Announcer: [00:00:01] Listening to Cybersecurity Inside, a podcast focused on getting you up to speed on issues in cybersecurity, with engaging experts and stimulating conversations. To learn more, visit us at intel.com/cyber security insight.
What are the components within that supply chain? And can we verify that
those are actually the right components and get the benefits of AI without having to share too much of your
own personal data?
Holy cow, there’s so many
places this could go wrong now. Right? How do I secure all of this?
Tom Garrison: [00:00:41] Hi and welcome to the Cybersecurity Inside podcast. I’m your host, Tom Garrison, and with me as usual is my cohost Camille Morhardt. Today, we’re going to jump right into the interview. Our guest today is Charlie Shreck, and he was a professional cricketer for, oh, my goodness, I’m going to butcher this name, Leicestershire and Nottinghamshire for 17 years.
He now makes a living working as the head of engineering for cybersecurity services company Redscan, which recently became part of Kroll. As a cricketer, Charlie enjoyed devising ways to get out the best batters, including the current England captain. I’m sure there’s some stories there. And uses this same mindset to help develop solutions to the latest cyber criminals.
So welcome, Charlie. I wonder if we could start with what made you want to go into security, number one, and what gave you the confidence that said, yeah, I can do that.
Charlie Shreck: [00:01:43] Okay. Let’s tackle the first part first. I mean, a lot of it was a necessity. I had to find a living. The standard I got to for cricket, I could earn a living, but there wasn’t future planning, as it were.
There wasn’t an affordability to be able to say, okay, I’m just going to stay in this game forever. I wanted to keep some competitive nature, have some insight and analysis of what was going on rather than just doing a laboring job that the sporting world would generally fit into in physiotherapy or continue coaching, that sort of stuff.
I liked the idea, as most people do when they look at security, of pen testing. I then realized very quickly that that was going to be very, very hard to get into because it’s a want to be area, but it’s a cyber security function. And then realized that cybersecurity was so large and so broad that I found an area within it that would be the engineering area, where that was setting up programs, figuring out logging, that sort of more detailed and then more how that works against threat actors. And I thought, okay, well, that’s good. It’s a challenge. Whereas in sports you have a challenge. Cricket is a weird sport. It’s a team game, but it’s an individual against an individual at the same time.
So a bowler is taking on a batter, or in American terms a pitcher’s taking on a hitter or a batter. You can spend three hours to a day trying to figure out how to get a pass around it. It’s complicated. They have ways of negating how you’re trying to get them out. And they’re trying to score. It gets complex.
Tom Garrison: [00:03:15] ’Cause in baseball, the big thing against baseball is that it’s too slow. A batter in baseball might be a minute or two or three before they either make it to the base or they’re out. But cricket, you just said that it might be.
Charlie Shreck: [00:03:31] So I play generally four day cricket. So you’d start off knowing that you’d be playing four days and then if it went well, it would be less than that.
But the standard up from where I go, which is Test match, what, which I got, I didn’t get to, they, they play for five days, which is a batter is looking to bat for a day and a half and score as many runs as you can in that time. And a bowler is obviously looking to stop him from scoring and get him out in that time.
So then he would give his batters the opportunity to be able to bat for that long. There’s a lot of assessments. There’s a lot of figuring out a technique. There’s a lot of figuring out how they’re trying to score and play the game and there’s analysis on the back of it. And even that study, you folded them all day.
You still got to go at the end of the day and figure out what did I do right? What did I do wrong? How can I sort this out the next day? Because obviously you don’t want to keep having one batter scoring freely the next day. I realized very quickly that there’s the assessment factor and the self analysis of what you do and how you did it moving into a security function in IT or engineering.
I mean, it could be in pretty much any job in security that you always have to analyze what they’ve done or how they’ve done it, and then how you can negate that and then get the upper hand eventually at a later time. So I enjoyed that. I can relate a lot to that, and it’s almost a competitive environment in the security world.
As much of it as in cricket, maybe mostly because there’s more at stake. You’ve got your customers that are at risk. If you don’t analyze and assess it properly and move quickly, create a solution. Especially when a threat actor is actually getting into a customer’s environment, but there’s a lot of crossovers.
Camille Morhardt: [00:05:15] Charlie, were you ever like an IT nerd or geek or something like that when you were in sport?
Charlie Shreck: [00:05:21] It’s one of my catchphrases almost when I’m trying to describe the shit. When I was playing cricket, I was the geek. I was the nerd because I was the one that was fixing the computers. I was sorting out the home networks, a cam wasn’t working.
They come and get me to fix it. Now that I’ve moved in security, I’m basically the jock. I’m the one that was the sporty guy that doesn’t have all of the technical requirements. So it didn’t have it from a very young. That I think is the main crossover of understanding how people see you when you’re approaching a task or a meeting or anything like that.
So, yeah, I was in regard to sporting world, very techie, but then when I get into the security world, um, wasn’t that techie, but I’m learning still four or five years on from the changes.
Camille Morhardt: [00:06:06] Is it possible for anybody who’s interested in the cybersecurity space to move into it? It sounds like you came in with one kind of an interest in pen testing, but then realized this was a gigantic field.
