In this episode, hosts Sean Sebring and Chrystal Taylor engage with actual rock star Chris Greer, a Security Engineering Manager at SolarWinds, to explore the multifaceted world of cybersecurity. Chris shares his unconventional journey from being a musician to entering the IT field, emphasizing the importance of certifications and the mindset shift required when transitioning from IT operations to security.
Topics covered:
RELATED LINKS:
Sean Sebring:
Hello, and welcome to SolarWinds TechPod. I’m your host, Sean Sebring, and with me as always, my co-host, Chrystal Taylor. Today we’re diving into the world of cybersecurity, a critical focus area for every organization. To help us unpack what it’s like to work in security, how to get into the field, and what it means to lead with a security mindset, I’m joined by Chris Greer, Security Engineering Manager here at SolarWinds. Chris, thanks for being here with us. Can you tell a bit about yourself, and what led you into the security field?
Chris Greer:
Yeah, sure. Thanks for having me. Excited to be here. So basically, I came from a little bit of a strange background, if you will. I didn’t go to college or anything like that. I started out as a musician. My band got signed as we were leaving high school, so we got some really great opportunities, got to tour the world for 15 solid years, and then I got a call one day that I was going to be a dad. So, I was like, “Okay, I need to be home. I want to see my daughter grow up,” so I was like, “What can I do to make a consistent income where I’m still enjoying the work?”
Always been into computers. My brother and I used to build computers when we were younger, not only for ourself, but for family and friends and stuff like that. We were about 13 at the time, and that was back when you couldn’t mail order parts. You had to go to computer shows and stuff like that. So, that was part of the fun is going and walking around and seeing all the cool things, talking to people, so that was kind of my first taste in the world of computers.
Like I said, when I found out I was going to be a dad, I moved down to North Carolina and was scouring the market, looking for a job, and I applied for a desktop position at Duke University in their IT department. And shot in the dark. I was like, “I don’t have any background. They’re never going to hire me,” right? Lucky enough, they gave me the job. I ended up working there for 10 years, and that’s really where I kind of cut my teeth, learned how to be part of a help desk. I learned how to troubleshoot systems. Then I really got into Casper, which is now Jamf, on the Mac side, and that’s really where I found my deep interest in computers. So, I basically ate and breathed Casper, Jamf every day. Went to all their yearly meetings out in Minneapolis. Got all their certifications that they had. That was just my thing.
After Duke University, I got word from my brother that a small startup in Cary was hiring, looking for a Casper expert, a Jamf expert. They were called Samanage, so I applied to Samanage, got hired there, and that was my first taste at a startup company, which was an amazing experience, such a cool environment. I loved everyone I worked with there. And then I got to just continue to grow my career. So, I started out as help desk there, moved over to management, and then I got into IT operations, so I was running the whole kit and caboodle there. So I was doing networking, I was doing video conferencing, computer setups, all those kind of things, so really learned a lot there as well.
And then Sean, as you know, we were acquired by SolarWinds in 2019, so that’s kind of how I made my way over to SolarWinds here. So, started out in the IT department there. Worked with Joe Murray and Jonathan Henry in the systems team, and then I moved over to the identity and access management team with Jonathan, and kind of helped him bootstrap that team and get it started. So I worked there for about two more years or so, and then I got word that Eric’s team was looking for a SOC manager. Didn’t really have much experience in security, so I was really interested in getting my feet wet there, seeing what security was all about, and having a team to work with and build out the operation center there. So that’s kind of how I ended up in security here. Been here on the SOC team for almost a year. Next month will be a year, so it’s been a really interesting and exciting experience, to be honest with you. There is definitely never a dull moment in security.
Chrystal Taylor:
I have so many questions, just purely based on your story of your background.
Chris Greer:
Sure.
Chrystal Taylor:
First of all, can we talk about how you just casually dropped that you’re in a band that was signed right out of high school? Just a casual drop, but-
Chris Greer:
Yeah, that was crazy. Yeah, it was so crazy. One of my best friends, Thomas, we started the Catch 22 together. That’s my band’s name. We worked at a photo lab together, and it was crazy too, because it was a really crappy day outside. It was pouring rain. I was working, he wasn’t, and that record company ended up sending us a fax written in Sharpie saying, “We love your demo tape. Give us a call,” and we’re like, “No way. This is a joke. Who sends a fax, first of all.”
Chrystal Taylor:
This is not real.
Chris Greer:
And then we look at the top of the fax, where they used to put where it came from, and it said “Victory Records.” And we looked into Victory Records and we’re like, “This is definitely a joke because this is a metal hardcore label, and that’s not what we play.” So we were like, “All right, let’s just give them a call, see what it’s all about.”
