Summary
“The Defenders Log” Episode 1 features host David Redekop and guest Chet Wisniewski discussing the dynamic world of cybersecurity. Wisniewski, with decades of experience, traces his journey from early BBS and phone network exploration to becoming a cybersecurity expert. They delve into the evolution of hacking, the emergence of profitable cybercrime like email spam, and the critical distinction between privacy and security. Wisniewski emphasizes the importance of “defense in depth” and how AI can give defenders an advantage. He shares insights on career growth, mentorship, and the need for a more positive outlook within the cybersecurity industry. The episode concludes with a call for collaboration and establishing strong standards to make the digital world safer for everyone.
TL;DR
- Hacking’s Evolution: Wisniewski traces hacking from early phone networks to profitable cybercrime like email spam (around 1999).
- Defense Advantage: He argues that “defense in depth” and AI can give cybersecurity defenders a significant advantage.
- Privacy vs. Security: A key misconception is confusing privacy and security; they are distinct and often in tension.
- Career Inspiration: Wisniewski advocates for guiding young “hackers” toward legitimate cybersecurity careers (e.g., penetration testing).
- Industry Positivity: Calls for a less negative outlook in cybersecurity, emphasizing early detection over 100% prevention.
- Future Vision: Believes communities and good standards can make digital security an invisible, automatic protection for average users.
Links
View it on YouTube: https://youtu.be/1C9xVXGsC6Q
Listen to the episode on your favourite podcast platform:
Spotify
https://open.spotify.com/episode/2uCo86SbLhYTLuiamDjjEQ
Amazon Music
https://a.co/d/dllrGs5
ADAMnetworks
https://adamnet.works
Full Transcript
Introduction
Hacking is certainly not a crime. Hacking is taking something. And is there any one particular misconception about cyber security? When you’re trying to do something on a consistent basis, you make sacrifices. Everyone, including people in the industry, often confuses privacy and security. I just really wanted the world to hear from people who’ve been there, done that. We can do this. We just have to come together as communities, establish good standards, and make sure that average people don’t have to think about it. Things might have ended up quite differently for us. I need to see where you’re going, I need to see what you’re doing, I need to see what’s inside those packets. Any personal sacrifice that you made at any point in time. 98% of everything going in and out of our network is encrypted. Number one: commitment, and number two: low expectations. If there’s an infected computer on the internet, it’s still going to sweep the entire internet every day. I was involved in setting up a South African investment bank. Choose wisely, because it’s a big investment. I’m super excited for what’s coming. You could dial into their systems to access the internet. Deep in the digital shadows, where threats hide behind any random byte, a fearless crew of cyber security warriors guards the line between chaos and order. Their epic battles rarely spoken of until today. Welcome to The Defenders Log, where we crack open the secrets of top security chiefs, CISOs, and architects who faced the abyss and won. Here’s your host, David Redekop.
Initial Conversation with Chet Wisniewski
David Redekop: Hello everybody, and welcome to The Defenders Log, episode number one. This is where we have conversations with people who live in the cyber security defender space and have stories to share. On this very first episode, I’m very thrilled to have my friend Chet Wisniewski with me.
Chet Wisniewski: It’s always good to talk with you, David.
David Redekop: Well, good to have you, and I’m glad you’re able to set aside some time to chat with me in this very exciting, very dynamic space. You and I have both been in this for some time. I just really wanted the world to hear from people who’ve been there, done that, because as much as you and I enjoy the work that we’re in, I’m not sure that there’s enough of the next generation that is taking an interest. And I’m only speaking from the perspective of me speaking to young folk today, like our sons, and none of them have any interest in being in this space, and I can’t understand why, because it’s a pure adventure. So that’s partly what I’ll need your help with. Thanks for joining and I’m glad that we could connect.
