Security Expert Interview Series: Randy Purse
We recently checked in with Randy Purse who is serving as Senior Cybersecurity Advisor. Randy is deeply interested in researching and finding practical solutions to the challenges for individuals and businesses facing technological disruption, including those posed by cybersecurity. Read the full interview below, we promise it will be insightful.
1. Firstly, thank you very much for taking part in this campaign, Randy. Could you tell us a little about yourself – who you are, what you do, and how you got started in cybersecurity?
Thank you very much for the opportunity. What you’re doing is valuable as it doesn’t matter what nation you’re from, finding cybersecurity talent continues to be a challenge. So, providing diverse insights into cybersecurity as a field and showing how people from different backgrounds are is always very helpful.
As for me, like many, cybersecurity was not a career ambition, but happened over time. I started out as a naval officer in the Canadian Navy. One thing that the military does well is indoctrinating you into a security mindset. Beyond this, I was employed in physical, personnel, communications security and force protection roles that deepened my knowledge and gave me a truly integrated view of security.
At the latter end of my operational career in the late 1990s, I was assigned to our joint headquarters as the staff officer for Information Operations Plans. Concurrently, I served for a time as an information systems security officer. This was my indoctrination into cybersecurity just as it was emerging. Following my operational career, I transferred to military training development. This led me to IT Security Learning Centre in the Communications Security Establishment and Canadian Centre for Cyber Security upon my retirement from the military. I was learning advisor, instructor and ultimately the Strategic Advisor for Cybersecurity Training and Education looking at the national cybersecurity talent challenge.
When I retired from the public service, I wanted to dive more deeply into this challenge, so accepted the role of Director of Cybersecurity Standards at TECHNATION leading the AI and Cybersecurity Skills Initiative. I was promoted to the Vice President of Future Workforce Development continuing to lead this work as well as other tech skill initiatives. Wanting to refocus my energies in cybersecurity, I accepted a role at the Rogers Cybersecure Catalyst at Ryerson University in Ontario, Canada as the Senior Cybersecurity Advisor. I now have the pleasure of leveraging my expertise in learning and cybersecurity to help develop training and education solutions for the public, private and non-profit sectors.
2. You are currently working as a Senior Cybersecurity Advisor. Is there a typical workday for a security advisor and more specifically?
By choice and good fortune, my day is filled with task variety. For example, almost daily, I am liaising with clients, helping them to identify their learning needs and finding and crafting learning solutions to meet those needs whether through e-learning, technical and management level courses, professional-level workshops or in our Cyber Range. I also help with the development and facilitation of learning of candidates in our Accelerated Cybersecurity Training Program. This program takes people which diverse backgrounds, often from non-technical fields or underrepresented groups, and provides them with technical and other professional training that prepares them for cybersecurity roles. Another function that keeps me engaged is consulting. I am often engaged in consultations with small and medium businesses that are looking to improve their cybersecurity posture. These are all things I love to do.
3. What is anything you wish you knew when you first went into a career in cybersecurity?
Since I flowed into cybersecurity rather than targeted it as a career, I likely have a slightly different perspective on this question. I am continually amazed at how connected the cybersecurity community is; it is one huge community of practice where there is continuous sharing of knowledge and tools. As I merged into the field at mid-career, I didn’t get the benefit of tapping into the network in any real capacity until I was immersed in the skills initiative. I think that the earlier you can connect with that vibrant community the better. There’s just so much talent, passion, and knowledge there that can be leveraged by those who are trying to make inroads into the field.
4. What policies and practices would you recommend to small businesses defending against the latest malware threats?
My focus is on cybersecurity management. So, I’ll leave the technical best practices to those who can speak to them in detail. Besides, I think that small business leaders can become easily overwhelmed by all the technology and related challenges. Instead, I’d like to talk about a few non-technical best practices that every business leader can adopt. By the way, these are also typically low cost and high impact.
- Know what you need to protect. Identify what is of value to your business and asses the risks so that you have a good idea where you should invest time, energy, and money in cybersecurity. Not everything needs the same level of protection – focus on the critical and important information and information systems.
