This installment of “Sitdown” shifts from the end-user world to the vendor world, where we schmooze with Ingalls Information Security’s Cyrus Robinson, whose upbringing exposed him to computers and later a stint in the U.S. Air Force got him hooked on cybersecurity.
Nowadays, Robinson’s focus is on running a first-rate SOC (he shares some great leadership thoughts below), but he has a bigger mission in mind: He is passionate about introducing more diversity into security operations, not only to ensure under-represented communities get a fair shake on opportunities but because diversity will help the function thrive.
Enjoy the conversation!
1) Hi Cyrus! Thanks for (virtually) sitting down with us. Tell us about where you work, what you do there, and the role security operations play there.
I am the SOC director and incident response lead at Ingalls Information Security, a Louisiana-based cybersecurity firm. Security operations are woven into the fabric of everything that we do, whether that be consultants working as virtual CISOs or leading tabletop exercises, technical testers conducting penetration tests, incident responders investigating breaches, or SOC analysts monitoring our managed detection and response (MDR) clients’ environments. As SOC director, I get to build and lead the team that monitors for and responds to incidents in client environments. In the role of IR Lead, I’ve had the opportunity to respond to everything from business email compromise to ransomware incidents impacting organizations from every sector imaginable. I’ve investigated incidents impacting health care providers, MSPs, banks and credit unions, state and local governments, school districts, and even professional sports teams. With our organizational focus being on providing cybersecurity services to our clients, it’s important for us to implement safeguards for our clients that offer the same rigor and scrutiny that we apply to ourselves.
2) Describe your career path and what propelled you to want to work in security operations?
I’d describe my career path as the intersection of opportunities and personal interests. When I was a child, my dad (who was also my best friend) fostered a spirit of critical thinking, as we would spend evenings debating everything from politics to religion to sports. I also owe my interest in computing to my Uncle Lloyd, who owned a computer company and introduced me to computers and the internet as a child. I spent my teenage years experimenting with computers and networking, and when I enlisted in the U.S. Air Force, I pursued a career in communications-computer systems, working in change management and later as a systems administrator for the Air Force Global Strike Command (AFGSC). This learning opportunity also set me on a path towards getting my CISSP certification.
The federal government shutdown of 2013 motivated me to move into the private sector for my next role as the IT director for a large cardiology practice, where I developed real-world, hands-on experience managing and securing an enterprise environment, developing and implementing policies and procedures, and gaining a detailed understanding of HIPAA.
In fall 2019, I came across an opening for a SOC analyst position with Ingalls Information Security. I knew that my qualifications were beyond what was needed for this specific role, but I couldn’t pass up the opportunity to see if it could get my foot in the door back into the world of cybersecurity, the field where my true passion lies. In April 2020, I was given the opportunity to transition into the position of SOC director, my current role, and where we have had great success in building an incredible team of passionate cybersecurity professionals.
Cyrus Robinson began his IT career in the U.S. Air Force, before pivoting to the private sector (and later security operations).
3) What’s the most important hard skill(s) and soft skill(s) for an analyst or engineer to possess to move to the next level?
Some of the most important hard skills for a SOC analyst include an understanding of networking defense and log sources. Understanding what differentiates between an IDS alert for your run-of-the-mill scanning activity and an actual attack is vital to timely network defense measures. Likewise, knowing which logs contain potential indicators of compromise and which logs are normal “noise” in an environment can be invaluable in an investigation.
One of the most important soft skills for a SOC analyst is curiosity. The truth of the matter is that the world of cybersecurity is evolving at such a rapid pace that an analyst might feel discouraged by the sheer breadth and depth of knowledge that it takes to keep up with it all. In a world where so much of the collective intelligence of mankind is readily accessible on the internet, I believe that a curious analyst with a solid understanding of the fundamentals of cybersecurity has what it takes to truly excel.
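The previous answer names two of the analyst's core judgment calls: telling scan noise apart from an actual attack, and knowing which log sources carry indicators worth chasing. The following Python is an added illustration of how a SOC might encode that triage as a first-pass rule, not code from the interview or from Ingalls Information Security. The event format, IP addresses, signature names and thresholds (eight distinct ports in 60 seconds, a 15-minute follow-on window) are all constructed for this example; a real deployment would tune them against its own baseline.

```python
"""Added triage example: separate scan noise from IDS alerts that are followed
by successful activity on the targeted host. Everything below is constructed
for illustration; it is not a vendor's or the interviewee's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the article): a source that hits this many
# distinct ports inside the window looks like a scanner, and a host-side
# success within the follow-on window after an alert is what escalates it.
SCAN_PORT_THRESHOLD = 8
SCAN_WINDOW = timedelta(seconds=60)
FOLLOW_ON_WINDOW = timedelta(minutes=15)

# Constructed sample events in a simple "timestamp kind key=value ..." format.
# "ids" lines stand in for network IDS alerts, "host" lines for endpoint/auth logs.
SAMPLE_EVENTS = [
    f"2024-03-01T10:00:{i:02d} ids src=203.0.113.5 dst=10.0.0.7 dport={p} sig=PORT_PROBE"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
] + [
    "2024-03-01T10:05:00 ids src=198.51.100.9 dst=10.0.0.8 dport=22 sig=SSH_BRUTE_FORCE",
    "2024-03-01T10:07:30 host host=10.0.0.8 src=198.51.100.9 event=ssh_login result=success",
    "2024-03-01T10:09:00 ids src=192.0.2.44 dst=10.0.0.9 dport=80 sig=WEB_SQLI_ATTEMPT",
    "2024-03-01T10:20:00 host host=10.0.0.9 src=192.0.2.44 event=web_login result=failure",
]


def parse_event(line: str) -> dict:
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts_str, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def _looks_like_scan(alerts: list) -> bool:
    """True if any SCAN_WINDOW slice of this source's alerts spans many ports."""
    for i, first in enumerate(alerts):
        ports = {a["dport"] for a in alerts[i:] if a["ts"] - first["ts"] <= SCAN_WINDOW}
        if len(ports) >= SCAN_PORT_THRESHOLD:
            return True
    return False


def _has_follow_on(alerts: list, host_events: list) -> bool:
    """True if the same source later succeeds on a host it triggered an alert against."""
    for alert in alerts:
        for h in host_events:
            delta = h["ts"] - alert["ts"]
            if (h.get("host") == alert["dst"] and h.get("src") == alert["src"]
                    and h.get("result") == "success"
                    and timedelta(0) <= delta <= FOLLOW_ON_WINDOW):
                return True
    return False


def triage_alerts(lines: list) -> dict:
    """Map each alerting source IP to a verdict: escalate, scan-noise, or review.

    Follow-on success is checked first, so a scanner that then logs in is
    escalated rather than dismissed as noise."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    host_events = [e for e in events if e["kind"] == "host"]
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "ids":
            by_src[e["src"]].append(e)

    verdicts = {}
    for src, alerts in by_src.items():
        if _has_follow_on(alerts, host_events):
            verdicts[src] = "escalate"
        elif _looks_like_scan(alerts):
            verdicts[src] = "scan-noise"
        else:
            verdicts[src] = "review"
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage_alerts(SAMPLE_EVENTS).items():
        print(f"{src:15} -> {verdict}")
```

The point of ordering the checks this way is the one the answer makes: the scan itself is rarely the interesting event, but a scan or brute-force alert that is followed by a success on the host is, and seeing that requires correlating the IDS alert with a host log source rather than judging the alert alone.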
4) Which threat that comes into the SOC worries you the most/keeps you up at night?
My “top” concern has a tendency to shift with the current trends and events. ICS and attacks against health care providers are often at the top of my list. However, considering the scope and impact of the SolarWinds attacks, the threats that worry me the most right now are supply chain attacks. The fallout from the SolarWinds attacks illustrates the far-reaching implications of a sufficiently motivated threat actor given enough time and access, not just to an intended victim’s environment, but to any of the endless intermediate organizations along the supply chain to those environments.
The unfortunate success and longevity of the SolarWinds attacks mean that we can expect to see these types of attacks continue to be leveraged. These attacks were nearly undetectable yet hugely powerful. It’s important to recognize that many of the organizations that are known to have been breached are organizations with fairly sophisticated detection and response capabilities, yet none of the security tools, controls, or very capable security professionals monitoring these environments had a clue that they were compromised until months later. Beyond day-to-day security operations vigilance, this really underscores the importance of some really fundamental cybersecurity principles, even (or especially) when it comes to very “convenient” solutions that also represent a single point of failure. In addition to vendor management and supply chain risks, organizations really need to consider the principles of segregation of duties and least privilege access, especially when it comes to any software that holds all of the keys to the kingdom.
5) What’s one piece of advice you’d give for someone considering a career in the SOC?
Be curious. By all means, research and experiment with as many technologies as you can get your hands on, but don’t put all of your crayons in one basket with a chosen technology stack. A tenacious drive to learn, to understand how things work (or don’t work), and to dig deeper than the surface will serve you well in the SOC. Push buttons. Break things. Fix things. Learn to learn. In the words of Jon Lee, one of our Ingalls senior SOC analysts, have an “investigative spirit.”
Supply chain attacks are now getting a watchful eye from Robinson following last year’s SolarWinds hack.
6) You kicked off your career in IT when you were serving in the U.S. Air Force. How has your experience as an airman helped you in the SOC?
One of the most important lessons I learned and that directly influences my philosophy of management today was from my time in technical training at Keesler Air Force Base. The Air Force had a new slogan around that time called “People First, Mission Always.” They had banners all around base with that slogan on them.
Now, I’ve heard some horror stories about bad leadership from friends and family who served in the military, but somehow I was fortunate enough to always have exceptional leaders while I was in the military. This was true at basic training, tech school, my first duty assignment at the DoD Cyber Crime Center, and at my ROTC unit at Louisiana Tech. Everywhere I was stationed, I was blessed with leaders who seemed to genuinely care about their troops and the real challenges that we all face in life. We made it our goal to always do everything that is necessary to ensure that our missions were accomplished, but my leadership always took into account that the airmen are actual people with actual lives and appointments and families and schoolwork and … you get the picture. The bottom line was that people matter and have needs that must be met in order for the mission to succeed. In the SOC, that mission is to secure the Internet for our clients.
7) What’s the No. 1 thing SOCs can do to improve their maturity?
There are so many important considerations for a SOC looking to improve its maturity. The most valuable resource of a SOC is its people – the analysts who build their careers by ensuring the security of the SOC’s clients and end-users. With this in mind, I believe that the best thing that SOCs can do to improve their maturity is to truly value personal evolution and growth from their analysts. If the SOC’s analysts aren’t learning and growing, then no amount of automation, technical improvements or documentation is going to bring maturity. This can be implemented differently in different organizations, but at Ingalls, this includes a core value of “personal evolution and innovation,” providing and tracking training hours for our analysts, paid subscriptions to industry-leading training resources, on-the-job training sessions, analyst job-shadowing training, and career-progression opportunities to shadow or to be involved with different roles within the company.
8) What’s your proudest professional accomplishment? You can be as generic as necessary if it involves a customer.
Probably my favorite part of my current role is being able to help people begin their journey in cybersecurity careers. While I’m very proud of the team that continues to learn, grow, and work in the Ingalls SOC, one of my proudest accomplishments has been seeing people who got their start in cybersecurity with the Ingalls SOC moving on to other roles, even with other companies. It’s tough to see great analysts leave, but knowing that bright individuals with limited or no experience in cybersecurity were able to mature and pursue new opportunities equipped with the knowledge, training, and competence that they gained as analysts in our SOC has truly been an honor.
9) What books, blogs or podcasts have you read that have helped you advance your security operations skills and career?
I’m a huge fan of podcasts, and I love to listen to them on a daily basis during my downtime or while I’m driving. My favorite podcasts to remain informed of current cybersecurity events and trends are “The Cyberwire,” “SANS Internet Storm Center StormCast,” “Recorded Future: Inside Threat Intelligence,” and “Hacking Humans.” My favorite cybersecurity podcasts from an entertainment perspective are the more narrative-based podcasts, “Malicious Life” and “Darknet Diaries.” Probably one of my favorite books is “Tribe of Hackers” by Marcus Carey and Jennifer Jin. “The Cuckoo’s Egg” by Clifford Stoll is another must-read for cybersecurity professionals. My favorite blogs at the moment are Krebs on Security and Schneier on Security, and I enjoy reading various threat intelligence reports.
10) What security industry luminary would you most want to have dinner with and why?
This is a tough one! There are so many exemplars in the industry who I would love to share dinner with, but I think that someone whose work I’ve recently become acquainted with and would love to have an opportunity to know would be Dwana Franklin-Davis, CEO of Reboot Representation, a coalition dedicated to increasing the representation of women of color in the tech sector. As the father of two little girls and a Hispanic-American son and the grandfather of a Hispanic-American granddaughter, I profoundly want the current generation of cybersecurity thinkers and leaders to build a world free from inequity for women and minorities in cybersecurity. Additionally, in a world where every segment of every population faces risks of cybersecurity threats, and in a world where cybersecurity threat actors have an incredible diversity of backgrounds and motivations, having a diverse SOC analyst team helps insulate that team from groupthink and creates a more well-rounded, capable security team. For these reasons, I’d love to have the opportunity to sit down with Ms. Franklin-Davis someday to discuss and strategize how organizations can work toward this end.
11) What is your philosophy on how a SecOps team should be built out?
My philosophy on building a SecOps team is that hiring managers should 1) commit to building diverse teams and 2) invest in training new employees who have the right soft skills but perhaps lack the hard skills. I mentioned this in a few of my other responses, but I think that cybersecurity is a career field that can not only have a tremendous impact in bridging the tech-sector gap between underrepresented groups but also stands to benefit greatly from doing so. Diverse teams with multi-faceted perspectives bring value to SecOps teams that a homogenous team just can’t compete with. Also, it seems like every other month we see studies and surveys describing the security skills gap or huge numbers of unfilled cybersecurity positions. It’s not lost on me that cybersecurity can be a challenging career field to break into, but so long as there are entry-level positions for challenging roles, organizations will struggle to fill these roles unless they realize the unique opportunity that exists in being able to train the next generation of cybersecurity professionals from scratch.
Dan Kaplan is director of content at Siemplify.