A Culture of Drive, Work Ethic, and Attention to Detail
Our guest today is Nick Kael. He’s chief technology officer at Ericom Software, a company that provides secure web isolation and remote application access software and cloud services.
In our conversation, Nick shares his professional journey, including the important lessons his experience in the U.S. military has provided. We’ll learn about his leadership style, his take on threat intelligence, what he looks for when hiring, and his approach to his day-to-day responsibilities.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 153 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.
Our guest today is Nick Kael. He’s chief technology officer at Ericom Software, a company that provides secure web isolation and remote application access software and cloud services.
In our conversation, Nick shares his professional journey, including the important lessons his experience in the U.S. military has provided. We’ll learn about his leadership style, his take on threat intelligence, what he looks for when hiring, and his approach to his day-to-day responsibilities. Stay with us.
Yeah, it's been an interesting one. I started off out of high school and college. Actually, I left college a little bit early, joined the United States Marine Corps, spent eight years in the Marine Corps. Got to travel the world and do some interesting things that way, but nothing really IT-related, although very security-minded, both physical and logical security. Now that I'm in the security industry, I see that a lot of it translates.
From the Marine Corps, when I got out, landed in the wide area networking space. I worked for a lot of the telco companies, Global Crossing, British Telecom, Infonet, few of those companies providing global wide area network services. I was doing a lot of engineering work, building out networks for organizations that were global.
And in about, well, let's see, it was about 1999, I got a call from one of the customers that said, "Hey, we bought this thing. It's called a firewall and we want to install it and we don't really have anybody on board that knows how to install it or deal with it. Could you help us?" I literally went home that night and read the Check Point FireWall-1 manual and Firewalls for Dummies and did an install for the customer. Everything went great, and then I was actually given an offer to move over to our security team after that.
Made a move into the security team and started working a lot with managed security services in the early days of it. Then from there, that was while I was still with British Telecom, actually, and then when I left British Telecom, I went to Symantec where, that was about 2009, I spent about four years as part of the CTO's Office for Security in Symantec, the first run there. Left Symantec, went to a startup that you might know of, Zscaler. I was employee, I believe, number 82 in Zscaler. Spent just under six years there and then left. Actually went back to Symantec for around a year, and then joined Ericom about a year ago.
Gotcha. What is your day-to-day like these days? What sort of things keep you busy at Ericom?
I own a few facets within the organization. I have our solutions management team or what a lot of organizations would call sales engineering, the folks that are out working with our customers to build the solutions from a technical aspect and support our sales organization.
I also own what we call the customer advocacy team, which is our customer support team globally. And then I've got a responsibility into the product in terms of helping lead product strategy and everything from a technology perspective, so I work a lot with our chief product officer, our R&D teams, and the developers on products. Then also just recently inherited our internal IT, so now I manage all of the internal IT aspects for the organization as well.
Day-to-day is interesting because it flip-flops between the different teams. I do a lot of customer support and working with customers in the field to make sure that they're getting what they need from a solution perspective. Deal with support issues. If there's some type of bug or an issue that they're dealing with in their environment, helping them try to sort that out from a technical perspective, escalations on support issues or what have you. And then also our internal IT keeps me running quite a bit.
Do you feel like having that wide view, being involved with so many different teams, does that give you better insights into the things that need to be done throughout the organization?
Yeah, absolutely. I think, one, from a historic perspective, the things that I've been able to see and do with just a lot of different customer environments, and it gives you a really diverse view on how to handle things in different ways to maybe tackle problems with the environments.
But then also just dealing with our customers and seeing things, seeing how different customers approach things differently, it opens your mind to look at things very creatively and open-minded. I think we do have to do that a lot of times, both in IT and then especially now in security. Not everything is just straight out of the box.
You mentioned that many of the lessons that you learned in your time in the military have transferred over. Can you give us some insights there? What sort of things did the military provide you with that are beneficial today?
Yeah. I think, one, just the way you look at the world, simple things where sometimes the attention to detail of something ... Give an example, I was dealing with a customer where they were saying how much they've invested in their data center security and that basically they've got foolproof security right down to biometrics on the door and the eye, the retina scanners and all the good stuff that they've bought and invested in, and that really no one could penetrate their data center.
