Secret CSO: Martin Jartelius, Outpost24

Looking back with 20:20 hindsight, what would you have done differently? “If I got to go back in time, I would tell young me that what I thought were technical problems in almost 9 out of 10 cases were human problems.”

Martin Jartelius, Outpost24

Name: Martin Jartelius

Organisation: Outpost24

Job title: Chief Security Officer

Date started current role: May 2013

Location: Karlskrona, Sweden

Martin Jartelius is the CSO at Outpost24, with responsibility for internal security as well as security in delivered services and solutions. In his role, Jartelius is tied to both the account management teams and the development teams. Earlier, Jartelius was the global team leader for the Outpost24 Professional Services team, where he was responsible for forming and managing the delivery of services. Jartelius has a background as an IT security consultant, with his areas of expertise covering incident management, forensics, audits, security assessments and testing.

What was your first job? I started off in eldercare, essentially a workplace where, as a male applicant, I realised there was a good chance I would get an interview as a minority, and essentially this work paid my way through 5 years of university. It also gave me some rather valuable humane traits that I somewhat lacked coming from a pure technical background.

How did you get involved in cybersecurity? I am by education a distributed systems programming specialist, something that the release of cloud services more or less ruined overnight, leading me to pursue my night-time passion of applied IT security. One could say that market changes pushed me from a potential career as a developer into focusing on hacking, forensics and, over time, compliance.

What was your education? Do you hold any certifications? What are they? I hold a bachelor’s in computer science with a focus in distributed systems programming. Had I finished my master’s, which was my goal, it would have been in the same focus area. When I graduated, IT security as a focus area was still relatively unheard of as an education.

Explain your career path. Did you take any detours? If so, discuss. I started off branded as a bridge between technical and organisational security, which to that point had been treated as two separate focus areas in the organisation I landed in. I got trained on firewalls, VPNs, intranet portal security gateways, disk encryption and so on, but my actual passion was closer to humans than computers. This made me detour to work a lot more with the management-focused security team, forming that bridge and over time being a part of making the two entities one.

Was there anyone who has inspired or mentored you in your career? There have been two gentlemen that inspired me deeply. The first was the manager of an insurance company I interned at who, after receiving the necessary technical help, said “Never lose your ability to explain technology to those less in the know. You will grow old. Younger men and women will know things you no longer understand, they will be faster, more efficient and more knowledgeable. But if you maintain your ability to explain technology and security to those less in the know, you will never be out of a job.”

The other man was an old banker. He found me useful as a source of information in my early days, as I knew technology above and beyond what he knew. I could essentially automate what he spent most of a week doing down to a matter of hours. Having helped him free that time, he immediately showed me how to find others around us in need of support, who were uncertain, and who by guidance could be supported into delivering better quality, higher-security solutions with the time they were spending in the projects we were involved in. Apart from cementing the social network that helped me build who I am today, it also showed that almost everyone would be given a choice to pick the more secure option, provided they knew how to make the choice and provided they did not have to document it in full on their own. A valuable lesson – security is often better than documentation shows. But cheap and by-design security only comes by supporting those responsible for building a solution in the phase where they are still asking the “how” questions. At that phase, it’s borderline free.

What do you feel is the most important aspect of your job? Enabling others to make the right choice. Not making choices for them, albeit we all must be the nay-sayer on a recurring basis, but enabling others to make educated decisions, and instead of stating “no” stating “yes, if…” and setting the requirements for doing what the business needs doing, in a manner that enables everyone to do it in a sane and secure way.

What metrics or KPIs do you use to measure security effectiveness? Incident resolution and mean time to patch. It may sound simplistic, but one tells you how fast we are to detect, detain, respond and recover, which in turn gives a feel for the business continuity plan, disaster recovery and contingency; the other tells you how well in control we are of the release windows, how equipped we are to detect deficiencies and how fast we can respond to them without affecting anything in operations.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes and no. We have what we need in terms of internal auditors, lawyers, CISO and CSO skills. What is lacking for us, as we provide competence for others, are sufficient amounts of quality raw material to train and shape the security specialists of tomorrow. Europe, where I reside, is not subject to the shortage in the hundreds of thousands of the US market, but it is still a situation where a well-established programme to onboard, train and develop young talent is key to enabling our success. And even building our own success story by finding and acquiring young talent, we are challenged by the competitive nature surrounding securing high-quality talent. So far, we are blessed with excellent staff, but given exponential growth, even with our own internships, our recruitment base consistently needs to grow.

