Secret CSO: Christopher Gerg, Tetra Defense

What advice would you give to aspiring security leaders? “Don’t burn bridges.”


Name: Christopher Gerg

Organisation: Tetra Defense

Job title: CISO and VP of Cyber Risk Management

Date started current role: January 2019

Location: Madison, WI

Christopher Gerg is the CISO and Vice President of Cyber Risk Management at Tetra Defense. He is a technical lead with over 20 years of information security experience. Gerg has worked as a Systems Administrator, Network Engineer, Penetration Tester, Information Security Architect, Vice President of Information Technology, Director and Chief Information Security Officer. He has experience in the challenges of information security in cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial, and payment card industries.

What was your first job? When I was 15, I had a job as a corn detasseler. It was brutal – long story short, you pull the tassels off the top of young corn stalks so that they can selectively cross breed corn strains. It was hot and muddy and the corn leaves cut you to shreds. What made it worth it? I took the $400 I had saved and bought my first computer.

How did you get involved in cybersecurity? I started my IT career doing phone tech support for Microsoft. I then became a Windows system administrator and moved into networking. I worked with routers, switches, firewalls, and other networking gear and was asked by a good friend if I wanted to join him and a group of people to start a security team that did penetration testing. That was some time ago, and penetration testing was fairly new. It was VERY fun.

What was your education? Do you hold any certifications? What are they? I went to the University of Wisconsin – Whitewater and started out in Management Computer Systems (which focused almost entirely on programming. I was good at it, but I am more of a systems guy than a developer). Over the course of my career I have held a large number of Microsoft certifications (MCP, MCSE, etc.) and Cisco certifications (CCNA, CCNP, CCSP, and was almost ready to take the CCIE when I joined the pentesting team).

There were a few others as technologies came and went (Certified Citrix Administrator, for example). Security related certifications included CISSP and CHSP (Certified HIPAA Security Practitioner). Some of these certifications have changed over time.

Explain your career path. Did you take any detours? If so, discuss. I touched on it a little in earlier questions, but my path went from phone tech support, Windows system administrator and consultant, network engineer, senior network engineer, network security engineer (pentesting and consulting), network security manager, Director of QA, and then CISO (and various VP roles – and was a CTO at one point for a security startup). Once I got on the technical path, I stuck to it. I think that my strong background in networking has helped my security career immeasurably.

Was there anyone who has inspired or mentored you in your career? I have worked with some incredibly intelligent and capable people in my technical career. My best friends are all former or current co-workers. We push each other (kindly. Maybe “encourage each other” is better) and their intelligence and know-how always inspired me to learn more.

What do you feel is the most important aspect of your job? Leveraging my experience to find a way to help organisations do more with less. IT departments chronically must wrestle with limited budgets and headcounts. Finding ways to make them more efficient and also establish a plan to mature their information security program is challenging but interesting work.

I am also a strong believer in risk assessment and communicating risks to management. Management needs to have a good picture of the risks and threats to an organisation so that they can make risk-based decisions around budgeting and prioritisation of projects (or make educated decisions about doing nothing or insuring against the risk).

What metrics or KPIs do you use to measure security effectiveness? The foundational security best practices are also the best place to look for useful metrics for most organisations with immature information security programs. Authentication (and user accounts), asset management, patching, anti-malware tools’ functions, and what services are exposed to untrusted networks (like the public Internet) are a good start. Once you have a good handle on the foundational aspects of your organisation, you can move to more in-depth instrumentation.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We are growing like crazy – mostly with our Incident Response team. We have hired a dedicated recruiter and have a large number of our team members working remotely (making it easier to find people since our geography is not a limiting criterion). It is hard to find people who are not specialists for our proactive side of the business. These folks need to not just be an auditor, or a network specialist, or a SOC analyst. They need a broad background to help our clients build a roadmap to maturing their information security program in a way that directly makes their technical assets an enabler for their business.

Cybersecurity is constantly changing – how do you keep learning? I am lucky in that through my company’s experience with a variety of verticals on the proactive side and our incredible experiences on the Incident Response side, we keep up with the threats and risks as well as the attackers’ methodologies and techniques. It makes prioritisation a lot easier when you know what is being attacked RIGHT NOW and how.

