Secret CSO: Etay Maor, IntSights

What metrics or KPIs do you use to measure security effectiveness? “There are several good approaches to measuring security effectiveness, however, it ultimately boils down to risk management and mitigation.”


Name: Etay Maor

Organisation: IntSights

Job title: CSO

Date started current role: August 2019

Location: Boston, MA

Etay Maor is IntSights’ Chief Security Officer, an industry-recognised cyber security researcher and keynote speaker. Previously, Maor was an Executive Security Advisor at IBM, where he created and led breach response training and security research. Prior to that, he was the Head of RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams and was part of cutting-edge security research and operations.

What was your first job? My first job was working at a small bookstore as a kid. I worked there for two summer vacations and while the job itself mostly involved fetching schoolbooks and notebooks for people, during quiet times I could sit and read books and magazines. I started my first full-time job in 2000 as a security product trainer at Camelot, a Softbank-backed security start-up, which I started two days after I finished my military service.

How did you get involved in cybersecurity? I have always been around computers since my father bought a Commodore-64. I started by playing games (which I still do to this day) but when I wanted to learn more I had three great resources: a brilliant neighbour down the street from where I lived who explained to me what an OS is and how it works (he also introduced me to the internet in late 94); a Bulletin Board System which I would connect to every Friday night (or when my parents wouldn’t notice I was using the phone line) and from which I learned a lot; and my group of friends at school who had a similar interest and with whom I shared ideas.

My first encounter with the power of cybersecurity (or lack thereof) was when I gained access to my school’s database and changed my grades. Not the ideal way and I wouldn’t recommend it today – but all I got was a slap on the wrist – I am sure that if I had broken into the school and changed my grade on a piece of paper, I would have a police record. That got me thinking what else can be done via computers…

What was your education? Do you hold any certifications? What are they? I was never a good student. My parents would always push me to study harder, but I couldn’t find any interest in school and preferred my three “go to” activities – computers, playing bass and dungeons and dragons. Without studying much I did graduate (to my parents’ surprise), did my military service, and then started working.

In 2003, I wanted to get a degree in business but my dad (very wisely) convinced me to first learn the technology and then study the business aspect. I did my bachelor’s in computer science while working in the field, and in 2013 decided to go and get a master’s degree in counter terrorism (with a special branch in cyber terrorism). I have always toyed around with the idea of getting a CISSP or CEH but never really saw a need for it. I do hope to get some free time and go for an OSCP certification – the test looks like a lot of fun!

Explain your career path. Did you take any detours? If so, discuss. While I started what would lead to my career in school, it was during my military service that I gained more of an interest in computers and training. When I finished my military service, I started working for Camelot which had a product that (I think) was ahead of its time. I learned a lot of things during that period and when the company closed, I completed a short role as a security advisor.

During my studies, and to the vocal dismay of the dean at the school for computer science, I worked in technical support roles and as an Oracle system trainer, mostly homing in on my presentation and teaching skills. Just before graduation I joined a company in the printing field, this time with slightly more product involvement but with a lot of customer engagements and flights around the world (that is where the flying bug got me).

In 2007, after five years, I finally came back to the security world when I joined RSA Security (ex-Cyota) as project manager, then I became manager of the knowledge delivery team and finally, I became the head of the cyber threats research lab. After 6 years at RSA I joined Trusteer who were later sold to IBM. I started as a technical product marketing manager and then moved to a security advisor role. Following my move to the US with IBM, I helped create IBM’s cyber range and trained companies in responding to breaches. In 2019 I joined IntSights as chief security officer where I created our services offering. I also conduct strategic research, regularly write for the IntSights blog, and do all the things I love. In addition, I am an adjunct professor at Boston College where I teach cyber security.

Was there anyone who has inspired or mentored you in your career? I was lucky to have several great mentors during my life. My first mentors are my parents who always tried to push me to succeed in what they saw was the best path, and while we had significant arguments, I know they always wanted what was best for me and I am sure this is my main reason for success (that, and perhaps the drive to show them emails that are sent to me that start with “Dear Prof. Maor” when they were not sure I would even finish high school).

I have already mentioned my second mentor, Itamar Laron who was my neighbour, and as a kid got me interested in how things really work and what can be achieved.

The third and fourth were two high school teachers – Asher Geva (RIP), who taught computers, and Meir Gan-Or, who taught drama classes but whose approach to life was inspiring.