And it ended up being real, believe it or not, and we were just floored. We’re all 17 years old and running around, just screaming, because we’re so excited that we got an offer to play music, to the somewhat disappointment for a while from my parents, because they really wanted me to go to school really badly. So, I would call home when we were on tour and they’re like, “How are the shows?” I was like, “Well, it wasn’t all that great. We played to the bartender, but I’m in Phoenix, Arizona today, and then tomorrow I’ll be in San Diego, so I’m seeing the country.” And they’re like, “Are you sure you don’t want to come home? You sure you don’t want to go back to school? It’s going to be really good for you,” and I was like, “No way. Let’s play music forever.”
Chrystal Taylor:
Well, I kind of want to twist this into a question about how this helps you, but I think that A, I want to say, it’s nice to talk to another person who doesn’t have a formal educational background in a strong position in IT. There is a kind of a stigma where it’s required in a lot of cases, and we’ve talked about this on the podcast before about how … And I actually wrote a bunch of articles recently about how AI is making this even harder, is that recruiters look for degrees, and so it’s kind of hard to get those differing experiences. So, I’m really glad that you shared so much about your background with us today to kind of illustrate that anyone can learn, and you just need the opportunity.
But I want to ask you specifically, because your band’s been brought up and because I already asked the question about your band, do you think that your 10 years working in the music industry as an artist helped shape some of your experiences now as a SOC administrator, or whatever? Does it play into your security role at all, the experiences that you had before?
Chris Greer:
I think so, especially on the people side, right? Because when you’re a musician, I mean, you don’t have to talk to your fans, but that’s not really the nicest thing to do. So I mean, you learn to talk to a huge swath of different types of personalities, so you have the super extroverted, the super introverted, the people that just can’t even say a word, they’re just in shock, like deer in headlights. And you learn how to kind of navigate that and make them feel comfortable, because a lot of times they’ll say, “I’m so sorry, I’m so sorry.” And it’s just like, “Don’t be sorry. Let’s have a conversation. Let’s chat. You’re here. You came to see my band. I’m here for you guys. Let’s chat it up. Let’s enjoy our time together.”
I think it’s really important to be able to talk, especially when you’re speaking to departments that aren’t very technical. So it’s like you need to learn how to talk to different types of, say, sales or marketing, that they’re not dealing with scripts and they’re not dealing with JSON and stuff like that. So, it’s like being able to talk to anyone, I think, is a huge plus, no matter what position you’re in.
Sean Sebring:
Would you say you have a similar amount of fans being in security as you did in the band? I’m totally joking, by the way.
Chris Greer:
I would say no.
Sean Sebring:
Yeah, no, but I 100% agree. I think people skills, and like Chrystal said, we bring this up all the time, but people skills are the most transferable and one of, if not the most, crucial skill to any role, arguably being able to work with others, talk to others. And I like the way you kind of mentioned it, just because there’s a diverse group of people that will have different skill sets, so being able to translate what you need to translate based on their level of understanding is a big deal.
Chris Greer:
Sure.
Sean Sebring:
One of my favorite things about the way you talked about your transitions is they all seemed pretty organic in nature. Not that you didn’t pursue them, but that based on your interest, the opportunities became available. And then based off of your interest in the opportunity, upskilling yourself, which is a big thing in IT, and it kind of rings true with the, quote, unquote, “informal education” of it, is that IT is still … I don’t know that I believe there’s a true, true formal education path for most of any IT field, security included in this case. So the skills, I think frameworks are the closest that you could get to a scripted education for IT stuff, but for the most part it’s just, I’m interested in this. Let me go learn everything I can.
Chris Greer:
Right.
Sean Sebring:
I would also say a lot of IT education material is a little bit more open source than other education paths, and again, we’ll see what happens as AI continues to dominate education in the future. But yeah, as far as the education for it goes, since you did lead with saying, “I didn’t go to university, college,” how did your education into these fields happen? Was it just Googling? Did you go for specific certs? What helped you gain credibility, some certifications along the way? What helped give you that as you moved into the roles and kept going up?
Chris Greer:
Sure, sure. So kind of just what you just said, I like to call myself a cert dog. I love certifications, so basically what I did was I kind of looked at all of the-
Sean Sebring:
I’ll get you a shirt, by the way, now, Chris, a cert dog.
Chris Greer:
Cert dog. Yeah, so I looked into certifications and saw what the basic certifications were, A+, Network+, Security+, those types of certifications, and I kind of started there. I think that’s kind of how I got my foot in the door at Duke there, because I had my A+ certification. I only had one, but I think that kind of showed them a little bit of initiative, because I had some more on my list there that I was working on. So, I think going the certification route is a really great spot, especially if you’re starting out in help desk, because all those early certifications really help you understand your role, understand how to troubleshoot and what to look for. And then it’s also nice to have that certification on your resume and in LinkedIn, because a list of accomplishments is always satisfying. So for me, certifications will always be a huge part of my career and kind of how I look at things.