I looked at the door from the inside, because we were talking on the inside of their data center, and they had a mail flap for the mail to be dropped in the door. That mail flap had the metal, I don't know, the angled metal piece so that no one could stick their hand in and go across side-to-side.
But it was tipped up and down, and it was angled the way to where they had the big green square button that said Exit to the side of the door. I mean, I could literally just reach in the mail flap, reach my hand over and tap the green button to open the door. And so I made a bet with the CIO of the organization that I could get into their data center. He said he liked his steak medium, and I said, "I like mine medium as well." He went back to his office. I waited about a minute and I just reached my hand through and tapped the green button.
It's those little details and attention to detail, I think, that a lot of people just overlook and that military is very much detail-oriented, thinking about security, like I said, both physical and logical all the time, because either it's troops you're trying to protect or information about a mission that needs to be protected.
I never really thought much about encryption while I was in the military because I wasn't IT or technically focused, but just the use of encryption, for instance, that we use over the radios and communications. And yet, I see today some simple problems that customers could deal with by using encryption, but they haven't gone there.
I don't read a lot of books, but lately, some of the IT security books that I've picked up, there was one called America the Vulnerable, and it talks about a hack of our U.S. government in 2008 and the Chinese, I guess, nation-state, not to pick on them, but they were the guilty party on the hack on these firewalls of the U.S. government. The NSA director at the time called out that we didn't use encryption, but yet the Chinese, before they actually traded all the data, they encrypted it so that it couldn't be seen what they took out through the firewalls.
In the time that you've been at this, and you've been at this a while, what strikes you as some of the interesting evolutions you've seen? What sort of changes have you tracked over the years?
I think it's definitely interesting. Recently, we were out at the RSA Conference, and every year what I try to do is walk the floor. I think what you get from that, one, you'll learn a lot about what's going on in the industry and other vendors and what they're doing, and, again, keeping an open mind to their approach.
But I think you see trends in the industry and they almost go on a yearly basis. We've seen two-factor authentication a few years ago and we've gone through encryption and all the different removable media and things. This year, the big thing is zero trust. These buzzwords, I always like to find out if it's just a buzzword or if somebody's really sticking to that spec or that standard or whatever it is that we're trying to achieve.
Zero trust seems to be the big thing this year. A lot of us, a lot of those in the security industry are talking about it, but I think it's interesting to follow those trends. But a lot of what I see, I think still we overlook something simple and that's that security needs to be part of our culture in the company, and it starts with the users.
A lot of times we overlook simple things like just security enablement or security training of our employees, basic things for them to look at. If you didn't ask for a password reset, but yet you're getting an email saying, "Reset your password," probably want to second-guess or take a closer look at that email. Is it a phishing attack? Is someone trying to trick you into giving up some type of credentials or information?
Just getting the people to think about that and making it part of the culture, I think, is something that outside all of the other tools, it's a basic thing that we should all do. I can't say it's totally free. It probably does cost us some time and it also may cost us some tools to do so, to test it and make sure that it's working correctly, but most of that is free. We can take the time to train our employees and get them to think that way.
How do you describe your own leadership style? When you're trying to have that sort of culture spread through the organization to nurture that kind of thinking, how do you go about doing that?
Yeah. I think, one, it's trying to inspire or keep your people always curious, to think outside the box, and to look at things and be curious about them more and not just, not get wrapped up in just clicking and being on the go all the time, blind to what the content or information might be, challenging people to be thought leaders and think bigger.
Some of my leaders within the organization, I get them to challenge their teams. But also not one of fear of any kind of retaliation or anything from management if something bad was done, but what can we learn from it? What do we take away from different things?
If we did an internal test with a phishing link and somebody clicked on it, I don't want them to be afraid that they're in trouble or something. I want them to learn from it. We go back and use that for helping users understand a little bit more, how to maybe hover over that link next time and look at what it really is taking them to.
One, it's funny, a lot of people think that with a military background that you're going to be a yelling, screaming type of a leader. And I try to inspire people to think for themselves and be a little bit more of a leader themselves instead of just counting on everybody in the leadership team.
I want to get your take on threat intelligence, specifically the role it plays in your organization and the importance that you place on it.
