REPLAY: Cyber and Business are Becoming One with Ismael Valenzuela
About This Episode
This week we replay a popular episode in which Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry, joins the podcast to share perspective from the security threat frontlines. We explore zero-day vulnerabilities and information stealers, differing risk appetites across organizations of every size, the criticality of information sharing to mitigate emerging threats, and breaking down the security basics that are key to shoring up defenses.
[1:11] InfoSec to Cyber
Rachael: We've got Ismael Valenzuela, who's vice president of Threat Research & Intelligence at BlackBerry joining us today. We're going to have such a great conversation, you guys.
Ismael: Thank you so much, Rachael and Petko. It's always great to do these things, but when you do it with friends, even better, so happy to be here. Thanks for having me.
Rachael: Exactly. Do we want to start at the beginning, Petko?
Petko: Yes, I think we do. Ismael, you've been in cyber before it was called cyber.
Rachael: It was called something else at the time, right?
Ismael: So you're calling me old right now. But I know that you're about the same age as I am, so let's go with that. We used to call this InfoSec, information security, which still seems a bit more appropriate than cyber. But I think we lost that battle. It's just like the definition of a hacker.
As much as we would like that to be defined differently, it is what it is.
I started with my own company in the year 2000 in Malaga, Spain. Beautiful place by the way, if you haven't been there. It was something I liked. It was a passion that I had. I thought, this is the combination of things that I love to do.
System administration with solving puzzles and getting my hands dirty on infrastructure. Securing things, keeping an eye on attackers. So it sounded like fun, but we never thought it was going to be what it is today.
Cyber and Business Shift: From McAfee to BlackBerry
Petko: You and I used to work together at McAfee, I believe, and now you're at BlackBerry. But that's not all you do, aside from the podcast. You're always busy, I found. What else are you doing outside of BlackBerry?
Ismael: I guess I'm doing too much. That's the problem. As I said before, when something is a passion, you end up covering a lot of different projects and initiatives. I have this problem that I don't say no to things as often as I probably should. I've been teaching for SANS for the last 12 years, I believe.
I started in Europe, then I moved to the States in 2014 and I kept doing that. I'm an author of a class as well around Zero Trust. I’m working on some other projects that you may know about maybe in a few months. I've been doing a lot of different things in the industry. I like to go to conferences to speak, do the research, to present.
And also, I guess it's something I'm enjoying more these days, to build teams and manage teams where you can not only do cool things, but also learn from other people that are doing cool things and learn from each other.
Rachael: That's the fun. You're on the fun front lines, I like to think. Seeing everything as it's happening and developing and almost like the scary stuff behind the scenes. In your time, what's been your perspective on how things are changing?
A Perspective on How Things Are Changing
Rachael: Are they becoming more diabolical, or we're just hearing about it more? I'm always curious, having been in the industry, I see it through a lens. But someone who's been on the front lines for as long as you have. I think you've got to have a little bit of a different perspective.
Ismael: It's about the time of the year where everybody makes those predictions, which I really hate.
One of my colleagues on the team, he says, "We don't talk about predictions. We talk about forecasting because that's more scientific." Prediction is like, "Hmm, let me stick my finger up and see what's going to happen next year."
We do predictions, we look at the data, we see the trend, and then we do analysis on that and we tell you what's probably going to happen.
The reality is that it's all about geopolitics. If you look at threat intelligence, it's just the art of translating what's happening in the world of geopolitics into how that will affect the cyber world. I think obviously the trend is just going to continue.
We're going to see a lot more collaboration between traditional cyber crime, financially motivated groups working with APTs. Especially providing them with initial access to environments, a lot more info stealers, more credentials being sold in the dark web. We see that a lot these days.
Something we've seen over the last year as well, there's a lot more focus on Linux platforms, even macOS. Interestingly, because we've always said that the best bang for the buck is on Windows.
That's why attackers are focusing on Windows. What's happening today is that attackers are creating malware in languages like Golang, which can be executed on multiple platforms.
[6:13] Supply Chain Is Still Very Impactful in Cyber and Business
Ismael: So just with investing their time once into creating this malware, now they can make it portable and also infect macOS Linux systems. Then maybe the other thing I would highlight that I think we're going to see more and more. It's another buzzword these days, supply chain attacks.
But it's true. As companies are investing more in building defensible security architectures. We're getting better at having more visibility, better detection, better response capabilities. Supply chain is still very impactful. It is an avenue that attackers are going to continue using.
