Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall
 

 

Episode 4 - Ed Escobedo: Translating the value of CyberSecurity

This week - Ed Escobedo joins the podcast to discuss his journey to join the Silent Sector team as Chief Strategy Officer, the purpose of cybersecurity, and what lesson’s he’s learned while implementing programs for companies like PayPal and Apollo Education Group, plus the importance of translating the value of cybersecurity to CFO’s and other organizational leaders. This will help you understand why we need cybersecurity.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe! 

10103417-small

Send Us Your Questions & Rants!

welcome to the cyber rants podcast where we're  all about sharing the forbidden secrets and  
slightly embellished truths of corporate cyber  security programs we're ranting we're raving  
and we're telling you the stuff that nobody talks  about and their fancy marketing materials all to  
help you protect your company from cyber security  criminals and now here are your hosts mike rotondo  
zack fuller and lauro chavez hello and welcome  to the cyber rants podcast this is your co-host  
zach fuller joined by mike rotondo lauro  chavez and our uh guest today ed escobedo  
mike why don't you go ahead and kick us off  with the news what's going on in cyber today  
oh there's a lot going on this week um  let's start out with the top of this  
4.83 million ddos attacks took place in the first  half of 2020 which is a 15 increase uh people are  
taking advantage of the you know covered lockdowns  basically um another exciting thing to find out  
is that vulnerability in one and wireless router  chipsets is prompting advisories this is qualcomm  
mediatek and real tech chipsets basically there's  an authentication bypass vulnerability that's out  
there now microsoft xp leak would be less of an  issue if it didn't if so many didn't use it the  
source code is online apparently it still has a  large user base and cyber criminals are using that  
code base to go ahead and develop new exploits for  it why anybody's using microsoft xp now i don't  
know but apparently they are new tactic from  the new old tactic from hackers is basically  
they're they're setting up front companies  to disguise their hacking and bar and which  
is basically an old camouflage tactic so they're  setting up a company like xyz insurance company  
sending out email duping who they can and taking  the cash lentil in the company later there's  
a new ransomware out there called the gregor and  basically what their thing is is that they release  
the data if you don't pay they release all your  data some kind of mass media mass media release um  
nice of them um the fbi is warning spoil your  working from home escape plan apparently what's  
happening is a lot of people tired of looking at  the same four walls of their office den bedroom  
wherever they have to be working are escaping  to hotels to work remotely the problem is  
hotel security wireless security is not all  that good never intended to be you know office  
grade and so it's being exploited um from the  truly scary and creepy uh kids smart watchers  
can secretly take pics record audio or command on  command by encrypted text apparently the brand of  
chinese smart watch called explorer which is has  a back door that was apparently deliberately put  
in there so they can receive an sms to kind of  check out the kids surroundings take pictures  
and record conversations that are around and  another note to have group groups chain vpn and  
windows bugs to attack us government networks  basically it's an additional of the zero login  
and uh a weakness in fortinet which  is allowing them to exploit that  
from the we haven't talked about it in a while  but it's something continually aware of uh cisa  
is urging utilities to increase protections and  warns of potential attacks from china it's again  
you know tax on the grid uh the power  grid and that sort of thing is is  
ramping back up kind of good news men with a good  news new ransomware vaccine actually vaccine kills  
programs wiping windows shadow volumes it's called  racine and basically what it does is when it sees  
the ransomware trying to kill the shadow volumes  it kills the ransomware so and with that i'll go  
ahead and pass on to lauro for his vulnerabilities  thanks mike well appreciate the information i  
guess now i need to update my windows xp yeah oh  yeah someday i've got to take uh i got to take my  
website off of that that dmz xp server anyway you  know it's still you know a workhorse yeah yeah it  
is i you know as far as i'm concerned it's one  of microsoft's greatest achievements anyway so  
if you're if you're running an oracle database  this week and you know in general i'm sure it's  
going to happen again but if you're running oracle  database 18 charlie there's some critical patches  
you need to be aware of that include some command  injection and remote code execution so those those  
those are fairly serious so if you're running  an oracle 18 char let me show you update that  
um fedora got a few things uh included this week  for samba if you're running slime on top of fedora  
there's a couple command injection uh weaknesses  in in in this version so make sure you update  
your samba framework on fedora and then openSUSE  again uh security updates for the dp dpdk packages  
so if you've got those uh up and operational make  sure you're you're running those updates so again  
microsoft stayed the list again this week that's  two weeks in a row uh my money is on they'll be on  
the list for a five next week and that's it that's  all i got zach all right thank you lauro and mike  
