Interviews 07.03.2024

Five Minutes With: A Field CISO

Meet Dirk Schrader, field CISO (EMEA) and VP of Security Research at Netwrix.

With 25 years of industry experience and a bouquet of industry certifications (including CISSP and CISM) under his belt, Dirk Schrader works to advance cyber resilience as a modern approach to tackling cyber threats.

Eleanor Dallaway quizzes Dirk about his industry insights and asks how the SolarWinds lawsuit will affect the CISO talent entering the industry.

What was your route into cybersecurity?

It wasn’t a straightforward journey. My first device was a Commodore C64, which ultimately led me to work for the Commodore company in technical roles for a while. Later, in the 90s, I got into networking and security, obtained some Cisco certifications, and then earned CISSP certification in 2004.

Cybersecurity is a broad field, and I’ve had roles including sales, marketing, tech, and support, which led me to the research role I hold now.

If you could retrain for a dream job, what would it be?

Helicopter pilot. I have had a few opportunities to fly in one as a passenger, and I love it. What I admire the most is the pilot’s ability to handle the helicopter in its relative position in the air, that level of hand-eye coordination.

Who do you admire in the cybersecurity industry?

I can’t call out one person. You have interviewed a few of them, like Lisa Forte. Other names are Daniel Card for his in-depth views, Manuel Atug for his work on critical infrastructure security, and Lisa Ventura for her ability to look behind the tech at the humans of cyber and connect them.

What’s the biggest misconception about cybersecurity?

There are two.

  • Cybersecurity can be solved by tools.
  • The employee is your weakest point.

Both are so basic that they lead to so many misjudgements and conceptually wrong approaches to cybersecurity that it drives me crazy. Tools do support or enable a thorough security process, but no amount of them can make a company completely secure. The tools must be used with a good concept of cybersecurity, a solid architecture, and processes based on a trusted framework like NIST CSF, operated by trained security staff.

Of course, employees are the prime target for cyber crooks, but that doesn’t mean they are your weakest link. If you treat them this way, though, they’ll become your weakest link. We have all seen awareness training that makes you feel like you’re seen as ‘numb and dumb’. We should talk about enablement, encouraging interactions with support and security, and thought-through guardrails that provide flexibility to do daily tasks.

What’s the best thing about your job?

I love learning new things, talking to people, and exploring new ways of addressing cybersecurity risks from both a process point of view and technical capability development. The topic of cyber resilience exemplifies what I love in my job.

And the worst?

Repetition. Sometimes, it’s tiring to repeat the basics of cyber hygiene. It must be done, but it’s not the most vibrant part of my day.

What advice would you give to industry newbies?

Take nothing for granted, ask, and ask again, and don’t neglect your previous job experience if you’re coming in from a different field. The core reasons behind this are simple:

  • Follow Professor Richard Feynman’s learning technique and keep asking until you can explain it yourself.
  • Those being asked questions are forced to reconsider their ways of doing things and might see room for improvement.
  • Your experience broadens the view of how things are done in cybersecurity.

What’s the biggest as-yet-unsolved problem in cybersecurity?

We are not handling cyber as a risk to be managed but as a computer problem to be solved. It’s the ‘bright, shiny object’ syndrome. Take some recent or current examples: blockchain, AI, fusion power technology — they are hyped, grounded, dismissed, or slowly brought into reality. If we rely on tools without orchestration and architecture, we will not manage cybersecurity as the risk it represents. Companies should seek solutions, which include tools, processes, and education. I am talking about the broad-scale application of cybersecurity for risk homeostasis or compensation, not the frameworks and recommended policies.

What industry or sector do you think cyber could learn from?

I’d rather name two research fields: biomimicry and history. Biomimicry is the idea of copying how nature solves specific problems to make technological progress. This field is in a very early stage, but I think it has a lot to offer to the technology industry. When talking about history, a prominent example of how it has already impacted cybersecurity is the Trojan horse story. And there are still a lot of lessons for security specialists.

Do you think the SolarWinds lawsuit will deter people from taking a CISO role?

In the short term, yes. At least, as long as it remains an unsolved situation in legal and organisational aspects. Specialists will look at the role and the assigned responsibilities and ask the board about the powers they need to handle these. If the data or identities related to a vital business process have become vulnerable due to external circumstances and a breach can be expected to happen imminently, does the CISO have the power to say, ‘Shut it down, fix it, and bring it back online afterwards’? It is one of those aspects of cyber resilience that is underdeveloped so far. Aspiring CISOs will know about these shortcomings in the mid to long term, and organisations will react to them.

What’s a CISO’s biggest headache?

The lack of a proper management approach to cyber risks influences many day-to-day decisions about leaving a process and digital assets vulnerable and exploitable. Communication is critical here but causes headaches as you tend to see no consequence, no change in behaviour or mindset.
