It’s All About Merging Business and Security - Dexter Blakely, Information Security Manager @ GK Americas

Sep 29, 2024

Episode Description

In this episode, Adi interviews Dexter Blakely, an information security manager, about his journey in the security field and the challenges of balancing business and security. Dexter shares his experience starting from the help desk and working his way up to becoming a security leader. He emphasizes the importance of understanding the needs of different stakeholders and tailoring conversations to their language. Dexter also discusses the evolving nature of cybersecurity, the impact of the pandemic on security practices, and the future challenges and hopes for the industry.

Episode Transcript

Adi: Hi everyone, welcome to the Hands-On CISO podcast. My name is Adi, and today we'll be talking to Dexter Blakely. Dexter's been in the security field for a decade and is currently the Information Security Manager at GK Software. As a security professional on his way to becoming a CISO, one of Dexter's interests is merging business and security, which we'll dive deeper into in today's episode. Dexter, how are you doing?

Dexter: I'm doing good. How are you today?

Adi: Great, really good. I'm really interested in learning how you ended up in the job you're doing today. What was your journey in security like?

Dexter: It's actually a very interesting journey. I started working in IT operations, at the very bottom of the help desk, and worked my way up. For quite a bit of that time on the help desk, the company I was working at started getting a security team and developing some security culture. It was very interesting, because everybody hated the security team. They were the team that people went to for forgiveness instead of permission, because they just always said no. If you asked them for something, they said, "No, we can't do that." They were very straight-laced, and it was just not a good situation.

So as I was trying to dream up what I wanted to do with my IT career, security was nowhere close to it, because I wanted to be able to build things and provide business enablement. I wanted to build the things that support the company and help it grow, and a lot of times security was getting in the way of that.

As I was working along that career path, I got going in networking and got some interest in the network security side of things. By that time we started getting some better people on the security team, some really cool engineers who were doing some cool things with our network security and our firewalls that were actually more about enabling the good guys and making it harder for the bad guys, and that piqued my interest a little. I couldn't get a network administration position internally or externally, and an analyst position popped up, so I thought maybe this could be a good stepping stone: I could earn some more money, get a step away from the help desk, and move along.

Very interestingly, in that first year doing security full-time, the whole team turned over. We had security leadership that changed a couple of times, and people were jumping ship. A lot of the team also didn't trust the executives and the way the board was running the company, so it was just a big mess. I went very quickly from being the little analyst at the bottom of the totem pole to engineer, and then principal engineer, helping to rebuild the team as it was going.

Finally, as we got stabilized, we got a new CISO, Mada Copeland, and she was a huge mentor for me over the years. We were able to work together to help change the security culture a lot. It really started with our mission statement: that we were going to be the advocate for the business, to help them make the right decisions on how we can move forward properly. Because of the way she was able to help instill that culture change, and the things she did in her role, it really opened my eyes to how awesome security can be for a company and how awesome the role of a CISO is. That pushed me further in developing myself for leadership roles and learning more business acumen. Shortly after she left the company I started my MBA at Western Governors, and very excitedly I finished it earlier this year. I've been very happy to be on this route of further developing myself as a security leader and helping to have that balanced approach to security.

Adi: Wow, that's so interesting. How
would you say you approach culture change? That's something I know is really difficult for companies, when you go from a non-security-minded approach to suddenly having to think about security.

Dexter: I think a lot of it is tailoring the conversations with different people, to make sure they understand that you understand what their needs are. If we just talk about vulnerabilities and threat actors and things out there, we're just going to get eye rolls from the business. But if we're talking with the Chief Marketing Officer and helping them understand in terms they're more familiar with, like conversion and fraud, and with the Chief Financial Officer in terms of revenue and return on investment, that drives a lot more toward the goals they have. Then they understand exactly where you sit: in the driver's seat right next to them, helping navigate as they're driving, and not the little kid in the back seat who wants more M&M's or can't open their juice box.

Adi: That's a very good analogy for security. Interesting.

Dexter: I really hadn't even thought of that before. That's a new one I need to make sure I remember for the future. It was fresh on my mind, as we had just barely taken a family road trip last week.

Adi: Perfect. What does your day-to-day look like?

