From war dialing to CISO
In March, I began my quest to interview some of the most interesting folks in the Colorado security community. The goal of this series is to explore some different perspectives on security in the region, and have some fun doing it. First I interviewed information lawyer Dave Navetta. Then I sat down with Chris Petersen, co-founder of Boulder-based LogRhythm.
In this third edition, I had the opportunity to interview Johan Hybinette. Johan has served as the CISO and CTO for Schryver Medical for the past five years, and has just accepted an opportunity to join Hosting.com, located just off I-25, in the old Gates Factory.
I have had the opportunity to get to know Johan a bit over the past few years through various Denver security community events. Johan has always intrigued me. While he can comfortably talk to a group of button-down security executives, he is even more comfortable mixing with the Denver hacker community, and he’s happiest when he’s setting up his laser system and DJ’ing an event. It was these glimpses into the non-conforming part of Johan’s personality that led me to reach out and ask to interview him for this blog.
Johan and I got together for lunch at the Schryver Medical campus and walked across the street to Ajuua, a small Mexican chain. If you haven’t been, it’s a treat. Johan and I both enjoyed the crispy chile rellenos, which may not be the healthiest option, but very likely the tastiest.
My questions are indicated in bold, with Johan’s responses paraphrased below.
Let’s jump right into it. How did you get into the security field?
Apple 2 … I was basically starting to crack code on floppy disks. I was big time into modems, got really into BBS’s (bulletin boards), war dialing. [ED. NOTE: war dialing is a technique for using a modem to automatically scan telephone numbers to search for computers and other modems.] All of those things were really fun.
What timeframe are we talking here?
This was back in 1981 when I was a student at Georgia Tech studying mechanical engineering. I spent a summer hacking around with a 2400 baud modem.
Yeah, that was state of the art at the time.
So, mechanical engineering. That’s an interesting major.
When I started at Georgia Tech, there was no computer science major. They started offering the IT engineering degree while I was there.
So you were learning how systems work on your own?
Yeah, I was really curious. I was exploring and learning where I could go, and what was out there. I created my own war dialing programs which would scan all night, then in the morning, I’d have my list of modems I’d found. I was always just out there practicing true hacking; for the sake of learning.
How did you learn to program?
By the seat of my pants. I taught myself Assembly on the Apple 2. Then went to Basic and C++. Currently, I mostly code in PHP, Apache and Perl. I find that strong development skills allow me to stay on top of my teams. Being a good CISO isn’t just being good with people and creating a security program. The technical skills are important, too. My employees know and respect that I can dive into their work and see what they’re working on.
So, what did you do after graduating from Georgia Tech?
I went to Lockheed Martin as a liaison engineer. I was using my mechanical engineering degree as my full-time job. But even in that position I found ways to create software tools to simplify my job and help the business. I saved the company something like a quarter million dollars by creating a system that would automate a heavily manual process. Previously, all of the engineers had to pull out big heavy manuals to look for the parts they wanted. I created a database where they’d enter the specifications of what they need, and it would display what options there are, saving countless hours of manual work. I wrote that thing in 3-4 months outside my normal job, on my free time. I think that was an example of programming at its best. Eventually, the program I was hired into ended and I decided to move on.
What was next?
Shortly after, in 1989, my wife and I moved out to Denver for my wife’s job. In ’89 there really were not many technology jobs in Denver, so I bought myself a computer and just worked on things at home for a bit. I started doing security projects, mostly fiddling around with them. But I was having a hard time finding a job.
Shortly after, my wife’s boss was unhappy because the machine she was working on kept breaking down, costing $20,000-$30,000 dollars per repair. I ended up figuring out how to fix the broken boards on the machine from tracing the circuits. He hired me to save himself money on repairs, and made a prediction that eventually came true. He told me that he couldn’t pay me much, but that while I was working for him I was going to start my own business there.
He was right. In 1993 I ended up creating my own business building graphic art servers while there. I was making high-quality design servers and selling them to some large printing companies. Back then a 100 gig server sold for about $100,000.
It was my success with the server company that led me to creating Cebic Technologies, a security monitoring and consulting company, a few years later in 1996. We offered services to organizations that were concerned about corporate espionage, safe transmission, network infrastructure management and general security.
Were you doing MSSP (Managed Security Service Provider) way back then?
Yes, although it wasn’t called that. We mostly focused on virus monitoring, system patching, network status and overall infrastructure health monitoring. We weren’t doing any log collection or IDS (Intrusion Detection System), as it wasn’t really done at that time. We were more providing outsourced network management and monitoring.
What kinds of tools did you use for this?
We put together a bunch of tools, both open source and commercial, to get a dashboard type view of our customers’ environments. We used private circuits to stay connected and provide the customer with dashboards and metrics. We were offering 24/7 monitoring with a staff of about 20 people.
My time running Cebic was invaluable. It gave me broad exposure to security from a number of different organizations’ perspectives. It gave me the opportunity to present and communicate with senior executives, including boards of directors in large organizations and Fortune 100 companies.
So, how long were you there?
The company is still in business, but we sold the company in 2007. At that time I decided to retire. That lasted about 3 weeks before I was bored out of my mind and had to get back into the industry.