Cybersecurity is constantly changing – how do you keep learning? If you want to know what is “hip and coming” in any fast-paced industry, you surround yourself with younger, smarter and more up-to-date specialists and remember that your seniority on paper and in years of experience does not trump their know-how. What is powerful, truly powerful, is the combination. In all essence we were equipped with one mouth and two ears, or as the saying goes – we don’t hire smart employees to tell them what to do, but for them to tell us what to do. I make sure to stick around those who are more in the know while trying not to embarrass myself too frequently.

That, and surprisingly, when it comes to the offensive side of security, while one may think things have escalated – apart from cryptocurrency and its implications for ransomware – we are still stuck on the same challenges as 20 years ago, just with more sophisticated adversaries and substantially better support systems. Understanding how things work under the hood enables you to see the parallels, but being surrounded by a competent team means someone else knows where the applicable buttons are today.

What conferences are on your must-attend list? I am not a fan of conferences; I digest Black Hat and DEF CON from their YouTube uploads. Conferences to me are a place for the younger crowds. I appreciate sessions such as InfoSec UK as a great place to meet existing customers and get a pint with some of those who, after 10-15 years of bumping into each other, remind me more of a school reunion than a conference. Conferences over the years have become more a way of maintaining the existing network of customers and fellow security enthusiasts than a place to learn and develop. I learn differently, sometimes on my own, in quiet and peace. Prior to COVID I would be watching recordings on YouTube while travelling or in hotel rooms, or from the comfort of my couch. Not to say that conferences do not carry their own value in and of themselves, but to state that to me, they are a place to meet those we hold close but do not get to see that often. Hence the reference to a high school reunion rather than a place to learn. And in Europe, for this purpose, there is essentially InfoSec, potentially challenged by HITB in Amsterdam, BSides in London and some others for those of the more technical inclination.

What is the best current trend in cybersecurity? The worst? The best is an increased openness and seeing security as a business enabler – the average customer today will ask “how do you secure my information”, shifting security from working in the shadows to ensure all is good and in order, to a more customer- and business-centric position. The worst? Well, this one is tough, and I am not likely to make friends, but I am going to say integrations. Everything can talk to everything, and businesses love it because it is so amazing and efficient. But as we do so, we entrust others to be the wardens of our information, and the granularity of access is so extremely immature that we essentially are building extreme attack surfaces that on the hood look fine. There are such incredibly large amounts of hidden entry points into the modern organisation that when those things start to break, when large carriers of trust fail, the organisations they potentially pull with them are counted in the thousands.

What’s the best career advice you ever received? No matter how long I progress in my career, as long as I am able to make technology, security and risk relatable and understandable to others, I will never be out of work. It is the truest statement I have ever encountered, and it is applicable to so many other areas, including information security. If the business does not understand the reason behind a policy, or a no, they will work around you, as you are a blocker and not guidance.

What advice would you give to aspiring security leaders? Listen, shape, guide. Do not dictate but motivate; do not say no, say “yes IF”. And do not forget to follow up on the IFs.

What has been your greatest career achievement? This is a hard choice. I am still relatively happy about finding two separate pass-the-hash vulnerabilities in SCADA systems. I am equally pleased in having, during my forensics years, contributed to getting some predators off the streets who should not be near our children. In my most recent role, however, at Outpost24, having helped hundreds of other organisations get to grips with their security, and guiding them towards making the correct decisions before things go south fast, has been important. To be honest, I can’t choose, but being a father of two, I would simplistically state that having made the world a better place for our children is close to my heart.

Looking back with 20:20 hindsight, what would you have done differently? If I got to go back in time, I would tell young me that what I thought were technical problems in almost 9 out of 10 cases were human problems. And that whenever someone claims it’s a human problem, it’s time to understand the technical solution. There is rarely a problem with technology – if it’s worth its name and does what it’s designed to do. Claiming that a user clicking a malicious link and getting malware on their system is a human issue is a lie – it’s something a technical department should have solved so as not to allow humans to fail. If we were working in an industry and an employee carelessly put their arm in a machine and lost their arm, we do NOT state that the problem is employees putting their limbs where they do not belong. We would most likely have a review of the criminal responsibility of whoever did not ensure that limbs could be around the machine without risk. Similarly, understanding humans and their behaviour tells us what we need to be secure – security should never be based on humans not failing; it should be based on them failing, decreasing the chance of failing and designing our security on the assumption that they DID click the email.
