How is the open exchange of information affecting cybersecurity?

Organizations may be hesitant to share attack vectors, data breaches and other cybersecurity information, but that siloed approach is holding cybersecurity back, says Cody Cornell, co-founder and CEO of Swimlane. On today's episode, Cody discusses the open sharing of security information, how it can transform cybersecurity from a source of consternation into an opportunity and ways to get your company to buy into this new way of thinking.

Cody is responsible for the strategic direction of Swimlane and the development of its security automation and orchestration solution. His passion for open exchange of security information and deep vendor integration drives him to pursue opportunities to maximize the value his customers receive from their investments in security operations. In 2011, Cody co-founded Phoenix Data Security Inc., a cybersecurity professional services organization known for their ability to blend strategy and engineering with an organization's business requirements. After beginning his career in the U.S. Coast Guard, Cody spent 15 years in IT and security, including roles with the U.S. Defense Information Systems Agency, Department of Homeland Security, American Express and IBM Global Business Services.

– Get your FREE cybersecurity training resources:
– View Cyber Work Podcast transcripts and additional episodes:

Chris Sienko: We at the Cyber Work Podcast recognize the COVID-19 pandemic and its resulting impacts to communities in every corner of the globe. Our thoughts are with everyone impacted during these unprecedented times. I want to assure our viewers and listeners that the instructors and staff at Infosec remain dedicated to you and your organization’s success, as well as to your continued health and well-being.

Now here are three ways we’re supporting our community as we weather this outbreak together. Opportunity number one, you can immerse yourself in a live online boot camp from the safety of your own home, help students in the stressful time. Infosec is extending our exam pass guarantee to all students and waving the normal requirements.

In addition after your boot camp, you'll get 90 days access to Infosec skills, where you can continue to learn with hundreds of on-demand courses, hands-on labs, skills assessments and more. Through the end of April, you'll also save up to $1,000 on any upcoming online boot camp enrollment.

Opportunity two, you can help reinforce good cybersecurity habits as employees transition to remote workstations, use our free remote working training module, infographics and e-mail template to help keep your employees and organizations secure.

Opportunity three, for listeners who are not yet in the cybersecurity field, or who are now finding themselves revising their career strategies, please see the link in the description to learn more about the Infosec Cares Scholarship. It's designed to cover the cost of the security plus or network plus training course and certification exam you'll need to qualify you for an entry-level cybersecurity position.

Stay safe, stay healthy and thank you as always for tuning in. Now let's start the episode.

Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different cybersecurity industry thought leader and we discuss the latest trends, how those trends are affecting the work of Infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.

Today's guest, Cody Cornell of Swimlane describes himself as a passionate advocate for the open exchange of security information, as with many other industries in which competition is huge in both terms of financial and reputational factors, it's easy to be siloed when thinking about your individual security concerns for your organization and think that as long as the bad guys aren't getting into my company, everything's fine.

As Cody said in an article written for Cyber Defense Magazine in February 2019, to transform cyber security from a source of consternation into an opportunity, everyone in the industry not just collaborative SOCs and ISACs must work together to share intelligence, best practices and lessons learned amongst a network of trusted peers.

We're going to talk today about how these collaborative information sharing initiatives work, some of the tangible results that have been reported, ways that you can get your own organization involved and even take the reins yourself to steer your security team through this intrepid new world of mass scale security and information collaboration.

As Co-Founder and CEO, Cody Cornell is responsible for the strategic direction of Swimlane and the direction of its security automation and orchestration solution. His passion for open exchange of security information and deep vendor integration drives him to pursue opportunities to maximize the value as customers received from their investments in security operations. In 2011, Cody co-founded Phoenix Data Security Inc., a cyber security professional services organization known for their ability to blend strategy and engineering with an organization's business requirements.

After beginning his career in the US Coast Guard, Cody spent 15 years in IT and security, including roles with the US Defense Information Systems Agency, Department of Homeland Security, American Express and IBM Global Business Services. Cody, thanks for joining us today.

Cody: Yeah, thanks. Thanks for being here and appreciate the opportunity, Chris. I know we're both doing this from home.

Chris: Oh, yeah, yeah. For the for the foreseeable future here I think, you're all going to get to spy in in the homes of the cybersecurity rich and famous.

Cody: Yeah.

Chris: Tell me a little about your security journey. We always like to ask our guests, how did you first get interested in computer techs and cyber security? Was that early going back to childhood?

