Secret CSO: Brian Grayek, Cosant Cyber Security

What do you feel is the most important aspect of your job? “I LOVE contributing to National Security or helping a great cause. I was fortunate enough to know some things that I was invited to teach to the FBI at Quantico in 2005.”


Name: Brian Grayek

Organisation: Cosant Cyber Security

Job title: vCISO & Member of Leadership Team

Date started current role: March 2021

Location: Tempe, Arizona

Brian Grayek builds and leads security teams focusing on Applications Security, Threat Management, Vulnerability Management, and Security Operations Center for some of the largest enterprises on the globe, including Motorola, Apollo Group, Computer Associates, and Verizon. Grayek possesses strong capabilities in managing Security Architecture and Engineering, Security Operations, Cyber Security Incident Response (CIRT/SIRT), SIEM, Identity & Access Management (IAM), Risk Assessments, Governance (SSAE18/SOC1, PCI), Vulnerability Management, NAC, DLP, DRP, BCP, MMC, penetration testing, web traffic monitoring, security investigations, forensics, and physical security. Most recently, for a large security consulting company, Grayek created a Security Operations Center from the ground up, including recruiting and building the team, initiating operations, developing policy and procedure, and establishing all functions to support major clients all over the United States.

What was your first job? Painting beehives for a beekeeper at 13 years old.

How did you get involved in cybersecurity? While in College, I found out that some students were able to get in to view their student records. I reported it to the IT Professor, who told me I was mistaken. Then I reported it to the Dean and proved to her it was true. She rewarded me by putting me in charge of the school’s RACF/ACF2 security.

What was your education? Do you hold any certifications? What are they? I started off getting an Associate’s Degree in Computers and Engineering, then received what equates to a Master’s Degree in high tech from Motorola. During that time, I was also going to night school to get my Bachelor’s Degree in Business. I have received a LOT of certifications over the years, but the ones most important now are CISSP, CCSK (Certificate of Cloud Security Knowledge), ITIL, and I’m also a TUF member of the FBI Infragard.

Explain your career path. Did you take any detours? If so, discuss. I started and owned an Upholstery and Automotive custom interior company when I was 15. By the time I was 18 and getting ready to go to college, I had to make the choice between continuing the Upholstery/Car work which was thriving (making a bundle of money at the time) or go to college to pursue my dream of working with computers. To many people’s shock and dismay, I sold the company and went to college.

Was there anyone who has inspired or mentored you in your career? The most important mentor in my life was one of the few female Executives at Motorola at the time; her name was Randine Hoefer. I was lucky enough to learn so much from her in almost 10 years that I tell people that Motorola (and she) basically made me what I am today. I remember an article years ago about how many Motorolans have later in life led other major companies and it’s easy to see why. Motorola did such an awesome job of educating us in ways that few other companies have ever or will ever do. I could write a book on how much they did and why it’s such a good investment in the people.

What do you feel is the most important aspect of your job? I LOVE contributing to National Security or helping a great cause. I was fortunate enough to know some things that I was invited to teach to the FBI at Quantico in 2005. While there, they allowed me to take a course in Personality Profiling which I’ve then used to help almost every team I’ve managed to learn about themselves. At Computer Associates, we were lucky enough to work with John Walsh, who’s famous for the TV series, America’s Most Wanted. John was working with the National Center for Missing and Exploited Children. We were able to work with John on building a program to help keep children safe online.

What metrics or KPIs do you use to measure security effectiveness? At every company I’ve worked at, we’ve maintained security metrics, and while they’re important to show to Executive Management, so they know you’re constantly improving, the one most important metric is breaches. If you and the security department are keeping your company safe from any breaches, then you’re doing a good job.

Next, my focus has always been on looking at a Risk Assessment rather than focusing on security metrics. The analogy I’ve used is like protecting your house. Why look at how many people come to the door or how good your door locks are if you keep leaving the garage door open at night? I work with too many companies that are focused too heavily on patch management that they have NO time for doing anything else. While patch management is extremely important, it’s not the only thing to worry about and while it’s one of the most prevalent methods of intrusions, it’s not the only one.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, there is a severe shortage of skilled security professionals, and I don’t see it getting better for quite some time. We need a consolidated effort at the highest levels of government, industry, and education if we’re going to impact this in our lifetime.

Cybersecurity is constantly changing – how do you keep learning? READ, READ, READ!!!  I must be on 10-12 security threads, I receive and read 3-4 security/industry magazines, and I’m constantly looking at new technology, attending security conferences, and talking with industry leaders about what’s on their mind.

What conferences are on your must-attend list? It’s been a while since we’ve had any physical conferences, due to COVID, but I’ve been finding more and more online webcasts that have kept my interest going. The conferences I personally like are the Security Industry Conferences and the FutureCon Security Conferences.

What is the best current trend in cybersecurity? The worst? The best trend in cybersecurity is GRC: Governance, Risk, and Compliance. I’m starting to believe that more can be achieved through GRC than through any other single methodology.

The worst trend is everyone claiming that their AI is the industry’s best and will catch it all. No one seems to have yet found the silver bullet, and while there are some good AIs out there, they still need to have other layers of a good security defence.

What's the best career advice you ever received? Randine, my mentor, told me that I was one of the smartest Engineers that she’d ever known, because I could talk to people and explain things like most Engineers couldn’t. She told me to go back to school and get my business degree, which I did.

What advice would you give to aspiring security leaders? Easy, find someone to mentor. You will be contributing to our industry in ways you can’t imagine. I have people contacting me saying that they saw me give a presentation 20+ years ago that was the Ah Ha moment that changed their career path to Security. You can be that Ah Ha moment creator.

What has been your greatest career achievement? I was asked to present with the FBI and industry leaders at the presentation of the White House National Strategy to Secure Cyberspace. I got my picture taken with the Presenters and Staff and it’s one of my most prized photos.

Looking back with 20:20 hindsight, what would you have done differently? Nothing. 2020 was a year of learning for me and I spent the year learning like I’d never done before. While most people were locking themselves away to protect themselves from COVID, I used all my spare time to read and learn more about things that have always interested me.

What is your favourite quote? Albert Einstein said one of my favourites: “If you can’t explain it simply, you don’t understand it well enough.”

What are you reading now? Edgar Cayce, Story of the Soul.

In my spare time, I like to… Build old classic cars into HotRods. I have a 1940 Ford Tudor that just received a Chevy 400HP engine. It is my next project car that will be like no other out there.

Most people don't know that I… Love to teach people about their personality, and how they can learn more from knowing their personality type.

Ask me to do anything but… Wash dishes. Sure, if I have to, I’ll find some XL gloves to wear. Sorry, I have to draw a line, and for me, shrunk-up hands are the grossest feeling out there.