um today uh like i mentioned earlier we have a  special guest ed escobito for those of you don't  
know recently joined the silent sector team  as their chief strategy officer so it's real  
pleasure to have him work with him and ed brings  just a a deep deep uh base of knowledge with him  
and experience and through a lot of different  companies held executive roles uh like the  
um head of of uh technology risk management for  paypal is cio of apollo education group he's been  
vp uh in various forms for multiple  companies like charles schwab and  
dhl uh so tremendous amount of experience really  has a great lens um at the the executive level of  
cyber security for large organizations and so  it's a it's absolutely a pleasure to have them  
and ed thanks for coming on the show  thank you zach it's good to be here  
are you great well ed what else would you  tell us about your background i mean i gave  
the high level overview but any anything in  particular you want to share any highlights  
um don't be afraid to brag a little bit here sure  well let me start with how i got started in the  
industry so i got started back in the late 70s  when i joined the air force out of high school  
and i ended up getting a job in the air force  as a computer operations mls and so um that  
that launched my career and i ended up out of the  air force uh becoming what i thought was like the  
best job you could ever have in technology  which was an mvs systems programmer back  
on the days when mainframes were the hot ticket  item for computing and uh you know just a couple  
of things that we did back in the early 80s as an  mbs assistance programmers we had a thing called i  
mean security and business continuity and disaster  recovery were a key part of what we did back in  
the 80s i mean a couple examples is if anybody  knows anything about z os mvs there was a security  
product that i installed back in the early 80s  called ecf2 which had kerberos security and  
you know did a lot to restrict access for critical  accounts and the other thing i remember doing back  
you know a long time ago back in the 80s was  our disaster recovery plan was mag tapes you  
know where we would take backups of disk drives  across the mainframe complex put them in our car  
drive to a cold site load them on a tape drive  restore these tapes and make sure we brought up  
the operating system to test our environment  so i mean that's how far back my experience  
goes well before you know the current way  of thinking about security and cyber and  
risk management uh and then you mentioned uh  michael mentioned uh windows xp i remember back  
one of the roles i had at schwab after i moved to  california from the east coast you know i remember  
fondly dealing with windows xp as a desktop i  ran desktops for our call centers back in the  
day at schwab and i think we had 10 000 desktops  you know using where we had windows xp was the  
endpoint but we had a product called i think  it was sms microsoft sms we had to distribute  
patching to vulnerabilities i remember doing  like two or three nights of full-time non-stop  
work to patch windows xp devices uh just trying  to find those on our network was problematic and  
having to go through and get those systems  passed back in the day you know 15 20 years  
ago was was hard to do and it's interesting to  find that people are still running windows xp  
today so very much uh very much resonate with the  idea that those things will need to be patched  
because we had trouble back in the day patching  them and it's interesting to see the people still  
running those systems so the most recent role i  had was running technology risk management i think  
a large part of what i did with paypal is helping  our senior leadership on the first line of defense  
understand the importance in the context means  to have a mature operational shop that that has  
operational excellence and processes around risk  management and security best practices and so  
i kind of felt i had two roles there paypal  most recently one was i felt like i was the  
general counsel for all things risk management so  helping protect the cto and his leadership team on  
the things that relate to you know how do we make  sure that we're translating the expectations from  
external auditors to ensure that we're  appropriately applying best practices and  
their operations to support the things that would  come our way from from external auditors internal  
auditors and second line of defense and then  the other role that i played there which i think  
because i ran technology at apollo education group  which was a large online university university of  
phoenix i felt like the other role that i had the  other hat that i wore and the other role that i  
played was that of educator and helping all of  our i.t operational folks basically understand  
the various nuance of security risk management  i think one of the things i realized is  
it's it's in some ways it's the language of risk  management and security is you know it's kind of  
a niche language right people they talk about  things uh that that are hard to understand and  
so helping people understand how important these  things are were clearly the role that i played and  
what i'm hoping to do with silent sector with  clients that we have that's great i appreciate you  
sharing um what you know with all that uh large  corporation experience what made you make the  
switch to uh to more of a boutique firm dealing  in primarily in mid-market and emerging companies  
i worked at some of the greatest companies in the  world charles schwab i had a long career there  
