Chris Sienko: Hello, and welcome to another episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader to discuss the latest cybersecurity trends and how those trends are affecting the work of infosec professionals as well as tips for those trying to break in or move up the ladder of the cybersecurity industry.
John Bree is the Neo Group, Inc. senior vice president and partner. He’s an experienced financial industry executive and former managing director of Deutsche Bank as well as a senior level risk analyst who is going to speak to us today about his journey as a security risk analyst, his career steps along the way, and how aspiring security risk analysts can make the best choices to get their career off to a great start. John, thank you for being here today. Oh, lost your earpiece there. Your audio is out.
John Bree: Okay. There we go.
Chris: There we go.
John: Well, again, thank you very much. It’s a great opportunity to be with you, and I appreciate the chance to talk to folks about an interesting 45-year career.
Chris: Okay. Well, we usually start out with talking about your career journey. How did you first get involved in risk analytics, and how did that springboard from what you did in previous iterations of your career? Where did you go, and how’d you end up here?
John: Well, the journey started a long time ago back in 1974, but in banking and as banking started to evolve and we started to move towards automation, we realized that things were going to be happening a lot faster. What we didn’t think about is the whole world of hacking and cyber attacks and those kinds of things. The goal was to move data quicker. As we moved forward and I think we got into probably, oh, about the mid ’90s and we started to get into something called online banking, which became a hot item, I mean, ATMs were the be-all end-all, of course, until we came up with online banking.
One of the things we saw as soon as we started to launch our online banking applications is that people were hacking them, spoofing them, and then that whole new world of phishing with a P-H started. It was a realization in that you could no longer use the old tried and true “an incident happens and we’ll go solve it and recover lost funds.” We had to get out in front and start to be more predictive and proactive than reactive. I know-
Chris: Yeah, when did-
John: … that’s been said before.
Chris: When did you start seeing these trends popping up for the first time?
John: Probably around in the late ’90s, early 2000. I know I experienced a major phishing attack on an online banking system for US Bank back in 2000, and it was new. No one knew what was going on. As we were changing it, as fast as we were correcting our website, they were spoofing it, making the changes on the spoof site. Then, of course, everybody was new. Everybody was hot and excited about their computers, and so everybody was answering emails and giving away data. Nobody ever heard of what they call keylogging software back then.
John: … and all of a sudden, people’s accounts were being emptied. Anyways, so where it led us then is that we had to move into a predictive world.
Chris: What got you interested specifically in being a risk analyst in a technical field like that? What were some of the major steps along the way in the progression of skill sets that got you to that point from previous positions and so forth?
John: Well, as we tried to start to build, again, a behavioral analytic model so we could start to look for patterns, we really didn’t have the capability. We had to look to people who knew how to use the data. We had all the data, but it hadn’t had a pulse, so now that led us to this world of risk analytics where analysts then could specialize in identifying information data and start to pull it together so that we could do pattern matching, so we could see a change in a person’s behavior. As a result of that change in behavior, we could be predictive about what might happen.
John: Then, of course, what we started with then is we took older cases that we had and went and did a retro look and said, “Well, across these 30 or 40 key indicators, what was the pattern that eventually resulted in this fraud loss or this spoof?” It allowed us to start to take advantage, but again, it was very cumbersome because you had structured and unstructured data. Then all of a sudden, Hadoop came along and basically changed the world.
Chris: Right. Right. Right. The purpose of the Cyber Work podcast is to give people an inside look at certain career tracks or career paths or whatever. To start off, walk me through your average day as a security risk analyst. What time do you start work? Where does your work take you in the course of the day? How long into the day is it before your to-do list goes up in flames as emergencies start piling up and so forth? What time do you clock out at night, or are you on call all the time?
John: Well, in the world of anti-trolling and loss avoidance, I had the luxury of managing a team of risk analysts, and we were fabulous. From them, I learned the abilities and the capabilities. A normal day would start usually at about 6:00 in the morning on a commute where you’re talking to other parts of the globe to find out what’s been going on and what the challenges are, and then get in the office at 7:00 or so after a reasonable train ride, and you have your great plan. “I’m going to spend the morning, I’m going to do my emails,” and so on and so forth. Then when you get to about the third email, it’s the one that says, “Gee, we have this problem. What do you think about it?”
You go after one of the analysts, and you have them dig into it and do some research, and the next thing you know is you had a problem, you had a miss, you had a hack. I mean, not a major hack. I don’t mean where they get the main database. I mean where you have a client whose PC was accessed and now their account is empty, so you have to go back and recreate that. That then goes on during the day.