- Move beyond employee awareness towards training. If we expect employees to have a role in cybersecurity, then we need to move beyond ‘awareness’ and engage in training that will support that role. So, let’s engage them in the discussion about why cybersecurity is important to them and the organization, let’s give them knowledge about best practices that they can apply, where skills are required such as identification and detection of threats, let’s give them the opportunity practice. Finally, let’s have managers follow up and monitor employee performance in this area.
- Conduct role-based training for cybersecurity functions. The world over, those who perform cybersecurity functions are often under prepared and under equipped to perform to expected task. Certainly, for a certified cybersecurity professional this is not normally the case, but there are many who perform cybersecurity functions that simply do not get the training or resources needed to successfully perform their role. For example, ensure that the IT person who is a first responder, the IT manager expected to implement new security software, or the senior manager expected to coordinate incident response activities not only have the resources but the training to perform their tasks.
- Have an incident response plan. It’s echoed throughout the community, ‘there’s no such thing as 100% security’. So, moving beyond prevention, we need to consider organizational resilience. A big piece of this is having a well thought out and tested incident response plan that helps reduce the impact of the incident, helps keep you going during an incident, and helps you recover safely and quickly.
5. What do you predict to be important trends in cybersecurity in the next 5 years? AI? Machine Learning? Zero-trust?
I think that these are already having a significant influence on cybersecurity, and they will continue. For AI and machine learning, it’s a double-edged sword. There is tremendous work going on to leverage these technologies to help combat threats. However, there is also increasing use by threat actors. So, we need to stay on our toes. Zero-trust across all networks everywhere is a great idea, but for many small and medium businesses very ambitious and costly – this will gradually change with increasing virtualization and adoption of cloud-based solutions that have zero-trust architectures. Another important trend will be the evolution of cybersecurity as a discipline. Right now, it is still largely a specialized sub-discipline within the technical community.
We are starting to see greater integration of cybersecurity into mainstream management, finance, and business education programs. But this evolution appears to be considerably slower in technical disciplines. I’m hoping that in the not-too-distant future, we see all IT, computer, and engineering programs with embedded cybersecurity curriculum so that everyone graduating from a technical program will ‘design with security in mind.’ We’ll always need specialists in the field, but at this stage, there shouldn’t be a software developer or computer engineering graduating from a program without a solid foundation in cybersecurity.
6. What would you say is the most underrated skill in cybersecurity industry or the skill you wish more people spent time developing?
This is a difficult but great question. As you are holding me to just one, I’m going to say communication. One thing that I’ve noted within cybersecurity, but also in other technical fields is the ‘gap of grief’. I can’t recall who coined this phrase, but it’s descriptive of the communication gulf that often exists between business decision-makers and technical professionals.
While it’s not always the case, there are challenges because they don’t always know how to talk to each other, they both use jargon that the other doesn’t fully understand, and they often end up talking past each other in the day-to-day activities and, more importantly, during a crisis. Better communication skills include things like clarifying values, simplifying language, avoiding jargon, listening, confirming, effective use of data, checking biases, and keeping on point. These all matter and can contribute to every aspect of cybersecurity within an organization.
7. Our last question: What can you tell our young readers who are pursuing their dreams in the security market?
I realized early on in my military career that the thing I valued most is the knowledge that I am helping to protect and defend people. I was attracted to this sense of duty and ‘guardianship’. It is a core value that I think is in the heart of almost everyone I know in the security field. In cybersecurity, it’s easy to get lost in the tech and focus on the threats. But that’s not really what it’s about. As a human conception, security is about protecting what we value. That’s what we do every day! Sure, sometimes we don’t have all the tools to do the work, but we find workarounds to keep people and networks safe. Sometimes we don’t stop an attack, but we do mitigate its effects.
Sometimes we discover an intruder too late, but then we deal with the cleanup, patch the vulnerability, and make it more secure. In the end, I believe that we have many, many wins every day that go unseen by most people. But I’m certain they would notice if we weren’t there. We can certainly improve, get more talent, and better tools to help. So, if you come on board, you’ll be joining a community of ‘guardians’ that provides far more value to society than they are often given credit for.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.