And going back to where you said, I feel like when you’re in a certain role in IT, you’re doing the day-to-day work, but you get to a point where you feel like you’re ready for a new challenge or a new experience, and it’s usually not within a week or two. It’s usually after a year or two you feel like you’ve really mastered your craft and you’re ready to just keep expanding. And that’s kind of how I look at it is I look around and see what jobs are available within the company. Because the thing I really love about SolarWinds is they really try and have internal transfers be a huge part of movement in the company, so they’re not just looking to hire outside of the company. If they have any internal candidates, they’re always willing to help them get into that role they’re looking for if possible, or at least have the opportunity to interview for it. So, that’s kind of how I jumped around SolarWinds is all my moves have been internal transfers. So, it’s been a really great experience with that.
Chrystal Taylor:
I want to follow up on the certification bit. I want to quickly, just as a rebuttal to Sean’s earlier statement that there’s not really a formalized path, I think that that is true, if you can talk to a person and get past the recruiter and the AI now that’s in play for recruiters, that they’re looking for specific … Certifications are one way to get past a recruiter. Formalized education is another way to get past a recruiter.
But if you are from an unorthodox background, and let’s say you don’t have a bunch of certifications, but you do have experience and knowledge gained in the field, like … That’s my background. I don’t have any certifications active right now, actually, but I did have certifications at one point or another for certain things. But I think that it’s important to note that for people who have a more unorthodox background, getting into any role in IT, but especially security, that certifications are a good way to go, and I did want to ask you about that specifically. So you have worked in desktop IT as well as now working in security. How important do you think certifications are in either of those roles?
Chris Greer:
I think they’re pretty important, right? I mean, you get a really good baseline for what the role is going to encompass. When I look at certifications and roles, there’s also a lot of networking. So kind of a little off-topic, but especially in the security world, I mean, you can go to DEF CON. There’s a lot of really great security conferences to go to where you can get your networking done. And at least for me, that’s kind of how you meet a lot of really great people and you get offered a lot of really cool opportunities. You can’t take them all, but it’s also nice to know that they’re out there and that they’re not unobtainable, if you will. You just kind of got to put a little bit of legwork in, and usually it works out in the end there.
Sean Sebring:
I appreciate that. Chrystal, keep me in check when I lead us astray from the clear path. No, I like that, the way you kind of phrase that, Chrystal. If you talk to somebody, they can give you a nice path, right? So there definitely is, and that’s kind of one of the reasons we like these episodes is to just say, “Chris, what was your path?” Right? Because that unorthodox path, meaning rock star path, you can actually go find the rock star path to it if you look at Chris’s LinkedIn now. But yeah, no, so you can definitely make a path out of it.
Just another observation, because before we dive into more about what is the security role to you today, I really do just like talking about how you got there, and things that stood out in the conversation were interest. You said interest so many times. There’s a phrase that rings true to me as a manager also when interviewing folks, it’s will before skill, so is the interest there? Is the will there? And especially if you can show in your past that you’re able to be adaptable, that will is there, it’s like, hey, I have the interest for this now. So, that’s just much more attractive to someone saying, “Look, if their interest changed to this, look how quickly and capable they were of transitioning to that other obscure role that’s different than what they were doing before.” So, the level of interest, it seems like, was one of your biggest benefits, just genuinely being interested in the next technology area of focus.
Chris Greer:
Yeah, and I feel like when you’re interested in something, you’re more willing to put the work in. If you’re doing something you have no interest in, it’s really hard to be motivated to want to do it, right? So, I think that you made a really good point there, Sean.
Chrystal Taylor:
Sean’s a manager of people, and I formerly managed a team, and I’ll say that in a management role, I would much rather have someone who’s enthusiastic and interested in what we’re doing than have to painstakingly drag it out of someone, or just get the bare minimum. So, in those hiring roles and things like that, if you’re in hiring role out there, consider when you’re doing your interviews, consider gauging in level of interest and enthusiasm, because that can be more valuable in a lot of ways than just straight flat background experience, I think.
Chris Greer:
Right, right, and we all have parts of our jobs that aren’t the most fun, but you got to do them. But as long as that’s not 95% of your day, then I think you’re doing it right, you know?
Sean Sebring:
So, one of your first roles kind of transitioned you into … I suppose your first role out of working with Duke, you mentioned at the start-up, Samanage, which is actually how we met over six years ago at this point now. And you moved into the IT operations management space there, which Chris also gave me my first MacBook, which was fun. He mentioned his interest and infatuation with with Mac.
Chrystal Taylor:
Ah, you’re a Mac user? That explains so much about you.
