Secret CSO: Lenny Zeltser, Axonius

What’s the best career advice you ever received? "If you notice that you’re becoming too comfortable in your role, if it’s starting to feel too familiar, or too easy, it might be time to look for a new role"

IDGConnect_secretcso_suppliedart_lennyzeltseraxonius_1200x800
Axonius

Name: Lenny Zeltser

Organisation: Axonius

Job title: CISO

Date started current role: October 2019

Location: New York City

Lenny Zeltser is the CISO at Axonius and Faculty Fellow at SANS Institute. Prior to Axonius, Zeltser led security product management at Minerva Labs and NCR. Before that, he spearheaded the U.S. security consulting practice at a leading cloud services provider. Zeltser also helps shape global cybersecurity practices by teaching and sharing knowledge through writing, public speaking, and community projects. He has earned the prestigious GIAC Security Expert designation and developed the Linux malware analysis toolkit REMnux.

What was your first job?  I was a lifeguard at a summer camp during my high school days. In college, I worked as a Unix system administrator, which was the job that directed me toward a career in information security.

How did you get involved in cybersecurity? When working as a system administrator, I was tasked with hardening servers and workstations against attacks. I enjoyed anticipating malicious actions and setting up defenses, so when I had a chance to learn how to deploy firewalls and network intrusion sensors, I jumped at the opportunity. Gradually, one project at a time, I found myself deeper and deeper in the domain of cybersecurity.

What was your education? Do you hold any certifications? What are they? My undergraduate degree is in Computer Science Engineering — a program that built the foundation for acquiring practical, hands-on IT skills when I entered the workforce. Later, as I was progressing toward managerial and business-focused roles, I earned a Master of Business Administration (MBA) degree.

I earned a lot of professional certifications over the years. I started with vendor-specific ones (Microsoft and Check Point) then shifted to security credentials, including CISSP and a variety of GIAC certs, including the prestigious GIAC Security Expert (GSE) designation. Pursuing certifications has allowed me to focus on an area of IT and security where I wanted to increase my expertise. The certs have also helped me signal to employers and clients that I possess the requisite knowledge.

Explain your career path. Did you take any detours? If so, discuss. In my career so far, I’ve enjoyed catapulting into different roles in the cybersecurity ecosystem. I began with system administration and security engineering. Later, I was in consulting — performing security assessments and advising on cloud security matters. I also had business and product management responsibilities for security software and services. And now I’m a CISO, building a security program to support business objectives of a young, fast-growing company.

When I took time off work to pursue an MBA degree, I briefly considered leaving the security industry. I thought maybe I’d get into management consulting or perhaps become an entrepreneur. I didn’t know what I wanted, but I felt the need to extract myself from the security industry bubble. At the end of the program, which exposed me to many disciplines and individuals outside my comfort zone, I realised that I enjoyed security too much to leave it behind.

In parallel to these activities, I’ve been researching and teaching at SANS Institute, focusing mostly on malware analysis. I appreciate being able to switch out of my regular work environment for a bit to periodically connect with other security professionals in a classroom setting. This has motivated me to keep learning and has helped me avoid burnout.

Was there anyone who has inspired or mentored you in your career? My participation in the SANS community — as a student, author, and instructor — has been a source of inspiration for many years. I recall attending my first SANS class around 1999. It covered network intrusion detection and was taught by now-legendary Stephen Northcutt. I thought I knew the topic pretty well even before attending the class and was surprised to discover how much more there was for me to learn. Later, Stephen drew me into the SANS community and inspired me to want to not only continue to learn, but to also share what I’ve learned with others. Over the years, SANS faculty members and many of the students I’ve met while teaching have been my source of awe, knowledge, and inspiration.

What do you feel is the most important aspect of your job? As the CISO at Axonius, I support our business by addressing customers’ trust and security expectations and safeguarding our own data. I lead our cybersecurity program, which we’ve established and are continuing to mature. Infusing security into our culture and processes, collaborating with colleagues, understanding customer requirements, keeping up with attack and defense trends, staying on top of business goals… all these activities are key aspects of the role.

As an author and instructor at SANS Institute, I research and communicate the security skills I’d like myself to develop and maintain. This allows me to empathise with my readers and students, while also helping me grow as a security professional. As I shifted toward management and business responsibilities at work, my SANS efforts allowed me to maintain some technical hands-on skills.

I’m grateful for the motivation and opportunities to share what I learn with members of the community. Doing this has been an important aspect of my professional activities.