Cody: As a kid, didn't do a lot of IT stuff as a kid. I mean, I grew up in the 90s, so much all the 90s. I'm not sure if I'm a Millennial or Gen X.

Chris: Right. Right on the cusp. Yeah.

Cody: Right on the cusp, right? A lot of gaming and things like that. I didn't really do technology much until I joined the service. I spent about five years in the Coast Guard. It was during that time, I actually was trained to do electronics, so radios and radar, but really towards the end of that five-year, or 10-years, started doing a lot of IT work. Some of it was just helping the organization with desk site support and things along those lines, but then slowly gravitated into let's build a few websites and let's work on this Solaris server over here and see if we can get it going and how is this going to serve up this webpage and things like that.

It was a tinkering start for me, but quickly realized it was a good career path from an opportunity perspective. As a kid, I told my high school guidance counselor that I wanted to be a burglar, but that probably wasn't a career path. Security was actually a pretty reputable secure path.

Chris: You flipped it 180 degrees.

Cody: Yeah. Here we are. There are some things about that that are somewhat similar. Yeah, that's really how I got started. For me, my first job, like anybody else, just working in a help desk. It just happened to be in the basement of a building in the federal space. Then, slowly moved into vulnerability management and system hardening and patching. That just continued to progress. I tried to do pen testing for a little bit. To be honest, I wasn't very good at it. Really migrated over to the blue team side of the house, which I really, really enjoyed.

It was the combination of security, but also the defensive component of building things, working with teams, making them collaborate. For me that was really, so I spent about 10, 15 years working in and around the SOC in one capacity or another.

Chris: Okay. I mean, just to circle back to this for a second, go into deep detail, but what do you think was something about pen testing that you said you weren't that good at it? What do you think was the thing that prevented you from fully going into that side of things?

Cody: I think for me, it was a personal interest thing, right? I was responsible for pen testing voice systems, like call managers and PDXs and things like that and we were doing that for the Department of Defense. Really what it was was we'd get in and we'd tell the vendor how I got in and why it was a problem and then we would move on to the next one. I always felt I was just churning through a situation where it's like, okay, if you can get into this and then you're done. There was no lasting building maturity process, for me at least what it felt like in that exercise.

What I what I wanted to do is build something and improve it over time, as opposed to just break something and then move on. I know that that's not what pen testing teams do and red teams do. There's a continuous improvement cycle for them as well. It just wasn't one that was filling for me, so I decided that what I want to do is build things. I always felt that would be harder and more challenging to be – keep people out all the time, because you have to be right all the time in every scenario, as opposed to right one time in history and one moment. It spoke to me a little bit more than breaking into things.

Chris: Okay. Yeah. I appreciate that. It's not something everyone says all the time, but I think it's as we have a lot of listeners who don't know quite where they want to get into in cybersecurity, I think it's worth noting what things don't appeal to people and what they eventually went with and so forth. That's very helpful. You mentioned a couple of the jobs you took along the way. Can you breakdown some of the skills you learned, the disciplines you studied, passions you pursued, search you took, whatever that got you from where you started in the Coast Guard to starting your own company?

Cody: Yeah. I think starting the company and becoming a security professional were two different narrative learning cycles for me. For me, going back again 2000s a little bit different than today and the way that people are adopting cloud and DevOps and things like that, where the software development skills are so important for security professionals now. Back then, you’d see the really good – the people that I respected were really good network engineers, network administrators, system administrators, they really understood the underpinnings of the technologies they were responsible for securing.

For me, I got a UNIX certifications, Solaris certifications. I'm dating myself. Cisco certifications. Microsoft certifications on Active Directory and things like that. I was trying to learn how to use the infrastructure and what would the capabilities of that infrastructure were. I did some IT administration and then really worked through the vulnerability management, patch management cycle, endpoint security.

It was the iteration of understanding how these technologies work. Then really understanding how to secure them. I think that was the skills that I learned along the way were how did the network worked, or how does systems work, how the Windows boxes worked, how does AD worked, how does DNS worked. Understanding that allowed me to probably be more effective as a security practitioner than I would have been if I – the first thing I would have done is taking my certified ethical hacking course. I think that helped me a lot, because I think I would have struggled had I not understood the underpinnings of that infrastructure itself.