Then, of course, in the middle of the day, you’re always trying to attend the meetings about how to prevent everything that you’ve been working on since 7:00 in the morning from happening. Then that day goes on. You have some more problems. There’s always a few at the end of the day. You try and close out your emails and move on, and you do. The cell phone… I mean, I go back to the days of pagers, but you never turn it off. The cell phone was there because in a global environment with teams in different parts of the world, you have to be prepared to support your team when they need help or take a transfer or a handle.
Chris: Is that pretty common, getting the emergency email at 2:00 in the morning?
John: Oh, yeah, it was because what’ll happen is it’s 2:00 in the morning in New York, but it’s 2:00 in the afternoon in Asia, and they just realized that somebody emptied out an account or fraud is occurring or a client has reported that there’s information or transactions that they never saw. Now, this is where, again, that risk analytics piece becomes important because you have to go back and recreate it.
Chris: What obligations does a risk analyst have to their company? Where do you stand on the corporate hierarchy chart, and who do you report to?
John: It kind of goes two ways. If it’s purely on the infosec side or the IT side, it’ll roll up usually through the CSO because that’s where you’re providing support to the other group. If you’re on the risk side of the business or the ops side of the business, you’ll roll up either to a chief risk officer, or in some cases, the head of operations or legal if you’re in a loss avoidance, anti-fraud-
Chris: I see.
John: -role, so it sort of splits. You have the technical versus the operational.
Chris: Okay, and I suppose it’s possible to have both types at a company at different levels.
John: Oh, yeah, without a doubt. What will happen is, for example, if I was on the operational side, I would roll up to the chief operating officer, but the cyber team would roll up through CSO. We all wind up pretty much at the same place. What that did is it gives an ability to provide different tracks and then to support each other with different skill sets.
Chris: Okay. Now, on average, are more risk analysts employed by, say, a single company, or is it a primarily freelance consultancy position by nature? Have you done both?
John: Yeah, I think what happens is in a lot of the major corporations you’ll have a team, an internal team that is hired and becomes part of the structure, and then what you’ll do is you’ll use contractors to support that function; however, we are seeing a little bit of a change where centralized utility type organizations are being there to provide services. I think right now you have an excellent combination of both. I think a good place to start is if you can get into a corporation for a couple of years, that’s a great place to really hone your skills, get a feel for what clients are looking for.
Chris: Is there an advantage or disadvantage to starting in a freelance… If you can’t find a corporation or you’re in a small town, is it the sort of thing where you can hang out your shingle and get experience that way?
John: I think you can. I think what we’re seeing is that as small-medium businesses start to grow and expand, they obviously become more technical as we see digital convergence happening, but it’s not only happening at the Citibanks and the IBMs and the Boeings. It’s happening at small regional or local businesses. They will not have the ability to have an in-house staff, and I think if you’re a local and you’re good at what you do, you have an opportunity to support them and provide an external service.
Chris: Here comes a list of bests and worsts. What do you think are the most interesting parts of the security risk analyst position, and what are the most difficult and repetitive?
John: I think, really, the interesting part is when you have a situation and you’re on the hunt. You’re trying to find out exactly what happened, or from a predictive analytic point, what is going to happen, the challenge of getting data, using data. Data is available. The issue is how do you use it? How can you take advantage of it?
The other challenge is how do you use data without being intrusive? I mean, I’m a strong supporter of data privacy. How do you use information without reading a person’s email, without getting into their phone calls? Well, you can do it through volumes. You just look at volumes of activity so you don’t have to be intrusive. I found that to be the rewarding part. The real, I guess, disappointing part, the challenging, real challenging side is to stay with the process when you keep hitting roadblocks and it’s just not working out, and you came up with a pattern, you worked at it, and another incident happened. It’s that you have to be committed to seeing it through. I always just say to people, investigations are not like on TV. It’s not an hour episode.
Chris: Doesn’t wrap up in an hour. Yeah.
John: Yeah. There’s no commercials, and it’s probably going to take [crosstalk 00:12:26]-
Chris: It might not even ramp up cleanly in certain cases I would imagine.
John: Or it might not even wrap up.
Chris: Right. Right.
John: It also might wrap up with the problem being internal versus external, but again, those become the ultimate reward at the end is that you can help either your employee, your client, or a victim.
Chris: Now, I guess… Sort of makes me think of project load. Do you have a lot of projects right now that are in that limbo where it’s like, “I can’t sort of solve this, but I can’t let it go either.” Are there a lot of plates spinning in that regard where you have to just keep hacking away at long-term projects with clients while you work on stuff that’s more solvable or… I don’t know.
