Name: Daniel Spicer
Organisation: Ivanti
Job title: CSO
Date started current role: June 2021
Location: Colorado
Daniel Spicer serves as CSO of Ivanti, a global technology company that enables and secures the Everywhere Workplace. He is dedicated to enhancing the organisation’s overall cybersecurity infrastructure by assessing future acquisitions for security strength, working with engineering teams to build stronger security into Ivanti’s solutions, and ensuring Ivanti’s network security is bolstered to protect its own systems and data. Prior to Ivanti, he led investigations and created solution response strategies at Stroz Friedberg. Prior to Stroz Friedberg, he served as a senior security analyst at The University of Texas at Arlington and held several security positions at the United Space Alliance, where he developed and maintained security plans for its mission-critical shuttle operations system in support of NASA.
What was your first job? My very first job was back in high school where I maintained the school’s computers and networks. During the summers, I was responsible for deploying and configuring computers/network equipment to brand new schools in the district. I even had the opportunity to guest lecture on the topic of web design and computer architecture in high school.
My first real security position was at the United Space Alliance, over 10 years ago. It was a role I started while I was attending the University of Central Florida pursuing an undergraduate degree in Information Technology and a Master’s in Digital Forensics. I still remember getting the call from the director of the UCF Co-op/Experiential Learning Program at 10am on a Wednesday. She asked me, “How adventurous are you feeling today?” And then she told me about the position at the United Space Alliance. I didn’t have a car at the time, so I quickly bought a car, embarked on my first long road trip, and booked an extended stay at a hotel. It was the start of a truly life-changing event.
As a Computer Security Official at the United Space Alliance, I was responsible for developing and maintaining security plans for the mission-critical shuttle operation system in support of NASA. By starting my career in an environment where things were very well structured, I got a feel for where things should be, which taught me how to identify where processes were broken moving forward.
How did you get involved in cybersecurity? I decided on a career in cybersecurity before I started high school. There is some irony in the story too since I grew up without access to the internet. My first computer was gifted to me in middle school from my Boy Scout troop leader. At that time, I used floppy disks to download applications to help me learn about programming. But then one day, I downloaded a virus and I had to go through the painstaking exercise of wiping my computer clean. That’s how I got interested in cybersecurity. I wanted to know how these hackers could bypass the security features and deploy malware on my machine.
What was your education? Do you hold any certifications? What are they? I studied at the University of Central Florida for both my undergraduate and graduate degrees from 2008 to 2014. I have a Bachelor of Science in Information Technology and a Master’s of Science in digital forensics. My graduate degree was focused on incident response and forensics. I do not currently hold any certifications.
Explain your career path. Did you take any detours? If so, discuss. I stayed in the field of cybersecurity quite consistently, holding several different positions from public sector to private sector positions. Each position added new experience to my career, which enabled me to serve in my role today at Ivanti, where I can identify and prioritise security issues that I’ve seen before at other companies.
Prior to joining Ivanti, I worked at Stroz Friedberg, a recognised industry leader in the field of incident response and digital forensics. Stroz Friedberg is where I honed my skills in digital investigations and risk management. I led over 100 investigations and worked on some of the largest and highest profile security incidents such as the Yahoo! breach and espionage campaigns launched by nation states including Operation Cloud Hopper.
Prior to Stroz Friedberg, I served as a senior security analyst in the education sector at the University of Texas at Arlington. I implemented their incident response and forensics program and led investigations and their vulnerability management program. I often performed code reviews and assisted developers with remediating vulnerabilities and implementing best practices. Since budgets were limited, I gained experience building internal tools versus buying from third party vendors, which is something that has definitely benefited me throughout my career. I also had the opportunity to hold several security positions at the United Space Alliance, where I developed and maintained security plans for the mission-critical shuttle operations system in support of NASA, which gave me experience serving public sector organisations.
Originally, I never wanted to be a CSO because I'd seen many companies use them as scapegoats following cyberattacks and breaches. Before joining Ivanti, I interviewed my bosses and peers and dug into the details. I wanted to make sure that everyone, including Ivanti’s leadership team, prioritised security. Security needs to be part of a corporate culture from top to bottom, and that is what I found at Ivanti. The company has doubled down on its mission to secure the Everywhere Workplace. As organisations and government agencies face ever more sophisticated attacks against their technologies, Ivanti is dedicated to protecting its customers and mitigating threats as quickly as possible. This includes focusing on building products securely, educating about best practices, and helping organisations to form a strong security foundation through a zero trust strategy.
Was there anyone who has inspired or mentored you in your career? I have not had a mentor, but I have been fortunate to work alongside a lot of smart people. I make it a point to find a work with people who know more than me so I can learn and grow from them.