Chris: Yeah. You mention a lot of certs there and you've obviously got a lot under your belt, but it sounds like each of them was pursued with a specific purpose in mind, rather than just collecting 15 certs and feeling you're on top of the world or whatever. When you hit a roadblock, you get to the next thing and you get to the next thing and then you have a whole tool belt to build.

Cody: Yeah. I mean, absolutely, right? I always consider myself like a systems security person. That's where my expertise. It wasn't really super strong. I didn't do IDS management a lot, or I didn't do firewall management a lot. Some people come up through the network ranks. For me, I took the CCNA courses and I took the GCIA from Sam's, not because that's what I was doing every day, but those were spots where I felt I could be a lot stronger if I understood pack analysis a little bit better, and if I understood how routing and switching worked a little bit better and why everybody keeps asking me about port security.

I spent a lot of time doing endpoint security and HIPS and data loss prevention at the endpoints and things like that. Being able to expand out and look at some of the other aspects that I wasn't spending my workday in, I think give me a better perspective of what was going on around me and why my peers were asking the questions they were asking about what we were doing and why were we doing that.

Chris: Nice. Walk me through your average every day running Swimlane. What are some things that someone in your position, CEO, what's something you can expect to be doing every day? Things like what time do you get up in the morning, what time do you go home? Are you on-call? What test do you love? What do you wish you could delegate? Is there anything that keeps you up with worry on Sunday nights, anything like that?

Cody: Yeah. I'm not a worrier. I do spend a lot of time thinking about what we're doing and it never really shuts off. That's one thing that I actually wish I could change a little bit is I’ll check, I’ll flip a switch to at least give myself a few hours a day where I'm not thinking about Swimlane, I think it would probably, honestly help my personal relationships and everything else.

If there's a wall that's probably longer than 30 seconds, my mind starts drifting back to solving a problem at work. That's who I am and the people around me know that and they make fun of me for it in all honesty, because they're like, “Hey, you're doing it again.” I'm sorry, I'll come back and I need to be more present. That's true and that's not a good thing. I'm not proud of that. I wish I could shut that off.

For me, usually a little bit different now, because we're all working at home, so things are a little different. Typically, I was up in 5:30, generally in the office by 8:00, 8:30. That's when I would get there. I spend most of the day on the phone. I'm talking to department heads. I'm talking to staff. I'm talking to the product team. I'm talking to the board. I'm talking to potential investors. I'm talking to partners.

I spend the great majority of the time talking to the point where my 11-year-old son gives me grief, because now that he hears me at work, he's like, “All you do is talk on the phone all day. That's all you do. I thought you did work.” I was like, “Well, that is my work.” No, he thinks I just talk on the phone, which is I mean, it's honestly true. That's what I spend a lot of time doing.

Chris: Yeah. Now not everyone has reacted the same way, but do you feel any regret that when you get to a certain level of management, like you get to just this top-down view where you're just talking with clients, you're just talking with people, but you're not doing this nuts-and-bolts work that you've got into it in the first place. Is there a gift-take there? Are you still be able to get dirty and work on system securities and things like that? Are you fine with letting that go and thinking about it in a more global, holistic way?

Cody: Yeah. I mean, there's definitely moments that you cherish that you really get a, for lack of a better term, geek out. You get to talk about. For me, it's different. I don't spend as much time hands-on obviously. Thankfully, the team that's when mine is significantly better and almost well, in every facet of what we do than I am. The security people are better. The developers are – I could never code to save my life. They're all substantially better than I could ever dream to be. That is really exciting, because that enables you to do things you could never do yourself.

The fun part is we built Swimlane, because we struggled in security ops. There was too many alerts, too much technologies for all, surface area was too much for us to manage. I struggled with that as a practitioner when we built teams, when we deployed technology. To see people use Swimlane and to make their lives better and that they're getting the fulfillment that we really wanted for ourselves as security folks is probably more rewarding than anything I ever did from a, “I'm going to secure this infrastructure,” perspective.

To see somebody actually – I see their day and their lives are better, because they're not doing mundane repetitive work all the time. That is really, really fulfilling. That for me is replaced the hands-on work that I used to enjoy.

Chris: That's great. I want to jump right into the thesis of our talk today. This is something that I had a bunch of guests possibly lined up. There was some particular lines in your bio that really intrigued me. We spoke previously with a previous guest, Michael Figueroa about a project he's involved with called the collaborative defense simulation. It’s related to what we're discussing, but markedly different in that his is a temporary – be a yearly event where security groups collaborate and share knowledge related to specific types of disasters, such as nation state attacks and infrastructure. They're disaster movie type scenarios. What happens if something falls apart? How are we all going to collaborate and save it?