John: Yeah, I think there’s tactical and strategic. What happens is you can start with a tactical issue because you have to come in and stop the bleeding and provide a technical solution, and from that may grow a strategic plan. While you’re solving the problem, you’re also helping build a plan. Sometimes it happens the other way. A company has foresight. They decide they want to do something. You’re brought in to be part of a team on a strategic plan, and as soon as you start with the plan, things start to happen. Now you’re juggling tactical with strategic.
The thing that I always used to encourage the analysts to keep in mind and the specialists to keep in mind is try and make every tactical solution something that we can build into the strategic plan. You can’t do all of them. Sometimes you just have to do a stop gap, but if you can always… What Stephen Covey always said, “Begin with the end in mind.” If you go down that path, you’ll really have a better opportunity.
Chris: So anatomizing the task of security risk analyst into the things that you do every day, what types of activities or projects or even just actions should you really enjoy doing if you’re considering this as a career? You’re going to be reading these types of files every day, you’re going to be communicating every day. What are the things that you really should like if you want to get into this career?
John: You have to like the minutia.
Chris: Yeah. Okay.
John: Yeah. You’re going to go through thousands and thousands of bits of information to try and find that nugget or the combination of bits that create the nugget. I think you have to be willing… and the other thing is you must not be easily defeated. It’s like playing baseball. If you strike out, you can’t carry it into the field, and if you make an error in the field, you can’t carry it into the batter’s box. I think that’s an important part of this. I have a high level of respect for the analysts that can keep their head down and can keep plugging away at it, even with the adversity and the failures because there’s going to be failures. It’s not going to work every time.
Chris: What role, if any, do you feel that professional certifications play in the enhancement of a career in risk analytics? Do you think there are any… Do you have any certifications, or do you feel that they’re important at all or?
John: I think they are. I mean, I’ve been in the business a very long time, so I kind of predate the certification process-
Chris: Sure. Sure.
John: … but I think if you’re going to get into the pure risk analytics, you’re going to work in that, I think you have to go through them. There’s a group of them out there. The cyber certifications are out there, and they’re good. I think you should look in reverse, decide on maybe what field you want to go into. Do you want to be in finance? Do you want to be in healthcare? Do you want to be in technology? Then research that and find out which are the certifications that can help you. What they do is they give you a strong baseline, but there was… I was talking to a very good friend of mine earlier today, Bob Maley, who’s a CSO, and he said, “There’s nothing like experience.”
Having the certification is good, but you need the hands-on experience. Now, a lot of your podcast listeners are going to say, “Well, gee, how do I get the experience because I can’t get the job?” The certifications then help you have at least credentials that get you into a starter position in an organization where they’ll then give you an opportunity to use those skills that you’ve learned and to hone those skills. Yeah, certifications are important.
Chris: Yeah. Now, speaking to that, if you’re right at ground zero and if you’re maybe not in a huge metropolis with a lot of corporations that need risk analysts or whatever, what are some early steps that someone just taking the first step up the ladder can take to make themselves desirable?
John: Well, I think it’s all about research. Find the course. Find the online course that can give you an understanding, and also, when you head in that direction, maybe you can do it through a local community college or a local college. They all offer courses and training sessions. You want to look for the ones where you will meet people from the industry, see, because that’s a great way to do it. You’re being taught by someone who does nothing but teach, and I think education is the most important part of our society, but you need people in those classrooms who have been in industry or practical who can give you guidance on not only teaching you the technical skills, but giving you the guidance on how you take those technical skills and turn them into a career.
Chris: Yeah. What types of companies require a risk analyst? Are there certain sectors that are especially rich in this area? Obviously, finance and things like that, but what types of professional companies should you be trying to be employed at to make yourself desirable as a senior level risk analyst?
John: Well, you’ll get a lot of exposure in the financial industry because financial industry is covering everything, and there’s a tremendous amount of data, and it’s a cross section of issues.
Right in the moment there.
I think that’s a great place. Find your-
John: -you get a lot of exposure; however, think about the insurance industry, the medical industry, because anywhere where it’s a regulated industry where they have confidential private data… so think about health care, think about insurance. Then, of course, there’s the purely technical side. There’s the firms that are out there building cyber programs or cyber avoidance programs or cyber incident avoidance. There’s a lot of them out there. There’s some very good companies, and there are a lot of small companies that are really doing some very creative cutting edge stuff. I think that’s where you want to get into. Then the other side of it is there is a tremendous demand for analytics in the whole third-party vendor risk world-
Chris: Oh, yeah.
John: … because regulators are demanding more from companies as opposed to a once-a-year review, and analytics is the solution.
Chris: Yeah. Okay. How so?
John: Well, for example, 10 years ago, five years ago, regulators would say to banks, insurance companies, “Once a year you have to go do a very detailed risk assessment.” All of your listeners are probably familiar with getting those thousand-question documents from a potential client who says, “You’ve got to answer all this. Tell me everything about yourself,” and they go through it, and it’s ongoing, and they come on-site. That’s what’s traditionally called a risk assessment.
