The Recorded Future podcast, which takes listeners inside the world of cyber threat intelligence, recently interviewed Ericom’s own Nick Kael.
In this fascinating 20-minute discussion with Dave Bittner, Nick describes his personal journey from the U.S. Marines to Ericom and the valuable lessons he’s learned along the way. He shares insights about how security flaws often hide in plain sight, and how he encourages out-of-the-box thinking in his staff.
Hello, everyone, and welcome to Episode 153 of the Recorded Future Podcast. I’m Dave Bittner from The CyberWire. Our guest today is Nick Kael. He’s chief technology officer at Ericom Software, a company that provides secure web isolation and remote application access software and cloud services. In our conversation, Nick Kael shares his professional journey, including the important lessons his experience in the U.S. military has provided. We’ll learn about his leadership style, his take on threat intelligence, what he looks for when hiring, as well as his approach to his day-to-day responsibilities at Ericom Software. Stay with us.
It’s been an interesting one. I started off out of high school and college, actually left college a little bit early to join the United States Marine Corps, spent eight years in the Marine Corps. Got to travel the world and do some interesting things that way. But nothing really IT-related, although very security-minded. Both physical and logical security. And, now that I’m in the security industry, I see that a lot of it translates.
From the Marine Corps, when I got out, [I] landed in the wide area networking space. So, I worked for a lot of the telco companies, Global Crossing, British Telecom, Infonet, a few of those companies providing global wide area network services. So, I was doing a lot of engineering work, building out networks for organizations that were global.
In about 1999, I got a call from one of the customers that said, “Hey, we bought this thing, it’s called a firewall and we want to install it and we don’t really have anybody on board that knows how to install it or deal with it. Could you help us?” I literally went home that night and read the Check Point Firewall-1 Manual and Firewalls for Dummies and did an install for the customer.
Everything went great. And then I was actually given an offer to move over to our security team after that.
So, I made a move into the security team and started working a lot with managed security services, in the early days of it. That was while I was still with British Telecom actually, and then when I left British Telecom, I went to Symantec. That was about 2009. So, I spent about four years as part of the CTO’s office for security in Symantec — my first run there.
[I] left Symantec, went to a startup that you might know of — Zscaler. I believe I was employee number 82 in Zscaler. Spent just under six years there, and then left and actually went back to Symantec for around a year and then joined Ericom about a year ago.
Gotcha. So what is your day-to-day like these days? What sort of things keep you busy at Ericom?
I own a few facets within the organization. I have solutions management team or what a lot of organizations would call sales engineering. So, the folks that are out working with our customers to build the solutions from a technical aspect and support our sales organization. I also [lead] what we call customer advocacy team, which is our customer support team globally. And then I’ve got responsibility for the product in terms of helping lead product strategy and everything from a technology perspective.
So, I work a lot with our chief product officer, our R&D teams and the developers on products. Also, I just recently inherited our internal IT, so now I manage all of the internal IT aspects for the organization as well.
Day-to-day is interesting because it kind of flip flops between the different teams. And, so I do a lot of customer support and working with customers in the field to make sure that they’re getting what they need from a solution perspective, deal with support issues. If there is some type of bug or issue that they’re dealing with in their environment, helping them sort that out from a technical perspective, escalations on support issues or what have you. And then also our internal IT quite a bit. Keeps me running.
Do you feel like having that wide view being involved with so many different teams? Does that give you better insights into the things that need to be done throughout the organization?
Yeah, absolutely. I think from a historic perspective, the things that I’ve been able to see and do with just a lot of different customer environments gives you a really diverse view on how to handle things in different ways, to maybe tackle problems with the environments. But then also, just dealing with our customers and seeing things, seeing how different customers approach things differently. It kind of opens your mind to look at things very creatively and open minded.
And I think we do have to do that a lot of times, both in IT and then especially now in security. Not everything is just straight out of the box.
You mentioned that many of the lessons that you learned in your time in the military have transferred over. Can you give us some insights there? What sort of things did the military provide you with that are beneficial today?
Kind of the way you look at the world, simple things where sometimes the attention to the detail of something. I’ll give an example. I was dealing with a customer and they were saying how much they’ve invested in their data center security and that, basically, they’ve got foolproof security right down to biometrics on the door and the eye, the retina scanners and all the good stuff that they’ve bought and invested in. And that really no one could penetrate their data center.