Chet Wisniewski: Yeah, no, it’s always good to talk with you, David, and it is. I consider it a fascinating space. I mean, I think the reason I’ve stayed in it so long is that every morning it’s different than the day before because it moves so fast and there’s so much change all the time, which may, you know, for some people, I guess that’s scary, but for me, it’s the most fascinating thing ever, 'cause I get bored easily. The criminals don’t let any grass grow under their feet, and our money turned digital and, you know, there’s an opportunity to steal it. They’re not going to stop anytime soon, and there’s plenty of work to do.
David Redekop: That’s been my experience as well, is that we can’t sit still. Like there’s this real bad asymmetry that I find between the defenders and the adversaries, and you would know this better than anyone in your capacity, but we always find that the good guys have to find every single hole and every single weakness and every single vulnerability and every single exploitable thing in any way. But the bad guys, they have an unfair advantage in that sense, that they only need to find one.
Chet Wisniewski: I don’t know if I agree with that exactly, though, because, you know, the attackers have a whole chain of things they need to get past these days, right? Like you think about the layers and defense in depth that we’ve built around most of our critical assets, or hopefully we have. I mean, too often we’re hearing in the headlines about organizations that haven’t necessarily had strong layers of defense, and therefore we’re getting our eighth breach letter of the year for our information being stolen. But the truth is, if we’re doing this well, I don’t think we’re at such a disadvantage anymore. And actually, I think AI is an interesting topic on this, too, because I think the good guys have a dramatic advantage over the bad guys when it comes to this particular technology. I think about my network here at my house and it’s like, well, first you’ve got to find a way to get past my firewall, and then even if you stole my passwords, I’ve got monitoring, I’ve got XDR, I’ve got lots of different things going on where none of those technologies are perfect, so which means any of them can be bypassed. But to get my information, you kind of have to bypass all of them, right? Like you’ve got to get past all the layers and me not noticing that you’re there, so you’ve got to do it quietly as well in a well-monitored network. I think it’s quite formidable.
David Redekop: Well, okay, so you and I are going to disagree on some things, but I think you’ve already convinced me that if you do defense in depth properly, that you’re basically turning what used to be an unfair adversarial advantage to be your own advantage. So I buy that. But before we get into the technical things, which I’m really excited to chat with you about, because of the space that we live and work in, I would like the folks who are going to watch and listen to this to learn a little bit about Chet. Tell us a little bit about your background. What got you into the space? How did you get started, you know, before the internet and cyber security was even a thing?
Early Days and the Rise of Hacking
Chet Wisniewski: I got involved, ultimately I started on this journey in the mid-80s on bulletin boards and BBSs. I lived in a very rural area and I spent a lot of time at home with my Commodore 64, and I think I got a modem in 1983, maybe 1984, something like that. But because I lived in a really rural place, at least in the US where I grew up, you could make local phone calls for free, but of course the cows didn’t have phones, so there wasn’t really anybody to call much to speak of. So I always wanted to connect to the BBSs in the big cities. But of course, back in those days, AT&T was still a monopoly in the US. And if you can imagine 12 cents a minute, or it’s probably more like 25 cents a minute in current dollars, that’s like a dollar a minute or more that you’d have to pay to call long distance. And somebody kind of turned me on to the fact that maybe the phone network wasn’t so secure and you might be able to make some free phone calls if you messed around with the phone network a bit. That caught my interest. I don’t recommend stealing from the phone company, but it certainly made some connections, and I started kind of figuring out that, at the time, the phone network was the world’s largest computer. I mean, you think about it, it was the only thing connected to just about every country in the world, and certainly in developed countries, every house in the world. It’s a pretty amazing network when you think about, how does this thing work? If you’re starting to try to manipulate the phone network to make a free phone call, you have to understand how it works. And you’re starting to realize this massive, amazing, impressive computer and the programming that goes into operating it. And I think that sparked my curiosity that’s led me all the way through my journey to where I am now.
David Redekop: Wow. So you really were there at the beginning. Like I didn’t even know that you could get modems for Commodore 64s.