Last but not least – I had several people at work who mentored me in different ways – Uri Rivner who persuaded me to get on stage and share my knowledge; Yishai Yovel who showed me how the smallest of details can change the entire picture; and my two best friends, Hanan Bercu and Itamar Kunik, who constantly challenge, aid and keep me sane.

What do you feel is the most important aspect of your job? Enabling. This field has so many great minds from so many different backgrounds and competencies, so I feel that helping these different and diverse approaches allows the individuals to reach their potential and ultimately serve as a force multiplier for the organisation and its clients.

What metrics or KPIs do you use to measure security effectiveness? There are several good approaches to measuring security effectiveness, however, it ultimately boils down to risk management and mitigation. This means we have to measure the controls based on what they can prevent or minimise in terms of data, brand, monetary loss etc., but we must not forget that we don’t just deal with the bottom-line successes/failures – we have to take into account time and effort to get a clearer picture of efficacy. This type of analysis helps with understanding and/or defining the organisational risk tolerance.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? As a start-up, the main challenge I see is not finding someone who can do a specific job but finding people who can do multiple roles and have the start-up mindset. I have worked for both big companies and start-ups, and while it ultimately boils down to personality, larger companies usually have specific roles they need to fill, and some people feel very comfortable in those positions.

What we look for are those who constantly look to challenge and improve the organisation, can quickly adapt to new challenges and don’t feel comfortable just doing the same thing over and over – finding those types of personalities can be hard.

Cybersecurity is constantly changing – how do you keep learning? I always have to stay up to date – that comes with the job but it is also a personal interest of mine (I’m the type that sits and reads about cyber security after the workday and on weekends). I also force self-learning by teaching my students new things every semester.

I am lucky to be part of several instant messaging groups with other researchers and cyber security professionals and I also get to go to many events and hear other professionals update on their findings and research.

What conferences are on your must-attend list? Full disclosure first – I am part of the RSA conference and QuBits conference CFP committee. I have always enjoyed RSA; I know it tends to be bashed for turning into a vendor-based event but the talks are actually top notch. I have also always liked BlackHat and DefCon. Recently I started to go to smaller and regional events, like ISACA for example, and found some of the discussions to be great.

What is the best current trend in cybersecurity? The worst? Instead of solely focusing on technology in this answer I will address it as a combination of people, processes, and technology. The best, after years of screen and alert fatigue, is the rise in demand for consolidation of capabilities. Practitioners don’t want a dozen screens from a dozen products in order to do their job. The result is that (some) vendors are picking up their game and are starting to offer more holistic solutions, ones that easily integrate with other products and allow the practitioner to do the job in a much more streamlined fashion.

The worst trend is one that has been around for way too long – passwords. We are seeing many of the more nefarious attacks use credential stuffing and easy-to-guess passwords as well as social engineering to obtain other static passwords. This needs to change.

What's the best career advice you ever received? You can’t do everything yourself. As much as I love researching, training, writing etc, I had to learn to entrust other people with these tasks.

What advice would you give to aspiring security leaders? When recruiting it’s not all about technical skills. My mantra is that I can teach and train almost anyone, but I cannot change their personality. It’s all about their approach and hunger to learn, succeed and challenge the current state of mind.

What has been your greatest career achievement? I can’t really point to one specific big achievement because I love the little achievements. From a client who contacts me back and says we just saved him from a significant attack, to a student who said to me “I can’t believe I just succeeded in this”, it’s all the “small” things that show you have made a difference.

Looking back with 20:20 hindsight, what would you have done differently? I consider myself lucky to have worked with some great people. The one thing I would have done differently is perhaps pay less attention to negative and arrogant people I met early in my career. Those that instil doubt and confusion. Today, it is very easy to identify and ignore negative people but early on in my career that was not the case.

What is your favourite quote? Mark Twain captured the problem I always struggle with when creating presentations: “I didn't have time to write you a short letter, so I wrote you a long one.”

What are you reading now? I went back to review How Not to Be Wrong: The Power of Mathematical Thinking by Jordan Ellenberg.

In my spare time, I like to… Be with my family, play bass guitar, develop new teaching modules, and practice card magic.

Most people don't know that I… Used to watch “Top Secret”, “Spaceballs”, “The Princess Bride” and “Beetlejuice” on two VHSs on repeat and know most of the movies by heart.

Ask me to do anything but… Nap or go to sleep. I have always been extremely active and the thought of going to sleep instead of doing something, anything, else is just painful to me (my parents, angry neighbours, wife etc. will all attest to that).