Watch podcast interview now with Bruskin and HALOCK Radio host Terry Kurzynski.

TRANSCRIPT

Hey, we’re here at HALOCK Radio. These are the interviews with information security leaders podcast, and we’re here with David Bruskin. And David, it’s been at least fifteen years since we worked together?

Yeah. So you and I first met when I was coming out of university, and it was, like, my first big-time job. I joined Remington Associates as a network security consultant.

Big eyes, bushy tails, ready to, you know, rock the world, getting into cyber, which, you know, back then, had no idea where it would end up here many years later. We met a long time ago, and it’s great to be on the show.

Well, and it sounds like you just had tremendous success. Just get me caught up in the last fifteen years. I know we get busy with life and, you know, I I know I got married and had kids, and I know you had some stuff happen too. But let’s start with the career.

You know, catch me up to today on the career side.

Yeah. So, you know, starting off, before joining it, right, kinda doing a university job, working for the cyber security team. I was, you know, number two at the university security team many years ago and kinda fell in love with security.

And, you know, since departing university and working for your organization, as well as other organizations, I kind of built myself up consulting and implementing basic firewall, antivirus, you know, mail gateways. Then started getting into the next evolution of, like, FIM and, you know, kinda next-gen tech. Started doing full packet capture, consulting, and engineering.

And then eventually kinda moved from technology consulting to more, like, services advisement. So, like, how to build a SOC, how to respond to incidents, you know, kind of strategic services to either come in post-breach or, you know, go into an organization that kinda wants to be forward-looking and, like, you know, build it from scratch, maybe a separation or divestiture.

So really kind of progressed in my career to where I’m at today, at Synchrony Financial and, you know, essentially a large financial organization where we provide a

How many employees do they have?

So we’re about twenty thousand.

That’s an organization.

Yeah. And, you know, we have a variety of verticals that, you know, most people know through our major brands such as CareCredit, and very important clients and partners.

If you have a credit card at a store such as Lowe’s or Amazon or, you know, TJX, that’s us behind the scenes. So, a variety of consumer-facing infrastructure that my job is to protect.

You know, going in my career from engineering, implementing technology, protecting it, to now leading an organization that’s responsible for the twenty-four-seven action for, York.

Well, you know, you mentioned incident response. I think what I always find is that, you know, clients and audience members, they really want those little hints and guides, like, you know, if there’s one piece of recommendation or hint that you can give about your lessons learned on incident response. You know, do you have anything that really sticks out that, like, oh, man, if I would’ve known that then, you know, I would’ve saved a lot.

Yeah. You know, I think you can buy and acquire the greatest technology, core packages. But I think it’s having the right people, having those passionate technologists who believe in the mission with you, that is so critical. And then the existing technology that you have, be brilliant at the foundation. Right? Everything starts at the foundation, whether it’s how to provision a user, how to collect logs, are you collecting the right logs to secure those identities?

You know, often you look at these, you know, big breaches and it has to do with just foundational elements that, Yeah. I didn’t have a hundred percent coverage or, you know, hey, we were ninety-eight percent there on the implementation and that last two percent burned us. So it’s being brilliant at the basics and having that solid foundation and people that are passionate.

Being brilliant with the basics. So give me an idea, your title. What’s your exact title at Synchrony right now?

So I am a senior vice president and head of cyber operations.

How many people are reporting to you at this point in the structure, roll up to you?

Yeah. So I have around ninety.

Ninety people, ninety souls that you’re responsible for directing in some form or fashion, either directly or indirectly.

Yep.

Now how do you, let me just ask. How do you deal with that sort of pressure? I mean, there was a stat. I was at a conference Friday, and they said one in six, you know, cybersecurity leaders are, you know, alcoholics or addicted to some sort of drug just because of all the pressure. Right? And I believe it. Like, you know, we’re constantly being rattled.

You seem pretty composed. Like, so how, what are you doing to really, you know, keep that composure and, you know, keep it under control?

So I’m a big proponent of, like, structure, like, repetitive structure. Okay. So when I think about kind of my day-to-day job, right? You know, a lot of it is repetitiveness.

And when I say repetitiveness, daily operations call where we assess the current threats out there for the day, the new vulnerabilities, you know, things like that going on in the environment.

