For the latest installment of the Voices from Infosec series, Breaking Badness regular Tim Helming (@TimHelming) and I spoke to Harshil Parikh, co-founder and CEO of Tromzo, about his journey into cybersecurity, how Tromzo came to be, and his thoughts on the future of automation.
It’s Ok to Meet Your Heroes
It’s always interesting to hear about people’s paths into cybersecurity because the industry is still new and diverse enough that it’s almost impossible for the path to be linear. What caught Harshil’s eye was hacker Kevin Mitnick. Back in high school, Harshil read articles about Kevin, and they got him so excited that he needed to learn more, which led him to the library to read up on the subject at length. He then started frequenting cyber cafes to try to get the other patrons’ passwords. Teenage hijinks at their finest.
Fast forward to Harshil’s time in Kansas City pursuing his graduate degree (he chose Kansas City because Sprint was a big deal at the time and had a strong networking research program). On his second day there, a conference took place, and the guest speaker was none other than the Kevin Mitnick. Harshil promptly reacted the way most people do when meeting their heroes and took a picture with him (which he still has to this day!). As you can imagine, and as Harshil confirmed, it was one of the best days of his life.
Location, Location, Location
There are a lot of professions where location is everything, and pre-Covid, infosec was no exception to that rule. Harshil had a buddy in California who talked up San Francisco as the place to be, not only for infosec but also for the beach and access to the mountains. Tired of listening to livestock and wheat grow, Harshil made the trek to California, where he quickly discovered that the beaches are intensely cold and you actually have to drive 8 hours to Tahoe to reach the aforementioned mountains. Talk about some false advertising.
Regardless, Harshil truly believes San Francisco was transformative for his career. He found that the most advanced work was being done in that city, and it exposed him to a remarkably dense talent network.
The Power of Myth
Harshil has done many different types of security during his tenure in the industry: network security, software security, identity and access management, and security operations, just to name a few. So it’s relatively safe to say he’s seen a lot, and there is one myth he’d like to debunk: that people don’t care about cybersecurity.
Harshil believes it’s actually quite the opposite, and if you stop and pause, you might tend to agree. Stop and ask anyone, regardless of their background, if they think cybersecurity is important — they will likely say yes. It’s usually the people in the cybersecurity industry who believe others don’t care about it.
The problem is that, historically, empathy has been missing from those in security. We tend to become too pragmatic in forming these opinions. However, if we’re able to step outside of ourselves and embrace where others are coming from, we might see that cybersecurity is more important to those outside the industry than we realize.
The Rise of Tromzo
The idea Harshil and his co-founder, Harshit Chitalia, had for Tromzo was inspired by one question: how do we make security easy? We’ve established that people understand the importance of security, so why is it still such a problem to implement? Harshil has found that a lot of the time, it’s because people don’t understand how to do it, or it’s just not high on the list of priorities.
Tromzo is built to solve that problem and make security less of a mystical art for non-security folks. It’s a platform that makes it easy for developers to automate and integrate security controls in the software development life cycle (SDLC).
Moving the Needle
Tromzo’s mission to move the needle for organizations, whether public or private, will likely be a trickle-down process driven by larger companies being affected by things like ransomware. Harshil gave the example of a newer company in the shipping business whose competitors are large, 100+ year old companies. One of them hadn’t paid attention to cybersecurity, and a ransomware attack infected almost every single system they had, shuttering their business for about a month. Events like these bring more awareness and recognition, which helps build better cybersecurity hygiene.
Getting a seat at the table is also critical for cybersecurity to become more integrated into workflows. Harshil discussed the CISO role; for the sake of argument, let’s say that role is about 20 years old. Today, we’re on our second or third generation of CISOs, and they’re reporting directly to the CEO, which wasn’t happening before. Having someone at the executive level brings stronger awareness.
To Automate or Not to Automate?
That is the question. In Harshil’s experience, there are tactical elements that definitely require automation, but the needs change as a company evolves and grows. People got excited about SOAR automation tools like Phantom or Cortex XSOAR, which have impressive capabilities, but they aren’t necessarily used to their fullest capacity. Automation has gotten more sophisticated, but Harshil believes there’s a delta between what people should automate and what they do automate. Automation does not always resolve the dreaded alert fatigue—sometimes it is a major contributor to it!
One reason for this may simply be that it involves many different people, with one person inspecting another’s work for badness, and what we end up automating tends to be the more tactical work (i.e. moving data from one system to another). But there are a number of things in the security world that require human interaction, and it’s uncertain whether those things can be automated.
Liar, Liar
As you may already know, we play Two Truths and a Lie during our regular podcasts, and we feel it wouldn’t be right to leave our guests out of the fun. We asked Harshil to give us three statements, and we guessed the lie:
- He has two dogs – golden retrievers to be specific
- His wife is also in cybersecurity
- He can swim 10 laps in an Olympic-size swimming pool
You’ll have to tune in to find out how we did!
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!