Understanding Social Engineering and Maintaining Healthy Paranoia
October 7, 2019 • Monica Todros
Our guest today is Rosa Smothers, senior vice president of cyber operations at KnowBe4, where she leads KnowBe4’s federal practice efforts, including providing cybersecurity advisory services to civilian and military agencies within the U.S. federal government. From her humble beginnings with a used 8-bit home computer, Rosa’s career experience includes over a decade in the CIA, leading cyber operations against terrorists and nation-state adversaries.
She served multiple tours overseas as a cybersecurity analyst and technical intelligence officer in the Center for Cyber Intelligence and the Counterterrorism Mission Center, and was highly decorated for her service. She’s a strong advocate and mentor for women starting their careers, and is a member of Women in Defense and InfraGard.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 128 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Our guest today is Rosa Smothers, senior vice president of cyber operations at KnowBe4, where she leads KnowBe4’s federal practice efforts, including providing cybersecurity advisory services to civilian and military agencies within the U.S. federal government. From her humble beginnings with a used 8-bit home computer, Rosa’s career included over a decade in the CIA, leading cyber operations against terrorist and nation-state adversaries.
She served multiple tours overseas as a cybersecurity analyst and technical intelligence officer in the Center for Cyber Intelligence and the Counterterrorism Mission Center, and was highly decorated for her service. She’s a strong advocate and mentor for women starting their careers and is a member of Women in Defense and InfraGard. Stay with us.
We didn’t have a lot of money, and back then especially, way back in the day, computers were very expensive. So my folks saved up and purchased for me a used Commodore VIC-20 so that was where I started and learning to navigate that command line environment. And then eventually I had a system with a modem where I could dial out and go onto bulletin boards, and then came internet accessibility.
So technology has always been a passion of mine. Then as the industry grew, it then became more specific to IT, networking, and security. My current CEO here at KnowBe4, Stu Sjouwerman, I worked for him at his previous company, Sunbelt Software, where I was a sales engineer, which is like pre-purchase tech support in a way. It was great because we had a huge suite of software at our beck and call for me to learn so there was always a challenge.
That’s the beautiful thing about computers and technology is, you will never learn everything. There’s a constant evolution. Now we’re talking quantum computing and artificial intelligence, so there’s always something to learn. That’s the beauty of our industry and why myself and so many of my colleagues, we will never lose our passion for the work because of all of this ongoing and ever-evolving, cutting-edge technology.
I want to swing back to your most early days briefly and I’m curious when you were presented with that first computer, that first 8-bit VIC-20, was that something that you were asking for or was that something that your parents put in front of you on their own?
I don’t imagine I asked for it. I wasn’t a kid that asked for a lot of things because I knew money was often pretty tight. I think it was very important for my parents that I have the ability to learn and grow and be a good student. My mother, when I was a kid, she actually worked at a daycare center for an entire year to save the money to purchase a piano for me. My mom and dad being the amazing parents they are, they just put the time, money, and effort in to save and sacrifice to give me these tools to grow and learn. I’m just very fortunate in that regard, certainly.
The work that you’re doing today, what is your day-to-day like at KnowBe4?
Every day is a little bit different, for which I am grateful. So I’m never bored, that’s for sure. I do a number of different things here. My area of expertise is what we call our federal practice efforts, so that’s providing cybersecurity advisory services to civilian and military agencies within the federal government. We are working with a couple of lobbying firms to better educate Congress on the need for security awareness training.
Certainly with the ransomware, the rise in ransomware, the ransomware epidemic, it’s much more on Congress’s radar now. That’s unfortunate, but good news in that we’re able to further those efforts, so Congress and our government can better understand their cyber. There’s hardware, there’s software, but there’s the human element that we’ve not focused as much on as we should be. And so we’re making great strides in that regard.
And then I am also involved in our cybersecurity research efforts, any internal cybersecurity investigative efforts, various forms of forensic analysis. It’s a smattering ranging from working with Congress to doing very highly technical work, which was more along the lines of the work that I did at the agency in terms of the more high-end, technical efforts.
And you mentioned the agency. You had some background working in the government environment?