Your interest, if I'm reading correctly, moves towards an all-year round collaboration process in which security departments of various companies share their data on an ongoing basis. I thought of it as maybe police departments sharing homicide data across counties or states to help track, or begin to identify large-scale trends or patterns that could predict related security attacks. Is that the gist of it? Can you tell me more about the root of this initiative?

Cody: Yeah. I mean, I think the goal is it's even probably faster than police departments data sharing, right? I mean, the goal is to get as close to real-time as possible. I obviously didn't pave the way for this. I think the ISACs, the threat intelligence community, the sharing of information is really was the trailhead for this exercise.

What I think that we would benefit from is not just sharing the ability to detect when things are happening inside of our environments. It's super beneficial, right? If somebody else identifies a piece of infrastructure, or campaign, or whatever it is they might be targeting my vertical, or my geographic region, or whatever it might be, and to know that in advance before it actually hits my environment is super beneficial from a prevention perspective.

What I think organizations would also really benefit from is what do I do when I see this? Yes, if I can add it to my perimeter, if I can add it to my endpoint and it doesn't affect me, that's obviously ideal. Let's say, I do search through my logging data, through my SIM and I find that yeah, I am – someone in my environment or multiple people in my environment are connecting to this infrastructure are affected by this. What did you do?  How did you mitigate this? What was your response? What does that look like?

From an automation perspective, how do we start sharing more and more of that information in real-time, so that we're not responding and figuring things out for ourselves every time? No organization, no matter how big, how big their budget is, has all the expertise they need in the moment they need it. The more we can collaborate, the more that we can share that expertise across organizations, I think the more secure we can be is.

It's a community-based defense model. I think that the threat intelligence community really started pushing this out. I think the automation community can extend it in a way that helps organizations not just see when bad happens, but what do you do when bad happens?

Chris: Have you begun building these coalitions of connected security groups, or organizations already – have there been organizations that have, I guess have there anyone that have balked or resisted the sharing of their own security data? If so, why?

Cody: There's always going to be people that hold back information, right? I mean, you see it within the ISAC people sharing intelligence information, you see it where people don't want to upload payloads, or malicious data to a virus total because of the attribution effects of doing that. There's always a give-and-take on sharing data, but we do see where people are collaborating and it's having a positive effect.

Again, if you look at the sticks standard, there's a portion of that standard for intelligence sharing that includes course of action. What do you do when you see this? It's there. People are starting to leverage it more and more over time, but we do see in these places where it really works out well is where you have those trusted circles, right?

Maybe it's inside of an industry vertical, right? Maybe it's US-based electrical urgent and energy organizations or distribution, or maybe it's inside of a government agency where there's multiple components inside of that agency. Those places are because they already have an infrastructure where they have a trusted circle, they feel they're a little bit separated from just general sharing, it allows them to accelerate that a little bit. I think that's places where we're seeing it already and we're seeing it in a way that is moving faster than it is in general population.

Because of the wins that they're getting, it's examples that we can share back with a broader community to show why we should be doing this more in these pockets, but be doing it much more broadly.

Chris: How is the outreach been going for this thing? Do you have to go company to company? Do you have any coalition building going on? Or how does the word get out about this particular method?

Cody: I would say it's more word-of-mouth than it is – there's no non-profit that we've started that that does this. I think there's a place for this. It's something that we've looked at a little bit and trying to figure out how we would facilitate it. I mean, being an automation company that does integrations, we – I'm pretty cognizant of the fact that if we go out and say, “Oh, we should be doing sharing and we should all be interconnected,” it sounds very, very self-serving.

Approaching it in a way that doesn't feel like it's not basically a sales and marketing exercise on Swimlane is something that I want to make sure that we do. Yeah, we've been trying to figure out is it a coalition of vendors? Is it a coalition of vendors, government and industry? Or is it someone totally separate that is fairly objective? We're trying to figure out a good way to do that. I do think the future, I think if we look five, 10 years in the future, this is going to be the status quo. There will be a mechanism which we can share this information, so that the adversary to defender dynamic is not what would I call it asymmetrical, where you have all the attackers are – they are collaborating in many capacities and they can use that effect against a single organization. The organization's need to band together and be able to push back as a banded group as well.

