Secret CSO: Josh Brewton, Cyvatar

What is the worst current trend in cybersecurity? “Artificial Intelligence… While AI shows immense promise, there will always be vulnerabilities that will need compensating controls to close those gaps.”


Name: Josh Brewton

Organisation: Cyvatar

Job title: vCISO

Date started current role: September 2021

Location: Remote/Alabama

Josh Brewton, CISSP, CISM, is vCISO at Cyvatar, a leading tech-enabled CSaaS provider. As vCISO, Brewton culls his skills and experience from over 10 years in security industries, both physical and cyber, to help establish more resilient cybersecurity postures. He’s held multiple roles within cybersecurity including Information Security Analyst, System Security Officer, Incident Responder and Security Operations Center Manager. In addition, Brewton has worked in compliance advisory roles for the TSA, as a cybersecurity specialist for the Alabama Air National Guard, and within an MSP providing services advising against PCI/NIST/CMMC/ISO. Prior to Cyvatar, Brewton spent over 7 years in law enforcement including time as a Michigan State Trooper as well as a Police Officer in Honolulu.

What was your first job? My first job was working for a family-owned pizza joint when I turned 16. I was the cashier, cook, clean-up crew, and delivery driver. My first day was the Friday before a hectic Superbowl weekend. That was a great way to learn the concept of "sink or swim." I was grateful to have a position with enough flexibility to earn money while playing high school sports and still have a social life.

How did you get involved in cybersecurity? While earning my degree in Criminal Justice, I remember sitting in class learning about critical infrastructure protection. All the physical protections in the world mean nothing if the facility/organisation is hit with a cyber-attack. At that point, it hit me, "I need to get involved with cybersecurity." Initially, I was not sure how I wanted to achieve this goal. After contemplating switching my major, I decided on the Air National Guard as a Cybersecurity Specialist.

What was your education? Do you hold any certifications? What are they? I obtained my B.S. in Criminal Justice with a minor in Homeland Security from Lake Superior State University. I hold a Certified Information System Security Professional (CISSP), Certified Information Security Manager (CISM), and CompTIA Security +.

Explain your career path. Did you take any detours? If so, discuss. I never really considered IT or cybersecurity as a career path. I was dead set on going into law enforcement. I started my journey of law enforcement working as an Auxiliary Police Officer for the Sault Ste. Marie Police Department. I then became a Michigan State Trooper for a few years. I then moved out to Hawaii, where I joined the Honolulu Police Department (HPD). Here, I joined the Hawaii Air National Guard and started seeing my future in cybersecurity. Ever since leaving the HPD, I have been involved with IT and cybersecurity. I like to think that my past life as a law enforcement officer has given me a unique perspective and equipped me with the ability to handle high-stress situations.

Was there anyone who has inspired or mentored you in your career? I would say that I have learned a lot from those I have worked with and for. I have seen characteristics in my peers that I have admired and attempted to adopt in my life. I have also learned a lot from those I do not want to be like. There are so many different avenues in IT, and they are not for everyone; it took me a while to realise that.

One person that I can say who has inspired me would be my father. He is a Navy vet who retired and started a career in a sector he never considered before retirement. He has experienced great success through his diligent and dedicated efforts. I have always admired that about him, and he has inspired me to work hard and do what is right.

What do you feel is the most important aspect of your job? Within the context of the CISO role, remember that different types of people make up our organisation. They may not understand some of the tasks we are trying to complete. Communication and education have helped in addressing these issues. I have seen that most are very receptive to the education component when it is presented genuinely and sincerely. As far as communication goes, there isn't enough of it. I don't care if something is wrong or that it can't get done. Just communicate with me the issue you are experiencing so that we can come up with a plan to overcome them. I can't help with problems that I don't know about.

What metrics or KPIs do you use to measure security effectiveness? For me, it would be response time and time to resolution. Generally, the quicker these two tasks are completed, the more mature and effective the security team. If my team can identify a legitimate incident and resolve it quickly, I'm happy. Often, if the unit is responding to a high number of incidents, it is quickly recognised, and we work on a plan to increase our security posture to eliminate the spikes.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I guess I am a conspiracy theorist who thinks that the security skill shortage number may be skewed. I don't think we can say we have a shortage when there are still organisations that are unwilling to accommodate flexible work environments (working remotely) or still have a lengthy and cumbersome hiring process.

I have seen companies that have issues hiring for *fill in the blank* entry-level positions. I have heard frustration from the employer's perspective that the talent pool isn't there or they are unwilling to work. There seems to be a disconnect between entry-level abilities and employer expectations.

Cybersecurity is constantly changing – how do you keep learning? Two things that help me keep learning are following/listening to a wide range of tech blogs and always having a certification that I am studying for.

What conferences are on your must-attend list? I want to attend Black Hat 2022. I followed the activities from last year, and it looks like a great experience to learn a few things and have a blast.

What is the best current trend in cybersecurity? The worst? One of the best cybersecurity trends is the widely accepted use of multi-factor authentication. MFA is no longer just for the government or large corporations. Mom and Pop shops see the value in this technology, and it is becoming an accepted norm.

I know I am not the only person with this point of view, but one of the worst cybersecurity trends must be Artificial Intelligence. I have seen AI marketed as the "silver-built" for cybersecurity and that this will be the end of traditional practices. While AI shows immense promise, there will always be vulnerabilities that will need compensating controls to close those gaps.

What's the best career advice you ever received? The best career advice I received was based upon failure. I was posed with the question, "You failed, so what? How are you NOT going to fail next time?" Although it is not the traditional advice given, it has motivated me to continue pursuing and succeeding in areas of my career that I may have failed.

What advice would you give to aspiring security leaders? I would tell them not to discount their life experience. To be a good security leader does not mean that you have had to spend all your life in this discipline. You can combine all the life lessons to mould yourself into a practical and inspirational security leader.

What has been your greatest career achievement? My greatest career achievement was deciding to shut the door from law enforcement and transition to a full-time cybersecurity role. I loved what I did, but it did not align with what I wanted my future to look like and what I wanted to be doing in 20 years.

Looking back with 20:20 hindsight, what would you have done differently? If I had to do one thing differently, it would have been to jump straight into my continuing education. I may have had the chance to obtain a degree or formal education in a field more closely related to cybersecurity.

What is your favourite quote? "Nothing in the world is worth having or worth doing unless it means effort, pain, difficulty… I have never in my life envied a human being who led an easy life. I have envied a great many people who led difficult lives and led them well." ― Theodore Roosevelt.

What are you reading now? I am currently reading Leadership 2.0. I continue to expand my understanding of different leadership styles, and I am always looking to add new tools to my toolkit.

In my spare time, I like to… I find myself doing family activities with my wife and son. We try to get out of the house and be as active as possible. It forces my wife and me to experience new activities that we usually wouldn't partake in for the sake of making memories with our son.

Most people don't know that I… Would drop everything and move to a mountain cabin. I would love to work remotely from a secluded cabin (internet speeds permitting). This is the dream, but it may be a few years off for me.

Ask me to do anything but… You could ask me to do anything but to go running. I love the outdoors and working out, but I can not say the same about running.