Yes. When 9/11 occurred, I decided that I wanted to leave the private sector and go work for the federal government in an effort to … I wanted to fight Al-Qaeda. I wanted to work against the bad guys. I didn’t have a bachelor’s degree at the time because I’ve just always been good with technology so I was making a very good living just fine without it. But I knew I needed at least a bachelor’s degree if I wanted to go work for one of the three-letter agencies.
I left my job and moved up to Tallahassee, Florida and attended Florida State, and I did my junior and senior year there and got an information studies degree with an emphasis on computer networking. And then I minored in Russian because I just always enjoyed the Russian language; and met a recruiter at a jobs fair who was at the Defense Intelligence Agency, and I spoke with him. I was working on an honors thesis about information warfare. So they ended up hiring me as soon as I graduated.
So I moved up to … Small town, Florida girl, moved up to DC and I worked at the Defense Intelligence Agency for about two and a half years. During that time, I collaborated a great deal with my CIA counterparts and eventually they wooed me over. I was at CIA for, believe it’s 11 years and seven months. I had a lot of adventures, a lot of international travel, met President Bush, met President Obama. I’ve seen a lot of amazing and sometimes scary stuff.
I got to the point where I decided I need to be back home and closer to my family. I had done my service to my country and I felt like I was at a good stopping point, and so I decided to come home. And no more snow, which is always a benefit.
Yes. How do you describe your own leadership style? How do you lead a team?
One of the great things about having worked for over a decade at the agency is you truly get the best of the best training. So I’ve had a great deal during the course of that career, my intel career of leadership and management training. It benefits not only your professional life, but I think your personal life as well.
I consider my leadership style to be very collaborative. I think it’s important to ask open-ended questions. It’s important to know your people and not just their names, but who they are, what are their likes, what are their interests, what are their kids’ names, to have that personal engagement as well. Because people’s personal life affects them 24/7 so it affects their work day. They bring it into work with them.
So I think it’s important to understand that level of detail that you’re not dealing with a two-dimensional person that’s there to serve a function. You’re dealing with a human being and there are a lot of layers to that. And also making sure to be clear on people’s strengths and their weaknesses because that’s the best way to build a team and that’s the best way to ensure everyone is supported within that team. That everyone is sort of a puzzle piece and they all fit together and complement one another.
And I think it’s also very important to thank people for their effort. I would try to remember every day when I was managing various teams at the agency, at the end of the day to thank them for their hard work that day. Because sometimes it’s as simple as saying thank you, but it really does go a long way, especially when people are putting forth 110 percent constantly, which you know we do at the agency and we do here at KnowBe4.
It’s interesting to me, I’m wondering for your perspective on this situation that I think we find ourselves in where there is a tremendous amount of competition for people in cybersecurity who have those skills.
And so it’s not uncommon to hear that that is a particular challenge for the government in recruiting and keeping people on board. So it’s a really interesting perspective that you share about some of those things I don’t think we hear a lot about, like you mentioned training. There are opportunities within government that maybe we don’t hear about that much.
Oh that’s very true. The federal government writ large, I think, is struggling with a brain drain, if you will, because there are a lot of incentives in the private sector that the government can’t necessarily offer or can’t necessarily match. Especially for great tech companies like the KnowBe4s, the Apples, the Googles of the world, government can’t quite offer a lot of those benefits, but there are other aspects of federal service that are hugely beneficial.
A lot of federal agencies, to include the CIA, provide tuition reimbursement. Not every company does that. Again, the richness and diversity of the kinds of training that can be offered for professional and personal betterment. And obviously when you’re working for an espionage organization, there’s the potential for international travel as well. So there are a lot of benefits either way.
There are some huge cultural differences of course being in the federal government versus the private sector as well. Some people appreciate that. Others don’t. It’s a lot more of a, I would say a structured environment. Here at KnowBe4, it’s a tech company, we’re all wearing shorts and blue jeans and yoga pants, and it’s very casual. You are not going to walk into a federal office dressed the same way we do here.
Right. At least not twice, right?
Right. At least… Yeah, exactly. That’s a good one, yeah. You might once and you’ll live to tell. There are pluses and minuses, great things to be grateful for on either side of the fence. But I also think the diversity of experience is important as well because I think it’s made me a better person and a better employee. And I think that would serve a lot of people if they wanted to serve their country in some way, shape, or form like that.
You came up through the industry at a time when there were very few other women. And to this day, you’re a strong advocate for women in cybersecurity. Why is that something that is important to you to spend your time on? What’s the value that you get back from that?
