Secret CSO: Sam Rehman, EPAM Systems, Inc.


Name: Sam Rehman

Organisation: EPAM Systems, Inc.

Job title: CISO and Head of Cybersecurity

Date started current role: June 2020

Location: San Francisco, CA

Sam Rehman leads EPAM's internal and external security functions as Chief Information Security Officer, SVP. In his role, he is responsible for all aspects of information security in the company, including the oversight of EPAM's internal controls, the CyberR&D Lab, the company's security research and insights arm, and EPAM's full, global Trusted Services model for customers. With 30+ years of experience in both software product engineering and security, he is a proven technology expert and evangelist with patented inventions in software security, cloud computing, storage systems and distributed computing.

What was your first job? My first part-time job was as a data entry operator at a large bank. It was a very boring job, really—I had to take the printouts from one program, take several fields, then merge and type them into another program. Super boring—and I hate redundancy—so I ended up writing a program to do it automatically and gave it to them as a parting gift.

My first full-time job was a start-up with my brother—we wrote a table-driven optimising compiler that had code-obfuscating capabilities and various runtime integrity checks and data-hiding modules.

How did you get involved in cybersecurity? I fell in love with both defensive and offensive programming while working at the start-up mentioned (Quantum Development) and at my next start-up (Newspager, a compressed, encrypted wireless data network). I also got involved in a competition called Shroud C (on uucp/nntp) and won it back in the early 90s.

What was your education? Do you hold any certifications? What are they? I was in high school when I started. This was the late 1980s I'm talking about, but CEH and OSCP helped me a lot; I highly recommend them.

Explain your career path. Did you take any detours? If so, discuss. I've always stayed close to security, but I believe that in security, you cannot just stay in one domain or level. The bad guys will cut across and get to what they need to get to. So, I got deep in OS/kernel, I got deep in communication (both wired and wireless), I got deep in storage/filesystems, and code generation and crypto. If you look at my career, I jump to areas where I can learn the most; that's always my goal – where I'm weak, so I can grow. That's by design. For every job, I go in with the intention that I will push myself hard to learn. It's the same philosophy I have in life – I go from one dojo to another when I practice martial arts, start from the bottom and work myself up. Once I get to a good level, I go to another. I want to be balanced and a "wide-T" – meaning a good breadth of knowledge, but mastery in one or two areas. And stay technical.

Was there anyone who has inspired or mentored you in your career? Oh, too many to name. Dennis Ritchie, Aho, Turing, Kirk Marshall, Jim Gray, Ken Thompson, Schneier, Wozniak, Thomas Kurian, Tony Fascenda, my brother, Jacob Needleman—too many to name, really. Some of them I've worked with and learned a lot from, some I have a formal mentorship arrangement with, and some simply inspired me through their work and books. Really, too many to name.

What do you feel is the most important aspect of your job? Always stay sharp and fit—applies to both cyber and physical defense.

What metrics or KPIs do you use to measure security effectiveness? Some I can share, but there are some that I would not be able to share because they would show where we are focusing (sensitive). But in general:

  1. Org strength (fitness): TTT, TTM, TTV, MTTD, IR count and funnel, intrusion count, ICN publish time, patch count and lag
  2. Cost: IR cost, false-positive responses, etc.
  3. Outside in: L1/L2 findings, footprint changes, ICP requests, etc.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We are very lucky. Because we have a pipeline and a system for training and building up talent (that's our business, after all), we have been able to expand our talent pool in network, cloud, IAM, offensive/red teams, and other areas. We do lateral hires to bring in experience as well, but having a pipeline is critical. The most difficult is (defensive) culture, honestly – not a specific role. But if I have to pick a role, I will say reversers and cyber intel (as always) are the hardest to find and hire.

Cybersecurity is constantly changing – how do you keep learning? By a) my network (feeds, connections, etc.), b) staying involved—we are constantly evaluating products in sandboxes, so we stay on top. That way, once we see a real need and see a solution that meets our maturity standard, we can deploy with confidence, c) government liaisons and channels, d) analysts, who are very helpful for the landscape (market movement, etc.), e) roundtables and private groups—I host a couple of them, and I've been involved in a few others. It's very helpful to hear from my peers in the market.

What conferences are on your must-attend list? Black Hat, DEF CON, Gartner Security Summit, RSA, all the typical ones.

What is the best current trend in cybersecurity? The worst? The best is 'zero trust.' Honestly, we have all been pitching for this already, and ML-based solutions (although still a ways away before fully realised). The worst is the 'one-click-fixes-all' type of solution. There is NO silver bullet, and anyone who claims that it can be a hassle-free single solution is not being truthful.

What's the best career advice you ever received? Remember, you are always in control; you can always choose, never forget that.

What advice would you give to aspiring security leaders? Stay interested and hungry. It's an amazing field and there is plenty to learn and explore. Find your interest—your interest will make any hard work and difficult times meaningful. Don't just do it for the money. Trust me – security will always be hard.

What has been your greatest career achievement? Yet to come :) But being able to have a great relationship with my two kids and my wife while being dedicated to my work is hard, and it's something I'm proud of. I won't call it my greatest career achievement, but there is no career without your family. The rest, you will have to ask my peers – it's for them to say, not me.

Looking back with 20:20 hindsight, what would you have done differently? Everything – why do it again when you have done it already?

If I had to pick one thing – let myself make more (small) mistakes. I learn so much from them; as long as they are not repeated and don't turn into habits, mistakes are gold nuggets.

What is your favourite quote? "In the beginner's mind there are many possibilities, but in the expert's mind there are few" – Suzuki Roshi.

What are you reading now? The Inner Journey – Edited by Jacob Needleman.

In my spare time, I like to… camp and bushcraft with my kids, train in martial arts and close-combat sports, and spar with people better than me, physically and mentally.

Most people don't know that I… will not tell them what they don't know about me, so they will stay not knowing.

Ask me to do anything but… take a back seat.