Dexter: Really, the whole time I've been in security it's been similar: there is no day-to-day, it's always going to be different. But as I evolve in security leadership, I'm trying to make sure I'm putting in some of those building blocks each day, time-boxing to make sure that I'm still doing X amount of time for vulnerability management every day and X amount of time for compliance every day, so those important things are taken care of, while having the mindset that things are going to come in and disrupt things. Be okay with it, have the tools necessary to take note, adjust things within the program plan, and roll with it. That was one thing that really jived with me when I learned the agile methodology a few years back: have a plan, but also be okay if those plans change, and have things in place so that things can change and you can make adjustments and continue moving along despite the changes.

Adi: Great. How do you keep updated in a field that's changing so fast? There's a breach in the news, there's new technology coming out, AI, everything. How do you have time to both actually do the job and stay updated, and not go crazy?

Dexter: I'm still trying to figure that out myself. I'll be totally honest, sometimes I feel like I am constantly crazy with things, because there is that influx. But a lot of that is just the way it is. I think one of the easiest things is that I have a good network of people who have embraced the crazy. We all know that it's crazy, so we're there to help each other. I stay in contact with that first security team I was with, and I'm still in contact with the security guys from my previous company. Having that togetherness, knowing the things that each person cares about, we're able to keep an eye out for each other, so if somebody doesn't see something, or only glanced over it, we can help be squeaky wheels for each other. That's an important thing: staying friends with those people from the past and having a good support network, whether it's supporting people directly by sharing articles and things, or just supporting them in their crazy, helping them relieve the craziness or understand how they can vent or fix their way through the crazy. I don't have a perfect answer for working through the influx of data, but I'm very grateful for the network I have that's helping me through it.

Adi: Perfect. Do you feel like cyber security
is a field where people are very well connected to each other, or is what you're describing pretty unique and not the norm?

Dexter: No, I feel like a lot of the community is pretty connected; they want to be connected. Which is funny, at least in an ironic way, because a lot of the people I interact with in the community are a lot more introverted, so they're not as outgoing a personality. But because of the struggles we deal with, they want to keep those connections and be connected with people. So it may not be as extroverted, through calls and things, but they want to continue that conversation at the very least over text, through Discord and Teams and things, to have that connection. As we've seen, more resources are better than one. If we look at doing vulnerability scanning, if you've got just one vulnerability scanner for your whole network, it doesn't work so great. So we want to be part of a huge cluster that is working off each other and able to do exponentially greater things because we are fully connected.

Adi: Very good answer. So, in a slight change of direction: when you're doing security for a company, even if you're thinking of enabling, at the end of the day you have to say no sometimes. How do you navigate that without being the bad cop, or are you okay with that title sometimes?

Dexter: It depends a lot on the situation. I try to avoid just saying no, because to me it's okay to say no, but you need more after that. It has to be a "no, but": "No, you can't do this, but if we have some other controls in place it could be a lot better," or "No, you can't do this, but we can work towards a way that we can." It's really about making sure the conversation continues, because if it's really something somebody is interested in, we should talk about it to make sure we fully understand each other. I think that's a lot of where security misconceptions happen: there isn't that full understanding between the business unit and security on the initiatives and the challenges behind them. Make sure we get fully down to the root of the problem, so that we can fully address it and not overlook it because of some other type of solution. It can get interesting with the different sections of industries and the different struggles we can be going through, but there are a lot of enablers that we can continue to figure out together if we continue those conversations and not just stick to a solid "no, you can't."

Adi: Yeah, interesting. Have you ever, obviously no names or companies, but
did you ever see a breach happening because of some sort of miscommunication, or someone making a mistake without intending to create a security issue?

Dexter: Yes. And I'll supplement that as well: I've seen security incidents happen from people who consciously made a change. They were trying to implement a certain architecture because they consciously had, we'll call it a marketing drive for it, but they didn't realize the other security implications behind it. It was very interesting to be part of those dialogues as we figured out the deeper technical things that could be exploited from this. That's one thing I loved so much: the engineer who was working for me at the time had a very strong pen testing background, so he was very technical and able to see very deep down in the weeds what could be pulled from a certain network connection on this web application. It was very useful to then be able to discuss with those other stakeholders: here's what's actually going on deeper behind the scenes and what these threat actors could be trying to grab; let's throw a couple of other pieces into the architecture so we can still achieve the things we are trying to but not divulge the information we don't want to. That further collaboration mattered, because there was more to the equation that they couldn't see.

Adi: Interesting.

Dexter: It's a lot like the analogy of the four blind men describing an elephant. There are so many of those situations with every business that we all need to make sure we have that collaboration, so everybody gets the full picture of the elephant.