And I looked at the door from the inside because we were talking on the inside of their data center and they had a mail flap for the mail to be dropped in the door. And that mail flap had the angled metal piece so that no one could stick their hand in and go across. But it was kind of tipped up and down. And it was angled the way to where they had the big green square button that said “exit” to the side of the door. I mean, I could literally just reach in the mail flap, reach my hand over and tap the green button to open the door.
So, I made a bet with the CIO of the organization that I could get into their data center. He said he liked his steaks medium. And I said, I like mine medium as well. He went back to his office, I waited about a minute and I just reached my hand through and tapped the green button. It’s those little details and attention to detail, I think, that a lot of people just overlook.
The military is very much detail-oriented thinking about security, like I said, both physical, logical all the time, because, whether it’s troops you’re trying to protect or information about a mission that needs to be protected. I never really thought much about encryption while I was in the military because I wasn’t IT or technically focused, just the use of encryption, for instance, that we use over the radios and communications. Yet I see today some simple problems that customers could deal with by using encryption, but they haven’t gone there.
I read a book (and I don’t read a lot of books) but lately, some of the IT security books that I’ve picked up — there was one called “America the Vulnerable.” And it talks about a hack of our U.S. government in 2008. And the Chinese, I guess, nation state — not to pick on them — but they were the guilty party on the hack, on these firewalls of the U.S. government. The NSA director at the time called out that we didn’t use encryption. But the Chinese, before they actually traded all the data, they encrypted it so that it couldn’t be seen what they took out through the firewalls.
In the time that you’ve been at this and you’ve been at this a while, what strikes you as some of the interesting evolutions you’ve seen? What sort of changes have you tracked over the years?
Yeah, I think it’s definitely interesting. Just recently we were out at the RSA Conference and every year what I try to do is walk the floor. And I think what you get from that, one, you learn a lot about what’s going on in the industry and other vendors and what they’re doing. And again, keeping an open mind to their approach. But I think you see trends in the industry and they almost go on a yearly basis.
We’ve seen two-factor authentication a few years ago. And, we’ve gone through encryption and all the different removable media and things. This year, the big thing is zero trust. So, these buzzwords, and I always like to find out if it’s just a buzzword or if somebody is really, really kind of sticking to that spec or that standard, or whatever it is that we’re trying to achieve. Zero trust seems to be the big thing this year.
A lot of us in the security industry are talking about it. I think it’s interesting to follow those trends. But a lot of what I see, I think still we overlook something simple, and that’s that security needs to be part of our culture and the company, and it starts with the users. A lot of times we overlook simple things like just security enablement or security training of our employees, basic things for them to look at.
If you didn’t ask for a password reset but yet, you’re getting an email saying, “reset your password.” You probably want to second guess or take a closer look at that email. Is it a phishing attack? Is someone trying to trick you into giving up some type of credentials or information? And so just getting the people to think about that and making it part of the culture, I think is something. Outside all the other tools, it’s a basic thing that we should all do. I can’t say it’s totally free. It probably does cost us some time and it also may cost us some tools to test it and make sure that it’s working correctly. But most of which is free, right? We can take the time to train our employees and get them to think that way.
How do you describe your own leadership style when you’re trying to have that sort of culture spread through the organization to nurture that kind of thinking? How do you go about doing that?
Yeah, I think, one, it’s trying to inspire or keep your people always curious to think outside the box and to look at things and be curious about them more and not just get wrapped up in just clicking and being on the go all the time, kind of blind to what the content or information might be. Challenging people to be thought leaders and kind of think bigger. So, some of my leaders within the organization. I get them to challenge their teams. Not out of fear of any kind of retaliation or anything from management if something bad was done. But, what can we learn from it? What do we take away from different things? If we did an internal test with a phishing link and somebody clicked on it, I don’t want them to be afraid that they’re in trouble or something. I want them to learn from it. We go back and use that for helping the user understand a little bit more how to maybe hover over that link next time and look at what it really is taking them to. It’s funny. A lot of people think military background that you’re going to be some kind of yelling, screaming type of a leader. And I try to inspire people to think for themselves and be a little bit more of a leader themselves, instead of just counting on everybody in the leadership team.
I want to get your take on threat intelligence, specifically the role it plays in your organization and the importance that you place on it.
I think it’s huge right now to get that visibility in what I call actionable intelligence, right? To be able to take, whether it’s just threat feeds type of data, ingest those into your organization to understand the different threats. But you also have to kind of look at it from what is your posture either in your industry? Is there some type of industry-specific attacks? What are the trends going on at the time, right? Whether it be the Olympics or right now, the hot topic Coronavirus.
