Bug bounty programs are normally very specific to a certain product or a certain URL, but some of these researchers will push outside the envelope. We’ve had reports of someone that started looking at maybe our corporate sites and found some unusual activity. At first, it’s like, “Hey, that’s out of scope.” Then it’s like, “Oh, my gosh. This is actually extremely important information.”
I think sometimes when a researcher gets an email or a call from a CISO, it probably makes them feel pretty valued. I was like, I’m going to talk to this individual and find out, first of all, are they legitimate? Are they messing with us? I’ve had a couple of occasions when I’ll email and then say, “Can I talk to you on the phone?” We’ll get on a call together and I’ll tell them my background with the FBI and some of my cases. I start building a rapport with them.
Actually, they end up being individuals that I have a relationship with, and they’ll say, “Hey, if you want to do a private bounty, I know a lot of good researchers we can do it with.” You build a relationship, but sometimes it’s those types of events where there is a blind spot.
We’re looking at so many things. We’re looking at really big problems, we’re looking at our production environments. Sometimes it’s the little sites, like somebody turned on a server that they needed access to, and it’s running somewhere you didn’t even know existed. Some random person finds it, then you go and chase it down, and you find out, “Wow, I didn’t even know that site was there. I didn’t know that those particular ports were open and exposing us to some leaks.”
For sure you have those. That’s why I’m really big on bug bounty programs. I also keep a very strong relationship with the FBI. Still, I’m part of FBI InfraGard. I reached out to the cybercrime supervisor here in the Los Angeles area, just so I have that relationship because you never know where the data is going to come from. Sometimes the call will go to the FBI before it comes to us directly. I think they’re such an important piece of the intelligence that you get from those types of contacts.
I think that’s the phone call you don’t want to get. “Hey, this is agent Bob from the FBI. Can we talk?”
Yes, 100%. That’s the bad day. It’s usually Friday, 4:00 PM, and you’re about ready to start your weekend. It’s like, “Oh, no.” The good news is sometimes you get information and intelligence that hasn’t gone out to the public yet, because they might have an undercover operation or something going on that they can feed you information to get ahead of the curve. That’s why it’s really important to have that relationship, because they trust you and they know you’ll react and respond appropriately.
There are always blind spots in every company. You should never just be like, “I don’t want to hear from them.” If we get these emails, I always read them and I’m like, “I wonder, is that legit?” I’ll go have my team do a little digging and make sure it’s not a legitimate concern.
Yeah, that’s always interesting. Is there anything that we’ve missed talking about? I know we talked a little bit about the talent gap. Do you see any potential solutions for the talent gap?
What I think we need to start doing, personally, is I think we need to start introducing cybersecurity at the high school level.
I know it’s complicated, but there are a lot of computer classes. There’s a lot of training that goes on at the high school level now. Most students have either computers or iPads. They have Gmail accounts. They’re working online using cloud environments.
I really think there’s an opportunity to get in earlier because once you get into the college age, you might already have decided what you want to pursue. And if you’ve not been exposed to something like cybersecurity, you probably don’t even know what kind of environment.
You probably think it’s either too complicated, you can never do it, or it sounds scary and you don’t want that kind of lifestyle. If you can introduce it maybe earlier in high school-age students, maybe they’ll start thinking about an interesting career path.
I know for me, I love what I do for a living. People ask me, “Are you ever going to retire?” I’m like, “I don’t know why I would; it’s not heavy lifting. As long as I can keep my brain sharp, I think I can do this job forever.”
The longer you do it, the better you get at it, the more muscle memory it is, and the less time it takes. It’s like anything, I don’t have to work nearly as hard as I did 15 years ago because it’s very natural.
I’m hoping that we can start really encouraging those types of programs in the high schools, maybe early on, and junior colleges and such, where people that still haven’t decided what they want to do with their career have a chance to pursue something or at least entertain the idea of moving into cybersecurity.
We have tons of open positions, not enough people to fill them. I think the salaries are really good. Most of these jobs, I’m perfectly happy having remote workers. They don’t need to come into an office all the time. We can do our job sitting in our homes as long as we’re dedicated and focused. Hopefully, we can start filling up some of those skills gaps as we move forward.
I think being fully remote has probably made a number of listeners’ ears perk up and go, “Wait, what?”
Right. I love working remotely. It was a change in my career. I actually put in a lot more hours at home because it’s here for me. There’s a pro and a con to it, but for me as a CISO, as an employer and a leader, I want to make sure that I get the most of my team. If they’re in an environment where they can pop on at 7:00 AM or 10:00 PM because they’re available, there are a lot of benefits to that too.
My wife is 90% remote now. She works more hours, but she’s less stressed out.
Exactly.
She’s like, “Look, when I need to talk to somebody in the UK or in Australia, I could make that phone call, and I don’t feel like I have to stay at the office, wait till they’re available, or get in early so I can catch them.”
That’s right. Yeah, it’s a much better work experience, at least for me. If you have the right self-discipline, it works very well. I think that’s the only thing. You just have to be very disciplined because there are always distractions, especially at home. I love working remotely. It’s been, for me, a godsend.
Are there any particular resources that you think would be of value to CISOs that you have available?
That’s a tough question. Not off the top of my head. I obviously am a member of FBI InfraGard. I think it’s really important. I think it’s super important that CISOs be connected with local CISO events, activities, and groups, if they have them.
There’s so much that I learned from other CISOs in the Southern California area. I’m like, “I don’t know what tool to use here. There are so many good ones out there.” I’ll talk to some CISOs and they’re like, “Oh, my gosh. I tried this, I tried that, but this is the one I like.” It saved me so much time. I don’t have time and money to make mistakes on investments. Having a group of individuals that you can reach out to anytime there are questions, I think that’s really important.
I think membership in those types of groupings would certainly bring value. LinkedIn is always a good place to go as well. I'm there a lot and make sure I reach out to other CISOs that are going through similar issues that I am.
It’s got to be interesting. I think CISOs are one of those roles where there’s not a lot of competition against your competitors, so to speak?
Right. We’re all in it together, right?
You’re all doing the same work. It doesn’t matter if we’re selling competing products or not. That’s not what we, as a CISO, do. We just try to keep our company safe. Even if the CEOs are adversaries, the CISOs are going to be good friends.
That’s exactly right. It’s a small community; it’s a small circle. When you help someone out in the community, they will reciprocate that for sure. And you’re right: we’re all fighting the same battles. If we’re in the same industry and we’re competitors, we’re probably facing the same hackers and attack methods. By having that relationship and it not being adversarial, I think it really brings value.
I don’t have any problems sharing as long as it doesn’t compromise any of our intellectual properties. For the most part, this is just common stuff out there. If we can help each other do better, I think that’s what we want to do.
That’s awesome. If people want to find you online, where can they find you?
I’m on LinkedIn under Jill Knesek. I don’t really do much on X or anything like that anymore. I used to be active, but I’m not so much anymore. Certainly reach out to me on LinkedIn; I’m always very active there.
And blackline.com: we have a lot of smart people here. Our marketing team is great about getting us connected into interesting topics. We’re always looking to help the community and help share some of the knowledge and expertise we have here. Yeah, happy to do that.
That’s awesome. Jill, thank you so much for coming on the podcast today.
Thank you so much, Chris. Appreciate it.