Sean Sebring:
Let’s first talk about the culture of that role, being in … I suppose it’s going to be a little bit difficult as well, because you mentioned it was a startup, and startups themselves have a different culture about them. But doing your best to separate startup versus a large organization that’s established, IT operations itself versus security, I’m kind of curious. Let’s start there and then just speak about the transition, because you said this is about a year in now, just over maybe, to transition to security. I’m curious about the bigger differences between just IT operations versus being in security.
Chris Greer:
Sure, yeah. I think the biggest thing is kind of the mindset change, right, like, proactive versus reactive mindset. And so in IT and help desk, you’re way more reactive. You’ve got a machine down or server down. Downtime is the enemy in help desk and IT, so you’re looking to resolve whatever issue you have as fast as possible.
But in security, you got to kind of take a step back a little bit and slow down, because it’s not all about speed. You got to understand where the threat’s coming from, what they’re attacking, and how to prevent it in the future, so I think that’s two of the biggest things there. And sometimes it’s a little hard to slow down because you get used to that cadence of, all right, let’s knock this out, let’s get it done. And sometimes in security investigations, they will take a day, they’ll take two days, they’ll take three days to really understand what was going on, and the things you need to put in place to prevent that from happening again.
Chrystal Taylor:
Are there any similarities between doing a security investigation and doing root cause analysis on the IT side?
Chris Greer:
Yeah, for sure, because in RCA, you need to understand why it happens and how to prevent it, so during the investigation, you’re all about trying to find out who they are, what they’re doing. And then once you establish that you can kind of, how do we prevent this from happening in the future? So that kind of completes that final step of the RCA there.
Chrystal Taylor:
I like that comparison because it showcases that if they’re not that different, I think that working in an IT role and working with a lot of people in server administration, network administration, whatever, security has a reputation in most places of being sort of an impediment. Or there’s a lot of conversations about red tape, or basically that it feels like they’re making the process harder than it needs to be?
Chris Greer:
Sure.
Chrystal Taylor:
And having had conversations here with Josh Vanhoose, I know that not everybody in security is trying to do … I’m sure there are people out there that live to say no. I used to be the subject matter expert for a specific product that was very black and white and didn’t have a lot of customization, and I lived to say “No, it can’t do that.” I loved it. I would get called in by my engineers to tell people no, because they couldn’t tell people, and I’m like, “You got it. I’m on it.”
Chris Greer:
Call Chrystal.
Chrystal Taylor:
Yeah, for me, it was like a break from the normal, because all the other things we worked with were super customizable, and so you couldn’t just say no. There was a possibility that you could do that thing, so having something so I could just be like, “Nope, you can’t do it. It’s not a thing,” was a break from the normal. So, I think there’s probably some personality aspects there in security that maybe relish being able to tell people no, that they can’t do things.
But to get back to the point, it’s nice to have these kind of comparisons of tool sets or skill sets that are transferable between a normal, regular IT role and specifically a security role, because security, in general, can seem very intimidating to try and move into, because it seems like … And I don’t know if this is just a reputational thing or what, but it seems like there’s kind of an unspoken barrier to entry into security, and they’re not looking for a lot of junior roles or people that are outside of security skill sets, and so being able to compare skills gained in both places, I think, is really helpful. And I wanted to know more about your transition between the two roles. How many things did you take from your former desktop security role, or desktop support role, sorry, into your security role? How much of that is transferable, I guess?
Chris Greer:
Sure. I think they cross a lot, right? Because in desktop, especially in IT and systems work, you’re into the networks, you’re into the firewalls, you’re into the servers. So, a lot of those things transfer over, because when you get an investigation, you’re looking at IP addresses, you’re looking at where they’re coming in from, you’re looking at the logs in Azure or wherever, whatever tool you’re using, and that’s a lot of the same thing when you’re troubleshooting in IT. You do have to look at the logs and see where those errors are, and see how you could reconcile those and get your system up and running again. So, that solid troubleshooting skill set is really important, and really, no matter what role you’re in in IT, but it definitely transfers over to security as well.
Sean Sebring:
One thing I’m curious about is, well, two things actually, but let’s start with this one. Your role, your title, is security engineering manager. Can you break down the engineering part of that? What’s unique about the security engineering part versus maybe just a generic security title? Is there anything that’s unique about your specific role in security being security engineering?
Chris Greer:
As far as the engineering title part, I think that’s more company-based.
Sean Sebring:
Okay.
Chris Greer:
The guys on my team are definitely engineers, right?
Sean Sebring:
Sure.
Chris Greer:
I don’t know if I would consider myself an engineer, I feel especially at my time in the SOC, but those guys are writing queries, they’re writing scripts, they’re writing custom alerting based off of what the business needs are. So, those guys are definitely engineers. But for me personally as a manager, that was a different transition on itself, because I was an individual contributor, so I was a lead engineer on the IAM team, so I was doing that work myself. Now it’s more delegation, helping my team grow their careers, making solid decisions for the SOC and security as a whole. So, it’s a little different mindset, but as far as the engineering part for the analysts and that we have the engineers on our team, those guys are definitely engineers, for sure.
