Secret CSO: Corey Nachreiner, WatchGuard

Name: Corey Nachreiner

Organisation: WatchGuard

Job title: CSO

Date started current role: February 2021

Location: Seattle, Washington

Corey Nachreiner is the chief security officer (CSO) of WatchGuard Technologies. Recognised as a thought leader in IT security, Nachreiner spearheads WatchGuard’s technology and security vision and direction. He has operated at the frontline of cybersecurity for 25 years, evaluating and making accurate predictions about information security trends. As an authority on network security and an internationally quoted commentator, Nachreiner's expertise and ability to dissect complex security topics make him a sought-after speaker at forums such as Gartner, Infosec, and RSA. He is also a regular contributor to leading publications including CNET, Dark Reading, Forbes, Help Net Security, and more.

What was your first job? If you mean the real first job, besides babysitting from the age of 12, then it was in the 1980s in Maryland, when I was 14. My father helped me get a work permit (for under 16 work) and I got a job at Arby’s. Nothing fancy, but instead of saving for a car, like most teens, I saved my first $800 (big money to a teen then) to buy an 8086 computer.

My first more professional, after college job was as technical support for a plastic surgery imaging company (think photoshop software made for plastic surgeons), but I quickly left there to start a support career at WatchGuard, a budding network security company in 1999. And thus started my path to CSO/CISO of the company.

How did you get involved in cybersecurity? I didn’t actually know/think cybersecurity would be my career at first, even though I was involved in learning about hacking and security on my own, at a young age. When I was in college (1992) cybersecurity was rarely discussed. I was taking a normal CompSci program and expected to be a coder. However, I had gotten a computer in my house when I was eight; a TRS or Trash-80, that my dad bought, but never used. I quickly learned basic, and got my dad to buy a coupler modem, eventually buying my own PC. In the early BBS days, I learned about phreaking and hacking via e-zines and famous test papers like “Smashing the Stack for Fun and Profit,” so while I didn’t know that cybersecurity would be my career at the time, I had a strong interest in how hacking worked well before high school and college, though I don’t have a black hat bone in my body. In any case, after college, finding a company that did computer security helped me realise that I could mix my personal interest in hacking with my formal training, and the 2000s were a perfect time for this as computer security has blown up in importance compared to the 70s and 80s.

What was your education? Do you hold any certifications? What are they? I have an AA, and started 1.5 years of a BS in CompSci, but never finished it. I took a quarter off to save money, but also got married and quickly conceived a child, so had to focus on career for a bit. As the career took off, I had less need to finish my degree as my experience started to speak for itself. I have earned various tech certifications, but getting my CISSP was probably the biggest one for this industry.

Explain your career path. Did you take any detours? If so, discuss. I would say realising I could make a career in InfoSec was a big detour, as it didn’t seem like an obvious choice to me in the early 90s. I always knew I would be in tech. Computers and digital equipment always seemed natural and intuitive to me. I loved taking things apart, learning how they work, and putting them back together, and doing the same concepts with software too. However, I assumed the money was in coding, and thought I would be a software engineer at a big tech company. Getting married and conceiving our child early in the marriage was the first “life” detour that added randomness to my career patch. I felt I had to get a decent job quickly to support a new family, so started in a support job at that plastic surgeon imaging company, I mentioned above, more for the money than as my intended path. Then that company went chapter 13, forcing me to find a new job quickly (I had my baby daughter by then). That is where luck and serendipity got me to my dream path that I should have realised earlier. WatchGuard was hiring for support, I had some experience from the job I didn’t plan, and that got my foot into the door to cybersecurity and many job titles here that gave me experience in many aspects of cybersecurity.