Adi: Perfect. In your team right now, are there a few people, or is it just you managing security?

Dexter: A little bit of both. Right now I work for GK Software, in the Americas division, where I am the Information Security Manager, and I report to the CIO. I don't necessarily have a formal team under me, but there are other security teams from the global headquarters doing it full-time. And to me, everybody else in the Americas division, and even the global side, are all part of our team. I think that's an important thing that I've loved with security culture, in general with companies, as it has been developing: helping everybody understand that they have a part in security, and that we can all work together to make sure things are running well. Whether it's by just reporting a phishing email, or helping to make sure we're running better patch and development processes so that we're not constantly running on antiquated software but actually looking at a more holistic lifecycle for things, as they keep things more up to date they're directly helping me avoid any vulnerabilities or issues we may run into in the future.

Adi: Interesting. Have you ever been in
a situation where things were sort of on fire and you had to act in that moment and fix the issue?

Dexter: Yeah, definitely. It's very interesting. I very much appreciate the work that ER doctors do; my father-in-law was one for many years. While I may figuratively have been in situations where something is bleeding and I can't tell where it's bleeding from, I don't have the blood literally gushing at me to figure it out, so I applaud those guys. But it's allegorically very similar: sometimes you don't know what's bleeding and why it's bleeding, and it can be very difficult to think about why it's bleeding when you're in the process of stopping the bleeding. But it's still something that's important to have at least in the back of your mind, because there are times you may be cutting off the wrong things and not putting the right emphasis into place later, because you don't understand. For more context, in the situation of a data security incident, let's say there's a lot of bad traffic coming in. We want to block that bad traffic, but if it's not readily apparent what they are targeting, that's important to make sure we're thinking about as well, so that our efforts can be more strategic and surgical. We're not just putting the, I'm drawing a blank on the medical device, the tourniquet over the whole leg when we can just sew up a cut on the foot and be okay.

Adi: That's a good one.

Dexter: Nice. Well, that's something I've seen too: over time there are so many scenarios you're just going to be so frustrated with, and you have to make sure you can open up to having some time for laughter and making up funny analogies for things. I applaud one of my previous co-workers, Brad Bennett; some of the analogies he could come up with were pretty fire, and it was something that helped us get through it a lot, in that piece of connecting with each other and helping people understand.

Adi: Interesting. What are the
things that tend to be most frustrating about cyber security?

Dexter: I think one of the biggest, to me, is internal threats, a lot because I want to be trusting of people, especially the people inside my country or my company. I want to trust them, so things like DLP or other controls I can struggle with sometimes, because I want to inherently trust people. I see that there is a high importance for DLP controls and for those least-privilege things, especially in the case of somebody's account getting compromised; I can still trust that internal person, but because their account has been controlled properly, we're properly controlling the impact of things. But that was something I dealt with earlier in my security career: some new DLP controls we were putting into place felt too much like I was being the NSA and snooping on people internally. I just wanted to protect the company from the threats on the outside, and I didn't like doing as much of that investigation. That's one of the bigger pieces I don't like about security: having to keep my eyes on everybody else internally. Otherwise, I can't think of other situations I don't like about security that aren't reflected in other things.

Adi: Interesting. What is one thing about security that you think most people from the outside don't really understand?
Dexter: I laugh, because what's just coming to mind is something I've joked about with a lot of co-workers: the thought of how you describe a job badly. I was talking with a CISO before, it was Mada and Brad actually, as we were creating slides for a security presentation, and I brought up, how do you describe your job as a CISO very badly? Well, I make slides all day. So it just made me laugh as you asked that question; I was thinking, well, I look at spreadsheets half the day. The thing that immediately comes to mind that people may not realize about security is that it's not all like The Matrix, all technical. A lot of it is very much simpler things, like looking at spreadsheets and organizing things. I talk with my wife about my job, or other jobs in IT in general, and she says, "I could never do some of the stuff you're doing." Especially as we've talked about our kids being in school full-time now and her thinking about going back into the workforce, I tell her she could do a lot of this stuff, because a lot of it is just being organized, sorting things out, finding the right priorities, and cracking the whip. I tell her she would be a great project manager. You should have seen the way we moved our house, from Salt Lake to Royal, Utah: she had different colors of duct tape that we put swatches of on every single box, she had an inventory of where all the boxes would be, and I keep telling her that translates directly into project management. She could do great, because some of the things really aren't that technical. You can jump right in and organize things into the right priorities and poke the right people, and things can be moving along very quickly without much technical knowledge. Then, as you work through it, you gain technical knowledge very quickly, so long as you keep your mind open and constantly learn. That's something I've been pushing my kids on, as they're in first and third grade: read quite a bit, make sure you're a good reader and understand how you learn well, because if you have those things and that mentality of constantly learning, you're going to do immensely well in security, in other IT functions, and in life in general. I joked around with people, as I started in IT on the help desk, when they were like, "How do you know all this stuff?" Well, half of it is Google. I just research stuff, I play with things, you get to know it, and you ask other people, "How did you fix this issue?" Granted, I have to divulge that the other half of it is black magic sometimes. Sometimes my wife has an issue on her phone or her laptop and she hands it to me and it just magically starts working. Unfortunately I don't see as much of that black magic in security. But a lot of security and IT things can just come down to very, very simple things.