Chris: That really makes sense. Yeah, I didn't think of that in terms of you have these banded attacking groups. It seems insane that we're all fighting them singularly in our own silos. Can you give me some, any examples of situations in which this type of security collaboration has helped to predict future attacks, or mitigate recent attacks more efficiently? Or is this still in the speculation stage?

Cody: No. I think we've definitely seen it. I mean, you see it with the ability to identify threat actors. You see it when people are sharing searches. I mean, we see it like with people that are sharing electrical hunting patterns and things like that. Yeah. I mean, it's definitely paying off. I don't know that I have – I don't think we see it across industry, right? After you see it in places where people have similar architecture decisions where they've made similar technology decisions, we see where we have industry and vertical alignment.

I don't know that there's an example we're seeing it broadly across every distributed vertical, but we're definitely seeing it in a pockets where it works. It's I think still at a – it's still nascent in what they compare to what it's going to be over time.

Chris: Okay. As a point, can you give me any examples of people who have fallen prey to hacks or breaches or security failures that might have had a better chance of withstanding the attack if they had known that piece of information that other organizations could have imparted on them?

Cody: It's like a false negative. You don't know what you don't know. I mean, I would assure every day that there's somebody that is conditionally compromised that would have been better off if they'd had known something that one of their peers did. I can't point to one, because it's one of those, like you don't know what you don't know scenarios.

Chris: Yeah. There’s nothing like where there's a hacking group that systematically hit one bank after another. Then after you're like, “Oh, now I see the pattern now that it's already done.”

Cody: Yeah. I try to avoid the armchair quarterbacking of if you would have done this, you would have been better off, because I think people underestimate the work that goes into keeping an adversary out of an organization. It's easy to look back and say, “Well, if you would have invested in this piece of technology, or your procedures would have included this step that wouldn't have happened.” You're not accounting for the thousands and thousands of times they were right with the technology decisions they made and the procedures that they've built and things like that.

Chris: Got you. For listeners who are hearing this idea and are excited by it, what are some ways that they could maybe get their own company, or security team, or C-suite body in the concept of this type of security collaboration?

Cody: I think it's always good to have an example, like a small example, right? It's like anything else. Don't eat the elephant in one bite. Don't try to go set up a global network of distribution of automations that will help from a defensive security perspective. Whose the group that you already work with? There's probably an organization that's down the street and you guys happened to be friends because you go to the same bar, or you know them because you work together because you're in the same industry. Get something going between those two organizations.

I think one of the things that the security ops teams specifically struggle with is there's so much that's coming at them at any given moment, that they don't have time to stop and go who else would benefit from this? If someone else could benefit, how would I package this up in a way that's not disclosing too much information about my company, but it would also benefit them? How do I package that up and share with them? Think about that, right? There's ways and obviously, being an automation company, we talk to folks a lot about there's a lot of intelligence that you're curating and a lot of telemetry you're curating out of your organization. You're just letting go, because you don't have the time to normalize it, standardize it and share it.

With automation, you can do that a lot better, because it allows you to capture that information from a similar, or from a phishing e-mail, or from an endpoint alarm. There's a lot of good symmetry that you could gather and share with people, but you don't have time to do it. Having automation take over that and that could be an automation platform, or that could just be a bunch of scripts if you wanted it to be, that could capture that information.

Then you go, “Okay, if I packaged this up, who could I share this with?” Pick somebody that's easy to work with that you already have some level of engagement with and give it to them and see, what would you do with? Is this packaged in a way that's beneficial for you? If I give it to you in real-time, how would you capture it? Can you leverage it in a way that's not burdensome for your team?

Really, it's not going to happen overnight, but there-there are people that are doing this and some people who are doing it through pub/sub models, right? Using something like a Kafka, or some people are using in their ISAC, or some people are using, “I'm just going to dump the stuff to an S3 bucket and you can pull it down.” There's lots of different ways that you can do this.

I think the trick is what can I share? How do I share it? Is it easy to leverage? Again, don't try to eat the elephant in one bite. Try to do a little bit. Just do the smallest thing possible. If it works, build on it.

Chris: Right. Okay, so that leads into my next question here. You're saying, basically collaborate with the company down the street. I just get it started on a one-to-one basis like that, but I was going to ask, are there regional groups that are doing this security sharing that you can meet up with, or join? Are you really advocating for this to happen on a one-by-one? Or is there a security sharing data consortium or something out there that you would want to look into and join?