Petko: Ismael, when you say supply chain, can you tell us more about what you mean? When it comes to infrastructures and software when you say supply chain for our audience?
Ismael: It's about abusing the trust chain. For example, I buy a security software and I trust that vendor because they're in the business of security. So I install this, I put it on my network. I let this software connect to the internet and just do the updates or do whatever it has to do.
I then put additional controls over that, thinking that that software could have something extra. Because maybe it's not you that were attacked directly. It was that third party that was attacked, their source code was modified, and now there is a backdoor in there that can be leveraged by an attacker to get access to your internal network and, in most cases, to your most trusted segment, whether it's onsite or cloud-based. So it's very tricky.
Is TikTok Really That Bad?
Ismael: Because if you think about large suites of software, we talked about SolarWinds, what, two years ago. But it could be anything. It could be any software that users install on their computers, things like, I'm just going to throw names there, I don't know if we're supposed to do that.
Petko: Go for it.
Ismael: Dropbox or WhatsApp or any communications tools, Slack. Is this safe? Can we run these in our computers? So I think we're going to see a lot more emphasis on auditing, product security testing, and auditing the source code. What do we put on our laptops and on our computers.
Rachael: Definitely. Did you guys read this? I know TikTok is always everyone's favorite thing to hate. But I believe it's been banned in government offices now is something I was reading. I always think, is it that bad, Ismael? Is TikTok really that diabolical, bad, bad thing lurking? Because I'm obsessed with it right now, by the way.
Ismael: I'm going to answer that with the default answer to any of these questions, which is like, it depends. Every time I have this conversation, I always ask this question back, "Tell me more about your threat model? What's your threat model?"
Because what's acceptable for me as a user or as a maybe small company, my risk appetite might be very different from the DoD. Or a large financial organization that is conducting business in a country where there is some geopolitical situation where attackers might be interested in. So it all depends on your risk appetite.
Safety Depends on Your Risk Appetite
Ismael: But many organizations may start saying, "Look, this software, we didn't trust it. So with just the policies, we're not going to install it on corporate-managed computers. On your personal device, you can do whatever you want. But that's going to be completely segregated off the network. It's going to have a separate connection.
You do with that device whatever you want."
Petko: Now, I know you mentioned software, but it also then applies, I think, to hardware. Because I think I saw the US government also banning certain network infrastructure brands. That they wanted to make sure, "Look, we would not want to do business with you if you had X."
We're not mentioning their names. So we always talk about software, but that software's got to run on something. Sometimes, and we all know this, there's always software in your BIOS, in your firmware. Now, it's a lot more targeted. It's probably not as mainstream as some of the others. But it goes back to what you said, risk appetite. The risk appetite for a US government or a nation state that is constantly under attack. They're going to worry about not just the software, they're going to worry about the chips and everything there.
Ismael: If you think about IoT devices, security cameras, all these things that we just bring into our home. We don't really know what's running on them. Large government agencies, they've been doing this for quite some time.
At BlackBerry, we have a bunch of people that are focused on this, product security testing.
Cyber and Business in BlackBerry
Ismael: One of our big business units is IoT, even automotive, software for cars. When you think about it, there's about 250 million electric cars running our software. Think about how attackers could start shifting their attention to this in the future and what the impact of that could be.
Petko: Can you tell us more about what BlackBerry's working on now? Because Rachael and I were talking about this. She loves her BlackBerry from years ago. I'm like, "I think they're doing more than that now." You're in a lot of different things. You just mentioned the millions of cars up there. What's BlackBerry up to nowadays?
Ismael: That's a good question. Essentially, we have two business units. One is cybersecurity, the other one is IoT. They're obviously very related to each other. As I said before, on the cyber side, you probably are familiar with Cylance. That's the company that was acquired by BlackBerry years ago and that we continue to work with.
I run the Threat Research & Intelligence team. Which we are, as I said, Rachael, before, at the forefront, trying to monitor what's happening in the world and creating threat models. Sharing that information through many different ways.
We do a lot of public talks, we do reports, blogs. Recently, the US government has been acknowledging some of our research when we shared some of these TTPs, or tactics, techniques, and procedures, for specific threat actors. But we also build or improve our products as a result of that research.
How It Feels to Be in a Company that Focuses on Cyber and Business
Ismael: The other piece, the IoT, automotive, is really fascinating because it's not the future. It's the present, as I said before, millions and millions of cars running this software. QNX and large manufacturers use that to build the capabilities that you have when you get into your car and you get your phone connected.
