Secret CSO: Bernard Brantley, Corelight

What conferences are on your must-attend list? “RSA is the single “must attend” conference that I can suggest to anyone in the industry. There is such a wealth of thought leadership across all domains in cyber and I have yet to find a better singular forum to access it.”


Name: Bernard Brantley

Organisation: Corelight

Job title: CISO

Date started current role: August 2021

Location: Seattle WA

Bernard Brantley joined Corelight from Amazon, where he led a threat hunting and threat intelligence team which covered a wide range of security threat scenarios. With an extensive background in threat detection for businesses, Brantley was also at Microsoft, levelling up security for Microsoft HVA (High Value Assets) environments, including XboxLIVE, and at Alert logic in both research and analyst roles. Brantley also continues to serve as an advisor to a number of innovative technology companies, including a new emerging player in the GPU-accelerated analytics domain. In addition to this, and looking ahead, Brantley actively participates in technology workshops that are meant to shape and sharpen the strategy for adoption and use of ML/AI within segments of the federal government.

What was your first job? My first role was as a baby gear associate at Babies R Us, where I helped new parents learn the ins and outs of strollers, cribs and car seats. I landed my first job in cybersecurity at AlertLogic as an appliance support engineer for the fleet of field sensors. During my time there, I learned a lot about managing Linux infrastructure and open source IDS (Snort) at scale.

How did you get involved in cybersecurity? I faced a lot of adversity in my late 20s trying to figure out my station in life. I held jobs in retail sales, B2B sales, finance and construction; none of which satisfied my inner curiosity and desire to grow. In the late 2000s, I started working with Linux operating systems and the airodump-ng suite of tools to audit my own home wireless network and got hooked from there. Working on the Linux command-line while trying to solve problems was fascinating to me, and I began seeking opportunities to convert that passion into a job which would ultimately become a fulfilling career.

What was your education? Do you hold any certifications? What are they? I spent three years at the United States Military Academy, however I failed an English course and was separated after my cow (junior) year. I am grateful for the exposure to strong leadership but most importantly the Thayer method of instruction. In short, the Thayer method made us responsible for our own learning by making us study the material before class, and then coming to the session with questions that we would determine the answer as a group through discussion and active learning. This practice is something that I’ve carried with me throughout my career and is the basis of my approach to engaging with and mentoring others. I do not hold a degree or any certifications; however, I have borrowed knowledge from the wealth of available resources for certifications like the RHCE, GCIA, GPEN, CISSP, CCNA, and others, to help educate myself and become operationally viable in every domain and capability area that’s led me down the path to where I am now.

Explain your career path. Did you take any detours? If so, discuss. Before IT, I banged my head against multiple walls looking for fulfilment in my work. After my first job in a datacentre, I chased opportunities that satisfied my curiosity. I held roles as an infrastructure engineer, security analyst, and security researcher, before taking on roles with responsibilities that would allow me to implement change. Before joining Corelight I architected and managed security infrastructure at Microsoft and lead a threat hunting and threat intelligence team at Amazon.

Was there anyone who has inspired or mentored you in your career? I have been inspired by a number of great leaders throughout my career, all of whom guided and supported me in leveraging my natural “soft skills” while challenging me to solve problems technically. Early in my career, I looked to the texts written by Richard Bejtlich as guideposts for my growth and a measure for my own capabilities with respect to cyber maturity. I was in complete admiration of Dr. Vern Paxson and his work on the Zeek project, and I aspired to have a similar impact on the cyber industry. Today I have the privilege of working directly with both of them. I also had a great leader and mentor in Sacha Faust, who taught me the value of people-centric engineering and leading through inspiration versus authority. There have been many others along the way but I would like to take this opportunity to directly thank these three for the lasting impact they have had on my career growth and mindset.

What do you feel is the most important aspect of your job? I believe that leadership is the most important aspect of any job. Every day, I’m given the opportunity to guide my team and within my sphere of influence to deliver impact in a meaningful way. I was once told that “Alone we can go fast, but together we can go far”. The diversity of thought and the art in individual application of that same thought is our path to making advancements in cybersecurity. I am responsible for giving individuals the freedom and flexibility, within the bounds of strategy, to bring their passion, uniqueness, and corpus of experience to the execution of their daily jobs. That all stems from effective leadership. It’s exciting to set an objective and watch the paths that people take to reach it; the entire organisation is often better for being along for the journey.