Chet Wisniewski: Oh, yeah. The first one I had was an acoustic coupler that you had to take the handset and put it on the suction cups, and then later I got another one that you had to switch on. So you had to dial over the actual phone still, but then you could just flick a little slider switch on the back and it would engage the 300 baud modem. And then, you know, much later we got the auto-dialing modems, and then it was like, “Oh, wow.” Like the thing can dial on its own. Except where I lived, our phone exchange was so old. In fact, to this day, that area, I was just there a few weeks ago, they still have a 1930s era phone exchange in that community. So, no touch-tone calling, no 911, none of these fancy things, which made it easier to bypass.
David Redekop: Right. Wow. That’s fascinating to me because I remember at the University of Waterloo, my first year in 1990, that just a few years prior the Waterloo campus still had one of the only mainframe computers in Canada. Then, of course, computer labs spread out very quickly and then they came online and so forth. So to me it seemed like it happened really fast, but obviously there’s much more of a history.
Chet Wisniewski: I think I first accessed the internet, similarly, not as a student, but the University of Michigan in Michigan was a huge part of building the modern internet, and so they had connectivity in the late '80s and anybody could ask them for an account and they would give you an account if you could dial into their systems to access the internet. So I think I got online, like what we would now consider the internet, it was probably still called ARPANET back then in like 1987, would have been '87, '88 around that time when it was just starting to be called the internet. You could access it through the big university computers, which was really cool.
David Redekop: I’m curious as to at what point did you experience the very first time that you felt that this ubiquitous connectivity, well, as non-ubiquitous as it was, even just universities and those very interested in the magic of connectivity, at what point did you first detect that there was going to be a malicious kind of activity around this that you took an interest in observing?
Chet Wisniewski: It was kind of obvious all along that there was going to be problems, but I guess none of us envisioned that the entire world’s financial networks would be layered on top of it, which obviously changed the dynamic a few times along the way, right? Because I was always interested in, thinking back to, even logging into University of Michigan systems in the late '80s, it gave me access to early IRC, internet relay chat rooms and things like that, and already you’re just seeing that people choose garbage passwords. There’s systems everywhere with no passwords. This could only end in tears. Everything is so poorly built and so poorly managed and secured. And of course because it sprung out of academia in those early years in the early '90s, academia’s view was, well, information should be free and knowledge should be shared, and who cares, these systems don’t matter, why should we lock somebody out of them if they might learn something, which is a beautiful attitude to have, but it’s wholly unrealistic in the world we live in now, isn’t it? And so to me there were two pivotal moments that completely changed information security, if you want to call it that. One was around '95, '96, when Kevin Mitnick was in the news for his crimes that he was committing. Suddenly the world had heard of this thing called a hacker and it wasn’t just a movie with what’s his name? Matthew Broderick. Um, right.
And, you know, it was a bit of a real thing, and the New York Times got hacked. And so because the New York Times got hacked, of course, the New York Times wrote about the New York Times being hacked. So everybody knew about it. And it started becoming a thing that all these computers are on the internet and they belong to these mega powerful rich businesses, and if they get hacked, obviously this is bad. We should do something about this. There weren’t really information security jobs outside of the military and government to speak of, and maybe universities, again, academia, but in the private sector it wasn’t much of a job that you could get until around that time when suddenly, oh wow, these things can get hacked. And then the second pivotal moment was probably about 1999-ish when we all started getting Viagra spams and Russian brides, and email spam became the first profitable e-crime as far as I’m concerned. There was no way to make money off of these crimes before. Kevin Mitnick was a nuisance. He wasn’t making money. And even hacking the New York Times, a lot of this stuff, it was just people showing off and causing harm, but not for personal gain. Just showing that they knew more than the defenders did. And suddenly when the Russians figured out that Canadian based in Saint Petersburg was profitable and that everybody’s mailboxes were insecure and they could just take over any mail server in the world and just send millions of messages for pennies, it changed everything once money got involved. It changed everything, right?