It’s funny people look at it from an altruistic perspective, but I consider myself to be pretty selfish in this regard because it makes me feel good to help young people and women in the industry. I did not have a mentor with cyber skills when I was coming up. I really didn’t. I certainly didn’t have a female mentor, so it nourishes my soul to help others. I mean, just this week, I’ve had three former agency colleagues and one person here at KnowBe4 reach out to me and say, “Hey, I know someone that’s coming out of military service. Would you mind talking with them about transition into civilian life?” And another person, a young woman who is looking to diversify her skillsets.
I don’t always have the answers, but what I’ll tell everyone is, “I might not have the answer, but if I don’t, I can find someone who does.” So that’s the best thing that I can do to help people build out the tools in their toolkit, if you will. We all need multiple mentors, again, with those multiple skillsets I was referring to earlier. It’s also, I think, sort of from a karma perspective, important to give back. I’ve been very blessed to have amazing agency colleagues with whom I’m still in touch who were mentors to me and are still mentors. Some of them have transitioned into civilian life as I have and they still serve as mentors to me. We all try and pay it forward by supporting folks that want to learn and grow and evolve.
I think, certainly for those of us agency or prior military, I view my work here as still working towards defending our country’s private sector or public defending our networks. I want to make it as hard as possible for the Russians and the Chinese to get into a healthcare system, a bank system, make it harder for someone to steal an elderly person’s money via social engineering. So it’s a different kind of service, but if we’re working to harden networks and make them tougher targets, then that’s the most fulfilling work that I could hope for.
Yeah. It gives you the ability to, at the end of the day when you go home, you can look back and say, “Maybe I made a little difference in the world.”
Yeah, absolutely. That is how I feel and I see that difference. We get that feedback a lot from our client base, so it’s great to have that almost instant gratification.
It’s interesting to me to have seen this, I guess what I would describe as a necessary shift toward the social engineering side of our defenses, toward the human side. I think partially because the technical defenses have gotten better, but where do you see the future going for this? What’s on the horizon for you all, for yourself and the sort of things you’re tracking at KnowBe4?
Well, I think your point about that technology has become so good at plugging a lot of the holes. Now it does assume that the technology is implemented correctly. There are technologies that can be used to harden networks, but if they’re not implemented correctly, then you’re open to harm and you don’t even realize it. There’s a technology called DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, which is quite a mouthful, but it’s an email authentication policy and reporting protocol.
A lot of folks consider if they’ve got DMARC set up, they’re safe, they’re good to go. But it’s sort of like assuming if you’ve built a wall around the castle that there are no holes in it or you can’t go over the wall. Because a lot of times those implementations are not 100 percent accurate, and thus, you can still get through. Or most companies allow their employees to, from a corporate system, log onto personal accounts, web mail, Facebook, LinkedIn, what have you. So I can spearphish your company’s IT admins, executive assistants, “high value targets” via their social media accounts and still land on your network. So that’s where the whole point of technology implementation is great, but at the end of the day, unless individuals are smarter and savvier about the choices they make, or in this case the links they click, you’re still at risk.
The technology, especially when it comes to artificial intelligence and deep fakes, as this technology evolves, there will be a time where it will be virtually indistinguishable to know whether you’re talking to a person or an AI system. And again, that’s where making sure your users are savvy comes in because you have to … Your Spidey sense tingles, if you will. Hit the pause button literally or figuratively. Pick up the phone and call the person and say, “Did you send this email? Is this your video that you just texted to me?” before you take an action that can compromise your phone, your laptop, your corporate system.
I especially think AI and AI as it relates to deep fakes, it’s a tool hackers are going to use. It’s a tool that intelligence services are going to use against us as well in information operations to sway opinions on various issues, be they technical or political in nature. That will never go away. It will remain an evolving threat. It will never go away. That’s why understanding the nature of social engineering and maintaining that healthy paranoia is so important.
Our thanks to KnowBe4’s Rosa Smothers for joining us. She’s one of the featured speakers at the upcoming Women in Cybersecurity Reception at the International Spy Museum in Washington, D.C. The event is hosted by the CyberWire and both KnowBe4 and Recorded Future are sponsors. You can learn more about the event by visiting thecyberwire.com/wcs.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.