Sean Sebring:
And it’s not a big deal, but I just have to ask, because especially in, let’s be honest, sales, where I’m at, everyone’s got manager in their title when they’re not a people manager. So I wanted to clarify, did engineering have anything unique about that? Because on the opposite side, engineering is used a lot, and I get both as well, even though I’m not an engineer, I suppose.
Anyway, so you perfectly pitched me up for the second part of my question, which was about that mindset differentiation. So, I would say with personal experience, having managed before, managing now, that those characteristics, those traits, being a people leader in itself is the most important part. Because you said, career growth, helping remove barricades for your employees, helping make sure they can do their jobs better, and that they feel like they have a career path, they’re nurtured, that’s more important than the field that it’s particularly in. So, you being transitioned over there straight into a leadership position, you already had some of that management background. You were ready to do that and take those management skills, but you were learning security at the same time.
Chris Greer:
Right.
Sean Sebring:
Having done that, you kind of already said a little bit about it, but I want to expand on it. What is the difference in your mindset as a leader as well? Not just the people part, but as a security leader helping to try and motivate them or steer them to get their jobs done or look at a bigger picture? What’s different in your perspective as the security leader versus the security practitioner? Not saying you don’t practice as well.
Chris Greer:
Sure.
Sean Sebring:
All right, do you understand where I’m going with that? You have to have maybe a bigger picture idea of it, whereas the individual practitioner might have a single-lane focus.
Chris Greer:
Right. Yeah, no, for sure. To play off what you were saying is, when you get an investigation, that’s where the ISD comes in, and they’re focused on that investigation. They’re focused on closing out. As far as management goes, I really try to let the engineers and my team do that work. I don’t need to go in there. I mean, they’re the experts, right? I am not, so I don’t want to go in there and muddy up what they’re trying to do. I basically sit back and watch what they do, so I’m understanding what they do, but I really don’t think it’s my place to get my hands in all of that. So, I try to give them the freedom to do their investigations. I am not a micromanager, so if you’re able to work on your own without much influence from me, that’s my perfect team.
I want to be able to trust my guys or girls or women or whoever’s on my team to do their job, and not have to go behind them every time and just to make sure they’re closing things out correctly, or they’re doing the investigations right. So I think as a manager, I try to foster that environment. I want to make them know that they’re valued, the work that they’re doing is good work. And then basically, my role is to report the great work they’re doing up to leadership, so I’m kind of that middle man between the CISO and my team. Basically my end goal, kind of like you said, is to grow their careers, advance the security program, and make it tighter, because there’s always improvements to make, right? So, if I’m able to fulfill the requirements that the business needs have as well as develop my team, then I feel like I’m in a pretty good spot and kind of doing the role where it needs to be.
Chrystal Taylor:
We talked a little bit about people skills earlier and how important those are to really any role. But in your role now, if you’re kind of interacting directly with the CISO, between your team and the CISO … I guess, do you have any advice for those kinds of interactions where you’re sharing concerns from your team to the CISO and vice versa? How does that interaction work, and how much of your people skills are brought into play, I guess, for those kinds of interactions? I don’t know. People might find the CISO to be … Not our CISO. He’s wonderful. I love him genuinely. He’s like the nicest person in the world.
Chris Greer:
Yeah, Tim’s great.
Chrystal Taylor:
He is, but a lot of people can find interacting with that level of person in the company to be very intimidating. And so I guess, do you have any advice on handling that business interaction, and managing and maintaining your team’s expectations between yourself and the CISO?
Chris Greer:
Sure. The way I kind of approach speaking to leadership and the executive level leaders is, they’re normal people. They’re a human being. Just because their title is nice and high and it has a C in front of it, it doesn’t mean that they’re going to be some terrifying person, or a terrible person you can’t talk to, or you only get two seconds and then you’re cut off kind of thing. So I always just approach it as just a normal person. I probably wouldn’t say “Dude” or “Bro” to Tim, but just talking like we’re talking now, and as long as you have what you need to talk about laid out and you’re not wasting his time, if you will, it’s just a normal interaction just like any other person. So, that’s kind of how I go into those discussions.
And with my team, I kind of approach it the same way. I may have a manager title, but I’m part of your team, and everyone’s success relies on everybody in the team. It’s not just me, it’s not just one engineer. So, if we’re all not jiving with each other, then we need to figure out how to make it better, if something arises like that. But I think if you treat people like humans, then you’re 80% of the way there already.
Sean Sebring:
Got to love humans, I guess.
Chrystal Taylor:
I guess.
