Surf Into Cybersecurity @ Twitter:
11 questions with CISO Mike Convertino, a highly decorated U.S. Air Force Colonel. Part of Sensei School’s Meet-A-Pro interview series.
Previously he was VP & CTO of Security Products at F5 Networks where he guided and managed the core intellectual property and technologies, as well as CISO & VP for Information Security at Crowdstrike. Just before that he was Microsoft’s Senior Director of Network Security, responsible for security automation development, intrusion detection and digital forensic investigations.
Mike is also highly decorated retired U.S. Air Force Colonel and was last assigned as Commander of the 318th Information Operations Group responsible for the creation and operational employment of U.S. Air Force information operations capabilities globally.
Sensei School: Why did you get into security?
Mike Convertino: I got into security through my interest in electronics and engineering. Phone switches were particularly interesting to me at a very young age. Since they are basically computers that could respond to remote commands, I loved to tinker with them.
Sensei School: What is Twitter’s security strategy in one sentence?
Mike Convertino: Protect our users personal data and ensure that people on the platform are able to speak their minds safely in an environment of healthy conversations.
Sensei School: How do you deal with threats at Twitter?
Mike Convertino: Our platform infrastructure is massive and the threats we think about and work to defend against include both data theft and manipulation of the conversation on our platform. Many of our defenses at scale are embedded in the platform itself to prevent direct hacking, halt bots, troll farms and others who want to have an outsized impact on conversations. The privacy and the safety of the people who use Twitter is our top priority, and we are continuously working to defend it.
Sensei School: What have been your biggest insights this past year?
Mike Convertino: As new technologies such as Machine Learning become more and more intelligent, I’ve seen industry dealing with new types of threats that we haven’t seen before. Making sure that basic server hardware is not vulnerable is a challenge for companies both in terms of server load and implementation costs.
The marketplace for attack tools has increased as well, as costs have gone down and “attack infrastructure as a service” such as a set of bots is becoming more available.
Sensei School: What are some under the radar trends you’ve noticed?
Mike Convertino: One of the trends we’ve seen on the heightened risk in the banking space as bad actors search for ways to exploit online systems. The marketplace for attack tools has increased as well, as costs have gone down and “attack infrastructure as a service” such as a set of bots is becoming more available.
Sensei School: Why do people and companies underestimate the risk of being hacked / breached?
To put it simply, often times they just aren’t aware of how much is really going on.
Mike Convertino: To put it simply, often times they just aren’t aware of how much is really going on. The public generally views reports of attacks and data losses as individual events which aren’t related. The problem with that is that they actually are related to the design of the technologies. It’s important for companies to invest appropriately in threat intelligence and study where their vulnerabilities may lie.
Sensei School: How should small businesses address cybersecurity?
Mike Convertino: Small businesses should concentrate on their core business focus and outsource most of security. Some other things small businesses should consider is investing in services and technologies which will automatically block threats without a lot of human intervention. Purchasing cyber insurance coverage and making sure you have an incident response contractor on retainer are other things which they should look into.
Sensei School: How can we increase cybercrime reporting numbers other than legislation?
Mike Convertino: There isn’t actually a very well-known clearing house to post information about when individuals get hacked. There are many niche sites for specific acts like email takeovers, but no easy-to-use site for the general public. Creating one and publicizing it would help get general numbers up.
Sensei School: What’s your take on cyber insurance?
Mike Convertino: It can help companies with paying claims, defending against lawsuits and incident remediation and recovery. Some insurance companies also offer “reputation repair/recovery services” which can help to reestablish trust with users, customers and regulators.
Sensei School: What would you advise people looking to get into the industry?
Mike Convertino: If you are already in an IT or development-related field, check out different security forums for explanations of how attacks are launched and why they are effective. Sign up for a few classes with a college or university that has a cybersecurity degree program. Get involved in the community by going to conferences to meet people already in the field and make some connections. Getting a mentor in the space is a real help.
Sensei School: What does Twitter look for in security candidates?
Mike Convertino: We put a premium on looking for diverse backgrounds in an effort to foster different approaches to catching new and novel attacks. The hacking community is very diverse and comes up with some really unexpected and creative ways to break in. Our success depends on having that same level of diversity.
Mike is on Twitter @mikeconvertino.
Currently open security & tech positions @Twitter.
Follow the Meet-A-Pro interview series @SenseiSchool on Twitter.
We feature notable professionals in different fields from around the world, who share their insights and knowledge. They are also sometimes guest lecturers at Sensei School.
Hasta pronto Sensei!