Yeah. I think it's huge right now to get that visibility and what I call actionable intelligence, to be able to take, whether it's just threat feeds type of data, ingest those into your organization to understand the different threats. But you also have to look at it from what is your posture in your industry. Is there some type of industry-specific attack? What are the trends going on at the time, whether it be the Olympics or right now the hot topic coronavirus.
We know that any time there's a major event like this, off the back end of it, there's going to be different types of attacks that are going to come, whether they're phishing attacks over email right now, hey, do you read up more about the coronavirus or those types of things. And so threat intel to get ahead of that.
And then what do you do about it? What controls do I put in place around that threat intel to actually control or to protect the infrastructure and the employees as much as I can? Yeah, without it, we're just guessing, so that threat intel is huge that you can gain insights from. Then, like I said, it's actionable intelligence. It's whether you've got workflows built to automate some of it, but implementing actual controls or policies that will put you in the best posture from that specific threat or threats that might come at you or your organization, your industry, and your users.
As you look ahead, you're looking down the road, what sort of things do you think are headed our way? What are your expectations there?
Yeah. I'd really like to say something really cool and different there, but I think some of the same old tricks, and we see it time and time again and it's, a lot of these things repeat themselves. They're cyclical. Social engineering, it's something pretty simple to solve, but yet, it happens all the time. For how many years now we've seen SQL database attacks, and it's pretty simple for most organizations to go fix them and do things like input validation and whatnot to help fix them, but yet we still see things happen.
I think it's the same old tricks in a lot of ways, but reinventing themselves, different types of ... We're dealing with smart individuals on the other end, so they keep rethinking how to get it out there, how to reinvent an old, old type of an attack and do it in a new way, or right now with ransomware, for instance, on the uptick in a lot of organizations.
Those types of things, I think they just keep happening, and it's the old tricks over and over again, and the attacks do get more and more sophisticated at a code level and what they do or the stealthy type of capabilities. I think, again, we have to think about where our important assets are in our organization, who has access to them, and then how do we protect them in the best way that we can.
And then, again, it comes down to the users. If I can trick a user into clicking on a link, most situations, it's game over. And so, that weakest link coming back to the user, if I've got them educated and I've got the culture right in the organization to where everyone's thinking security all the time, I'm probably in a much better place, even if some new, crazy attack comes out. People have to second-guess and question these things as they see them come across the wire.
What goes into your hiring practices? When you're looking to bring someone on your team, what are the things that are important to you and what are the things that maybe aren't as important to you?
Yeah. From an importance perspective, I mean depending on what team they'd be coming on. If they're in this solutions management team where they're going to be engineering solutions, it's different. It's really a diverse technical capability that I'm looking for and looking for someone that has very diverse backgrounds in the technology space, whether it be networking and understanding the network stack security, servers, operating systems. It's that technical skillset and knowledge of the different tools that are out there and customer environments, whatnot. Their ability to fit in the company culture is important.
I think to be part of the team culturally, it needs to be a good fit and understanding what their goals are, whether it's long term, short term, that we can work together, some of their background, what their work history looks like. Does that person jump around quite a bit, short term everywhere, or have they been somewhere for a long period of time?
I guess I'm wondering are things like degrees and certifications, are those important factors when you're weighing whether somebody's a good fit?
Degree is nice to have. For me, I think certifications, definitely on the technical side of the team, it shows ... I know a lot of people are against certifications. They think it's a vendor's view of the world or that type of thing, but I think what it does show is that, one, they have the discipline to sit down, whether they did it self-study or however they went through and learned the content for that certification, and then the fact that they've been tested against it and they passed that test shows that they at least retained some of it for that period of time to pass that test.
I personally like the certification track myself, what they do with themselves outside of work, if they've got a family, and what drive the person has, really. I say to folks all the time, "We have to be a student of our game." As the bad guys are always trying to change their methods of attack, we can't just think that we know technology and we just stop there. We have to constantly keep learning this. I think that's why IT is so interesting for me. It's constant puzzle-solving and we have to keep reinventing ourselves and learning more things, learning different technology as it comes out.
I look for somebody that's got that drive, that wants to come in and be a sponge, be eager to learn and that's going to drive themselves to be successful. That's really important to me, just having that drive and the work ethic.
Our thanks to Nick Kael from Ericom Software for joining us.
Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.