Sean Sebring:
Just kind of an off-the-wall one, but I think it fits well with our conversation so far, because you’ve got a really cool tool belt of diverse IT skills. Having moved into security, what’s like an underrated or a unique skill, maybe even? It doesn’t have to be unique, but something that you say, “That’s a really good one for security.”
Chris Greer:
Patience.
Sean Sebring:
What’s a good skill, you would say?
Chris Greer:
Patience, for sure.
Sean Sebring:
Say again? Patience?
Chris Greer:
Yeah.
Sean Sebring:
Okay.
Chris Greer:
Yeah.
Chrystal Taylor:
Unexpected.
Chris Greer:
Because kind of like we were speaking about before, a lot of times people want to get things done as fast as possible, and it can be frustrating when it takes some time, especially if the threat actors are sneaky, and there’s a lot of really good threat actors out there. So, you really got to dig in and take your time and make sure that you’re looking at everything that needs to be looked at and you’re not missing anything. So for me, patience is definitely up there. And then perseverance, I guess, you could throw in there as well.
Chrystal Taylor:
I love that they were not technical skills.
Chris Greer:
Yeah.
Chrystal Taylor:
I’m very excited about that.
Chris Greer:
All those things you learn on the job, you learn how to dig in, you learn how to look for certain things, but it’s the other skills that are harder to teach, you know?
Chrystal Taylor:
Yeah, I mean, even just reacting well in a crisis, I feel like especially in a security role, if you were a person that was maybe prone to panic, would maybe not be a good fit for you, because stuff is always happening or there’s people getting in the way or trying to subvert processes. And actually, I do want to pivot us a little bit to that kind of question. I brought up earlier that a lot of IT folks see security as kind of an impediment, and they will, if possible, subvert security expectations every time, in my experience, in order to get what they need done. And some of that, I think, comes from this unnecessary … What is the word I’m thinking of? Basically, everything is important to be done right now, this unnecessary rush of like, “Oh, well, the boss man said it, so we got to do it right now.” And then also from that attitude of they expect to have administrator-level access.
And last time Josh said something, which was that the first thing that he learned moving to security was that you don’t have administrator access anymore and you don’t need it. So, I think that that was a curve ball to realize, oh, wait a minute, you don’t have that. So I think that my question really is, what kind of interactions do you have to have on a regular basis or a semi-regular basis with people who are trying to subvert processes? And what does that do for the processes that you guys are creating? How does that whole interplay kind of go?
Chris Greer:
Yeah, sure. Since we’re scanning everything, I think people are caught off guard a little bit sometimes when we do reach out to them, because they’re like, “How do you know what I’m doing?” It’s kind of our job to know that, so that’s how we know, but-
Chrystal Taylor:
Big brother.
Chris Greer:
Yeah, no, a lot of times things are just done out of, like you said, just trying to get things done. So sometimes you kind of take a little nudge around the rules just to get things done sometimes, and that’s where we step in, because we’ll get the alert and then we need to follow up and do that investigation. So sometimes we make a little bit more work for people, so I apologize for that, but in the end, we’re just trying to make sure that everything that needs to stay secure stays secure, that it’s not out in the open.
So, we deal with some key leaks here and there, not external leaks, but just post it in a Teams channel or something like that, which is not something you really should be doing, so that’s kind of when we’ll reach out. And we’ll get a little pushback sometimes, but once we have a call with whoever it is or the team, they get where we’re coming from, and they understand why we’re reaching out and asking what we’re asking for. So, in the end, everyone is pretty compliant and pretty friendly. I think just that initial message maybe catches them off guard and could set the wrong tone sometimes if it’s not done the right way.
Chrystal Taylor:
Based on your conversation earlier, I don’t remember if you moved into security when you were still at Samanage when it was a startup, but I do have a follow-up question, which is based on this kind of subversion of processes. There are some differences between a large corporate culture and a startup culture, and that startup culture requires people to move fast and make changes very quickly, which means that people are maybe even more prone to subverting processes, or there not being processes even in place. So I guess, what do you think the differences are in dealing with security in these two types of companies in IT, which is the two main things going on?
Chris Greer:
Sure, sure. So in a startup, it’s usually a very, very small team, and IT is in general, right? So when I was doing IT operations, it was myself and a team member, and we did everything IT, so it was the whole gambit. In a bigger company, you have different departments, you have systems, you have security, so you have people that are specifically looking for certain things or working on certain things. So I think in the startup, it’s really reliant on who is in charge of that IT department and how they set up permissions.
Going back to what you were saying about admin rights, everyone wants admin rights all the time, and it’s just not possible. So, you need to restrict that, which causes a little bit of pain points here and there because they’re frustrated they can’t do what they need to do. But something I always explain to people is, listen, it’s a two-man IT team, so to have 200 people have all admin rights and be able to have … It’s like the Wild West and it’s just impossible to keep everyone secure as well as the business. So moving over to like SolarWinds. In a larger company, it’s really nice to have those separated teams that focus on things.
