Secret CSO: Brian Wrozek, Optiv Security

What advice would you give to aspiring security leaders? “Leverage and build upon what’s already available. Reuse and repurpose.”


Name: Brian Wrozek

Organisation: Optiv Security

Job title: Chief Information Security Officer

Date started current role: December 2018

Location: Dallas, TX

Brian Wrozek is a seasoned cybersecurity executive with 20+ years of experience in IT and information security and management. As vice president of corporate information and physical security at Optiv, Wrozek oversees all corporate security functions including cyber operations, incident response, vulnerability management, and security governance activities. Prior to assuming this role, Wrozek was a managing executive director at Optiv who worked closely with security executives to provide c-suite advisory services defining cyber strategy, roadmaps and solutions to meet clients’ security objectives. As an adjunct professor in the Satish and Yasmin Gupta College of Business at the University of Dallas, Wrozek teaches graduate-level cybersecurity courses. He is also a board member for the Texas CISO Council, an Information Sharing and Analysis Organization (ISAO).

What was your first job? My first paying job was shovelling snow in Michigan. My first real job was computer programming with Texas Instruments.

How did you get involved in cybersecurity? I got involved in cybersecurity as my career progressed from programmer to system administrator, because there are security elements in any IT job. My career actually shifted when I provided Unix expertise to our internal investigations team. They needed some help on a case, and I provided the technical forensics support. They realised it was handy to have someone who could fill that role. Since I enjoyed the challenge of the investigation, I was officially a security professional from then on.

What was your education? Do you hold any certifications? What are they? I have a B.S. in Computer Science from Michigan Tech. Ten years into my career I pursued and completed my MBA at the University of Dallas. I also have an information assurance certification from the University of Dallas and a CISSP certification.

Explain your career path. Did you take any detours? If so, discuss. My path went from programmer, to system admin, to cybersecurity. I started out as a forensics investigator and then moved into a CISO role and have been in that type of position ever since. The role has expanded over the years to include privacy and physical security responsibilities.

Was there anyone who has inspired or mentored you in your career? Absolutely. John South. When I met him, he was the director of security at Alcatel. He also went on to be the CSO at Heartland Payment Systems and has been a professor at the University of Dallas for many years. He was, and remains, instrumental in my career.

What do you feel is the most important aspect of your job? The most important aspect is giving people the confidence to securely do what they need to do in this digital world. I like that I help my organisation and my clients worry less about security so they can concentrate on their job.

What metrics or KPIs do you use to measure security effectiveness? I treat security metrics and KPIs like a doctor would respond to me asking, “Am I healthy?” There isn’t one metric that says I’m healthy. Is it my weight? My blood pressure? There are a lot of factors to being healthy. The same goes for security. I look at it as a collective view that changes over time, because there are no vulnerability or compliance metrics that tell you explicitly if you’re “secure” or not. At the basic level, look at fundamentals. As an organisation matures, they can look at more advanced metrics. Obviously, as in health, we zone in if there’s something really wrong. If there isn’t, we look to keep the whole body, or business, moving.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? It is in the sense that 1) it’s made it harder and takes longer to find people in an extremely competitive landscape, and 2) we have to be more creative with our hires and be more willing to train and give people a longer runway to come up to speed.

Some of those very application-specific technical roles are very difficult to fill because they have to be an expert with the underlying technology. It’s a double whammy where we’re looking for someone with the specific skillset first and then making them go an extra step to secure it.

Cybersecurity is constantly changing – how do you keep learning? I’m an avid reader of books, articles, blogs and thought leadership pieces. I also find it key to interact with peers in industry groups, such as ISACA and ISSA.

What conferences are on your must-attend list? OptivCon! I enjoy industry analyst events and the big ones, such as RSA and Black Hat, because they draw great speakers. I also really enjoy local events. It’s important to give back and interact with local professionals and others who are simply interested in cybersecurity.

What is the best current trend in cybersecurity? The worst? The best is hands down – the increased awareness. Five years ago, we would never hear about cybersecurity on Good Morning America. Now, ransomware, identity protection and other cyberthreats are mainstream. This is great, because it will also help attract people to the profession.

The worst is 1) Point solutions – It boggles my mind that a lot of start-ups try to solve a very narrow, niche problem, which creates massive technology sprawl, and 2) we’re still making the same mistakes year after year after year. There’s very little movement on the OWASP group’s top 10 vulnerabilities. That has hardly changed. We know these are issues and still make the same mistakes. I can still pull lists of compromised passwords and the top choices will still be the go-tos like “123456” or “password” or some form of “seasonyear.”

What's the best career advice you ever received? It is my job and my job alone to balance work, life and stress. A lot of us get into this because we’re driven, and most companies will gladly allow us to work 90 hours/week. We’re responsible for our own health, our own well-being and our interpersonal relationships. Time goes by fast, so don’t miss the rest of what life has to offer.

What advice would you give to aspiring security leaders? Leverage and build upon what’s already available. Reuse and repurpose. Rather than creating your own new framework, use the NIST framework. Make the improvements you see fit, but don’t try to recreate what doesn’t need to be recreated.

What has been your greatest career achievement? That I’ve lasted this long in cybersecurity. It’s an industry where everything is changing and you’re constantly under attack. It’s stressful. It’s a tough industry to have a long, fulfilling career in, so I’m proud of the success that I have had and that I have stayed in it this long. Oh, I’m not done yet.

Looking back with 20:20 hindsight, what would you have done differently? I certainly would have asked for more help in managing the stress levels that come with the job. Again, CISOs tend to think it’s all our responsibility. If I had to do it all over again, I’d approach different departments and teams to support our efforts.

What is your favourite quote? “Evil triumphs when good people do nothing.”

What are you reading now? I just started a book called Cyber War by Richard A Clarke.

In my spare time, I like to… Run.

Most people don't know that I… I’m actually quite good at baking all kinds of bread – bagels, loaves, English muffins and pretzels… hence why I run so much.

Ask me to do anything but… Anything that involves tools. I can’t use a hammer or screwdriver. Don’t ask me to do a home improvement project.