Sep 29, 2024
Episode Description
In this episode, Adi interviews Dexter Blakely, an information security manager, about his journey in the security field and the challenges of balancing business and security. Dexter shares his experience starting from the help desk and working his way up to becoming a security leader. He emphasizes the importance of understanding the needs of different stakeholders and tailoring conversations to their language. Dexter also discusses the evolving nature of cybersecurity, the impact of the pandemic on security practices, and the future challenges and hopes for the industry.
Adi: Hi everyone, welcome to the Hands-On CISO podcast. My name is Adi, and today we'll be talking to Dexter Blakeley. Dexter's been in the security field for a decade and is currently the information security manager at GK Software. As a security professional on his way to becoming a CISO, one of Dexter's interests is the merging of business and security, which we'll dive deeper into in today's episode. Dexter, how are you doing?

Dexter: I'm doing good, how are you today?

Adi: Great, really good. I'm really interested in learning how you ended up in the job you're doing today. What was your journey in security like?

Dexter: Yeah, so it's actually a very interesting journey. I started working in IT operations, just on the bottom of the help desk, working my way up. For quite a bit of that time on the help desk, the company that I was working in started getting a security team and developing some security culture. It was very interesting because everybody hated the security team. They were the team that people went to for forgiveness instead of permission, because they just always said no. If you asked them for something, they said, "No, we can't do that." They were very straight-laced and it just was not a good situation.

So as I was trying to dream up what I wanted to do with my IT career, security was nowhere close to that, because I wanted to be able to build things and provide business enablement. I wanted to be able to build the things that support the company and help them grow, and a lot of times security was getting in the way of that. As I was working in that career path, I got going into networking and got some interest in the network security side of things. By that time we started getting some better people on the security team, some really cool engineers that were doing some cool things within our network security, with our firewalls, that were actually doing more of enabling the good guys and making it harder for the bad guys. That had my interest a little bit piqued. I couldn't get a network administration position internally or externally, and they had an analyst position pop up, so I thought, well, maybe this could be a good stepping stone. I can earn some more money, get a step away from the help desk, and move along.

Very interestingly, in that first year doing security full time, the whole team turned over. We had some security leadership that had changed a couple of times, and people were jumping ship. A lot of the team as well didn't trust the executives and the way that the board was running the company, so it was just a big kind of mess of things. I went very quickly from being just this little analyst on the totem pole to engineer, and then principal engineer, helping rebuild the team as it was going. Finally, as we got stabilized, we got a new CISO, Mot Copeland, and she was a huge mentor for me over the years. We were able to work together in helping change the security culture a lot, and it really started with our mission statement that we were going to be the advocate for the business, to help them make the right decisions on how we can move forward properly. Because of the way that she was able to help instill the culture change and the things that she did in her role, it really enlightened my eyes to how awesome security can be for a company and how awesome the role of a CISO is. Because of that, it pushed me further on developing myself for leadership roles, learning more business acumen. Shortly after she had left the company, I started to get my MBA at Western Governors, and very excitedly I finished that earlier this year. I've been very happy to be on this route of further developing myself as a security leader and helping to have that balanced approach with security.

Adi: Wow, that's so interesting. How would you say you approach the culture change? Because that's something that I know is really difficult for companies, when you go from a non-security-minded approach to suddenly having to think about security.

Dexter: Yeah, I think a lot of it is tailoring the conversations with different people, to make sure that they understand that you understand what their needs are. If we just talk about vulnerabilities and threat actors and things out there, then we're just going to get the eye rolls from the business. But if we're talking with the chief marketing officer and we're helping them understand in terms that they're more familiar with, like conversion and fraud, and with the chief financial officer talking in terms of revenue and return on investment, that drives a lot more with the goals that they have. Then they understand exactly where you sit, that you're right next to them in the driver's seat helping navigate as they're driving, and not just that little kid in the back seat that wants more M&M's or can't open their juice box.

Adi: That's a very good analogy for security. Interesting, and really, I hadn't even thought of that before. That's a new one I need to make sure I remember for the future.

Dexter: Fresh on my mind, as we had just barely taken a family road trip last week.

Adi: Perfect. What does your day-to-day look like?