What metrics or KPIs do you use to measure security effectiveness? I focus on coverage, completeness and influence/impact. I measure coverage and completeness against NIST and the Cyber Maturity Model. Measuring influence is a bit trickier, but I currently like measuring the number change actions and fix velocity outside of the security team. I also believe that a measure of  proactive vs reactive actions with respect to incident response and threat intelligence is critical in determining the effectiveness of the overall security program.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I see the skills shortage as an opportunity more than anything else. I believe that security should be accessible to all and more directly. That diverse way of thinking is our path to needle-moving application and execution of security initiatives. I challenge my team to deliver in ways that take maximum advantage of current skills paired with tying into the momentum of outside teams, leveraging relationships and broader goals to mature cyber capabilities. I’ve been lucky in having an exciting company to work with, along with a broad network of professionals who are more than excited to join us, so we haven’t been directly affected by the cyber skills shortage. This may become a challenge however as we continue to scale, and we intend to look for talent within the open source community to meet future demand.

Cybersecurity is constantly changing – how do you keep learning? I constantly look for opportunities to convert theoretical work into operationally viable capabilities. I spend much of my time embracing the future by decomposing research whitepapers, and looking for ways that I can steer those around me to deliver on the meta-themes which can, if executed well, provide us with a strategic advantage over our adversaries. I am also a student of the Military and Intelligence Community. There’s a book by Aaron Brantley called “The Decision to Attack, Military and Intelligence Cyber Decision Making” and in it, he brings an economic framing to offensive cyber operations. I find myself re-reading certain chapters of that book on a quarterly basis and using it to measure our capabilities and my situational awareness. My primary objective is learning ways to minimise the amount of anonymous action in the environments I protect, and continuous learning is required to do so.

What conferences are on your must-attend list? RSA is the single “must attend” conference that I can suggest to anyone in the industry. There is such a wealth of thought leadership across all domains in cyber and I have yet to find a better singular forum to access it. In addition, Defcon is always a fun conference to attend and a way for me to catch up with old friends and colleagues. However RSA stands out as the conference for those looking to educate themselves on the fundamentals and the advancements in cyber.

What is the best current trend in cybersecurity? The worst? I am a big fan of graph technology and thinking in graph. I believe it to be the most important effort in improving our ability to defend against the evolving and increasingly complex threat landscape. John Lambert once said “defenders think in lists, attackers think in graph.;” We must get to equal footing with those who intend to do us harm. While not a trend, I feel the worst thing for the industry is the lack of understanding around AI and ML: everyone thinks they need it while very few understand how to use it or how to apply its outputs properly.

What's the best career advice you ever received? Take individual ownership of failure and pass on the recognition and celebration of successes to individuals within the team or to the team itself.

What advice would you give to aspiring security leaders? Be willing to be vulnerable and embrace failure. If there is a single truth in cyber, it is that at some point, the adversary will win. If we take that mindset, and look at failures as our route to learning what’s required to minimise the future impact of adversarial activity, we will all be better for it. Next, figure out ways to convert the learnings from those failures into institutional memory. In order to improve cyber resilience, we must disseminate those learnings in ways that weave it into the cultural and operational fabric of the institution at large.

What has been your greatest career achievement? I am really proud of the work I did at Microsoft. Without disclosing too much, I was able to revamp the way in which network security was viewed and executed within some of their most sensitive environments.

Looking back with 20:20 hindsight, what would you have done differently? Nothing… Every step I’ve taken along the way was a requirement for me to be here. While there has been challenges and missteps, I am grateful for all the things I’ve experienced, and all the people I’ve met, and all the knowledge that has come from those interactions. I wouldn’t change a thing!

What is your favourite quote? “If the rule you followed brought you to this, of what use was the rule?” Anton Chigurh - No Country For Old Men.

What are you reading now? How to Read Water: Clues and Patterns from Puddles to the Sea - Tristan Gooley

In my spare time, I like to… Watch my kids grow! I missed a lot of opportunities with my oldest, Liana. With my youngest two, I make sure to take advantage of every moment I have with them. I also love playing soccer and golf, but I am recovering from an Achilles injury and have been limited in those activities.

Most people don't know that I… Am the product of two Detroit Police Officers. My dad was a homicide detective with one of his cases being written about in “Masquerade: A true story of Seduction, Compulsion and Murder” by Lowell Caufield. I have a belief that detective work and the investigative mindset are a part of my DNA, and I owe much to my parents for giving me the tools to make it here.

Ask me to do anything but… Stop dreaming. I believe that anything, within the limits of physics, is achievable and our ability to dream is what gets us there.