We do a lot of sharing between our team members and keep up to date with industry sources of threat information, but if I need to get caught up with what is going on in the industry, a few sources have bubbled to my short list of information sources to constantly monitor: theregister.co.uk, bleepingcomputer.com, arstechnica.com (not entirely infosec related), us-cert.gov, badpackets.net, and various vendor websites (like SentinelOne, Secureworks, etc.).

What conferences are on your must-attend list? I used to attend DefCon when it was at Alexis Park and there were no more than a few thousand people in attendance. Right now, the main conference series my company is involved with is related to the insurance industry: NetDiligence. BlackHat is still one of the most important, as well as the RSA conference, although I prefer the smaller conferences that are less vendor-heavy, and at which the folks at my company are often asked to speak.

What is the best current trend in cybersecurity? The worst? This is a sword that cuts both ways. The best trend is the incredible improvements in the tools that help monitor, alert, manage, and prevent. For example, the advanced threat protection tools from companies like SentinelOne, Carbon Black, CrowdStrike, and FireEye are incredible. The worst trend is that with all these tools, managing them cohesively is difficult if not impossible. You end up with dozens of point solutions.

What's the best career advice you ever received? The short advice was “Don’t burn bridges. You never know who you’ll be working with again or maybe who will be your boss somewhere else.” The long and underlying message was to foster relationships. This has been valuable particularly as an information security leader in organisations. Effective infosec leaders are able to communicate risks and get consensus on the importance of a change necessary to address a risk. It’s also something to keep in mind: instead of saying a flat “no,” take the time to understand what they are trying to do and find the “gray” – the middle ground that allows the thing to be done in a secure way. While I believe that compliance obligations and auditors live in a black and white world, “reasonable” and “appropriate” live in the gray instead of the black and white. You’ll never get there without communication and collaboration (the relationship).

You know… There IS another thing. When you’re mad don’t send the first draft of that email torpedo you’ve crafted out of rage and vengeance. Sleep on it. When you’re calm either delete the email and work on the relationship and communication failure that caused the issue or rewrite it (and work on the relationship and communication failure).

What advice would you give to aspiring security leaders? Don’t burn bridges. Foster relationships. Communicate. Don’t start with the assumption that the person you’re talking to is incompetent, stupid, or selfish. Most people are trying their best and earnestly trying to do their job and meet their expectations. The problem is that information security training is lacking in most technical training. Be an educator. Be a collaborator.

This makes me think of a picture I saw once that shows the difference between a boss and a leader. The boss is sitting on top of the stone block and pointing while the workers are pulling the rock. The leader is down with the workers helping pull the rope (https://i.redd.it/hie5nf98o1fy.jpg). Be the leader.

What has been your greatest career achievement? One of the things that I am most proud of is a team of people that I led at a company that shall remain nameless. I was tasked with bringing together the IT teams from several companies that were brought together through a merger/acquisition. Both teams were understaffed, had countless point solutions and the whole thing was falling apart. We came together and rebuilt pretty much everything – standardising, consolidating, and automating along the way. When we were done the team was cohesive and motivated – they also had the time to actually get projects done on time and on budget. In the process we saved the company millions in the first year – and the efficiencies continued past my time with the company. I use what we accomplished as a model for companies I work with now.

Looking back with 20:20 hindsight, what would you have done differently? I would listen to my own advice, and not leave the damaged path my anger (and pride) sometimes left. Realise at a younger age that I am not the smartest person in the world (which is hard for a nerd). I look back and like the path my professional life took. I took some chances (and some organisations and people took chances on me) and don’t regret sticking my neck out a little and betting on myself. It didn’t always pay off, but it usually did.

What is your favourite quote? “Make sure you like the person who’s looking back at you in the mirror.” – My Dad.

What are you reading now? It’s going to sound strange, but… The new entry in “The Murderbot Diaries” (Network Effect: A Murderbot Novel (The Murderbot Diaries Book 5)) is the first full-length novel in a series of novellas by Martha Wells. I am a voracious Sci-Fi reader. My go-to is the Dune series, but I get sucked into well written series. ANYTHING by John Scalzi is INCREDIBLE. Reading Sci-Fi is my escape.

In my spare time, I like to… I am a HUGE Premier League fan (English soccer) – I watch every game I can. (CHELSEA CHELSEA CHELSEA!)

Most people don't know that I… Fly old Cessna airplanes (I am hours away from my private pilot’s license). It has been a lifelong dream and has been an exciting challenge to learn to get my license to fly.

Ask me to do anything but… Lie or cheat. That’s no way to live.