Tag: Cybersecurity Leadership

  • What Companies Should be Telling Investors about Cybersecurity

    As a customer, how much do you know about how major corporations handle your personal data? If you’re a shareholder in a company (or several), do you have any idea how well it is prepared for a cyberattack? What is the company protocol for publicizing a security breach?

    For the vast majority of Americans, the likely answer is no on all counts. And here’s the worst part: You won’t find out by reading their official filings with the Securities and Exchange Commission (SEC) or hear the topic come up on a quarterly earnings call.

    A recent study confirmed what a lot of us have known for a while – a lot of publicly traded companies still refuse to reveal the true nature of the threats they face and what they’re doing to mitigate them. Despite increasing pressure from the SEC, the report suggests that most would greatly prefer to stay silent, even after a breach has occurred.

    The report was assembled by the National Association of Corporate Directors (NACD), Security Scorecard, Cyber Threat Alliance, Diligent, and IHSMarkit. These organizations and companies are arguing for more cybersecurity transparency. In my view, this action is long overdue as ransomware and other serious threats grow in both frequency and severity, according to the authors.

    To be clear, as a CEO, I understand why some corporations worry they’ll face a competitive disadvantage if they are too forthcoming about risk. As a professional penetration tester (ethical hacker), I also appreciate their concerns about giving the bad guys in my line of work information that might be exploited or even help cybercriminals better understand the value of data they’ve stolen.

    On the other hand, I am also an investor and a customer. Wearing all these hats makes me frustrated that the government and Corporate America haven’t come up with a solution that puts everyone on a level playing field – including the people who are shouldering much of that risk in the form of their investments.

    In my view, that solution could be as simple as providing answers to three simple questions that would help me, as an investor or potential investor, decide whether to put my money on the table.

    • First, what assets do you have that are most at risk from a cyberattack? This might be intellectual property that can be stolen, customers’ personal information, the money in your corporate bank account, or all of the above and more. And it should address the potential impacts on upstream and downstream vendors and customers. The most important issue here is knowing that the company understands what it has to lose.
    • The next question follows logically: What are you doing to protect those assets? This doesn’t have to be a laundry list that describes each security layer in detail, but it should give readers a sense that the security is appropriate to stop the types of threats it anticipates. Again, what I really want to know is that the company is doing what’s necessary, not just providing a generic response that restates the question.
    • The third and perhaps most important question is whether the security has been evaluated and validated by experts outside the company. Former President Ronald Reagan famously described his policy toward the Soviet Union as “trust but verify” and that’s appropriate in the world of cybersecurity as well. Though we have to trust companies to be candid and truthful, there is a lot of value in having professional third parties provide independent analyses.

    Simply answering these questions is no guarantee that the company won’t be breached, but there is great value in the asking. For one, it keeps cybersecurity top-of-mind in the c-suites, ensuring that it factors into all major company decisions. It also gives policy makers a clear idea about our nation’s cyber resilience and exposes major shortcomings that can be addressed with legislation or regulation. And it provides peace of mind for people who are considering placing their hard-earned money in the company’s hands.

    In the wake of the far-reaching SolarWinds and Colonial Pipeline breaches, now is an excellent time to ask Congress and the SEC to work with publicly traded companies to find a workable disclosure template that better protects all of us.

  • Change is Growth in the Pen Testing Field

    Ask most of us at Raxis what we do, and we’ll tell you we’re penetration testers or ethical hackers or simply that we work for a cybersecurity company. But if you ask what that means – what we really do on a day-to-day basis – you’ll likely get a variety of fun stories about sneaking into buildings, bluffing our way past security guards, using high-tech equipment and special software to hack into networks . . . you know, the usual things.

    That’s partly because the field of penetration testing requires us to try many different approaches to breach a customer’s defenses, which means the more skillsets we bring to the job, the better our chances. But it’s also because Raxis is a company where those additional talents are rewarded with opportunities to grow.

    In this week’s video, Adam Fernandez explains how his journey at Raxis has taken him from pen tester to his current role as our Lead Developer. 

    Adam is a great example of the unique talent we have at Raxis and the type of multifaceted professionals we look for to join our team. His professional growth is helping our company grow and in turn opening up new opportunities for all of us.

    Are you the kind of person who brings more than one set of skills to the job? Are you looking for a team where flexibility and adaptability are appreciated and rewarded? If so, take a look at the other articles in this series and let us hear from you.

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Client Success is Raxis’ Success

    At Raxis, we find communication with our clients is one of the most critical and key components of our service. 