You get your access to a lot of different services. This is just going to increase.
Because at the end of the day, cars are becoming just computers on wheels. That's really interesting to me because it's where we're heading towards. It's nice to be in a company where we're at the forefront of these two very fascinating fields, as it is IoT and cybersecurity.
And we still have BlackBerry software on our phones. We don't do phones anymore, but we have BlackBerry software. You can brand on iPhone, an Android. Actually, we work with a lot of different governments to secure these communications, but it's not that well known.
Petko: I think I've seen some of your BlackBerry interfaces. I'm so used to Android owning the car business. But I'm finding out BlackBerry does have tons of it out there with BMW and some of the higher-end ones. What are the major attacks that cars have that someone would want to run a more secure operating system in their car versus custom made, let's say, or rolling their own?
Ismael: Well, that's a good question. I think that if you look at what's happening today, outside of the research. We don't see these attacks happening in the real world as of today.
[15:01] Where Attackers Will Shift Their Attention to in Cyber and Business
Ismael: Most of the software that you see today implemented in cars is telemetry generated, it's more about sensors. Looking at what the car is doing and how to become more efficient. But as cars have a lot more features, and we're talking about the next few years. You start talking about cars being able to pay for things automatically as you go. Then, as there's always money, when there is money involved, attackers, they always have an interest in that.
I think that that's where we're going to see maybe attackers shifting their attention towards this. But as of today, thankfully we don't see real-world attacks against cars as something prevalent.
Petko: I believe BlackBerry's got a large threat intelligence infrastructure, and you guys are seeing attacks on companies. Is there something we should be doing in order to share more data and get ahead of attackers or be aware of this happening? Any suggestions there?
Ismael: Well, something we have been doing is collaborating with a lot of intelligence agencies around the world. I just mentioned before, we talk regularly to DoD, DISA. We share information with them. They gather this information, and they share it with the community, with companies.
Especially obviously anything related to critical infrastructure that affects everybody, all of us as citizens, residents.
We're very prompt in quickly sharing that information with them. So I think that's obviously one of the things that can help. Sharing with those agencies so they can share more with the community.
I think that many security companies are doing a good job at that, at sharing that type of information. Obviously, when it comes to intelligence, not everybody shares everything because there's also value behind that.
There Are Things We Cannot Withhold in Cyber and Business
Ismael: There's an industry, and there's money to be made out of this. But I think we have to be responsible and understand that there are things that we cannot withhold. We have to release this information quickly to those that can do more than what we can. Or, let's say, what we should do because we're not law enforcement.
We can do research and we can find about the bad guys. We would love to punch the bad guys in the face, but we cannot do that. It's not on us to do that.
Petko: But I have seen, I think, companies do takedowns of some of these infrastructures. If they're operating in certain areas or working with DNS providers to disable all domain name space.
They're sharing the threat data with certain ecosystems that do threat sharing. I think, in my experience, a lot of the challenges, no one wants to be attributed as the original patient zero of when they found it. Because then someone's like, "Oh, did you get hacked?" "I can't answer that."
But I think to your point, the sharing is something we need to do more often. Because, if we can get faster at that, we can get faster at preventing the next attack and the third attack. And then reuse net infrastructure, reusing that code base. You mentioned earlier, the supply chain attacks that we saw, those are very targeted.
But if we know it's happening, think about how many companies we could have helped: "Hey, look for this ahead of time before it goes out. It might be coming from SolarWinds." But I think to your point, it has become a business. But I think the business is trying to automate the sharing into products and into everything.
Zero-Days
Petko: I'd love to get your take on what's some of the craziest zero-days you've seen around this threat intelligence. You mentioned IoT and others, but what's some of the most interesting ones? I see you smiling, for those of you that are on the podcast. But knowing Ismael, he's always got something in his head he's thinking about.
Ismael: I'm trying to think of something that would be funny. But the reality is that most of these things are not really that advanced. That's the sad part, that it's always about credentials compromised. We've had on the news, Grizzly, a big company, well known. It was this attack where the user is bombarded with multi-factor authentication messages.
No, that was not the initial access. The initial access was an info stealer, something like RedLine.
We see a lot of those. Why? Because it's a big business. You don't have to be very sophisticated to just spray all of these attacks, phishing, watering hole attacks. Just enticing somebody to download and execute something. Especially with teenagers, I have teenagers, too, at home.