We talk about how our infrastructure and telemetry is doing. So do we have any issues, challenges, ongoing changes? And then we discuss, you know, current investigations going on that we need to respond to. And then we kinda overlay that with different physical aspects, right, things that could pose risk to our infrastructure, whether it’s a hurricane or, you know, executive travel or maybe a new upcoming business application release.

So having those consistent daily touch points is huge, and then I keep with that theme, right, of doing, you know, repetitive check-ins. We’ll review our technology every so often. Review our KPIs and KRIs. Right? And we do these in an open setting where everybody has a voice, and it helps me as a leader, right, that has managers of managers, understand the pulse.

Right? So understand those conflicts, dynamics, challenges.

Those are some of the examples of just trying to stay on top of it.

You know, and so you’re talking about a management structure. Is that something you built yourself? Did you inherit it? Were you trained on this from, you know, RSA or some other pass? Where’d you get that knowledge, the structure, the formats, you know, the process? Where did that come from?

Yeah. So, you know, I call it my TRD, my tech review day, my PRD, my program review day, and then my ORD, operational review day. All three of those core kinda information-gathering exercises hold elements that I always wished I had in one particular job. So whatever organization I was at, whatever SOC I was sitting in or organization that I was helping out, I kinda pulled, like, all the best out of all of those different organizations to come up with this philosophy. It didn’t come from one single company, but it was like, I like that approach.

So the tech review day, how often is something like that being done? How often are you doing a tech review day, let’s say?

So we do our tech review days every other month, where we do a complete bottom-up review of each tech, challenges going on, right, upcoming releases, and the product owners, right, get to brief out the leadership team, the peers, and talk about the tech they’re passionate about and owning.

And the other one was product and then the other one was operations. Is that what I heard?

PRD. Program review day.

Program. Got it. Okay.

And that is where we look at, you know, the trends. Right? We look at the performance metrics. We talk about, you know, were we late to respond to that investigation, or what is our volumetric, or, you know, how many alerts do we have coming in, reaction time, dwell time, analyzing and slicing and dicing that data to determine where we need to make kind of program deviations or course corrections.

And is there any tool that you really relied on other than, say, you know, Excel and Word and PowerPoint to manage this stuff? I mean, is there some key tool that we should come away with on this one? And I’m not pitching a tool here for you, but I just wanna, you know, I think the audience might wanna know, like, well, what are you doing to manage that, you know?

So Yeah.

So great question. So, you know, throughout running these PRDs, they’ve evolved. Right? I’ve learned. My team has learned, my incredible set of leaders that I have.

You know, they’ve said, Hey, we’re gonna do PowerPoint. We like PowerPoint. Then we like Excel. Then we’re like, no.

We wanna do analytics and a BI tool.

And now we’re at, we’ve actually developed our own BI tool, so we can kinda pull in Okay. Mold and craft. So it’s a custom-built BI tool, but anybody could do this in Tableau or SharePoint or whatever tool set that folks are used to.

Cool.

Fascinating. So then alright. So I’m gonna go back to my original question. How do you decompress?

Like, how do you remain so calm and confident? You know, what are you doing? Like, I know a lot of security leaders, information security leaders, have hobbies, you know, mine are kind of extreme-sport-like. But what are you into that’s kinda getting you distracted from the day-to-day, you know, hyper hacking that’s going on?

You know?

Yeah. So I think first is, you know, daughter’s soccer. So watching my daughter’s soccer, it kinda, like, completely, you know, disconnects me, and watching, you know, a bunch of seven-year-olds race around is a lot of fun. As far as, you know, I think it’s important to stay fit, stay active, like what you’re doing, whether it’s men’s league softball or golf, or I do quite a bit of running. So some of those to kinda get away from the phone for a little bit is very important, and that helps. You know, cooking. I love to cook, and these things bring the heart rate down.

Yeah. Well, sometimes I talk to the security leaders. I’m like, what do you do for fun? They’re like, I read threat intel.

You know, I read threat intel reports. I’m like, that doesn’t sound like fun to me. You know, it sounds like work. So alright.

What about, what’s your latest song that you might have added to your pod, you know, like your playlist?

So I’ve been really getting into, like, Zach Bryan and Chris Stapleton. Something about, like, the, the Yeah. Like, they slow down a little bit.

Yeah. Yeah. Like, they slow the mind down because I think all security professionals, like, what you were saying, like, our minds are racing all the time.

Yeah.

So early on in my profession, I loved the house music, the EDM, like, the beat that was constant. And now I’m trying to find ways of, like, slowing down. Right?