Dexter: Really, the whole time that I've been in security it's kind of been similar, in that there is no day-to-day. It's always going to be different. But as I evolve in security leadership, I'm trying to make sure that I'm putting in some of those building blocks each day, time boxing to make sure, okay, am I still making sure to do x amount of time for vulnerability management every day, x amount of time for compliance every day, to make sure those important things are taken care of. But also having that mindset of, hey, things are going to come in and disrupt things; be okay with it, have the tools necessary to take note, adjust things within the program plan, and roll with it. That was one thing that, as I learned the agile methodology a few years back, really jived with me: have a plan, but also be okay if those plans change, and have things in place so that things can change and you can make adjustments and continue moving along despite the changes.

Adi: Great. How do you keep updated in a field that's changing so fast? There's a breach on the news, there's new technology coming out, AI, everything. How do you have time to both actually do the job and stay updated, and not go crazy?

Dexter: I'm still trying to figure that out myself. I will be totally honest, sometimes I feel like I am constantly crazy with things because there is that influx, but a lot of that's kind of the way it is. I think one of the easiest things is that I have a good network of people that have embraced the crazy. We all know that it's crazy, so we're there to help each other. I stay in contact with that first security team that I was with, and I'm still in contact with the security guys from my previous company. Just having that togetherness that we had, of knowing the things that each person cares about, we're able to keep an eye out for each other. So if somebody doesn't see something, or only glanced over it, we can help be squeaky wheels for each other. That's an important thing: staying friends with those people in the past, having a good support network, whether it's supporting people directly by sharing articles and things, or just supporting them in their crazy, helping them relieve craziness or understand how they can vent or fix their way through the crazy. I don't have a perfect answer for working through the influx of data, but I'm very grateful for that network that I have that's helping me through it.

Adi: Perfect. Do you feel like cybersecurity is a field where people are very well connected to each other, or is what you're describing pretty unique and not the norm?

Dexter: No, I feel like a lot of the community is pretty connected; they want to be connected. Which is funny, because I feel funny, at least in a [unclear] way, because a lot of the people that I interact with in the community are a lot more introverted, so they're not as outgoing of a personality. But because of the struggles that we deal with, they want to keep those connections and be connected with people. So it may not be as extroverted, through calls and things, but they want to continue that conversation at the very least over text, through Discord and Teams and things, to have that connection. As we've seen, more resources are better than one. If we look at doing vulnerability scanning, if you've got just one vulnerability scanner for your whole network, it doesn't work so great. We want to be part of a huge cluster that is working off of each other and able to do exponentially greater things because we are fully connected.

Adi: Very good answer. So, in a slight change of direction: when you're doing security for a company, even if you're thinking of enabling, at the end of the day you have to say no sometimes. How do you navigate that without being the bad cop, or are you okay with that title sometimes?

Dexter: It depends a lot upon the situation. I try to avoid just saying no, because to me it's okay to say no, but you need more after that. It has to be a kind of "no, but": no, you can't do this, but if we have some other controls in place it could be a lot better; or just, no, you can't do this, but we can work towards a way that we can. It's really about making sure that the conversation continues, because if it's really something that somebody is interested in, we should talk about it to make sure that we fully understand each other. I think that's a lot of where security misconceptions happen: there's not that full understanding between that business unit and security on the initiatives and the challenges behind it. Making sure that we get fully down to what is the root of the problem, so that we can fully address it and make sure that we're not overlooking it because of some other type of solution. It really can get interesting with the different sections of industries, the different struggles that we can be going through, but there's a lot of enablers that we can continue to figure out together if we continue those conversations and not just stick to a solid "no, you can't."

Adi: Yeah, interesting. Have you ever, obviously no names or companies, but did you ever see a breach happening because of some sort of miscommunication, or someone making a mistake, like without intending to create a security issue?

Dexter: Yes. Well, and I'll supplement that as well with: I've seen security incidents happen from people that consciously made a change. They were trying to implement a certain architecture because they consciously had, we'll call it a marketing drive for it, but they didn't realize the other security implications behind it. It was very interesting to be part of those dialogues as we figured out, okay, what are the deeper technical things that could be exploited from this. That's one thing that I loved so much about the engineer that was working for me at the time. He had a very strong pen testing background, so he was very technological and very able to see deep down in the weeds what could be pulled from a certain network connection on this web application. It was very useful to be able to then discuss with those other stakeholders: hey, here's what's actually going on deeper behind the scenes, and what these threat actors could be trying to grab. Let's throw a couple of other pieces into the architecture so that we can still continue to achieve the things that we are trying to, but not divulge the information that we don't want to. And really that further collaboration, because there was more to the equation that they couldn't see.

Adi: Interesting.

