Secret CSO: Tim Bandos, Digital Guardian

What is the best current trend in cybersecurity? "The best trend in cyber security today is the notion of automating and integrating your security solutions through orchestration type software and available API’s."

Digital Guardian

Name: Tim Bandos

Organisation: Digital Guardian

Job title: CISO & VP Security Managed Services

Date started current role: October 2020

Location: Tampa, Florida

Tim Bandos, CISSP, CISA, CEH is CISO and VP Managed Security Services at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity world and has a wealth of practical knowledge gained from tracking and hunting advanced threats that targeted stealing highly sensitive data. A majority of his career was spent working at a Fortune 100 company where he built an Incident Response organisation and he now runs Digital Guardian’s global Security Operation Center for Managed Detection & Response.

What was your first job? My first position starting out of college was working for a manufacturing company in their IT Audit organisation. I got to travel the world and assess IT controls at all of their facilities and various business units. This job gave me a solid framework for cybersecurity with understanding IT management & risk, technical configurations of operating systems and network devices, physical security, compliance, penetration testing, and much more.

How did you get involved in cybersecurity? My first job out of college was where it all started for me in cybersecurity within IT Audit. It was my launchpad into the industry!

What was your education? Do you hold any certifications? What are they? I attended the University of Delaware and obtained a bachelor's degree in Finance and Management Information Systems. I initially thought I was going to have a career in Finance and even applied for a job at DuPont in their Finance Field program. The field program rotates you to various finance-related positions, however, the first job they placed me in was within IT. This is where I fell in love with cybersecurity and acquired various certifications such as CEH (Certified Ethical Hacker), CISA (Certified Information Systems Auditor), CASS (Certified Application Security Specialist) and CISSP (Certified Information Systems Security Professional).

Explain your career path. Did you take any detours? If so, discuss. After working in IT audit for 6 years, I transferred to an internal security department and had the opportunity to build an Incident Response (IR) / Security analyst team. This organisation was focused on detecting and preventing advanced cyber attacks from state-sponsored entities. The skills I gathered there were in IR, Forensics, Log Analysis, Reverse Engineering, and Threat Intelligence. Personally, I love Incident Response more than any other field in cybersecurity. Of course, it’s not ideal conducting breach investigations, but secretly it is the most exhilarating.

Was there anyone who has inspired or mentored you in your career? I’ve had a countless number of people inspire me in my career from great bosses to even not so great bosses, security consultants, and other co-workers as well. I think it's important to always strive to develop new skills in your career and progress as far as you can learning about as much as you can. Cybersecurity is so vast and can lead you in a ton of different directions but I do think it's important to have focus as well.

What do you feel is the most important aspect of your job?  The single most important aspect of my job is keeping both our customer’s and Digital Guardian’s data safe from attackers. Data protection is critical along with continuing to mature your controls in this area to provide you with an appropriate level of assurance that your organisation can deter a cyber-attack.

What metrics or KPIs do you use to measure security effectiveness? When it comes to risk mitigation, I think the two most important KPIs to measure are Mean Time to Detect (MTTD) and Mean Time to Contain (MTTC) and Resolve. If you’re not able to detect a successful breach within minutes, then you need to adjust your security posture and gain the right level of visibility across your environment. Visibility is key. That goes for containing a breach as well. Ensuring you have controls in place to move quickly with implementing blocks or segmenting endpoints from the network will drive your MTTC down significantly. I think it's important to measure Cybersecurity Awareness. Have all your employees been properly trained? How many employees clicked on a link or an attachment during a Phishing Exercise? Often times employees may inadvertently open up the gates for an adversary to come in by falling victim to phishing so it's critical to ensure everyone is trained on what to look for and avoid. Patch Management is also another key KPI to measure in terms of days to patch and the existing number of high/critical vulnerabilities that need to be fixed. 

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? At my current employer, we’ve spent a lot of time building out a team with the appropriate level of skills to deliver Managed Security services. A lot of companies today though face these challenges with hiring the right folks with strong capabilities. I think the most difficult positions to fill in cybersecurity are computer forensic examiners and reverse engineers. These skills take years to develop and can be critical during incident response engagements.

Cybersecurity is constantly changing – how do you keep learning? I arrive to work one hour early every day and spend my time reading blogs, catching up on cybersecurity news, and even tinkering with new tools released to stay on top of my game. It’s important to not only continually educate for awareness but also to retain hands-on experience.

What conferences are on your must-attend list? I attend the RSA Conference, BlackHat, DefCon, and various B-Sides events. To me, these conferences provide a ton of information and opportunities to learn, along with the chance to connect with others in the industry. Of course, there are a ton of other solid choices but these definitely offer the most exposure to the industry in my opinion.