Adi: That's so funny.
What would you say to someone who wants to get into security or wants to advance in security but is maybe uncertain, or not sure what they should do?

Dexter: I get this a lot from different areas, and one of the pieces I point them to very quickly is just YouTube. YouTube is a wealth of knowledge right now, and has exploded over the past 10 or 15 years that I've been working in IT and security. I've got to give a shout-out to Professor Messer, NetworkChuck, and David Bombal; they've got some really great channels you can learn a lot from, and you don't have to pay for big subscriptions or big textbooks and things. There's still a lot you can gain there to at least get that understanding of things. The next thing is: what is starting to interest you, and why does it interest you? And then furthering from there. So for somebody who's interested in pen testing, understanding why that interested them. Is it interesting to them just because they want the title of being a hacker? They've seen the movie Hackers and they want to be that guy with 20 different computers who can say "I'm hacking into the firewall," and five seconds later, "I'm in"? Or do they want to do it so they can help a company understand how they can improve things? Then, as they understand and look into pen testing more, it's important to recognize that the better route is with the mentality that you're helping the company. And because you're helping that company, it's not 100% glamorous all the time. You're going to have to spend a lot of time in a spreadsheet and in a Word document trying to describe all the things. You may only be spending 5% of your time actually trying an exploit, another 60% of the time documenting it, and the other 35% of the time researching how to do more things. So really understanding: because this isn't so glamorous, is this still something you want to do and continue forward with? If it's not, that's okay. It's great to find the things you don't like so you can continue onward, and you can still play in some of those things. I have a lot of fun with my old co-workers doing capture-the-flag events that have some pieces of pen testing, where I don't have to write the documentation afterwards but can still have fun with it. Keep the fun things fun, and look for those areas that can continue my love for doing it on a career basis, and expand on those. For me that was security leadership, and really helping companies develop that higher strategy and move forward.

Adi: Amazing. What do you see as one of the biggest problems in cyber security
today?

Dexter: Oh, that's difficult, to see the very biggest, because there are a lot of things running rampant, in terms of old software, technical debt, just being able to trust other people with identities and spoofing, and even some of the crazy ways people are able to bypass MFA through different exploits. I think it's very difficult to really nail down what the most difficult thing is. I think the closest I can get is the understanding and capabilities companies have to have of total cost of ownership. Sometimes companies understand what total cost of ownership is, they understand which updates they need to do, but they don't have the resources, and other constraints get thrown into place: they need to scale up way faster than their resources allow, and that makes it very difficult for them. And then what can be even more difficult is those that don't even understand total cost of ownership, and don't even give their internal resources, their security personnel, the time to help them try to understand it and develop a strategy. That's an interesting thing I've seen: companies that may have a CISO because they're a public company and they're required to, but they just shove them off into a closet and don't really even try to include them in understanding the business, the total cost of ownership they need to have, and having a good strategy.

Adi: Interesting. What do you think is something
that maybe security professionals and CISOs tend to overlook in their everyday?