Was there anyone who has inspired or mentored you in your career? Early on, no. My interest in hacking and digital security was internal, and since in the 80s it wasn’t discussed as a career much, there was really few people to look to for inspiration, that came more from grey hat community members who eventually became the big names in cybersecurity decades later. However, at WatchGuard, Steve Fallin was a person in cybersecurity education and communication at our company. He noticed that in my support cases, I didn’t only fix the customers main tech support problem, but I also gave security advice and other policy recommendation. He invited me to help at security conference like RSA and Black Hat, to learn more about me, and eventually recruited me onto his team. Without him, and other leaders at WatchGuard I met as I moved forward, I may not have grown to the CSO/CISO I am today.

What do you feel is the most important aspect of your job? Procedure and diligence. I got interested in cybersecurity for all the cool and technically interesting ways you could make systems do unintended things. Researchers who find complex remote code execution zero days are my heroes, and I tend to geek out about cool software hacks. However, defence should be boring and programmatic. Deep coding and technical knowledge are not really that important to the blocking and tackling of defence. The hardest part of security is just the repeated diligence of going through your programmatic procedures to support your policies. If you are doing it right, it might seem a little boring as you have playbook and procedures for everything, and you are obsessive about running them.

What metrics or KPIs do you use to measure security effectiveness? Many, but here are a few:

• Security incidents per year
• Mean time to detect, mean time to respond to and mean time to resolve security incidents or alerts
• Security Awareness KPIs (some people think these aren’t worth tracking, but we have lowered and maintained these)
  • Click rate on phishing simulations
  • Overall security awareness risk score (based on employees completing required trainings, privilege level of employee, and things like click rate)
• Many Patching and Vulnerability Assessment (VA) metrics:
  
  •  Number of external high and critical unpatched vulnerabilities
  • Time to patch
  • SLA misses

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes. Our organisation is a security vendor. We make network, endpoint, and identity security products, so have some specialised security expertise needs on top of the CISO/CSO needs. It is hard just finding experienced SOC incident responders for our CSIRT team, but we also have need for deep malware researchers, threat hunters, etc. The deeper the technical expertise in a cyber security domain, the harder it seems to fill the role.

Cybersecurity is constantly changing – how do you keep learning? Conferences, blogs, and videos. There is endless media now available to learn about security. I have researchers I follow, YouTubers that cover security, I have a news aggregator that focuses on cybersecurity news, and I and my team attend Black Hat and DEF CON every year we can.   

What conferences are on your must-attend list? We like Black Hat and DEF CON, although there are many other great ones like them. If you can only do one, DEF CON is very inexpensive, and has the more uncensored version of many of the Black Hat talks. We avoid other conferences that get a little to vendor-y, unless we are specifically looking for a new product. Ones like RSA do still have good research talks, but we feel it seems more like a conference where security industry folks are doing B2B with each other. If you are low on conference funds, B-sides follows around just about every big conference, and often has good stuff without the high cost.

What is the best current trend in cybersecurity? The worst? The best trend is machine learning and other technologies helping automate some of the rote tasks in cybersecurity. The worst tread is adversaries starting to realise how machine learning and automation can help the black hat too.

What's the best career advice you ever received? The best leaders listen more and talk less.

What advice would you give to aspiring security leaders? Stay humble; always keep learning; treat everyone with equal respect; most importantly, listen more and talk less.

What has been your greatest career achievement? Strangely, my greatest career achievement is seeing and helping my employees grow into leaders themselves. There are a lot of things I did as an individual contributor that I am proud of, but my biggest joy is seeing people that I helped lead develop into leaders. Once you hit a certain point of personal achievement, the only way you can exponentially achieve for your company and other is by helping everyone around you achieve their goals. A leader’s goal is not to continue being an individual rock star, but to help many others become rock stars themselves.

Looking back with 20:20 hindsight, what would you have done differently? Learn faster and try to introspectively work on my weaknesses even earlier. I’m not sure if I would change the past. While I guess others might create a more direct path to their end goal, I feel like the path I took to get to where I am is part of what forged me to be able to fit the situation. You can’t change outside factors; you can only change yourself. None of us are, or will ever be perfect, but we can improve forever, as long as we are willing to do the introspection to learn our strengths and weaknesses. The only thing I would do differently would be to learn that and get to the introspection much earlier in life.