It was truly Safety Detective’s Aviva Zacks’ pleasure to sit down with Mike Gruen, VP of Engineering and CISO at Cybrary. She asked him about how his company helps educate IT professionals.
Safety Detective: What got you interested in cybersecurity?
Mike Gruen: I’ve always been sort of a hacker—someone who likes to take things apart, put them back together, and understand how they work. What started me down the road was early in my career I frequently was the software engineer who was the liaison to the operations team or the security team.
Most of the companies that I have recently worked for were in the cybersecurity space. At one job where I was a contractor, I was working on a product for NSA and doing natural language processing. At my previous job before joining Cybrary, I was the first senior engineer, and I took on a lot of responsibility for the overall security and IT systems because it was something that I enjoyed, and that came naturally to me.
SD: What does Cybrary do to help educate IT and cybersecurity professionals?
MG: Cybrary is a cybersecurity professional development platform. We don’t see ourselves as either a cybersecurity company or a training company, even though maybe many of our customers do. As a professional development platform, we like to help people in their careers, whether it’s transitioning into a cybersecurity career from a different field, scaling up and staying relevant in their current job, or guiding people who want to move into other roles including management.
We have two different offerings. One is an individual membership that provides access to mentors, a community, and all of our content. The hands-on learning experiences are where we see the greatest value because there’s nothing more important than getting your hands on the keyboard and doing things as opposed to just watching videos.
The other offering is for teams. We work with companies to tailor our learning paths so that they better align with their roles. This enables managers, directors, and CISOs to understand their team’s technical gaps and how best to address those gaps, whether it’s by providing training to their workforce, or hiring new people to augment what they already have.
SD: What do you think are the worst cyber threats that are out there right now?
MG: Social engineering and IoT are always the two that come immediately to mind. Social engineering because people are always going to be one of the weakest security links because people like to be helpful, are curious, and like to tell stories. It’s also fairly easy to take advantage of people’s natural tendency to trust other people. Spear phishing and phishing attacks are successful because they rely heavily on exploiting these human behaviors.
IoT devices are not particularly well-secured. There’s no real incentive for a manufacturer to secure their IoT devices, but it never really occurred to me what the greatest threat was from IoT devices until more recently. The real threat is that IoT devices are reflectors and multipliers. They have been used to carry out distributed denial-of-service attacks that have been quite effective. And as more and more IoT devices come online, at this seemingly exponential rate, the ability for someone to launch a devastating attack is a growing threat.
SD: How do you think the COVID-19 pandemic will affect cybersecurity for the future?
MG: One of the biggest changes I think we’ll see is that more people will be working from home now that companies have been forced to adapt. If that happens, endpoint security will become that much more important because they will be running in environments that you no longer have control over and they significantly increase the attack surface area.