They download games, cheat sheets, things like that, and they come with these info stealers.
People install these things, you get the credentials stolen. It might be that guy that is playing with that computer also works for the large multinational. Now you have username and password. Then those credentials are sold on the dark web for just ten bucks or five bucks. It's crazy.
Then that's when you see the multi-factor authentication attack coming after that. So the reality is that it's not as sophisticated as we maybe could think. Obviously, zero-days, it's always something.
Why Are We Missing the Simple Things in Cyber and Business?
Ismael: We've seen a lot of zero-days exploited, or unpatched, I should say, unpatched systems. VMware systems being exploited this year. Which brings another question, why would people expose these servers to the internet?
Once again, it's a lack of a solid, defensible architecture, lack of good hygiene, the simple things really.
Petko: If you were, let's say, a small business enterprise, not a nation state, not a Fortune 10 company. But if you're a regular company out there that maybe has 1,000, 2,000, 3000 employees and you're trying to do right by your employees, you're trying to do what's needed, what are the top two or three things you would say they should do?
Or be aware of to create a defensible architecture? Or protect some of their info from information stealers and other attacks, those initial vectors?
Ismael: I think I'm a big fan, and I've mentioned this before, of having a threat model where we think about business continuity. Ransomware has changed everything because now people understand, "Oh, if I'm a victim of ransomware, this impacts my business directly."
But it's more than that. If you're a small company, who do you do business with? Because you're always part of a chain, even if you're small. Do you work with financial organizations? And do you work with governments? Do you work with education, with healthcare? Now, how can your organization be abused or used?
What can harm you? What are your lines of revenue that brings most of the money into the company, the services, the products you have? Now, how can that be impacted by any of these cyber attacks?
You Cannot Separate Cyber and Business
Ismael: At least have that high-level threat model. If you cannot do that, you don't have that information, get somebody to do that for you. Then with that information, now you know what's at stake, what's at risk. How much money can I lose? How much will it impact my business?
Based on that, you can make decisions now on, "Okay, I want to go with this provider." Use managed services, small organizations that are never going to have a SOC. They're never going to have a threat intelligence team, an incident response team in-house. Because that's not their business.
But at least know what's the strategy. The companies must own that.
I think that's changing a little bit right now. Companies are starting to understand that you cannot separate business from cybersecurity. You have to know what your threat model is. Do you do business in Taiwan? Well, what could happen if China invades Taiwan? How is it affecting what you see today in Southeast Asia? Because we see a lot of attacks in Southeast Asia right now.
Especially attacks related to stealing intellectual properties, espionage. Those are the questions that we need to answer.
Petko: You're speaking almost of regulation, not just geopolitical, but almost a regulation. I was having a conversation recently with someone about what happened in Australia with Optus. If you've been following some of their, I don't know if I'll call it breach, but spills, whatever you refer to it as.
Now there looks to be a regulation impact where they're talking about, how do we put the burden back on them for this breach?
[24:11] Insurance Can’t Fix Everything in Cyber and Business
Petko: Then at the same time, which is almost like a checkmate move. You saw the cyber insurance company market saying, "We are no longer covering nation states attacks." So now you're like, well, before I'd say it's a nation state, but really it's someone just clicked the wrong button.
Now you get into the burden of proof is to prove that you are not negligent.
So I think there's going to be a lot more investment in cybersecurity to say, "Did I do the right thing?" back to your threat models. If we're doing the right thing that says we're not negligent, we're doing our due diligence here. But there is that possible risk. I think, as a cybersecurity professional, you hit it really succinctly.
You've got to be tied to the business. It's not just the company, but also be aware of the impacts in Southeast Asia or regulatory changes that might happen. It's part of that threat model that needs to consider, if this changes. We can't just fix everything with cyber insurance.
We might have to actually invest in certain things to avoid the risk to the business.
Ismael: That's a problem we've always had with security. Every now and then somebody comes up with, "Oh, I have the solution to all of our problems," whether it is, I don't know. You call it however you want, XDRs right now. XDR, that's the solution to all the problems. Or cyber insurance: "I have insurance, therefore I am covered." No, there's a lot more.
Regulations are great, compliance is great, but that's only the starting point.
Know Your Business to Protect It
Ismael: You always have to look beyond that. If you cannot do these things yourself, as I said before, well, go to somebody that can help you at least cover the basics. Nobody can be 100% protected. Nobody can protect even everything, all the assets. That's why you have to be specific and know what's important to your business.