Yeah.

Right. Great. Originally, we wanna be all hyper and just thrashing. And now we’re just like, no. We have to live long. We have to keep the tension down and the stress down. Right?

So I don’t remember. Do you play a musical instrument? I don’t remember if you did or not.

So I do not. Growing up as a kid, I played percussion, drums, and was not good at it. Enjoyed it.

And now I think if I could look back, right? Hindsight’s always 20/20. Sure. I would have loved to play guitar.

Like acoustic guitar, I think, is like a hobby or a skill you could carry with you your whole life.

It sounds like my life right there. Right? So I started out playing drums too, but I kinda, you know, I got a little, maybe I would say, bored with drums just because it’s, you know, the beats over and over again. But, yeah, I picked up guitar years ago, and, actually, this is a 1966 Martin with Brazilian. It’s a D-35.

And it’s Brazilian wood. So you can no longer make those because they outlawed using Brazilian hardwood for guitars, because they’re endangered. Oh, wow. But it’s my favorite guitar to play because the way they age and sound is just fantastic. So alright. Well, that’s great.

Predictions. I’d like to know what your predictions are for 2024. You know, as we kinda head into the year here, everyone’s trying to come up with, what do we need to be prepared for? What’s everyone talking about? What’s the next big thing? I kinda have my predictions, but I kinda wanna hear your predictions. What do we need to be thinking about?

Yeah. So, yeah, I think identity and privilege is still paramount that we as security leaders get perfect. Right? It just takes one, you know, one phishing exercise where they get a username and password, manipulate the MFA, and they walk in the front door. You know, there’s lots of big-name breaches where that occurred. So understanding identity and privilege is still gonna be crucial.

Is there a recommendation? I like that idea. Right? So you’re talking about the, you know, the initial token upon authorization.

What Is there one thing that every organization should be doing that could prevent that?

So I would make it even. You know, I talked about being brilliant at the basics and kind of setting that foundation.

You know, I would implore and advocate for looking at the basics of how do we have a new user get onboarded? How do we provision an identity and that secret? How do we deliver that secret? How do we enroll MFA? Change MFA?

You know, those types of foundational building blocks, I think, are so crucial. And I think the data’s there to represent why we have to get it perfect, right, of, you know, targeting. Attackers do incredible reconnaissance on LinkedIn and social media. They know who the super admins are. They know who to impersonate and who to do account takeover on and do the unenroll and reenroll. So those basics, right, we have to get right. Yeah, I would say, you know, big 2024 prediction is we need to continue focusing on identity and privilege.

And the other item I would throw in there is the speed.

We have to get faster. You know, you look at all those reports out there and research papers about how fast an attacker moves. I’m sure many organizations out there can kinda giggle at this, but, like, it takes hours to get the right people on the phone, get the right authority to make a change.

And then three hours, you can lock up a whole division. Right?

So Yeah.

And, you know, there’s no rules the attackers are playing by. So I think the decentralized decision making, the speed, the ability to authorize changes to the environment and just overall react faster. It goes back to speed.

I like it. And then, you know, ransomware was a big issue in 2023. Right? I mean, we heard of big ransomware attacks.

That last defense is those backups. Are there a couple of key insights on what people need to be thinking about? You know, I know that Microsoft kinda hurt us with the whole primary and backup domain setup where, you know, people don’t realize you can’t use that as your alternate, you know, domain at the backup domain, because if the primary gets locked, you’re not gonna get, you know, access to your backup infrastructure if you used the backup as your backup infrastructure domain, you know. Guidance on backups and protecting those?

So I, you know, I think utilizing examples of how companies have been ransomwared and building that anatomy of an attack, replicating how that occurred in that unfortunate victim, how would it play out in your environment.

Those, you know, those security leaders, right, they need to put together those exercises, and not just a tabletop, but certainly determine, right, you know, if an adversary were to come in and do this and that, how would that play out in my environment? How quick can we restore to an alternate location? How can we restore from the backup environment we thought was secure, right, and that potentially could be compromised? So rehearsing and simulating, utilizing kind of the real-world scenarios, I think is important, ensuring, right, that people know how to react, right, should it happen. So, you know, within my organization, we do a variety of tabletops, but also forced, you know, DR scenarios and implement BC plans and test.