Dexter: A lot like the analogy of the four blind men that are describing an elephant. There's so many of those situations with every business, so we all need to make sure that we have that collaboration so that everybody's getting the full picture of the elephant.

Adi: Perfect. In your team right now, are there a few people, or is it just you managing security?

Dexter: Yeah, a little bit of both. Right now I work for GK Software, in the Americas division, and in the Americas division I am the information security manager. I report to the CIO. I don't necessarily have a formal team under me, but there are other security teams from the global headquarters doing it full-time. To me, I see everybody else in the Americas division, and even the global side, as part of our team. I think that's an important thing that I've loved with security culture in general with companies: what has been developing is helping everybody understand that they have a part in security and that we can all work together to make sure that things are running well. Whether it's just reporting a phishing email, or helping to make sure that we're running better patch and development processes so that we're not constantly running on antiquated software but actually looking at a more holistic lifecycle for things. As they're keeping things more up to date, they're directly helping me to avoid any vulnerabilities or issues that we may run into in the future.

Adi: Interesting. Have you ever been in a situation where things were sort of on fire, and you had to act in that moment and fix the issue?

Dexter: Yeah, definitely, and it's very interesting. I very much appreciate the work that ER doctors do. My father-in-law was one of them for many years. While I may figuratively have been in situations where something is bleeding and I can't tell where it's bleeding from, I don't have the blood literally gushing at me to figure it out, so I applaud those guys. But it's allegorically very similar: sometimes you don't know what's bleeding and why it's bleeding, and it can be very difficult to think about why it's bleeding when you're in the process of stopping the bleeding. But it's still something that is important to have at least in the back of your mind, because there are times that you may be cutting off the wrong things and not putting the right emphasis into place later because you don't understand particularly. Just for more context: in the situation of a data security incident, let's say there's a lot of bad traffic coming in. We want to block that bad traffic, but if it's not readily apparent what they are targeting, that's important to make sure that we're thinking about as well, so that our efforts can be more strategic and surgical. We're not just putting the, oh, I'm drawing a blank on the medical device for it, we're not just putting the tourniquet over the whole leg when we can just sew up a cut on the foot and be okay.

Adi: That's a good one.

Dexter: Nice. Well, that's something that I've seen too. Over time there are so many scenarios that you're just going to be so frustrated with, and just making sure that you can open up to having some time for laughter and things, making up funny analogies for things. I applaud one of my previous co-workers, Brad Bennett; some of the analogies he could come up with were pretty fire. It was something that helped us get through it a lot, just in that piece of connecting with each other and helping each other understand things.

Adi: Interesting. What are the things that tend to be most frustrating about cybersecurity?

Dexter: I think one of the biggest, to me, is internal threats. A lot, because I want to be trusting of people, especially the people inside of my country or my company. I want to trust them, and so things like DLP or other controls I can struggle with sometimes, because I want to inherently trust people. I see there is a high importance for DLP controls and for those least privilege things, especially in the case of somebody's account getting compromised. So I can still trust that internal person, but because their account has been controlled properly, we're properly controlling the impact of things. But that was something I dealt with earlier in my security career: some new DLP controls that we were putting into place that felt too much like I was being the NSA and snooping on people internally. I just wanted to protect the company from the threats on the outside, and I didn't like doing as much of that investigation. That's one of the bigger pieces to me that I don't like about security, having to keep my eyes on everybody else internally. Otherwise, yeah, I can't think of other situations that I don't like about security that don't also reflect in other things.

Adi: Interesting. What is one thing about security that you think most people from the outside don't really understand?

Dexter: Well, I laugh, because what's just coming to mind is something I've joked about with a lot of co-workers: the thought of how do you describe a job badly. As I was talking with a CISO before, it was Mada and Brad actually, as we were creating slides for a security presentation, I brought up, how do you describe your job as a CISO very badly? Well, I make slides all day. So it just made me laugh as you were asking that question. I was thinking, well, I look at spreadsheets half the day. So the thing that immediately comes to mind, that people may not realize about security, is it's not all like The Matrix and technical. A lot of it is very simple things, like just looking at spreadsheets, just organizing things. I talk with my wife about my job, or other jobs in IT in general, and she says, "I could never do some of the stuff that you're doing." Especially as we've talked with our kids being in school full-time now and her thinking about going back into the workforce, I tell her, you could do a lot of this stuff, because a lot of it is just being organized with things, sorting out things, finding the right priorities, and cracking the whip at things. I tell her that she would be a great project manager. You should have seen the way that we moved our house, moving from Salt Lake to Royal, Utah. She had different colors of duct tape that we put swatches of on every single box; she had an inventory of where all the boxes would be. I keep telling her that translates directly over into project management. She could do great, because some of the things aren't that technical. You can jump right in and organize things into the right priorities and poke the right people, and things can be moving along very quickly without much technical knowledge. Then as you work through it you gain technical knowledge very quickly, so long as you keep your mind open and constantly learn.