If you don't know the answer to that question, you have another problem.
Petko: You don't know your business so you can't protect it. It's an interesting thing. We've talked about trends. We talked about your background. I feel like we can talk about so many different things here. Rachael, anything we're missing?
Rachael: We talked about the geopolitical landscape was cyber. When you started hearing these terms like cyber war when the whole Ukraine and Russia. Because my question is, does a cyber war ever end? Are we ostensibly now in this perpetual cyber war? You've got these volunteer cyber armies that you really can't regulate.
People are just jumping in the fray. Who knows what can happen. How do you even get a handle on something like that? Does it ever end, and how would you know?
Ismael: Well, again, I think it has to go to what I said before. Wars that you should really be worried about.
It's funny because we're talking about cyber war here. But if you ask the people in Ukraine right now, they don't care about cyber war. They care about bombs dropping on their houses and killing their loved ones. So that puts things into perspective. Cyber war always has an important part and it took an important part.
What We Should Worry About in Cyber and Business
Ismael: Especially leading into the invasion. But then at that point, it's all about the physical world. So it's about risk management. We know all those risks that are out there. It's like getting to your car in the morning, you know there's so many risks. But you don't stay home because you know that you have to do things.
But you're constantly managing or evaluating, what are the acceptable risks? Which are the ones that you're not going to take today?
Same thing with cybersecurity. We have to live, we have to operate, we have to do business, and there are so many threats out there. But APTs, they're not going to go after everybody. They go after specific organizations that have specific things.
What are the things I have to worry about? Well, ransomware attacks. That obviously can't affect everybody. Credential stealers. I'm a big fan of emulating these things. Hire somebody to do that emulation for you. If I was a victim of this type of attack, what will happen? What data will you be able to access?
That puts things into perspective and gives you factual data that you can use now to make decisions.
Petko: You know what's interesting? I've noticed recently, most of the time, I think I saw a statistic where 80% of the attacks, you don't find out about them from internally. You find out because someone notified you.
Sometimes you get notified by, let's say, the FBI who will tell you, "Hey, we see some of your IP traffic coming to this domain that we took down." The question is, "Do you guys own this IP? Are you aware of it? Do you know what's there?" is part of the conversation.
[29:20] How to Protect Your Business from Threat
Petko: When you start going through that, you realize, "Oh, we need incident response. We have to figure out how to respond to the FBI. Potentially, the media has to get involved." So I think from the threat modeling, if you take that one step further, is you almost have to do a tabletop: What if this happened?
What if the ransomware happened, who do we bring in internally? Do we have canned responses? What's the process we can quickly make a decision in not days but hours or minutes? Then how do we interface externally? Do we have the relationships externally?
Ismael: You can do this with tools that are available out there, even data that is available out there. I'm a big fan of the MITRE ATT&CK® framework to build these threat models. You can go into ATT&CK Navigator and say, "Okay, if I'm in healthcare, what are the attack groups or even,"
I call them weapons, "the weapons or the software that can be used against me?"
And you can start with things that we already know that people are using. You can just read the reports. I said RedLine before, as one of the top info stealers we're seeing. You can look at Cobalt Strike, SILENTTRINITY, other frameworks that you know attackers are using.
So if they're using these weapons, what do they look like when they're used on an endpoint on a network? What type of artifacts will it generate? Do I have visibility of that? Am I able to detect this? If so, how fast can I detect and react to something like this?
So that puts another threat model into something practical that you can measure, that you can improve.
Interesting Ransomware Names
Petko: Ismael, I got a silly question here. Who gets to pick these names, like RedLine and some of these? It almost feels like astrology where whoever finds it gets to name it in the sky. Then afterwards I'm like, "Is the same thing I'm seeing in the sky the same thing as what you're seeing, and we both call it two different things?"
It feels like some of these names always feel like astrology. We're talking about the same thing, but we are speaking different languages. I'm kind of curious, how do they get named?
Ismael: That's interesting. Some of that is marketing. Even the bad guys have marketing. Or you create your own team, I mean, your own tool. I remember back in 2014/15, I created this tool called rastrea2r. It was a little tool that I used, before EDRs, to go and collect artifacts from different systems and then bring them into one single machine and do analysis on that.
Long story short, I called it rastrea2r because I thought that was cool. It's based on Spanish "hunter." But then I realized that nobody here in America could pronounce that correctly. So that was a marketing failure.