David Redekop: It didn’t hurt them that the Sendmail default installation was an open relay, right, accepting email from anybody, willing to send it off to anybody? Because I remember how quickly we had to, around that time, start patching default Sendmail configurations that were exposed to the public internet, and that was assuming your Sendmail was up to date enough to not have an earlier vulnerability that gave root access by just talking to Sendmail. So, I mean, Sendmail had a long history of dodgy configurations and a pretty bad security posture that goes back to its invention, you know, basically in the early '90s. So, those CF files, oh, it was horrible.
Chet Wisniewski: You were talking about Mitnick and just being a nuisance. Did you ever come across the Monkey A and Monkey B viruses? I think it was those two series.
David Redekop: In my early days, I was all on Commodore and Unix stuff, so I was all on Amigas and then I did a lot of NetBSD and a lot of Unix things. And so, I didn’t pay attention to Windows viruses that much until they became super wormable when we all got hit with Melissa and I Love You and all that kind of stuff, which I think was '99 and 2000. So the really early stuff, I mean, I’d heard about it and there were some Amiga viruses I got on some of my diskettes and things, but I wasn’t a big virus guy until kind of the real famous ones started hitting big time because I remember what you’re talking about. There was Jerusalem, there was a bunch of mid '90s ones, but I wasn’t really in the scene then.
David Redekop: I remember at the time people asking us, “Why would anybody do this?” And the answer was just because we could, right? The bad guys. That would be their response.
Chet Wisniewski: Well, some of them had political messages. I mean, there was an early one that was a macro virus that inserted messages into Microsoft Word documents that said, “End all French nuclear testing.” There was a smattering of sort of politically motivated early viruses. A lot of it was just to see what people could do. A lot of people were just experimenting to see what they could do.
David Redekop: In your work today, do you still come across any remaining Nimda or MSBlast packets?
Chet Wisniewski: I know we’re still seeing a ton of EternalBlue. We’re still seeing Conficker. These things never go away. And with the amount of telemetry we have, I would be really, really surprised if we’re not seeing some MyDoom and some, you know, SQL Slammer. I mean, these things never really go away. Hey, I mean, if there’s an infected computer on the internet, it’s still going to sweep the entire internet every day trying to find something else to infect. And we have just under 700,000 firewalls out there sending us telemetry. So I would be shocked if there’s anything that’s active that we’re not seeing, but it’s not something that comes up all that often. But EternalBlue, there’s still a ton of it out there.
David Redekop: Is there any one particular misconception about cyber security that you would want to communicate to defenders or the public today that you think are commonly misunderstood?
Chet Wisniewski: Everyone, including people in the industry, often confuses privacy and security and lumps them together. And they’re really quite different things. And in this climate that we’re in right now, where many governments are talking about wanting to backdoor encrypted chat programs, the changes politically going on in the United States, there’s a lot of turmoil right now out there and a lot of discussion around online privacy. And I think it’s an interesting challenge, right? Because if you’re a company trying to protect your users, if your users have privacy, then ultimately it makes it harder to protect them. Security and privacy don’t always go together, because if I want to inspect things to know if they’re bad or dangerous for you, that means I need to break into them. I need to see where you’re going. I need to see what you’re doing. I need to see what’s inside those packets. Is there something malicious in there? Is there a URL that you’re going to a phishing website? Well, if I know you’re going to a phishing website, I also know you’re going to an adult content website. I also know that you’re going to your bank, and I also know that you’re shopping for your father’s day present. There are some interesting moral and ethical challenges we face as practitioners, I think, to decide what is okay for us to break into and look at and what isn’t, because in the pursuit of security, you’d want to break into everything and look at all the stuff. But I think we all probably agree that that’s bad. There ought to be some boundaries around some things. And the question of where those boundaries lie is very complicated. I don’t think people think enough about that. And I think security people I know don’t think enough, when they’re providing people advice, about what the actual threat is for the person you’re providing the advice to, right? I was visiting my mom and my uncle two weeks ago. They’re quite elderly. They don’t know much about computers.