paypal was one of the largest fintech companies  in the world dhl i think we had 300 000 employees  
because we were part of the global deutsche  post world net ecosystem and then obviously  
running apollo education group which was at the  time had 500 000 students online students and  
was a significant player and disrupter to the  industry um so i i've spent you know my 40-year  
career all of it in large companies and i've had  some of my best friends in my personal life have  
been entrepreneurs and i've always admired sort  of their tenacity with with with what it means to  
be an entrepreneur and i've and we i i always  just talk to them about the just in terms of  
personal relationships you know the things that  they did to sort of help grow their business and  
and they all have had really successful businesses  and so i've always admired it from from the  
outside and you know as i was transitioning from  paypal i realized that you know i've never done  
that before i've never worked at a small company  i've never you know learned the skills of what  
it means to to help grow a company from from a  certain size to a larger size and what it means  
to serve to serve a market i've always been  and this is i think the training from schwab  
focused on customer first schwab taught me  that you know as i grew my career there you  
know paypal obviously reinforced that with the  focus that we had on customers and their mission  
uh and so i thought well this this could make  sense and let me let me let me give my energy  
and efforts to this venture and see how we can  help grow the business the mid market obviously is  
something that because i'm a big company guy sort  of bringing that perspective to companies that are  
growing and need to build maturity and process to  to support their growth i think you know i kind of  
have a unique vantage point to that uh with ceos  and cios and csos as they're trying to establish  
best practices around uh around how to mature  their capabilities so i thought it was a good fit  
and you know i'm excited about the opportunity the  other thing i'll say is um you know when i asked  
asked you all zack mike and lauro you know what  your mission was you know the idea of protecting  
companies and protecting the us economy i think  to me resonated at having been a veteran with the  
air force many years ago and so that that mission  resonated with me as well and then um you know the  
idea that uh you know most of us are veterans and  minorities i think also resonated with me having  
my personal back background and story being both  veteran and hispanic so those are the reasons  
we're glad to have you you know that's that's um  something we really uh we don't take lightly you  
know these mid-market and emerging companies are  absolutely the backbone of the american economy in  
our way of life i mean without without them uh we  would we would not uh be you know blessed to live  
like we do in the united states and um so we we  absolutely have to protect them because they are  
under attack or under underserved and under  attack constantly um they're just it's hard  
for them to find good options and support there's  everybody's quick to sell them tools and products  
but there's not a lot of hands-on you know boots  on the ground expertise uh for them to work with  
out there so um it's it's great to be able to  bring that large corporate experience um to  
those organizations of course mike and lauro also  have backgrounds and working with large corporate  
within large corporate environments so we can take  and and understand you know what's what works what  
doesn't where there's uh traditionally a lot of  waste um and where where resources should be put  
and um and really bring best practices into  these organizations so where are you seeing  
you know throughout your career at least you  know over the last 10 years or so i mean where  
do most companies struggle with their cyber risk  management where what what are the kind of the big  
factors or the big problems that you run into you  know i think it's just sort of an understanding  
of the importance of cyber security and risk  management as a practice that's critical to both  
revenue and sort of core business operations i  mean when i was the cio at apollo education group  
i mean i know enough i've always been a like  an i.t infrastructure guy data center guy and  
a big mainframe guy running operations for  large companies and did a lot of work on  
desktop collaboration back at schwab but i  always knew that obviously you needed to have a  
like a somebody that paid attention to security  and so i ended up hiring a person and knew enough  
to build a sock and the importance of that and you  know putting eyes on glass to monitor our network  
but that's kind of i just sorry take care  of it let me let me turn it over to you  
sort of your baby to to drive and i used to  have to represent the security uh progress  
program to the risk oversight committee which  was connected to the board of directors and  
so i i knew that i had to make pay attention to  them but i never really understood the importance  
of it when i went to paypal i worked for the  cso there and had a global role running a large  
security practice for him faced after the business  and one of the things i've learned at paypal  
is as i said earlier is that people don't quite  understand the the terminology and the importance  
and the expectations and so a lot of what i found  at paypal is helping uh practitioners that are  
they they all want to do the right thing but  you know prioritizing you know when you've got  