Petko: How do you spell it?
Ismael: So that was a marketing failure from my side. But I already had stickers and a logo, so I was not going to change it. Then I went to Black Hat, and I was able to present it there though, so that was cool. For example, we have now the ability to call malware names.
You Find It, You Name It
Ismael: If you read one of the latest reports we wrote, we analyzed some malware. We look at the PDB, which is the database where you can see debugging symbols for a binary. And we look at that and we saw some strings that said ARC, and it was a crypter. We said, "Okay, ARC, ARCrypter," so that was the name.
So we get to name the baby and say, "This ransomware, it's called ARCrypter." But again, that's just a name to describe something. It's part of the fun.
Rachael: You find it, you name it is really what the mantra is. I love this. One day I'll find something, I hope. I would love to have that opportunity.
Ismael: It's part of the fun.
Rachael: Absolutely. I want to know, Ismael, I like to get into the more friendly parts of life in cybersecurity. Petko probably knows where I'm going with this. I'm curious, what are you reading right now? I'm in a total pivot.
It doesn't have to be security related. I will say we did have a guest who was reading Dave Grohl's biography, and I went out and bought it. I was so excited about that. So it can be anything that you find interesting. Is there a downtime reading that you like in addition to work stuff? What's on the bookshelf right now?
Ismael: I have to say right now because the end of the year it's so crazy and I have so many presentations and so many things. I'm not reading a new book right now.
How to Tell a Story
Ismael: But as soon as we get into two, three weeks and I get some downtime, I'm going to pick up something new. I can tell you that I love to read about history. I love to read about things that don't have to do necessarily with cybersecurity. Because I found that that helps me to become better at my work and when I do presentations as well. It's also good to keep your sanity.
For example, I live not too far from New York. There's a couple of art fairs that they do there that I love to go, which is local artists. People that are not very well known and just go there with my family. Just walk around the booths, and watch people do amazing things. It's like, "How do you do that? That's awesome."
Or talking to a photographer explaining what they felt when they took that photography and how they did it. I find that so fascinating, and it helps me to keep my sanity. So anything that doesn't have to do necessarily with cyber.
I remember going on a flight recently. I didn't feel like reading. But they had these MasterClasses. There was one with Malcolm Gladwell, and he was explaining about how to tell a story and how to tell stories that are captivating. So I got a couple of ideas. I was like, "Whoa, I'm going to use that in my next talk."
You Have to Tell a Story
Ismael: It turned out that people loved it, and it was something completely different from what I've done so far. So my suggestion is, to any cybersecurity professional listening to this, just do other things. Don't just live for cyber 24 hours. It's not good and it's not good to anybody.
It's not good for you, and it's not good for the people around you. So pick on other interests.
Rachael: I love that you were talking about storytelling, too, because we have talked about that in the past. Because so many people especially if you're talking to a CEO or the board level folks who really just don't know.
It's that storytelling that kind of helps them understand what the heck you're talking about and what the impact is and why it matters. And there's an art to that. There really is.
Ismael: I always use this quote from, I have the book here, Clifford Stoll, The Cuckoo's Egg. He did a presentation a few years ago at a SANS CTI summit. He was explaining when Berkeley Labs got hacked in 1986. He went to the FBI, trying to explain, "Hey, I have a hacker on my network."
The FBI officer was like, "How much money was stolen?" He said, "Well, 75 cents." The guy was like, "Whoa, okay, kid. Come back when you have something."
He said, "I have all the data and I thought people would understand what the data meant." He said, "No, you have to tell the story. That's what people really understand." So it's important to be able to tell stories that explain the "so what?" Why do you have to pay attention to this? Or why you have to do something about it?
Keep Your Mind Sometimes Out of Cyber to Do Well in Cyber and Business
Petko: I love that. We've learned so much about you and what BlackBerry's up to now. Ultimately, for folks who are in cyber, we got to make sure to keep our mind sometimes out of cyber to do well in cyber.
Ismael: It's important. There are so many beautiful things around us, nature, music, other things that can help you become a better person. A better professional at the end of the day, too.
Rachael: Exactly. It doesn't look like we're ever going to unplug anytime soon and get back to the world of unconnectedness. So good to have these conversations. I think to your point earlier, Ismael, we get connected cars and electric vehicles and we're connecting our homes.
Pretty soon, everything's so connected that if you're not putting cyber kind of at the forefront of your thinking, it's just going to run amok and be complete chaos. We just can't have that happen.