When I have five minutes with them, what do I tell them? Do I tell them that their password should be 35 characters with an exclamation point and an ampersand? Do I tell them that the Wi-Fi at the mall is scary? Do I tell them not to plug their phone in at the airport because it might be juice jacking? Probably not. I don’t think I tell them any of those things. I probably tell them to use different passwords everywhere and write them down in a notebook. And I wouldn’t give that advice to my 25-year-old niece. When we give people advice, we need to give it within the context of who they are and what their threat model is. And if your threat model is a nation-state, then the advice you get is very, very different than if your threat model is a commodity scammer who’s trying to convince you that they’re Toronto-Dominion Bank and that you should give them your password.
Career and Personal Growth
David Redekop: Would you then agree with this notion that for many of us today who live in the defenders’ world, if we had been born and raised in a completely criminal community, with the same curiosity, the same hunger for understanding how things work, that things might have ended up quite differently for us?
Chet Wisniewski: And I think this is happening every day in our high schools and middle schools, right? Most kids that learn how to reverse engineer software do it so they can cheat in a video game. That’s an amazing motivation for them. And they’re actually learning an incredibly useful skill. If you can figure out how to break into Counter-Strike and cheat, you can use that same skill to break into computer software and you could be a penetration tester. And there’s a fork in the road for those kids at some point where they realize I can steal these other things and make money, or I could use these skills to stop other people and have a career or a job or, you know, opportunities to make the world a safer and more secure place. And I think that battle’s going on in Discord chat rooms while we’re recording. I think there’s a lot of interesting initiatives going on. I’m not actually aware of any here in Canada at the moment, but I do know in the US and in the UK and in Australia, there’s a lot of programs now starting to try to help point that out to kids when they’re making those choices and go, “Look, you know, sure, you could steal, but do you know how much money a penetration tester makes?” Like, “You could do this for the good guys and have a pretty secure future.”
David Redekop: You speak of a community overall, because it really is about the collective influence of a number of people, and I had the same. But is there any one particular most influential mentor that really would have been the strongest, or a strong, form of influence, that either chose you or influenced you to make a choice for legitimate defense, or for utilizing it for a greater common good?
Chet Wisniewski: Certainly early in my career at Sophos, even 20 plus years ago, Paul Ducklin, who’s a dear friend of mine and a long-time industry guy. For people that work in security, you may be familiar with the EICAR test file that you use to test an antivirus.
David Redekop: Oh, my goodness.
Chet Wisniewski: Paul wrote that as a college student in South Africa back in the early 1990s. Paul was an enormous influence on my modern career, I would say, in that he’s a no-bullshit guy. And the point of everything is to leave the world better than you found it. To not hype things and to help people understand. You might not be able to explain a software vulnerability to them, but help them understand how these things impact their lives and how to make choices to be more secure. And he’s just been such an amazing positive force in the world and a great role model that way. And really, from the very beginning of my opportunities working with journalists and media, he established this unshakable foundation that we have to be a voice of reason and not fan the flames of hype, and help people truly understand how to make choices to be safe, and not do it for personal profit or fame or glory or to be the infosec rockstar. That’s not the purpose of this. The purpose is to leave the world better than you found it.
David Redekop: Yeah. No, that’s really good. I will definitely express my appreciation towards Paul as well, because I have used that download hundreds if not thousands of times for various tests. I’m wondering if you can reference any personal sacrifice that you made at any point in time at the front lines of cyber security. We know sleep is definitely one of them, but what would be your most sacrificial moment in pursuit of your line of defense?
Chet Wisniewski: In a lot of cases, I’ve had a lot of opportunities to go into other jobs and roles that would have paid me a lot of money personally or possibly made me wealthy as being a part of a new company or a startup. And I didn’t feel that that work was as important as the work I’m doing. And so, you know, I’ve been in my current job for, it’ll be 22 years this summer. That’s a long time in this business to be in one spot. And unlike yourself, I’m not a founder or a co-founder of the company. I mean, obviously when it’s your own baby, it’s a little easier to have a long term in an organization, right? But as a contributor, and now a leader within Sophos, that’s a long time to be in one spot. And along the path there have been many times where I’ve had opportunities to do other, possibly more personally beneficial things, but I recognize the amazing spot and the role that I have allows me to have so much influence on making the world a safer place, and I genuinely believe that I’ve kind of foregone things that might have been very profitable but probably are far less important.