What do you feel is the most important aspect of your job? The most important aspect of my job is educating people and getting them to think differently, to create a culture of security within the company from top to bottom. For example, I’ve been educating our employees on different types of phishing attacks and encouraging them to think carefully before clicking on any links. All phishing emails include a call to action and create a sense of urgency. I encourage people to slow down and really think about if the email and call to action makes sense. I’ve also been encouraging our developers to think about how threat actors might attack our software. Security involves breaking the rules and finding the logical blind spots, and most people do not think in that way. So, it’s all about trying to provide the right education.
What metrics or KPIs do you use to measure security effectiveness? I measure our ability, and the ability of our solutions, to reduce the mean time to detect, discover, remediate, and respond to cyber threats, particularly critical vulnerabilities linked to or associated with ransomware. It’s critical to know how our solutions are improving the efficiency and effectiveness of security and IT operations teams in combatting weaponised vulnerabilities used by cyber adversaries.
Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, there is a global IT talent shortage. Globally, the shortage of cybersecurity professionals is estimated to be 3.12 million. It’s challenging to fill all roles right now, but it’s also important to hire people with a combination of dedication and passion.
Security is a hard job, and it wears on you very quickly if you aren’t passionate about it. It’s critical to have a combination of dedication and passion. It’s also essential to have a deep understanding of security rather than just textbook knowledge. A lot of people can say multi-factor authentication is important, but not everyone can explain where it should be deployed and where it shouldn’t.
Cybersecurity is constantly changing – how do you keep learning? I’m an avid reader. I spend at least 30 minutes a day reading technical articles and research reports. I have a tailored newsfeed to help me stay sharp and learn about the latest edge techniques.
I also read books that are outside of my field. For example, I read a lot of philosophy and psychology books, which help me think differently. I’ve also read biology books, which are very process oriented. I like to seek out knowledge and wisdom from other fields and apply them to security.
What conferences are on your must-attend list? I prefer to network outside of conferences, but I'd say my favourite conference is REcon. It’s an annual reverse engineering and security conference held in Montreal.
What is the best current trend in cybersecurity? The worst? One positive outcome that has come out of this pandemic is the pace at which IT modernisation has occurred to support the Everywhere Workplace. What typically would have occurred over a 10-year period, happened almost overnight. This sudden shift to the cloud also has spurred on innovation within cybersecurity, and we now have solutions and security practices that help protect the Everywhere Workplace.
One of those trends includes the wide adoption of Zero Trust principles in an organisation’s security practice. Zero Trust is designed to provide security in a perimeter-less environment given that we are no longer working inside the walls of a corporate office that is protected by legacy technology such as firewalls. Zero Trust is designed to combat cyberthreats inside and outside the traditional perimeter by requiring that all users, applications, and devices that are trying to access networks, services, servers, and databases—no matter their location—should be authenticated, authorised, and validated, and that trust is not inherited or presumed anywhere across the Everywhere Workplace. So, I’d say this is one of the best trends in security right now.
The worst trend that I see is that many organisations are not prioritising cyber hygiene. An advanced attack, such as a supply chain or ransomware attack, often starts with basic tactics like social engineering, phishing, or exploiting vulnerabilities in unpatched software to infiltrate environments and deploy malware. According to a recent survey by Ivanti, 74% of respondents said their organisations had fallen victim to a phishing attack in the last year. SMS phishing is the latest variant to gain traction. It works much like an email phishing scam, but instead sends deceptive or malicious slinks through text messages. Ultimately, most attacks are the result of poor cyber hygiene.
What's the best career advice you ever received? It’s important to love your job because otherwise it wears you out. It’s also important to like your teammates. I’ve been blessed because I’ve always worked with smart, fun people.
What advice would you give to aspiring security leaders? Below is some additional advice I’d offer aspiring security leaders, based on lessons I’ve learned during my career:
- Identify experts and learn from them. Don’t act like you’re the smartest person in the room because you probably are not. If you are, you’re in the wrong room.
- Don’t be afraid to dig in when you think you’re right and defend your opinions. Always admit when you’re wrong.
- Don’t be discouraged if your solution isn’t chosen as the “go-forward”. Always understand why a chosen solution was decided.
- Don’t let rigor and process kill innovation. Find the right time and the right way to break the rules and find something new and better.
- Security is a process of continual improvement. Don’t get hung up on the “optimal” and don’t let good improvements get in the way of perfect.
What has been your greatest career achievement? It’s rewarding to help companies proactively defend against cyberattacks. With the Ivanti Neurons platform, IT can query all edge devices with sensor-based architecture and natural language, get intelligence across the enterprise in seconds, and then take the right action at the right time to effectively defend against cyber threats, such as ransomware attacks. I enjoy advising how to make our technology better, while protecting our customers. Similarly, I enjoyed helping authorities track down cybercriminals and helping companies respond quickly and aggressively to vulnerability challenges during my time at Stroz Friedberg.