    Throughout the penetration testing process we are communicating with our clients through daily updates, at the end we provide not only a debriefing call but also a full report describing what we found, what it means for them, and steps they can take to resolve any issues uncovered throughout the process. 

    In the video above, Raxis Senior Manager of Operations and Customer Delivery Tim Semchenko explains how critical the after-action reporting is for our clients.

    It is undeniable that finding network security vulnerabilities and helping our clients shore up those weak spots is a huge component of what we do. However, the key to a successful engagement between us and the client is all about the communication. Our penetration testers must be able to not only find security flaws but also to accurately communicate these issues with the client as well as detail how to remedy them. 

    We could simply drop a report on your desk showing what we found and what to do to fix it, but that just isn’t who we are. We want our clients to feel that Raxis is a trusted partner who respects them and is there to help them understand every aspect of their report.

    By treating customers like partners, we ensure our success is based on your success. 

    Here are some other posts you might enjoy:

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Guiding the Next Generation of Cyber Pros

    “After graduation, I’m heading to the United States Naval Academy and plan to major in cyber operations.”

    Cameron Colavito

    At Raxis, we love what we do, and we relish any opportunity to share our passion with the next generation of cyber professionals, so I was thrilled when Cameron Colavito, a senior at the Lovett School in Atlanta, asked to interview me for her senior project focusing on cybersecurity. 

    During the interview Cameron asked what I believe is the most important trait for cybersecurity leaders to possess. I knew my answer immediately – integrity, without a doubt. Businesses, schools, individuals, and families all trust cybersecurity professionals to protect their most sensitive data from attacks, leaving these cyber pros with an extreme amount of power. And as we all know, with great power comes great responsibility. 

    We take the responsibility we’ve been entrusted with very seriously at Raxis, and we’re so glad to see that schools are giving students the opportunity to learn ethical practices as well. Judging from her project description below, Cameron will be more than ready for a future in this field.

    “The concept of my senior project is to learn about how cyber security professionals handle ethical hacking, leadership, and education. I have the opportunity to interview professionals in the field, as well as take up a spring internship with Curricula. During my internship, I will experience how they lead and educate their customers on important cyber issues such as ransomware, social engineering, information security, etc.

    “After graduation, I’m heading to the United States Naval Academy and plan to major in cyber operations. I am excited to see how this field of study becomes a reality in businesses such as Curricula, Raxis, and this growing industry.”

    Cameron Colavito

    I will add that Cameron has earned a great honor with her acceptance into Annapolis. If she sticks with cybersecurity, she will have an opportunity upon graduation to be an officer in the Navy’s information warfare community. In that role, she will help lead the ongoing fight against nations and non-state actors in an ongoing battle to protect our critical information systems.

    It has never been more important for us to encourage the next generation’s best and brightest to pursue a career in cybersecurity. Given the threats we face from within and from abroad, the opportunities are limitless. For those like Cameron, who answer the call with initiative and integrity, I expect that future will be incredibly rewarding.

  • At Raxis, Learning and Improving are Constants

    In today’s video, you’ll hear from Lead Penetration Tester Matt Dunn, the newest member of our team, about why he appreciates the learning environment we’ve created and continue to nurture at Raxis. 

    Matt actually came to Raxis with several certifications under his belt and another now in progress. That proactive quest for knowledge was a good sign that he would be a great fit on our team and was among the reasons we hired him. As it turns out, we were right: Not only has he done excellent work as a penetration tester, Matt has also published his first Metasploit Module. (For the uninitiated, that is a very big deal in the pen testing world.)

    To be clear, it is certainly possible to be an outstanding penetration tester without professional certifications. Likewise, I’m sure there are bad testers out there with walls full of them. As with Matt, however, taking the initiative and making the effort suggests that you are willing and able to learn – and that is a key differentiator for both pen testers and the companies that employ them.

    Why? Because the threat landscape is constantly evolving, and our knowledge and skills have to keep pace. That means the pros that make up our team have to be smart enough to hit the ground running and humble enough to continue learning once they’re on board. 

    Listen to Matt describe his experience, and you’ll get an idea of what this means in practice.

    At Raxis, we foster a learning environment, not just through research and certification training, but also through open communication among our team members. This group includes people from diverse backgrounds who each bring unique skills to the table. When we hire, we look for individuals who are both willing to share their talents with us and also able to learn from the other accomplished professionals on our team.

    Do you thrive in a learning culture? If so, Raxis might just be for you. Be sure to check out our other videos in this series and see if Raxis is the opportunity you’ve been looking for. 

    Here are some other videos you may find interesting:

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Why Teamwork is Key to the Raxis Culture

    As individuals, the members of the Raxis team are among the most talented and accomplished people in the field of information security. They are super-smart high performers who have been or could be successful in many different lines of work. Yet, they have chosen to be a part of Raxis.