David Redekop: We’re certainly very grateful for the good choices that you made, because in our industry, when we have industry standards to reference, to say, here’s a person who’s played a significant role and showed that churn wasn’t necessarily part of the journey, that you can pick strategically. I remember a video that I just watched yesterday about a guy who talks about a successful marriage. He says it only takes two ingredients. It takes number one: commitment, and number two: low expectations. And if you have those two, you’ll have a successful marriage. And in a way, it’s almost like that with cyber security. I find that if you have low expectations on any given day, it will be there for the long haul. But, um, yeah, I do have another question for you, two actually, that came to mind as you were sharing. I remember a long time ago when Astaro was still a separate company. Is there anything there that you were involved in with Astaro, which we were huge fans of, by the way?
Chet Wisniewski: I was too. Um, and I remember, yeah.
David Redekop: Oh, that’s right. Well, I have a quick story to tell you then. I was involved in setting up a South African investment bank with six Astaro units so that they would operate in high availability in three different networks. And that was my first real, “wow, you can actually have security and stability at the same time.” So, is there anything about that event, the Astaro acquisition, that you were part of?
Chet Wisniewski: A colleague of mine, Chris Craft, who I think is with Arctic Wolf now, but at the time we were working together at Sophos, and he was tasked with finding a firewall vendor that was interesting to purchase, because we knew we didn’t want to start from the ground up, but we wanted to get better network visibility and get into the network security side of things more. He had kind of come up to me with the menu of, “What do you think of these four vendors?” And I looked at the list and I’m like, “Astaro.” And he’s like, “Really?” I’m like, “Yeah, no, I’ve played with all of them.” And Astaro, I was using it at home at the time 'cause they had a free home use license, and I was using it on my own hardware at home and I was very familiar with it and I knew the quality to be exceptional, and I was like, “Yeah, there’s no question. Just buy the Astaro one.” And a few weeks later we went forward with the transaction. But I believe the last Astaro based firewall is going end of life this month. So, we still have that product line in, but I don’t recommend buying one today, because I think the end of this month is the official end of life, where I think it gets another year of updates or something, but it’s still around.
David Redekop: Well, I’ve deployed my share of them in the world of Canadian brands. I’m definitely proud of every deployment that we’ve ever done. So kudos to you and that role. If you could go back and give your younger self any one piece of advice, what would that be?
Chet Wisniewski: Do as many of the things as possible to figure out which is the thing that is going to really light your lamp and get you excited and want to do things. In the mid '90s, I was working for a network integrator and I kept overhearing this guy in the room down the hall having conversations with customers, and this is before we really had the modern term of sales engineer, but that’s what the job kind of was, really. It was a network architect kind of thing where you would work with the customer to design a solution for them, and then if they bought it, somebody else would go in and install all the stuff and set it up and things. But I wish I had done that earlier, which was, I was hearing that guy, and after he was done, after a couple of days, I walked down the hall and I said, “Who are you?” And he goes, “Oh, I’m Jim.” I said, “Hi Jim, I want your job. Like, what is this that you’re doing, and what do I have to do to be sitting in that chair next year doing that? Like, you know, guide me, mentor me, teach me, show me, whatever, however you want to say that, right?” I wish I had thought of that, or gone down that path, steps earlier. Ask for help, ask for mentors, find somebody who’s doing something that sounds super fun and exciting that you’re really motivated by and just go ask them. Go ask them.