One thing we’re trying to do is we’re trying to break down those silos and have all these IT departments work as one. It’s called cyber fusion, so that’s something that the SOC team has been working on. Myself and Harry Griffiths, we’re in phase two of that program, so we’re going to start developing that out a little bit more, and hopefully making security just part of daily life rather than, oh, no, I clicked on a phishing email kind of thing.
Sean Sebring:
So, I guess this will be pivoting, but it wouldn’t be a TechPod episode if we didn’t bring up AI and exhaust it a little bit. But I want to approach it a little differently, and it’s not talking about using AI. Instead, I want to talk to you about from the security mindset of, what kind of risk it poses to the employee using it? So you mentioned earlier, and I like the ominous statement, “That’s my job to know what you’re doing,” right? So let’s say an average Joe like myself is using an AI through a browser. What are the primary concerns that security would have in your everyday person, be they in sales, finance, any business operation department, using an AI tool? Because it’s almost part of everyone’s everyday job now that they use it just as an assistant tool.
Chris Greer:
Sure.
Sean Sebring:
What kind of threats or concerns does the security team have? And I suppose small opportunity for you to give guidance on how to best use it.
Chris Greer:
Yeah, sure. Talking about AI, there’s a bunch of different options out there. I think one of the most important things is that if you are going to use AI, one that we use, Copilot, here at SolarWinds, so that’s an authorized AI client. So, if you need to use AI, try and use Copilot. If you’re using ChatGPT or OpenAI or whatever, don’t put any sensitive information in there, all right? If you need it to help writing an email, totally cool. If you want it to write code for one of our products, probably not the best spot to do it. We will get an alert for that and we will reach out to the user. So, we do monitor all those channels to make sure that we’re not having that out in the open, but I kind of look at it as, don’t put anything in there that you don’t want getting out. I think that’s the best way to look at it.
If you’re putting something in there you know shouldn’t be putting in there, don’t do it. It’s not worth it, because there’s no security as far as they’re concerned. They use everything you type in there to machine learn and get better at what they’re doing. And a lot of times too, I’ve seen it just messing around with it myself, just trying to learn JQL, it’ll give you bad code too. So I mean, if you’re trying to put it in a product, you could just hose the product itself because you’re putting in code that doesn’t actually work.
Chrystal Taylor:
That happened not that long ago. It was a big deal in the media where one person decided that he was going to do a whole company by himself, and he had AI write his product, and then he couldn’t fix it.
Chris Greer:
Yup, yup, and then you’re hosed, right? There’s nothing you could do.
Chrystal Taylor:
Yup. Yup. That’s really good. I’m going to pivot us again, because we’re getting kind of close to the end of our time together. I want to ask about security’s portrayal in media, and this is a two-part question, A, how did that affect your own impression before you moved to security? Did it influence your decision to move into security at all? And then I have a follow-up also.
Chris Greer:
Sure. Full disclosure, when I moved over to security, I knew a little bit about security just from my past roles, but as far as the security alerts and all that stuff, I really didn’t look into it much until I joined the team and I really kind of got my feet wet. But I will say, I have a feeling what your follow-up question is, and this may or may not lead into that, but if you look at all those security advisors, the world’s on fire, basically. There’s so many threats out there, it’s like the most paranoid feeling in the entire world. You feel like you’re never safe. There’s always someone trying to get at you. There’s always someone trying to steal something from you, which I guess in theory in a way is true in a little bit. But for the most part, it’s not like the Earth is a huge dumpster fire and everything is security-related. But all those advisors are also really important for us as a security team, because that helps us be aware of what’s out there and to make sure that we’re keeping our eyes on things.
Chrystal Taylor:
Yeah. That’s not my follow-up question, but I’ll get into it in a second. I think that the portrayal in media generally for anything IT is usually kind of laughable. So security is no different, but you think about hacking and then they’re all like … It’s insane.
Chrystal Taylor:
And so it doesn’t make any sense, but I’m sure it influences someone out there of, oh, hacking looks so cool. Just the movie Hackers, people are like, “Hacking is so cool.”
Chris Greer:
I was just about to mention that.
Chrystal Taylor:
You think about things like WarGames and these classic tech movies that really probably influenced people’s ideas of what it was going to be like, and it’s not like that at all. But what I was going to say is, do you think that the portrayal of security in popular media affects how users interact with the security team?