I was gonna ask about that. So you have the incident response plan, you have the DR plan, and you get kind of maybe two different sets of citizens, you know, departments.

Do you guys do your exercises together for those?

Yeah. So I think, you know, the natural evolution of how the industry is moving is, you know, operational resilience. Right? Typically, as you said, those teams are sitting separate, right, report up through different pillars. But, you know, to ensure resilience within the organization, security leaders, you know, they gotta partner, right, with the business and the technology leaders to dedicate the time and resources to practice, ensure we’re resilient, and plan for it.

Wow.

My personal prediction is that I think it’s gonna be the rise of governance next year. Right? You know, I don’t know. Are you guys publicly traded?

We are. Yes.

So you’re thinking about the 10-Ks and what’s gonna go into those. Is that something that you’re embracing, that whole process? How’s that going, I guess? Yeah.

You know, so it’s been fun. Right? In my eyes, it’s been fun. Right?

Because working with, you know, your securities team, understanding, you know, disclosure requirements and how disclosures happen on a frequent basis. Right? You know, how they occur and how cyber is gonna kinda overlay with that. So, you know, all publicly traded companies, right, should at this point, now that the ruling has gone live, have those templates ready to go, should know how a materiality determination occurs within their own organization, determine if the committee is interacting with those securities team, security team.

Certainly, I think it’s just another regulation, another reg, and there’s gonna be others, right, that are following on. And it’s gonna be important, right, that this is the new norm, but consistency within those incident playbooks, communication playbooks, you know, disclosure playbooks.

That is gonna be important because you can’t have people burning out when, like, the next federal agency puts one up. Or if you’re in a multinational company, right, you know, other countries are quickly following. Now, some are ahead of us, right, in the US.

Some are lagging, but it’s gonna be an onslaught of regs, and consistency is gonna be,

So the drive for the board to be involved in making decisions about threats and bringing an acceptable level to all interested parties.

That’s kind of the messaging in some of the SEC cyber security rule. Are there any changes your organization’s gonna make so that the board and executive management can make more effective decisions and get information so they are able to make decisions? Because I think a lot of boards are like, Yeah. The security team kinda deals with that. But now they don’t have that luxury. Right? They have to show how they are involved in making decisions. Is that gonna drive any changes in behavior for your organization?

Yeah. So I think the frequency, education, touch points, and questions is gonna rise. And that’s not a bad thing. Right?

Never let something, you know, never let a new ruling in the records go to waste. Right? Right. So capitalize on it, balance that risk and that education.

And I think certainly when it comes to, let’s say, some of the new regs coming out, like the SEC ruling, it can be interesting for the next year to play out, because a lot of companies, right, including, you know, director positions, are gonna probably err on the side of caution. So probably over-report or put in more details, be more transparent to ensure, right, they don’t fall into the enforcement eyes or analysis. And I think you’re gonna see a pullback, you know, where companies will kinda say, hey, let’s do the bare minimum. And in about a year or so, the SEC is probably gonna come out with some form of advisement, recommendation.

Further guidance. Yeah. Yeah.

Yeah. And that’s not a bad thing. Right? And you can show your balance, as you notify the shareholders, right, that absolutely deserve to know what’s going on, versus putting the existing organization at risk by oversharing as potentially the adversary still has a backdoor foothold in the environment, as those folks are battling an ongoing incident or doing mitigation cleanup.

This might be a good time for me to mention our sponsor real quick. So Reasonable Risk SaaS, only cyber security, for an existing built on the Duty of Care Risk Standard, reasonablerisk.com. Thank you to our sponsor for sponsoring this podcast. So hey, and with that, Dave, I wanna really thank you for your time. It’s been, I mean, it’s really cool to see, you know, from fifteen years ago and where you’ve come. You’ve been so successful.

I appreciate you taking time on this podcast today, and a lot of people benefit too, because there’s some great nuggets that I, you know, that I personally got from it. So thank you for your time. Any parting words to our audience on going forth for 2024?

Stop. We’re seeing an unprecedented level of attacks and vulnerabilities.

Certainly know that it’s all about surrounding yourself with good people. Right? But good people need rest and time, and, you know, as we head into the holidays, you know, I think it’s an excellent time to maintain operational readiness, try and, you know, slow down a little bit. But, certainly, next year, we know it’s gonna be a big year.

Thanks a lot, Dave. And here’s to a happy New Year. We’ll talk soon.

Alright. Thank you, Terry.