so many things on your plate the the importance of  best practices around vulnerability management of  
access management configuration management asset  management you know making sure that those are  
integral into how you run your operations and  and in some ways you know way to differentiate  
companies from the rest of the competitors that  are in their space you know i found that that was  
something that that that i saw paypal and and  we did a lot of work helping people understand  
the importance of things and putting in processes  and dashboards to help put us by learning that but  
i i suspect that many companies that are not  practitioners that are not you know smes and sort  
of from the academic lens of security uh cyber  security and risk management just don't quite  
have an awareness of what it means and and so i  feel like part of the opportunity that i have with  
the silent sector is to help sort of translate and  help all right let me just put a language that a  
cio or ceo or cfo can understand you know why why  you have to pay attention these things because  
eventually you know um this could come back to buy  you so just to me it's the role of translator and  
helping people have the context and the business  understanding and business context to sort of help  
prioritize the things that need to be put in  place uh consistent with other things that  
are going on in the operations to support growth  and protecting their assets yeah translation is  
critical because uh you know without without the  right resources and budgets uh it's very hard for  
security practitioners to get anything done so  um you know it's just one of those things that  
a lot of times we see these organizations that  it's kind of out of sight out of mind right and so  
they'll just just uh you know won't put the time  and attention in at the executive level to really  
truly understand what the risk management means to  their organization the benefits it brings and and  
how it supports the longevity and so um critical  critical area to be and i think there's not enough  
translation going on out there otherwise we'd  probably have far fewer cyber attacks happening  
so what do you hope to see in the cyber security  industry moving forward yeah i mean i think i mean  
so i i kind of view this chapter of my career  in the top of the first inning you know just  
there's nlcs i was watching the game last night  so i've got a baseball metaphor here man sort of  
just at the very top of the first inning and i  kind of view this as a long journey a nine-nine  
game and so it's just getting started but i'm  really excited about the opportunity to serve  
the clients that are currently in the in the  book of silent sector and then also growing our  
our portfolio to include other clients and  particularly those that you know are looking  
that that are in highly regulated areas like  healthcare and financial services and fintech  
you know where you have to basically build  the foundation and the core capabilities  
to serve clients so you know i'm just really  excited about um about it's really just serving  
clients at the end of the day just being a  servant to ceos cios cisos and cfos to help  
establish that capability great and you  mentioned veterans and minorities earlier  
yeah i know you have some some plans some ideas  uh to really use cyber security as an opportunity  
for for young people that uh don't have a lot  of options tell us a little bit about that  
yeah you know i i mean when i was a kid i mean  i never would have thought back growing up in in  
the middle part of california and fresno that that  i would have a career in technology that spanned  
you know multiple decades and then i would just  feel so blessed with the opportunity that i had  
to be in technology and cyber security has been  a part of my career and so the idea that that  
we could help close the skills gap with those  that are living in disadvantaged communities in  
let's say south phoenix and and giving young  people men and women people of color you know and  
everybody that has the energy the opportunity to  sort of get into the career that for me has been  
just a blessing to to to feel like uh my life was  turned around i think to me is such an important  
personal mission of mine um you know one example  of that is been asked to serve on the arizona  
tech council support with pipeline az to sort of  help close the skill gaps for those that are going  
to school and and have an aspiration to get into  cyber security and how we connect them to jobs in  
the state and so you know i'm excited about that  uh serving on their advisory council and so those  
are the kinds of things that i just personally  have paid attention to in my career and then  
i'm going to continue to do that and obviously  as we grow silent sector the opportunity to  
to bring in uh and mentor and apprentice to  bring in apprentices that can help and help them  
understand what it means to be a cyber security  professional is something i'm excited about  
yeah absolutely um we've already had a couple uh  a couple students work with us on various projects  
and uh that just you know they were absolute  rock stars and you know ready to get going and  
growing in their career and so it's a lot of fun  and we certainly need more security practitioners  
in this country um so it's great great opportunity  winning winning opportunity for everybody i think  
so well thank you so much ed for joining us today  thank you mike and lauro uh for your insight and  
uh we will wrap it up and see you on the next  show