What was next for you?
I started doing security consulting … CISO as a service type offerings. I worked for a few companies before accepting a full-time position with First Data in Denver. I was hired as a security director, responsible for helping with a massive data center consolidation project. We shrank the footprint down from 13 data centers to two, and virtualized the entire environment, approximately 100,000 servers.
That is a massive project.
And back then it was not officially approved by PCI (Payment Card Industry) to virtualize, so it was a major feat.
Tangent for you … since we’re discussing virtualized security. When you’re virtualizing multiple environments with differing security requirements, are you willing to share the hardware and use vCenter (software offered by VMware to manage virtual computer servers) to segment, or do you stick with physical separation?
I would want to see physical separation. Well, it would depend. There are certain controls that are much easier to implement when you’ve got a physical separation. You can easily inject IDS, NAC, DLP or whatever when there’s a physical separation. It’s much harder to implement those controls through a vCenter.
That said, I am very open to new ways to do things. If we can find a way to get the right kind of controls there, I would be happy to listen. A big part of my management style is not to look down on any ideas … if you have a logical argument I can be persuaded.
So often, security is at the tail end of technical leaps forward. We are a drag on the business instead of enabling.
Yeah. I am on the other side of that. I often find myself on the bleeding edge of technologies, which isn’t necessarily the place where you want to be from a security perspective. But it’s the way I can best move the business forward, which is the ultimate goal.
Okay, you finished up the data center project at First Data. What came next?
I left First Data in 2009 and started at Schryver Medical later that year. I was hired as the head of IT and Security, as what was eventually called their CTO and CISO. There I was asked to come in and right the ship in IT. In my first two years there, I implemented massive changes in the infrastructure and turned the IT department from a black hole into a significant business enabler.
Since 2011, I have looked for more ways to improve the program and continue moving the business forward. I have just recently accepted a position as the CISO for Hosting.com. I will be starting there in the coming weeks.
Wow, breaking news here. Exciting stuff.
Yeah, I am excited for the new challenge. I will have the ability to help move a large service provider forward, and turn their security program into a world class operation.
What are your goals around that program? In a few years, what will make you feel like you’ve been successful there at Hosting.com?
To keep it simple, I want to build a world class security program on a value budget. If I can make a $5 million program for $2 million, that would be successful.
My program should be state of the art, with a succinct team, controls seamlessly installed and working cohesively with each other. My program will be customer service focused. And there should be metrics attached to everything, ready to be pulled up with the touch of a button.
Let’s talk through your career progression here. You started working for large corporations as an engineer. Then you founded and successfully ran your own company for about 14 years. Why did you go back into the corporate world?
I was ready for a new challenge. I had successfully run my own company, but I wanted to take on the challenge of stepping into a larger organization and show that I could help run an effective company. The biggest thing I love in my career is to take on big tasks. That’s what has driven me to make moves.
What advice do you have for young folks looking to get into the industry?
Curiosity is key. You need to have a natural curiosity to learn how things work. That is essential for excellent security folks. You need to like change. Change is constant, and if you don’t enjoy it, you won’t keep up.
You should try to be a jack of all trades. Many technologists can focus on just one area. When I’m hiring security engineers I look for people who have a broad base of experience. Then, once I have them on board, I will train them for the specific tools or areas where I need them to have more specialized skills.
Be prepared to work long, odd hours. While we try to minimize it, we are the ones who have to take those strange calls at 2 a.m., or work through the night after a security incident.
I am looking for employees who are diligent and methodical in working through problems. Don’t come to me every time you run into a roadblock. Use that curiosity to work your way through it.
Excellent. What are the biggest things that CISOs are doing wrong right now?
They are biting off more than they can chew. Instead of trying to go implement every tool out there, find the ones that are most important to you and really become excellent with them. Frankly, I see a lot of organizations that put the wrong people in the CISO role. The right CISO is an action player; there are far too many figureheads in this position.
So, for those CISOs who find themselves in a position they aren’t qualified to do, what do you recommend?
Find a mentor. Get involved in the security community, network and find someone who can help you along. Another option would be to bring in a consultant. They can help point you in the right direction, and help you start to move the security program in the right direction.
Alright, last question for today. Tell me what you see in the Colorado security community.
Colorado is really one of the great security communities. It’s large, with a lot of good companies here. It’s unique. We’re much more mom and pop. We haven’t matured as much as other areas, especially out on the East Coast. Things are more ad hoc here. This also flows down into our start-ups, which seem much less mature than the start-ups you’d find out east.
Between the local groups like ISACA (regularly voted the best chapter in the world), ISSA, DenHac, the 303 and DC303 crews, BSides, and other groups, Denver really does have a thriving security community.
Big thanks to Johan for setting aside time to meet with me, and setting me up with such a tasty lunch. This project continues to give me the opportunity to explore the unique ways that successful security folks got where they are today. For my next interview, I am hoping to sit down with one of the gray hat folks. So keep an eye out for that in the coming months. If there is anyone in particular you’d like to see me interview, let me know, and I’ll see what I can do.