David Redekop: It is quite common in our industry from folks that I’ve talked to, where not having a university degree was not a hindrance to getting really meaningful work. And that was because I sense that our industry was in such rapid flux that we were able to adapt fast if not faster than academia could at the time. And I see that pattern repeating itself. Like it used to be like that with accounting where you didn’t need a university degree to be an accountant. Eventually you had to. It was much more regulated. And then it was like that with actuarial science still in the '90s. I don’t know if it is still like that today, where as long as you passed your actuarial science exams, you would have the equivalent of a university degree. And still to this day, I sense that a lot of defenders and even adversarial emulations, red teamers, are looking for the ability to think like an adversary and to defend like a defender as being the more important attribute.
Chet Wisniewski: So, well, yeah, and this career didn’t exist when I started. I mean, if I could have gotten started in information security in the early '90s when I started my career, I would have done it, but these jobs didn’t even exist. And so that was why I had to do other things, you know, networking and other computer tasks, until this kind of developed into being an industry. But then when it did become a real job, at that point there still weren’t really any college degrees or anything outside of the fantastic program at Purdue. I mean, if you want a formal education and you really want it to be awesome in information security, you have to go to West Lafayette, Indiana, to Purdue University’s CERIAS program, started by Gene Spafford in the '90s. There are very few computer security programs out there that I would give the time of day to, to be honest. Most of them are trying to capitalize on the interest, right, in employment in our industry and the high wages and the alleged shortage of people. And that is not Purdue’s program. It is an amazing program. I’ve had the pleasure of guest lecturing down there. And in fact, Gene was just promoted to distinguished professor at Purdue, which is quite an accomplishment for Gene. That is an amazing program. UC San Diego has an amazing program. UT’s program is rated quite well these days as well.
David Redekop: I think my wife and I, we have this conversation very frequently about the value of academia. And my response usually is the lawyer type. “Well, it depends.” And then a whole bunch of dependencies on when academic credits really do matter and when they might not.
Chet Wisniewski: It’s like certifications, right? I get asked constantly by students about what certifications they should pursue. And it’s a tough question, because some of them matter in some things more than others. It depends on where your career is going to go, right? And they’re expensive. Just like college is expensive, certifications are expensive. Choose wisely, because it’s a big investment.
David Redekop: If you came to this podcast looking for a very specific certification answer, another Chet, I don’t have an answer for you, but yes, be hungry and choose wisely is what I would say as well. Is there any one particular most rewarding moment that you’ve experienced as a defender?
Chet Wisniewski: I used to have a podcast that I did for many years for Sophos called the Sophos Security Chat, and I did about 300 episodes over the course of, I don’t know, seven or eight years. I didn’t realize how influential that was on so many people’s decision-making for how to protect and secure their organizations until I stopped doing it. But, like, the number of times, walking around at RSA (I think I met you for the very first time at RSA, probably six or seven years ago), people will be like, “Hey, are you that…” They’ll see my badge hanging with my name in giant print, like you have at RSA, right? And they’re like, “Oh, Chet from Sophos, are you the guy from the podcast?” Because I didn’t do video on my podcast, people wouldn’t recognize me, but they recognize my name, like, “Are you the guy? Oh, yeah, I used to listen to that,” and, you know, all these different things that it helped them clarify and understand that they did to protect their organization. I didn’t recognize how much of an impact that had on so many people. Having these types of conversations where we’re being genuine, we’re talking about real problems, we’re talking about practical things and how to soberly assess the risk of something and make a good judgment about it is unfortunately uncommon, apparently.
David Redekop: Yeah.
Chet Wisniewski: And when you do that, it has this enormous ripple effect in people’s careers and lives and decision-making, and it’s really amazing. And I mean, I’ve even had the opportunity from that that I’ve gotten hired to give, you know, some talks privately at businesses and things for rather handsome sums of money, off the back of, “You’re a trustworthy person with credibility, and we believe you will truly influence people to do security better.” And that’s pretty cool.
David Redekop: That’s awesome. Congratulations. I mean, I did not realize you had done that many episodes.
Chet Wisniewski: I knew others while I was on airplanes and in hotels in 35 countries. It was a lot to do, as you’ll find doing the podcast. I mean, you’ve got a much nicer recording setup and things than I certainly had. I think I did at least a dozen episodes from Air Canada Maple Leaf Lounges.