What metrics or KPIs do you use to measure security effectiveness? We defined high-level objectives for the security program at Axonius with the expectation that they won’t change often. In contrast, our efforts to support these objectives differ from quarter to quarter to account for the company’s broader initiatives during that time period. This approach allows us to continually mature the security program while aligning it to business goals. Each security project has its own performance indicators, such as achieving certain security agent coverage, addressing vulnerabilities according to a particular timeline, or attaining a specific certification.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? To me, the challenge of staffing the security team hinges on automating as many processes as practical. I’m thinking of managing the IT asset inventory, identifying and remediating security gaps, provisioning users and assigning privileges, configuring applications and systems, and so on. Automating such efforts allows the organisation to focus the attention of its people on the tasks that truly benefit from human attention and insights.

Another aspect of building a high-performing team involves creating an environment that attracts motivated, capable individuals and encourages them to stay and evolve with the organisation. Automation plays a key role in this, because it allows people to avoid repetitive tasks that unnecessarily draw energy and dull senses. We must also learn to take chances on people who show propensity to succeed if they receive training, so they can grow.

Cybersecurity is constantly changing – how do you keep learning?  To keep learning, I try placing myself in situations that force me to acquire new skills or otherwise motivate me to leave my comfort zone. This might entail seeking roles where I can apply security expertise in a different context, take on new responsibilities, or work in an unfamiliar industry.

I read a lot of blogs and follow many industry practitioners on Twitter. The posts and discussions help me stay on top of security trends. When I encounter particularly enticing content, I learn from it directly and earmark the topic for deeper exploration. I try to set time aside for independent research, which I view as my extracurricular activity. One example of such project, which gives me plenty of learning opportunities, is the REMnux toolkit for malware analysis, which I developed.

What conferences are on your must-attend list? As a Faculty Fellow at SANS Institute, I participate in a fair number of SANS conferences, which I enjoy tremendously. They offer so many learning opportunities through formal training and additional morning, lunchtime, and evening activities. I also very much enjoy the RSA Conference, because of the opportunities it offers to connect with so many security professionals.

What is the best current trend in cybersecurity? The worst? I’ve seen a lot of positive activity to incorporate “zero trust” principles into security programs. Instead of immediately granting access because the person connects from a trusted network, organisations are starting to make granular authentication and authorisation decisions based on the person’s validated identity and the state of the connecting system. I’m glad to see this.

The worst trend? Many of us continue to be easily distracted by cool new technologies, which we try to install even if we lack foundational security measures. It takes discipline to implement essentials such as asset management, which will ultimately allow us to be more effective and efficient with other aspects of the security program.

What’s the best career advice you ever received? If you notice that you’re becoming too comfortable in your role, if it’s starting to feel too familiar, or too easy, it might be time to look for a new role.

What advice would you give to aspiring security leaders? Take the time and exert the effort to understand yourself. What do you enjoy doing? What frustrates you? What are your strengths and weaknesses? Consider what opportunities might be available to you in the short term, based on your current skills, location, or other considerations. Such “situational awareness” will help you decide which roles to pursue, how to position yourself for success, and what knowledge gaps to cover to achieve your longer-term goals.

As you grow professionally, connect with members of the community, so you can share what you’ve learned and solicit advice. All members of the cybersecurity community have valuable insights to share to help each other in our individual journeys.

What has been your greatest career achievement? I see my career so far as a series of incremental milestones. The achievements that stand out in my mind include:

  • Earning the GIAC Security Expert (GSE) certification as part of the first two-person group to ever attempt it.
  • Turning around and growing a managed security service suitable for small restaurants and retail businesses.
  • Creating a malware analysis approach and training that has helped thousands of professionals expand their expertise in this field.

Looking back with 20:20 hindsight, what would you have done differently? I’m pretty happy with the choices I’ve made so far and have been fortunate about the opportunities that life presented to me. I cannot think of any major decisions that I would’ve changed.

What is your favourite quote? “Activity suggests a life filled with purpose,” proclaims a character from the movie The Sound of Music, chiding himself for engaging in inconsequential tasks. This quote reminds me to eschew busywork, which makes me feel active, but ultimately distracts me from the more meaningful tasks.

What are you reading now? I’m enjoying the sci-fi book A Town Called Discovery by RR Haywood. It offers an unusual take on time travel, which I appreciate. I also appreciate the intensity of its story and the humor of its characters.

In my spare time, I like to… Cook meals for family and friends. I like eating the food, too. The cooking process takes my mind off my day-to-day tasks and offers a productive distraction opportunity. Maybe it’s a form of meditation.

Most people don't know that I… Used to do ballroom dancing competitively.

Ask me to do anything but… Eat boiled onions in a dish. They’re the worst.