That's something that I have been pushing my kids on as they're in first and third grade: read quite a bit, make sure you're a good reader and can understand how you learn very well. If you have those things and that mentality of constantly learning, then you're going to do immensely well in security and other IT functions, and in life in general. I joked around with people, just as I started in IT, in help desk even, they were like, "How do you know all this stuff?" I'm like, well, half of it's Google. I just research stuff and I play with things and you just get to know it, and ask other people, "Oh, how did you fix this issue?" Granted, I do have to divulge the other half of it is black magic sometimes. Sometimes my wife has an issue on her phone or her laptop, and she hands it to me and it just magically starts working. Unfortunately I don't see as much of that black magic in security, but yeah, a lot of security and IT things can just come down to very simple things.

Adi: That's so funny. What would you say to someone who wants to get into security or wants to advance in security, but is maybe uncertain or not sure what they should do?

Dexter: Yeah, I get this a lot from different areas. One of the pieces that I point them to very quickly is: just YouTube. YouTube is a wealth of knowledge right now, and has exploded over the past 10 to 15 years that I've been working in IT and security. I've got to give a shout-out to Professor Messer, NetworkChuck, David Bombal. They've got some really great channels where you can learn a lot, and you don't have to pay for big subscriptions, big textbooks and things. There's still a lot that you can gain there to at least get that understanding of things. The next thing is: what is starting to interest you, and why does it interest you? And then furthering from there. So, somebody that's interested in pen testing: understanding why that interested them. Is it interesting to them just because they want to have that title of being a hacker, and they've seen the Hackers movie and the people in there, and they want to be that guy that's got the 20 different computers and can say, "I'm hacking into the firewall," and five seconds later, "I'm in"? Or do they want to do it so that they can help a company understand how they can improve things? Then, as they understand and look into pen testing more, it's important to recognize too that the better route is with that mentality of you're helping the company. And because you're helping that company, it's not super glamorous 100% of the time. You're going to have to be spending a lot of time in a spreadsheet and in a Word document trying to describe all of the things. You may only be spending 5% of your time actually trying an exploit, and then another 60% of the time just documenting about it, and the other 35% of the time researching how to do more things. So really understanding then, okay, because this isn't so glamorous, is this still something you want to do and continue forward with? If it's not, that's okay. If that's the case, that's great, to find the things that you don't like so that you can continue onward. You could still play in some of those things. I have a lot of fun with my old co-workers doing capture-the-flag events that have some pieces of pen testing, where I don't have to write the documentation afterwards but can still have fun in it. Keep the fun things fun, and look for those areas that can continue my love of doing it as a career basis, and expand on those. For me, that was security leadership and really helping companies develop that higher strategy and move forward.

Adi: Amazing. What do you see as one of the biggest problems in cybersecurity today?

Dexter: Oh, that's difficult, to see the very biggest, because there's a lot of things running rampant in terms of old software, technical debt, being able to trust other people with identities and spoofing, and even some of the crazy ways that people are able to bypass MFA through different exploits. I think it's very difficult to really nail what's the most difficult thing. I think the closest that I can get is the understanding and capabilities that companies have to have of a total cost of ownership. Because there are sometimes companies that understand what total cost of ownership is, they understand which updates they need to do, but they don't have the resources, and other constraints get thrown into place. They need to scale up way faster than their resources allow, and it makes it very difficult for them. And then what can be very difficult even is those that don't even understand the total cost of ownership and don't even give their internal resources, like their security personnel, the time to help them try and understand and try to develop a strategy. That's an interesting thing that I've seen: companies that may have a CISO because they're a public company and they're required to, but they just shove them off into a closet and don't really even try to include them in understanding the business and the total cost of ownership that they need to have, and having a good strategy.

Adi: Interesting. What do you think is something that maybe security professionals and CISOs tend to overlook in their everyday?