Dexter: I think for me, sometimes, and I'll even take this as a place where I don't do as well sometimes, it's understanding the efforts other people are actually doing and being able to recognize them. That was something I had a rough learning experience with from one of my engineers, but I appreciate it so much because it helped me solidify that I need to watch out for those times. I had an engineer who was spending a lot of time with the sysadmin team, trying to help them get this migration taken care of and make sure it was done in a secure fashion while also completing the operational needs the business had. From my purview, I could only see the security checkpoints that were getting done, and I wasn't looking at the operational ones at all. I was getting very annoyed with this engineer because the security checkpoints weren't getting done. I could see the project moving along but his piece wasn't, as much, and I hadn't been talking with him. I hadn't been asking the important questions myself to understand what he was contributing, so that I could give him proper recognition for the business things that were going on, and to understand how pressured he was to help with those other areas. Had I known beforehand, I could have talked with other people in leadership to move resources around so that we were being fully efficient in all the ways we could be. It helped me understand that there are a lot of questions I need to make sure I'm asking of the people under me, not just the people laterally or above me, to make sure we're working properly. There are so many times we are going to run into those assumptions. Sometimes they work out great; sometimes we run into the classic "assume" analogy, which I won't detail but will just give that wink to the listeners about what an "assume" can turn into. I even had one just this morning that blew up in my face: a number of assumptions I had that were completely inaccurate. Thankfully there wasn't a big impact from this, but it's important that any time there's any impact from an assumption, we take that note: okay, we made a mistake, let's make sure we learn from it. It's very important everywhere to learn from each other and learn from our own mistakes, and continue moving onward. I'm excited to do that in this scenario, and just continue learning and growing.

Adi: Amazing. Okay, so I have two final questions.
One: what do you think is the difference between the way cyber security is looked at and dealt with today and, let's say, five years ago? And after you answer this one I'll ask the second.

Dexter: Okay. I appreciate that you said five years ago, partially because there was a whole pandemic in between, and so it's very interesting, because there's a huge difference there that I can talk about.

Adi: Interesting. What did the pandemic specifically change?

Dexter: Cyber security is something that evolves with the nature of how we do business, so it flows just as much as things change. As people went to working from home more with the pandemic, we had to change things with cyber security, with different compliance things, and the way we do things. It's definitely made data more available in more places, where we're not tied as much to the office. Some companies are reverting back, getting back into the office and performing that way, but we've seen a lot that are still embracing it, and thankfully there are new companies and features developing to help make sure we can embrace that remote lifestyle and keep it secure at the same time.

And a lot with the, sorry, I'm drawing a blank on the other facet I was going to, oh, the compliance side. There's a lot that's pushing more companies to at least have a very basic framework of "what is your security," and let's continue raising the bar. I have a love-hate relationship with the transition from PCI version 3 to version 4, because I love it exponentially: it's going to force companies to actually reduce the scope of where they keep credit card information, where they keep this sensitive data. We've needed this for so long. I hate it because I hate that companies have kept that waste for so long, so it's going to be so difficult for them to embrace that change and be able to move onwards. I kind of wish it wasn't as drastic a change that the PCI Council went through, and that they had been able to push more through, but it's something we really need. For any type of sensitive data, people need to have a lot more awareness of where it sits and how it's protected, so that we can really have, like you said earlier, proper ownership of what we're doing.

Adi: Amazing. So before I ask my last question, who's... that is sort of the other way, the other side of this question. I

want to say thank you so much for your time and I think this has been super valuable for anyone who's in security

like your knowledge is really like forgot the word but like

very broad like you have a lot of different things that both on the actual security but also on team and team

building and management and I think it's really cool and thank you for joining us um I'll ask my final question for having

me of course what do you think cyber security is going to look like five years from

now um it it's it's interesting I I think a lot about um just the future when

especially further out from five years most of the time because I think about like what's the future going to be like

for for my kids and um I I think it like it it ties in a lot with kind of what I

talked about with kind of the the change of things is is like the the hopes that I have is that um companies are going to

be able to have a a better hold on to um

kind of their their sensitive data have but better resources to help them with

um with keeping that secure um I I hope that we can see a lot

less of the like the huge breaches um going on with with things I I hope that

we can get the right resources in in the right places the right understanding with

things it's very daunting to me though to to know if that's going to to happen

well I I see so many areas with the economy where um there's there's so many

budget cuts people getting laid off and uh a very difficult job market

that um I I have some hope for the future but

it's uh it's very concerning that um uh we we really need to to make sure

that we're we're working together to to try and solve and and make sure that the

the next 5 years has positive growth and and we're not just looking at even even

a larger pile of technical debt as as we uh arrive five years from

now amazing thank you so much thank you


Ensure SOC2, HIPAA and GDPR compliance across all your SaaS tools

Built in Tel Aviv, Israel