What is the best current trend in cybersecurity? The worst? The best trend in cyber security today is the notion of automating and integrating your security solutions through orchestration type software and available API’s. I love the fact that all of our security investments no longer have to sit in separate silos requiring individuals to log into each specific console to take action. Today we have the ability to initiate a single request that’ll propagate throughout your entire stack if you choose to do so. Want to block a specific IP address? Bam: request sent to your firewall, proxy, and local endpoint for real-time prevention.

The worst trend in cyber security is the lack of security used in IoT type devices, specifically, medical devices. It’s a pretty cruel world when we hear about pacemakers or insulin pumps having vulnerabilities that have been targeted by a cyber threat. The same goes for Ransomware operators that target hospitals and put human lives at risk for the collection of some Bitcoin. This is one trend I wish would go away forever.

What's the best career advice you ever received? I had been working for my last company for close to 12 years, which is a considerable amount of time nowadays to stay with a company. One day I received a call to take a new opportunity with Digital Guardian. At first, I dismissed it because I loved my job and the people I worked with but someone close to me said that it's important to be open to change in your career. It’s easy for us to settle in and be content, but you may miss out on other opportunities. I didn’t know what all I’d achieve coming to DG, but I can say it was the best decision I’ve ever made with my career.

What advice would you give to aspiring security leaders? It’s important for aspiring security leaders to learn as much as they possibly can and continuously build up new skills. If your current role doesn’t provide an opportunity to progress or give you the experience you need to evolve you can also create opportunities for yourself. When I started off in IT Audit, they would have a checklist of 200+ items to audit for. It was the same each time and extremely boring. I took a more proactive approach to the job and demonstrated how various vulnerabilities could be exploited using tools or techniques by adversaries. This was something that was never done before but was considered a significant improvement over the traditional approach and it made the job so much more interesting. Who doesn’t love hands on pen-testing? 

Put in the effort and you will be rewarded. Managers will always know who on the team is a clock watcher and who is there to go above and beyond. If you’re only putting in the bare minimum, then don’t expect to have a rewarding career. If you’re not waking up before your alarm clock goes off because you’re excited about work, then find something that does in cybersecurity. Once you’ve identified your area of interest set goals, both long/short term and achieve them.

What has been your greatest career achievement? My greatest career achievement is becoming a CISO. 15 years ago when I started out in cybersecurity it was my ultimate goal. I dedicated all of my time to learning this field. Spent countless hours even on weekends researching and reading about all the various domains in security. It’s been my passion for quite some time now and only continues to grow stronger.

Looking back with 20:20 hindsight, what would you have done differently? I probably would’ve mined some Bitcoin but that’s about it. I do believe that everything I’ve done in the past has led me to where I am today. There have been times in my career where I had to work on projects that I didn’t specifically want to do but in the end, it always taught me something new.

What is your favourite quote? “If you are the smartest person in the room, you are in the wrong room.” When I hire folks for my team, I always look for the smartest people I can find. Not only will this allow me to learn from them, but it also bridges any gaps that I may have and provide a well-rounded organisation.

What are you reading now? Right now I’m reading Drive by Daniel Pink and Myths & Realities of Cyber Warfare.

In my spare time, I like to…  play pool, chess, coach baseball, play tennis, and spend time with my family. I also love to cook, but more importantly, I love to BBQ. Everything from brisket to pulled pork, smoked wings etc. I own 9 different smokers. My wife tells me I’m at my limit but 10 grills sound so much better than 9, right?

Most people don't know that I… I’m a black belt in Tang So Doo. I grew up with martial arts and even took first place in a world championship for fighting. Karate taught me so many life lessons that I continue to use today. Concentration, respect, discipline, humility, etc. These are all qualities we should have and will only drive you further in your career.

Ask me to do anything but…  eat something with mustard on it. I despise that condiment more than any other food. In all seriousness, though the one thing I’ll never do is quit or give up on something. When I was a freshman in high school I made the basketball team and I was so excited. During the second game though I was elbowed in the nose, tripped, and received several bruises. Instinctively I wanted to throw some roundhouse kicks but I ended up quitting the team. I gave up over a bloody nose. There is a part of me that wishes I could go back and change that decision, but it was the decision that moved me forward to never throw in the towel again for something I was passionate about. Whether it's sports, a new job, or even a project you’re working on you need to give your all and that goes for cybersecurity too. Dedicate yourself to this field and I promise it’ll be highly rewarding.