Dexter: I think for me sometimes, and I'll even take this as a place where I don't do as good sometimes, is just understanding the efforts that other people are actually doing and being able to recognize them. That was something that I had a rough learning experience with from one of my engineers, but I appreciate it so much because it helped me solidify it more, like, I need to watch out for those times. I had an engineer that was spending a lot of time with the sysadmin team, trying to help them get this migration taken care of and make sure that it's done in a secure fashion, and also completing the operational needs the business had. As I was looking from my purview, I could only see what the security checkpoints were that were getting done, and I wasn't looking at the operational ones at all. I was getting very annoyed with this engineer because the security checkpoints weren't getting done, and I could see that the project's moving along but his piece wasn't as much. I hadn't been talking with him. I hadn't been asking the important questions myself to understand what he was contributing, so that I could give him proper recognition for the business things that were going on, and to understand how pressured he was to help with those other areas. Had I known beforehand, I could have talked with other people in leadership to move resources around so that we were being fully efficient in all the ways that we could be. It helped me understand that there are a lot of questions that I need to make sure that I'm asking of the people under me, not just the people laterally or above me, to make sure that we're working properly. There are so many times that we are going to run into those assumptions, and sometimes they work out great; sometimes we run into the classic "assume" analogy that I won't detail out, but we'll just give that wink to the listeners of what an "assume" can turn into. I even had one just this morning that blew into my face a number of assumptions that I had that were completely inaccurate. Thankfully there wasn't a big impact from this, but it's important that any time there's any impact from an assumption or things, we take that note of, okay, we made a mistake, let's make sure that we learn from things. It's very important everywhere just to learn from each other and learn from our own mistakes and continue moving onward. I'm excited to do that in this scenario, and just continue learning and growing.

Adi: Amazing. Okay, so I have two final questions. One: what do you think is the difference between the way cybersecurity is looked at and dealt with today and, let's say, five years ago? And after you answer this one, I'll ask a second.

Dexter: Okay. I think, and I appreciate that you said five years ago, partially because there was a whole pandemic in between, and so it's very interesting, because there's a huge difference there that I can talk about now.

Adi: Interesting, it changed. What did the pandemic specifically change?

Dexter: Well, cybersecurity is something that evolves with the nature of just how we do business, and so it flows just as much as things change. As people went to working from home more with the pandemic, we had to change things with cybersecurity, with different compliance things, and the way that we do things. It's definitely made data more available in more places, where we're not tying as much to the office. Some companies are reverting back that way to get back into the office and performing that way, but we've seen a lot that are still embracing that, and thankfully there are new companies and features that are developing to help make sure that we can embrace that remote lifestyle and keep it secure at the same time.

And a lot with the, sorry, I'm drawing a blank on the other facet that I was going to, oh, the compliance side. There is a lot that's pushing more companies to at least have a very basic framework of, okay, what is your security, and let's continue raising the bar. I have a love-hate relationship with the transition from PCI version three to version four, because I love it exponentially: it's going to force companies to actually reduce the scope of where they keep credit card information, where they keep this sensitive data. We've needed this for so long. I hate it because I hate that companies have kept that waste for so long, so it's going to be so difficult for them to embrace that change and be able to move onwards. I kind of wish that it wasn't as drastic of a change that the PCI Council had gone through, that they were able to push more through, but it's something that we really need for any types of sensitive data. People need to have a lot more awareness of where it sits and how it's protected, so that we can really have, like you said earlier, that proper ownership of what we're doing.

Adi: Amazing. So before I ask my last question, which is sort of the other side of this question, I want to say thank you so much for your time. I think this has been super valuable for anyone who's in security. Your knowledge is really, I forgot the word, but very broad. You have a lot of different things, both on the actual security but also on team and team building and management, and I think it's really cool. Thank you for joining us. I'll ask my final question.

Dexter: Thank you for having me.

Adi: Of course. What do you think cybersecurity is going to look like five years from now?

Dexter: It's interesting. I think a lot about the future, especially further out than five years most of the time, because I think about what the future is going to be like for my kids. I think it ties in a lot with what I talked about with the change of things. The hopes that I have are that companies are going to be able to have a better hold on their sensitive data, have better resources to help them with keeping that secure. I hope that we can see a lot less of the huge breaches going on. I hope that we can get the right resources in the right places, the right understanding with things. It's very daunting to me, though, to know if that's going to happen, because I see so many areas with the economy where there are so many budget cuts, people getting laid off, and a very difficult job market. I have some hope for the future, but it's very concerning. We really need to make sure that we're working together to try and solve things, and make sure that the next five years have positive growth, and that we're not just looking at an even larger pile of technical debt as we arrive five years from now.

Adi: Amazing. Thank you so much.

Dexter: Thank you.