Chris Greer:
That’s a good question. That I’m not too sure of, to be honest with you. Going back to H ackers, it’d be really cool if you were hacking something and it all pops out and the words start flying around on the sky in front of your eyes. I mean, that’d be pretty cool, but hack-the-planet type stuff. But yeah, no, I think it’s really based on a person-to-person basis. Some people could read those things and just be like, “All right, cool. Here’s what’s out there. This looks interesting.” Or like I said before, get super paranoid about it and kind of disconnect, read it offline, reformat their phones a couple of times, all that kind of stuff. But I think if DEF CON and stuff like that was more visual for, quote, unquote, “normal people,” who are outside of the security world, I think they would find it’s pretty interesting. It’s pretty amazing what these guys and women could do. They’re so smart. It’s just incredible how they can just hack into something and just follow that wormhole down and just get in there, and it’s really, really amazing.
Chrystal Taylor:
Just following up on that, I do think that CISA has done a good job in the last few years of becoming a bit more visible about what they work on and what they’re doing, so I’m with you. For the average person, I’m not in security, I don’t know enough about it. I’m enthusiastic about it in the sense of helping normal people be a little bit more secure, but not in the, I’m going to go work in the security team type of way.
Chris Greer:
Come on, why not?
Chrystal Taylor:
I’d have to learn quite a bit for that, and I don’t know, maybe one day I’ll switch into it, because that’s my favorite thing about IT is that there’s always something new to learn, always something new to do.
Chris Greer:
Sure.
Chrystal Taylor:
And you mentioned it earlier, you found a new interest and so then you went into it. I operate very similarly, where I just do a thing until I’m bored of that thing and then I go learn something else, because we can.
Chris Greer:
Right.
Chrystal Taylor:
But you mentioned earlier that you could get really paranoid watching all of the media and like, “Oh, everyone’s out to get us all the time.” I do think that there’s a certain level of that that’s necessary to have personal risk aversion. Just as an aside, I finally have convinced my mom to be more secure with her phone and with her jobs and stuff, like her job applications and things. Twice now, twice now in the last year, she’s applied for jobs, done interviews, and they turned out to be fraud.
Chris Greer:
No way.
Chrystal Taylor:
Yeah. They sent her a check for computer equipment. They were work-from-home jobs, so watch out y’all, but they sent her a check for computer equipment and then she was suspicious, and so she called the bank that it was supposed to be from, and the bank was like, “We’re investigating.”
Chris Greer:
Oh, no way. That’s crazy.
Chrystal Taylor:
“The FBI’s already involved.” It was like a whole thing. Anyway, but she used to say, years ago, “Why would anyone steal anything from me? I don’t have anything worth stealing.” And I think that that is a crazy attitude that the bulk of the human populace has. And the people who aren’t involved in IT, or your parents or whatever, like, “Oh, I don’t have anything worth stealing. I’m not a millionaire,” and that’s just not true. The value of data is so large, and I finally have impressed it upon my mom, she’s become more secure. Just some, some more. Don’t click on everything that you see.
Chris Greer:
Right, right.
Chrystal Taylor:
It just needs some help. So does you working in security now, from having been in IT and all that, does it influence your personal relations as well in the same way of like, “Oh, you guys, come on, you got to watch out for this thing,” or whatever? Does it influence your relationships at all?
Chris Greer:
Oh, for sure. My daughter is the worst with passwords, so when I got onto the security team and started really digging in, kind of like I mentioned before, you get really paranoid. So I got paranoid, because I was like, “I need to make sure my family is locked down. I need to make sure my network is locked down.” I wasn’t aware of all the little intricacies that these hackers do, so learning about that, it definitely made my security footprint at home, device-wise, way better. I went and made sure everyone changed the passwords and they weren’t reusing the password 1,000 times.
And kind of going back to what you said as well with my mom, right, because she has five devices for no reason, and they all have different email accounts on them, and she stores passwords here and there. And I’m just like, “This is the worst thing you possibly could do.” I’m trying to help her as well, so she’s come a little way, but she still has a long way to go. But it definitely influences how I look at security and my own personal stuff as well.
Sean Sebring:
Yeah, it’s a good topic for us to kind of close on, that we brought it from your career, your journey, bringing in how we observe and view security through work, and then how it actually relates back into home life, in your personal life as well. And Chrystal, I really like what you said, is that you think you’re not valuable to someone who wants your information, but you are, right? So you don’t have to be paranoid, but you should probably take it a little more seriously than you give yourself credit for, but great stuff.
Well, thank you Chris, for giving us an inside look at the world of cybersecurity and what it really takes to succeed in this critical and constantly-evolving field. Whether already in tech or just curious about making the jump into security, we hope today’s convo was really valuable and gives you some perspective. So Chris, I really want to thank you for joining us today.
Chris Greer:
Yeah, for sure. Thanks for having me. This was great. Really enjoyed it.
Sean Sebring:
Yeah. And thank you, listeners, for joining us on another episode of SolarWinds TechPod. I’m your host, Sean Sebring, joined as always by Chrystal Taylor. If you haven’t yet, make sure to subscribe and follow for more TechPod content. Thanks for tuning in.