Cody: Yeah. I mean, I think right now that the easiest thing to rally around would be your ISAC. I mean, because you've already kept the infrastructures in place. They're standing meetings. The standard for sharing of response data is in the standard. It's really about leveraging it. I think it's probably the path of least resistance right now. I don't know that it's the end-all be-all to where we're going to be from a sharing perspective. Right now if you want to get something done, to get something done quickly, it's probably the fastest way to do it, because you already have the infrastructure in place. Take advantage of it.

Chris: Okay. Are there any stats or arguments that you could share with a resistant company to change their mind?

Cody: I mean, I think the overwhelming number of activities the security ops team has to deal with on a day-to-day basis, it's not a stat. It's more of an anecdotal or experience. There's all the things that I know I need to do and the things I know I'm not getting to. Then there's all the projects that I should be doing that I'm not doing. There's all the activities that are best practices that our team is not getting to.

The ability to get through those is super important and will have a positive impact on the organization you work for security posture. I don't have a stat. I mean, there's so many thousand alarms a day, or they so many IoT devices are coming in the environment. It’s death by a thousand cuts. It's not one thing, it's a lot of little things that are adding up to be overwhelming for organizations. How do you start making your – it's time management like anything else. How do you start making your time more productive? How do you start allowing yourselves to work on higher value tasks, as opposed to being bogged down with just the rote work that's required to keep the lights on?

Chris: Yeah, constant fire to be put out and so forth. Let's imagine a world in which security collaboration is near-universal, all the security orgs, all the information sharing analysis centers, or ISACs, this whole global network is connected, like your optimized version of what you're hoping for where everything's connected with open sharing and security info, best practices, breached data, you name it. What does the security landscape look like in this optimizing space in your opinion?

Cody: I think what we move away from is static infrastructure, as opposed – static infrastructure from a configuration and protection perspective to a highly dynamic, fairly organic infrastructure that it's always mutating to respond to what's going on, right? I think that's what happens is you have instead of my security team is responsible for this bucket of people, this perimeter is a lost term now, but this, I'll draw the circle around these are the things I'm responsible for, these applications, these networks, these users, these devices.

It becomes a yes, I'm going to continue to focus on what's going on, but the work that I'm doing is having a positive impact on someone down the street. This is where I think enterprise organizations really have a opportunity to have a really positive impact on organizations that are smaller. They can't make these big investments, because if the infrastructure in which they're a part of is more secure in general, I mean, not so related to current events, but if everybody is more secure, it's better for everybody. There's less jumping off points. The business world is highly interconnected. Third-party vendors are always at risk.

If everybody in the group is more secure, is more safe, we're better off. The more that the organizations that have the resources to invest, that have the experts on staff, that are doing the deep investigations and forensics and all of these things, the more that information can permeate their peers, can permeate their suppliers, can permeate their downstream partners, it has a positive net effect on everybody.

Industries in general is more secure. I think that that's the positive thing that happens over time. Security people are paranoid. They don't like to share all the time. I do think the future is sharing and I do think that the community in general is coming around to that. It's got to be in a way that is as effective for them and isn't burdensome.

Chris: Okay. The name of the podcast is Cyber Work, and so we want to talk a little bit about the career and the job aspect of this type of work. What kind of career tips, or skill study tips, or other advice would you have for listeners who are trying to break into the cybersecurity industry, whether as security analyst, or pen testers, or any of the other career positions around this open sharing of security info, the security systems, creations and so forth, where would you have someone start in 2020 if they're trying to get on the ladder?

Cody: Yeah. I mean, there's so many resources that are available now that are great to use. I think one of the things that's always super important and what I love about security is it's a great profession. Honesty, it pays fairly well. It's been fingers-crossed, fairly recession resilient through the housing crisis and things like that. It's a great profession that doesn't require you to have a PhD here, or a master's degree, or really even a degree of any kind. If you can prove to people that you're proficient at what you do, you can probably get a job and get a pretty good job.

For me, it used to be go set up a lab, go buy some really cheap PCs and install some ESXi boxes on them and install one of everything. Make sure you know how Active Directory works, make sure you run a Windows server and Apache server and NGINX, whatever it is and know how they work and then try to understand how the logging works, what happens if you create a user and what does that look like if you create a user in a non-authorized way? Just how does data loss work? That used to be the exercise.

