For the newest instalment in our series of interviews asking leading technology specialists about their achievements in their field, we’ve welcomed Mark Kerzner, a software developer and thought leader in cybersecurity training who is also VP at the training solutions company Elephant Scale.
His company has taught tens of thousands of students at dozens of leading companies. Elephant Scale started by publishing a book called ‘Hadoop Illuminated’, an open-source book about Apache Hadoop™ that aims to make Hadoop knowledge accessible to a wider audience, not just to the highly technical.
Tell us about the business you represent. What are their vision and goals?
We’ve been teaching technologies such as Big Data, Artificial Intelligence, and Cybersecurity for the past 9 years.
We always try to teach the latest and the newest technologies. COVID and the proliferation of recorded online education have accelerated this trend and the need for us to innovate.
I think it is just as well: I never liked to repeat the courses I teach, and now I get a chance to innovate non-stop.
What inspires and energises you within your work?
There is a wise rule: one candle can give light to a hundred people. This emphasizes that knowledge is a great force, and even a little true knowledge can help you a lot. In particular, I mean cybersecurity. With all the tools out there, knowledge is paramount.
Can you share a little bit about yourself and how you got into cybersecurity?
Security is an exciting area, because it is a game of cops and robbers, and many people like such games. I started by listening to the Risky.Biz podcast - which I sincerely recommend - more than ten years ago.
I have been keeping it up since then. I taught many people security, and I have been constantly thinking about how to teach it better and in more exciting ways.
What advice would you give to someone wishing to start their career in cybersecurity?
Start with podcasts, find ones that you personally like. Then attend a hacker conference. They do cool stuff there. Find the areas that excite you most. Like, would it be cool to wave your phone at a money machine and convert it into a jackpot? Do you want to do it or to defend against it? If you can find such an area, then soon you will know what to do without asking me.
What are some misconceptions that you believe businesses have about cybersecurity?
Many people still think that there is security by obscurity. Like, once our training provider published the credentials for accessing our labs on their website because it was convenient for the students.
When I objected, they told me that “Google does not see it.” Well, Google does see it. Worse than that, it takes less than 5 minutes for the robots, constantly run by the hackers, to scan all of Amazon's cloud machines.
With these armies of robots - which keep propagating because these robots infect further machines with viruses to run more robots there - nobody is immune. What’s the solution? People are working on the tools to help, but everyone needs to educate themselves.
Do you think that cybersecurity training should be mandatory for the majority of businesses?
I’d love to see it. Only it should be fun and smart training, like (tooting my own horn) what I do in my company. I had to take many obligatory security trainings, and they are boring and trite.
I don’t need to hear again “Use long passwords” or “Report security incidents.” Because then people find ways around such security. Rather, I teach how to automate changing passwords after they have been used. This is much more helpful security. And every level of security that people implement helps them to become more secure.
How has the rise of insider threats impacted the cybersecurity landscape?
Honestly, in my opinion, insider threat is not a big deal. The recent hack of Twitter was an insider job, but that is rare. Yes, one should protect against insider threats. One should protect against multiple threats, and “multilayer security” is a well-known security best practice.
One of the good tools here is a record, or log, of all actions done on the system. The public clouds are very good about it. It also acts as a deterrent to insider threats, knowing that all of one’s actions are being logged.
Does your organisation use log and metrics data to improve and secure your systems? How do you find managing logs assists your day to day work?
Our major work is teaching others, and yes, we do teach about implementing security by using logs and metrics, and we also teach how to implement log storage, using open source stacks like ELK.
Then you can analyze these logs for security compliance and signs of compromise.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
Right now, there is a veritable disaster with malware attacks. However, I see a few things happening.
Law enforcement is getting more proactive in countering cyber attacks. They create counterfeit secure communications applications, and successfully promote these among criminals, eroding their trust in protected communications.
They attack the bitcoin wallets of the criminals, eroding the trust in cryptocurrency. And the private sector is creating more centralized security apps, such as ones that automatically scan for insecure default configurations left while installing applications. And they did it by reading the corporate emails a few years back. That is really quite effective.