Chet Wisniewski: So, when you’re trying to do something on a consistent basis, you make sacrifices.
David Redekop: Well, now that you mention that, I’m not sure how sacrificial I will be, because I can imagine even earlier, when I asked you about sacrificial moments, you never mentioned how committed you were to doing podcasts while you were on the road. But we live in a day today where that technology is possible.
Looking Ahead
David Redekop: So I’m super excited for what’s coming, and I’m really glad I was able to connect with you today. Is there anything that you want to leave our listeners with in terms of wisdom or a nugget of advice on cyber defense?
Chet Wisniewski: I think we’re too negative in this business, and I think that that’s something we need to carefully think about, and maybe that’s why you mentioned youth not coming or expressing as much interest. Well, as much as we complain about mental health, stress, burnout, it is a high-pressure responsibility to be a CISO today. You’ve got lawyers and boards and regulators and criminals all coming for you. It’s a lot, and maybe that just dissuades a lot of people. But I also think there’s a lot of negativity in our industry that we’re losing these fights and that there’s nothing we can do about it, and nobody’s going to arrest the Russians, and they’re just going to keep coming and stealing and robbing us blind, and ransomware is inevitable, and what am I supposed to do? We consider anything that gets past our defense as a loss, and it’s just not true, right? Because being successful is detecting it early, not preventing everything. We can’t prevent everything. I mean, as much as I masked and avoided human beings, I got COVID, but once I got COVID, I went to the doctor and I got Paxlovid and I did something about it to try to minimize the harm and risk to my body of this bad disease. And it’s no different. Just because we can’t prevent 100% of attacks doesn’t mean we failed. The goal is to try to prevent 90%, and then the 10 percent that we don’t, detect them in an hour, not a week. And if you detect them in an hour, it’s the equivalent of catching a mild cold as opposed to a deadly disease. If we are a little easier on ourselves and stop being as negative about losing as much, I actually think we’re making an enormous amount of progress. And 10 years ago, Ed Snowden told us that the government was listening to everything we did on the internet. Here we are, 98% of everything going in and out of our network is encrypted, and my mom didn’t have to do a single thing. It just happened. We did it perfectly. It’s in the background, it’s automatic. You don’t have to think about it. You’re suddenly safe. We can do this. We just have to come together as communities, establish good standards, and make sure that average people don’t have to think about it. That it’s just there for them.
David Redekop: That’s good solid wisdom right there, is that we can do this, we can do better and we can present it as a positive environment. Because really it is about problem solving, right? And there is a real sense of reward in doing problem solving. So you certainly gave me lots to think about today, Chet. I don’t know if you have any particular upcoming events 'cause I know you were the keynote at the BSides just a few weeks ago. Do you have anything coming up where people can find you?
Chet Wisniewski: No, nothing, nothing in the real short term, although I will be at Black Hat and Defcon. If people want to say hi, they can reach out to me on social media on LinkedIn, and I’d be happy to meet up for a coffee or a brew somewhere in 45-degree Las Vegas. And in October you can see me in London at the Gartner Summit, and you can also see me in Santiago, Chile, but I don’t know that your listeners are likely to find me in Santiago or London, per se. But I do hang out on Mastodon and post there and on LinkedIn when I’m speaking at events.
David Redekop: Awesome. Well, I’m going to look you up in Vegas again, but definitely not in the heat and definitely not to gamble. So we’ll connect. Thanks very much for joining me today. Appreciate it very much, Chet. Take care.
Chet Wisniewski: See you, David. Cheers.
David Redekop: Bye-bye.
David Redekop: The Defenders Log requires more than a conversation. It takes action, research, and collective wisdom. If today’s episode resonated with you, we’d love to hear your insights. Join the conversation and help us shape the future together. We’ll be back with more stories, strategies, and real-world solutions that are making a difference for everyone. In the meantime, be sure to subscribe, rate, write a review, and share it with someone you think would benefit from it, too. Thanks for listening, and we’ll see you on the next episode.