    Why? For one thing, the job is interesting and rewarding. Knowing that we’re giving business owners and corporate leaders peace of mind and allowing them to focus on their priorities is a very satisfying experience. And it’s hard to beat the sense of accomplishment that comes from solving the ‘puzzles’ that CTO Brian Tant discussed in a previous post.

    An even more important benefit, however, is the sense that, as Raxis, we’re part of something bigger than ourselves. That’s because effective teamwork creates a multiplier effect. We get the benefit of more minds working on tough problems and we have opportunities to learn and teach each other as we do. 

    The diversity of our team means that there’s always someone we can turn to who brings a different background and skillset to bear. As they do, we all gain new perspectives. The beautiful part is that the learning and improvement is continuous in the Raxis environment.

    As you might expect, this makes us very protective of our culture and very particular about who we ask to join us. Big talent is welcome. Big egos need not apply. It’s sometimes hard for us to find the right person only because it’s so hard to be the right person.

    Is that person you? Take a look at the video above and hear Brad Herring, our VP of Business Development, explain why teamwork truly is our special sauce. Also, check out our other videos in this series and see if Raxis looks like a good fit. 

     

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • What’s it Like to Work at Raxis?

    One of the great things about being a penetration tester is explaining what we do to people inside andoutside the world of cybersecurity. Having done this work myself and now managing others, I can’t imagine a more fascinating job. However, I also can’t imagine doing this job for any company other than Raxis.

    That’s because we’ve assembled a team of outstanding professionals with wildly diverse backgrounds that range from film and television to law enforcement to web design to IT administration and software development. We are, of course, expert hackers, but working for Raxis means that we all bring much more to the table.

    Over the next several weeks, we’ll be offering up a series of videos that will show you what our company and our work is truly like. These videos will likely be helpful if you’re interested in penetration as a career. They must-watch material if you want a career at Raxis.

    In addition to an advanced skillset, we expect an incredibly high degree of integrity. The nature of our works means that we only bring on people who have held positions of trust and who have proven themselves worthy of ours. 

    Integrity is essential, but it’s only one part of the larger picture that is culture. Beginning with our founder, we’ve brought on people who work well together, naturally. We have created a culture that places a high value on creative thinking, problem-solving, and above all, teamwork. 

    Please take a look at our inaugural video above. Raxis’ chief technology officer Brian Tant and I will explain how each penetration test demands presents different issues and opportunities. If you think you have what it takes to join our ranks, keep watching in the weeks ahead as other members of the Raxis team discuss different aspects of life in our world.

    Also, keep an eye on our careers page. Occasionally, we have openings for people with the right skills, determination, and attitude to join our team.

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Bonnie Shares Words of Working Wisdom with Westminster Students

    “I have literally walked past security guards who assumed that a petite, professional woman couldn’t possibly be up to anything nefarious.

    Raxis Chief Operating Officer, Bonnie Smyre

    At Raxis, we believe in giving back to our community and especially to the young people who are our future workforce. That’s one reason why I was very excited for the recent invitation to deliver a video message to students of Atlanta’s Westminster Schools, a private academy for kindergarten through 12th grade students, as part of its Conversations Around Race and Equity (CARE) initiative.

    Westminster aims to instill in its students a strong belief that they can do anything they put their mind to, as long as they create meaningful goals and work hard to achieve them. In the US today, their choice of profession isn’t limited by anyone else. So, it’s important for young people to open their minds and explore a wide range of career options.

    As a woman in the male-dominated field of information security, I was able to talk about my experience and how, through hard work and focus, I have earned the respect of my (all-male) colleagues along with the position of chief operating officer (COO).

    I also had some fun explaining how being a penetration tester allowed me use my gender to my advantage. I have literally walked past security guards who assumed that a petite, professional woman couldn’t possibly be up to anything nefarious. Some cheap surgical scrubs from Walmart were all I needed to enter a nurse’s station and access a hospital’s computer network. A birthday cake was my ticket onto a secure elevator and directly into the office of a corporate vice president.

    My intention was to present the infosec field as a fun, challenging, and meaningful career choice. It’s also a field that is inclusive and accessible to everyone, regardless of race or gender, as long as they are willing to invest the effort.

    Congratulations to Westminster Schools for introducing students to a broad range of career options and for teaching them that all are within their reach. I was proud to be a part of that effort.

    If you’d like to learn more about our work as ethical hackers, be sure to subscribe to our YouTube channel and stay up to date on all our latest tips, tricks, and commentary.