We know that anytime there’s a major event like this, off the back end of it, there’s going to be different types of attacks that are going to come, whether they’re phishing attacks over email right now – “Hey, do you read up more about the Coronavirus,” or those types of things? And, so threat intel to kind of get ahead of that. And then what do you do about it? What controls do I put in place around that threat intel, to actually control or to protect the infrastructure and the employees as much as I can?
Without it, we’re just kind of guessing. So that threat intel is huge that you can gain insights from. And then like I said, it’s actionable intelligence. It’s whether you’ve got workflows built to automate some of it, implementing actual controls or policies that will put you in the best posture from that specific threat or threats that might come at you or your organization, your industry and your users.
As you look ahead, you’re looking down the road. What sort of things do you think are headed our way? What are your expectations there?
I’d really like to say something really cool and different there, but I think, some of the same old tricks. We see it time and time again and a lot of these things repeat themselves. They’re cyclical. Social engineering is something pretty simple to solve, but yet it happens all the time.
For how many years now we’ve seen SQL database attacks. It’s pretty simple for most organizations to go and fix them and do things like input validation and whatnot to help fix them. But yet we still see things happen. So, I think it’s kind of the same old tricks in a lot of ways. But reinventing themselves. We’re dealing with smart individuals on the other end, so they keep rethinking how to get it out there, how to reinvent an old type of an attack and do it in a new way. Right now with ransomware, for instance, is on the uptick in a lot of organizations.
So those types of things, I think they just keep happening. And it’s the old tricks over and over again. And the attacks do get more and more sophisticated, at a code level and what they do or the stealthy type capabilities. I think, again, we have to think about where our important assets are in our organization, who has access to them, and how do we protect them in the best way that we can.
And then again, it comes down to the users. If I can trick a user into clicking on a link. Most situations, it’s game over. And so that weakest link coming back to the user. If I’ve got them educated and I’ve got the culture right in the organization to where everyone’s thinking security all the time, I’m probably in a much better place. Even if some new crazy attack that comes out, people have to kind of second guess and question these things as they see them come across the wire.
What goes into your hiring practices when you’re looking to bring someone on your team? What are the things that are important to you and what are the things that maybe aren’t as important to you?
From an importance perspective, depending on what team they’d be coming on, if they’re in the solutions management team where they’re going to be engineering solutions. It’s different. It’s really a diverse technical capability that I’m looking for. And, looking for someone that has very diverse backgrounds in the technology space, whether it be networking and understanding the network stack, security servers, operating systems.
So, it’s that technical skill set and knowledge of the different tools that are out there in customer environments. Their ability to fit in the company culture is important. I think to be part of the team culturally. That needs to be a good fit. And understanding what their goals are, whether it’s long-term, short-term. That we can work with together some of their background and what their work history looks like – does that person jump around quite a bit, short-term everywhere, or have they been somewhere for a long period of time?
I guess I’m wondering, are things like degrees and certifications or are those important factors when you’re weighing whether somebody is a good fit?
A degree is a nice to have for me. I think certification is definitely on the technical side of the team it shows. I know a lot of people are against certifications. They think it’s a vendor’s view of the world or that type of thing. But I think what it does show is that, one, they have the discipline to sit down. They did it self-study or however they went through and learned the content for that certification. And then the fact that they’ve been tested against it and they pass that test shows that they at least retained some of it for that period of time to pass that test.
So I personally like the certification track myself. What they do with themselves outside of work, if they’ve got a family and what kind of drive the person has. I say to folks all the time, we have to be a student of our game. As the bad guys are always trying to change their methods of attack. We can’t just think that we know technology and we just stop there.
We have to constantly keep learning this. I think that’s why IT is so interesting for me. It’s constant puzzle solving. And we have to keep reinventing ourselves and learning more things, learning different technology as it comes out. So, I look for somebody that’s got that drive that wants to come in and be a sponge, be eager to learn. And that’s going to drive themselves to be successful. So that’s really important to me, having that drive and the work ethic.
Our thanks to Nick Kael from Ericom Software for joining us. Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the Web. Cyber news. Targeted industries. Threat actors. Exploited vulnerabilities. Malware. Suspicious IP addresses and much more. You can find that at recordedfuture.com/intel. We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online.
The Recorded Future podcast production team includes coordinating producer Monaca Tedros and executive producer Greg Barrett. The show is produced by The CyberWire with editor John Petrich, executive producer Peter Kilby. And I’m Dave Bittner. Thanks for listening.