Really, as people are moving to the cloud, you can do this inside of AWS, or you can do this inside of Azure. There's lots of ways that you can do this similar thing. The concepts are the same, right? It’s how do the services come online?  How are they built? How are they hardened? How do you patch them? It's a little bit different, because you're building infrastructure. There's code and you have to understand git repositories and you have to understand how VPCs work.

The concepts are the same. Go build on a lab, understand how it works. Can you stand it up? Can you tear it down? Can you make it work? Then if you break it, what happens? I think the difference is you don't do that on a stack of PCs in your bedroom. You do that in the cloud, which is probably great for your spouse. They don’t have to listen to the home of those – using in your bedroom every night.

Yeah, it's probably a better way to do it. There's cost-effective ways of doing that. I still recommend that that's a great way to get started. Then look at what's available from a projects perspective. Even if you can't code, updating documentation for an open source project that's really popular is a great way to put yourself in front of people that can help you become a good developer, a good security practitioner.

Just be active. I think your resume is important, but the contributions you're making to the community and being able to point to them and say, “Hey, look. This is where I updated the installer documentation for bro and this is helping people in our community,” I think that resonates with folks a lot. I think it's a great opportunity to demonstrate. Now this isn't just a job for me. It's a passion.

Chris: Yeah. I mean, that's great advice, especially if you're somewhere that's not in Silicon Valley, or you're not in a major center. Conceivably, anyone in the 50 states can get on the path and everyone has a local coffee shop or something that needs security help or something and you can add that your resume.

Okay, so as we wrap up today, let's talk a little bit about Swimlane and some of the current projects or initiatives that you're working on. How does your organization tie in with these other things that we've been discussing today?

Cody: Yeah. I mean, I’ve mentioned it throughout the conversation. For us, Swimlane is really focused on some of the major pain points that organizations struggle with and I talked about it. Availability of qualified staff, the time that I need them. I think there's a lot of people out that there that could be security folks. The staff shortage, it's a real pain that people deal with, but I think if we look to another place, we could find more people.

There’s the number of technologies that I have to secure from the cloud virtualization, containerization, serverless, edge computing, IoT. All these things are creating a lot of surface area and each one of these have new technologies that we have to monitor and manage and respond to and making them work together is obviously important. That surface area and security technology sprawl is really difficult for folks.

What we're really focused on is how do we make the investments that you've made in security technologies, be it cloud, prem, or otherwise, more effective by making them talk together. Because we know that each one those technologies you decide it was best for you, but you know they're better if they actually work together. If I can take the people that you have that are responsible for managing not only the infrastructure, but the alerts that are coming from those and allow them to work on the most valuable tasks all day, instead of that real work we discussed earlier. You're just getting a lot more value out of the investment you make and you're also more secure.

There's the cost savings that's associated with that, but there's also the improvement in your overall security posture. We contribute to a lot of different things. We've been part of the different oasis standards in the past. We've contributed to OpenC2 in the past. We have customers that are using automation to contribute to their ISACs. We're supporting a lot of different things in that capacity. We do a lot of open source work. I mean, you can check out the Swimlane github page. We have projects for hunting fish kits and we have projects for using miter attack framework and things along those lines. There's a lot of stuff that we're doing on that front as well.

Chris: Thanks. One last question. If listeners want to know more about Swimlane or Cody Cornell, where can they go online?

Cody: It’s always the easiest. I'm most active on LinkedIn. While I'm on Twitter or any other social media platforms, LinkedIn is where I'm most active.

Chris: Beautiful. Cody, thanks for joining us today. This has been a lot of fun.

Cody: Thanks, Chris. Appreciate it. Thanks for the time.

Chris: Thank you all for listening and watching today. If you enjoyed today's video, you can find many more on our YouTube page. Just go to and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your work day or at home at this point, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice.

For a free month of the Infosec skills platform we discussed at the top of today's show, just go to and sign up for an account. In the coupon line type ‘cyberwork’ all one word, all small letters, no spaces for one free month.

Thank you once again to Cody Cornell and thank you all for watching and listening. We will speak to you next week.

Join the cybersecurity workforce

Are you a cybersecurity beginner looking to transform your career? With our new Cybersecurity Foundations Immersive Boot Camp, you can be prepared for your first cybersecurity job in as little as 26 weeks.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.