Now that’s mature, and that’s a good document. It’s a great way to do it. For example, an organization called Shared Assessments has an excellent standard information gathering tool. But the regulators were also saying now, “Well, that’s wonderful, but what are you doing the other 364 days a year?” Now what we have to do is take that information and use continuous monitoring, real-time continuous monitoring so that you can look at things, so if you see a financial change in a company, well, you don’t necessarily have to go do an infrastructure review. Maybe just look at the financials, or if you see something that… governance, all of a sudden, they’re getting regulatory. Well, you want to take the governance program. Continuous monitoring, risk and analyzing all that data, the risk analytics of it will allow you then to do targeted-focused reviews.
The other thing it does is the opportunity side. People look at analytics as a way to catch a bad thing. You’ve got to use analytics to find good things also. Analytics can help you find opportunities. You can say, “Well, maybe there’s a better way to do something,” or, “Maybe there’s a more cost-effective way to do something,” or, “There’s something new out there,” so analytics should be about finding both opportunities and challenges or potential disruptions.
Chris: Okay. That’s interesting. Can you elaborate a little bit on the opportunities that you can find via analytics?
John: Sure. Yeah. I mean, for example, I’m part of an organization at Neo Group where we actually do monitoring of countries, cities, and suppliers, and we do it over a very sophisticated 350-key indicator set. Well, one of the things… so we look at things, and we’ll see changes in currency in a jurisdiction. Well, if the currency exchange rate is more favorable, why should you, in one country, have to pay an annual COLA increase when the currency is in the other’s favor, so that you can actually look for a deduction.
You might see a company all of a sudden announce or turn through their financials that they’ve automated. Well, if they’ve automated, you should be able to go back and say, “Well, gee, the service you’re providing at X dollars, now that you’ve automated, maybe you can provide it at X minus 10%.”
John: Again, all of that, remember, it’s just data. If you’re looking at clients’ accounts, well, people have more money in their accounts. All of a sudden maybe they’ve gotten a new job or maybe you should sell them other services. I mean, marketing has been doing this for years.
Chris: Sure. Sure. Sure. Okay, so as we wrap up… As we wrap up today, where do you see the role of risk analysts going in 2019? Are there any procedural changes that you’re seeing in the years to come?
John: Again, I think what’s going to happen is you’re going to have organizations like Shared Assessments, for example, that has a very sophisticated, complete certification program. It’s called CTPRP. It’s a Certified Third-Party Risk Professional. As people are coming through that course, they’re getting an appreciation for the importance of analytics and how you could use information and data.
I think you’re going to see the change… Well, we’re seeing the change now where people are moving more towards predictive analytics, predictive behavioral analytics as opposed to looking at reactive analytics. “Here’s what happened this month and what do we have to think about,” as opposed to, “Here’s what happened in the last 24 hours, and here’s what is happening right now. How do we then use that to predict what’s going to happen next?” I think that that’s coming.
Chris: Yeah, that’s definitely coming. One last question here. Tell me a bit about Neo Group, Inc. and some of the projects your organization is working on at the moment.
John: Neo Group, Incorporated is a sourcing advisory firm. We work with only buy-side customers. What we do is we work with all-sides organizations to help them review their internal operations that they think they might be able to SOAR, so they’re thinking about a better way to do it. Through our constant real-time monitoring and analytics that we have, we can guide them to is it cost-effective, what will it cost them to do it, and if it turns out it is cost-effective to SOAR something, we find the best locations for them because we’re constantly monitoring cities, countries, and suppliers, so we know what’s going on in the industry.
We also work with companies on something called benchmarking and credit card analytics, and we work with them… We actually generate 15, 20% savings just through looking at roles, technology roles, taxonomies, and we consolidate the roles down. It’s a matter of using available data to then help companies take a better look at what they’re doing and guide them down the path so they can operate more effectively, efficiently, and possibly be a bit of a value proposition.
Chris: Okay. If our listeners want to know more about Neo Group, Inc., where can they go?
John: You can go right online to neogroup.com.
Chris: All right, John Bree, thank you very much for your time today.
John: All right, thank you. Have a great one.
Chris: All right, and thank you all for listening and watching. If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice.
To see the current promotional offers available for podcast listeners and to learn more about our Infosec Pro live boot camps, InfoSec Skills on-demand training library, and InfoSec IQ security awareness and training platform, go to infosecinstitute.com/podcast or click on the link in the description below. Thanks once again to John Bree, and thank you all for watching and listening. We’ll speak to you next week.