SANS: What made you choose to work in tech/security?
I have always loved computers. Beginning with our first home computer, a Commodore 64 system, to current fun items like Software Defined Networks, I always knew I wanted to do something with computers.
When in university doing engineering, I did start my own company and did a bit of work then, but it showed me that there is lots of work out there that people need done and how you can help fill a need
I didn’t start in security, but moved there through a long route, but all of that experience provides a great knowledge base that I draw on regularly. I have a very diverse background. I started doing network design when first out of school, designing and implementing networks for small customers (50-100 people) and large (100k+ people). This gave me a great grounding in how our networks work. I have also worked on email system design and Voice over IP system design, installation and troubleshooting, giving me more experiences higher up the stack and how these all interrelate. From there I moved into security, be it design, requirements definition or implementation of devices. I also led a security operations team, playing the whack-a-mole game with attackers and problems. From there I moved into security research work, specifically vulnerability management and remediation.
My current role I am engaged in security research work within the federal government. This has helped me to connect with some of the brightest people doing some really cool things. All which, when added to my ability to do teaching with SANS, has enabled me to really enjoy my work.
SANS: As an instructor, what is your teaching philosophy?
My goal when teaching is to ensure that the class is engaged and able to take practical information back after the class and use it immediately. Theory is nice, but being able to use something you have learned immediately is key. My goal is to help ensure this is done for the students. This includes information shared by other people in the class too. Nobody knows everything, and we all have unique experiences that can help others. Fostering an environment where this can happen helps ensure my classes are a success
My diverse background (describe above) helps provide the knowledge, background, and experience that has helped me to write the course. Understanding the different layers of our environments, from networks through the applications, and how these all interact, helps inform all of the different facets needed to effectively manage and deal with our environments from a vulnerability management perspective.
SANS: Why do you enjoy teaching about vulnerability management and the cloud?
There is something unique about teaching a class that you have written. Don't get me wrong, I enjoy teaching a wide variety of subjects, but something about knowing what you have put together matters to people. Seeing the heads nodding, the "lights going on" or after a section having people come and state that this was the exact problem they had at work and now they know how to tackle it. It reaffirms all the time and effort you put into the class.
Vulnerability management spans the entire spectrum of IT and even some areas outside of it. We need to interface and deal with the system and network administrators, the IT architects, the operations teams, the change management group to name but a few. It takes a lot of understanding to be able to work in this space. I find that my background, having started with network design and support, some application deployment, Linux administration, network architecture and security operations all have provided me with knowledge that I leverage in vulnerability management. I can talk IP and routers as needed, get into Linux specifics, discuss architecture challenges and even dealing with digging into route causes and incident handling. These experiences enable me to talk intelligently with all the groups I work with. And then we need to communicate what we need to get done with everyone.
Drawing on these 20+ years of experience, I can help stitch together the various pieces that people may not be able to fully see or understand. Helping people unscramble the puzzle that is before them into the manageable pieces and how they can work through it all to have a program and not just a collection of parts is truly rewarding.
SANS: What’s your advice for someone taking a SANS course for the first time? Attending their first event?
Hang onto your hat, as you are in for a wild ride. You will most likely be overwhelmed by the amount of information that you get from the class. Don’t worry. Everyone needs to start somewhere, and gain an understanding. Ask questions. Don’t be afraid to say you don’t understand something.
One of the biggest items I found when attending SANS classes and events is the networking with other people. From the instructors to other students, take the time and meet some new people. You will be surprised how helpful everyone can be. And you will soon find that you are not alone in the problem you are facing at work… others are doing the exact same thing, or just completed doing it. And they can help you avoid some of the pitfalls you may encounter
SANS: What has been the highlight of your career so far?
After one of my classes last year, I was talking with one of the students before we all left. I had asked her how she felt that the class had gone for her, and if she felt there was anything that she would be able to use when going back to work the following week. She looked at me somewhat dumbfounded, and I could tell from the look on her face that she wasn't sure if I was serious or not. Seeing this, I clarified that I was wanting more feedback, and how we may be able to improve it based on her experience and background.
She looked my right in the eyes and said that this was exactly the course she was looking for. Her company, a large international organization, needed to implement a more robust program than they currently had. She said that I had given her a roadmap for things, and because of the information I had given her in the class, she knew exactly what she needed to do, had already started a plan to do it, and said that because of what I had shared with her, she would end up being promoted and her career would continue to advance and even accelerate, as she could clearly see how to resolve issues that had been causing problems for them.
That sums up why I do what I do, and I know I am doing the right thing.
SANS: How has security changed in your specific industry over the past five years? Where do you expect it to go next?
This field is a constantly evolving and changing. And it isn’t happening slowly. Blink and something new is out.
Currently I think as we continue to move more and more to the cloud it will be the software defined networking and how can it be leveraged to quickly adapt networks to deal with threats.
Dealing with copious amounts of data that we process and access in security, and how do we successfully fuse that together quickly and easily to make meaningful nuggets we can action. Just staring at “the matrix” doesn’t help. We need to automate and give the analyst items of interest to spend their time on instead of having them look for the needles in the haystack. Automate to remove 95% of the haystack and let them do their work more effectively.
SANS: What are your interests or hobbies?
- Flying (I’m a private pilot, though finding the time is always hard.)
- Outdoor activities (e.g. skiing, fishing, camping, hunting)
- Family (spending quality time with my 3 children)
SANS: What is your favorite quote?
There are several quotes that I like...
"If you focus on what you left behind, you will never be able to see what lies ahead." --- Chef Gusteau, Ratatouille (the movie)
"You have brains in your head. You have feet in your shoes. You can steer yourself any direction you choose." – Dr Seuss
Read more about Jonathan Risto.
Learn more about LDR516: Building and Leading Vulnerability Management Programs