Ismael: We're human beings, and we're made out of different needs. Obviously, finding new stuff, learning, it's fascinating. But we also have to maintain our own health and mental health and physical health, and that involves other things. It cannot be just all cyber or work.
Rachael: I think it's a good message too. I think about probably kids at your age, teenagers that you have and Petko's children growing up with all of this information and all of this technology at your fingertips. I came into it, ugh, I'm really old, but closer to college age or what have you.
You see the kind of impact that it can have on mental health well-being. But also getting sucked into TikTok for an entire day.
A Challenge to Stay Out of Devices
Rachael: How does that grow or change as you get older or the next generation that's coming behind us as well? So I love those kind of messages because you got to remind yourself to get out and actually be in the moment.
Ismael: It's a challenge. I have to say I've gone through all those phases of like, "Oh, I have a smartwatch. And I read all these eBooks." Maybe I'm going to sound boring now or old, but I don't use the smartwatch anymore. I just ditched that, and I'm using just a regular watch. I like watches.
So a nice watch that it's not beeping or vibrating or sending me any notifications. I make sure that I turn off all the notifications as much as I can. And I wake up in the morning, I get my coffee first. I do the things, a little bit of reading before I even turn the phone on.
I'm not always good at that, I have to say. We're not perfect. Sometimes it's just first thing in the morning I check my email. It's like, "Ah, I shouldn't have done that." But all these little things, hell, even grabbing a book, like a physical book when I need to do a deep study, absorb. I need to walk away from the computer.
I cannot read it on an electronic device because I get distracted. Because all these applications are made for that, to keep you swiping and scrolling down.
Petko: You remind me of that whole industry of self-improvement and folks who just want to get better.
Cyber Is Not a Career, It’s a Mindset
Petko: Because you got to problem-solve. So I'm thinking if there's anyone out there who's into self-improvement or any of that, go get into cyber. Because we need more of you because you're already a problem solver. We need more problem solvers.
I think on one of our episodes we had someone that did medieval history, and he did cybersecurity. He majored in medieval history, and now he's in cybersecurity. Think about it, he's an outsider, but he loved problem-solving. That's the mindset we need.
Cyber is not a career. It's a mindset that we need to proliferate and bring more people into the roles because we definitely need more people.
Ismael: That's the beautiful thing about this field, that you get to work with people with different backgrounds, different ways of approaching things.
I've never had so much fun as when I worked with people that didn't have my background, people that came from data science, people that came from big data PhDs, and they have no training on cybersecurity whatsoever.
I would be talking to them, it's like, "Yeah, because this is like that." "Oh really?" "And why is that it's not like that?" It's like, "Well, it's obvious, but now I have to think about how to explain why it's obvious. And maybe it's not that obvious anymore." That's really, again, enriching.
When you're young, you want to start into a new field. You can spend a lot of hours, a lot of time going deep into something. But at some point, it's good for you to get out of that and then see what's around it, zooming in and zooming out.
Rachael: Yes, absolutely. Because I think, to your point, when you have outside interests, like the medieval history person, he would look at security differently through the historical lens of war and combatants.
I just love to champion to all of our listeners out there, even if you have an art degree, this is an amazing field. Your perspective would be very valuable. I love that we continue to try to get that message out there. Because we need so many more good people to come join us and join you in the trenches.
Well, I know we're coming up on time, so I absolutely want to thank you for your time, Ismael. This has been a wonderful conversation. I'm so excited about the work that you're doing at BlackBerry, particularly information sharing. It's critical if we're ever going to get ahead of these things or have a chance at trying to slow them down.
So keep up the great work, and I look forward to following more about all the great work that you're doing at BlackBerry. And Petko, another great conversation. I love what we do. I love this podcast.
Thank you, guys. To all of our listeners out there, thanks again for joining us. Another great conversation. Don't forget to smash that subscription button. You get a fresh, clean episode in your inbox every Tuesday. So until next time, everybody, be safe.
About Our Guest
Ismael Valenzuela is Vice President of Threat Research & Intelligence at BlackBerry Cylance, where he leads threat research, intelligence, and defensive innovation. Ismael is co-author of the Cyber Defense and Blue Team Operations course, SANS SEC530: Defensible Security Architecture and Engineering. He has participated as a security professional in numerous projects across the globe for over 20 years, which included being the founder of one of the first IT Security consultancies in Spain.