Is it something that’s learnable or had you not had that background or interest from the very beginning, would it have been extra difficult to come move into?
Charlie Shreck: [00:06:29] So I came in with a very good mind of trying to understand how it was done and how it was deployed and how people are understanding from both sides, as in the threat actor, or from the company that’s being attacked. Even if you have no experience in it, you can come in, you can figure it out. You can figure out the main technique, the best practices that you would follow. They’re all laid out for you. They work for me. It was a realization more after probably six months that actually from the outside, it isn’t as scary.
And it isn’t as complicated as you think, if you follow the best practices that you’ve been given that are out there and freely available for you to find, because the vendors that deliver the tools have it. There’s plenty of frameworks that you can follow to see how threat actors are attacking companies.
It’s that fully, you just need to go and find it and then absorb it almost. I was lucky because I came from an area that I didn’t have any preconceptions. I wasn’t delivered down a path to then try and come into this and say, right, now I have to adjust to it. I was completely free. And completely raw in it.
I was like a sponge for the first, last year, two years, and I probably still am picking up how things have been. I’d say in that yes. To answer your question. Yes. But with an open mind, you’re going to have to be able to pick up a load of stuff very quickly.
Tom Garrison: [00:07:45] As an industry, this security space is one that right now is so lacking of people to come work in the industry.
And I think a lot of it is because, quite frankly, of intimidation and fear where they feel like I don’t have the background or really have the skills required to do it. You know, you mentioned just a second ago that there are tools that exist. Then if you just sit down and sort of learn the tools and learn the techniques, that this is something you can build up over time. And I wonder if you could just spend maybe just a minute or two and just kind of walk through that, especially from the perspective of a new person that just is coming in the door, maybe has just decided to sort of make the leap into security and do penetration testing or some other form of security.
Charlie Shreck: [00:08:32] When my first manager, when I was on the first job, whenever I came to him with an issue that I felt I couldn’t really figure out, his first question was always without a doubt, have you Googled it? Have you looked for someone else to have that issue and have they found a solution for it because they’ve done the heavy lifting for you.
So that straight away made a huge impression on me purely because someone else would have had the same problem using the same tools you’re attacking the same problem that you’re not going to be on your own using it. Internet find dates there. It’s an amazing tool to have. Once you do get past that, then go through into the communal chat forums, the actual documentation, albeit we don’t like reading documentation, generally it’s there and it’s available.
And the vendors tried to give you as much help as possible with the tools that you have. So there’s no reason why someone who can understand text and can understand how to use the internet and find and relate certain scenarios and certain solutions together to find a solution, which is at the end of the day, is what we’re looking for.
Regardless of if you’re just starting on a service desk at an IT company, or you’re a CTO of a powerful company or influential company, you’re still just looking for a solution. Try and use as much resources as you can is how I’ve attacked it. And if I’m in a scenario where I feel a little bit under done, or a little bit put on under the spot, that’s generally my fallback, but that also relates to sporting environment or actually any other environment where you’re looking for someone who’s had that experience.
Who, how have they dealt with it? How have you moved it through? How have you got over. Um, the internet is just putting the all around you and saying it’s going to be okay. You can figure it out and move on.
Camille Morhardt: [00:10:13] Can you talk a little bit more about how you balance kind of following policy and practice diligently and at the same time, think outside the box?
Charlie Shreck: [00:10:22] Yeah, I mean, that was in a fund that I had coming in was because I wasn’t aligned to the same thinking that everybody else was. It’s almost like they take the best practice. This is how it’s done. They’ve done their research in the background, on the chat forums and what’s been published and go, okay, well this is solution.
Yes, they’re there, but it’s how you interpret how they’ve done. How do you then move on? So yes, there is an element to your using it, but you still got that information there. And then you still have to make a decision on how to use that. If you have all of that best practice and all of the information you’re being given, then you take what the scenario you have.
You still have to apply it to that scenario. And yes, there is an element to following the lead, but then there is also an element to, okay, let’s take a step back, see it from a different angle and move it from. I’ll try and give you an example where we have in Redscan Kroll, we have 12 different technologies that we use to cover our customers so that then we have almost a complete coverage.
So we align it to which customer needs what. So lots of tooling. Now we needed a way to be able to keep an eye on all of this, to be able to make sure that it’s all staying up and it’s all delivering a service in the correct way, because there’s so many, we got lost almost when I first started. And there wasn’t a way of being able to understand if one technology was performing as it should compared to another.
So we brought in another layer that monitors all of them together in a simple view. So we can see all of them lining up. Now that isn’t best practice because you’re adding another tooling to monitoring all of this stuff, but it delivered in an easy, simple way for all of the engineers to be able to see all of their platforms all at once to see if they’re taking over in the right way.
Now we saw best practices and the best practices to monitor them within their own environment and monitor their own platforms within that platform. But we couldn’t do it because we have so many. So we had to make a decision and say, okay, here’s the best practice. This is what we’re supposed to be doing, but we can’t do it.
So we’re going to follow best practice on another tool. And it’s. We’ve got most following best practice on one side. So we thought we’d come in at a different angle and we all following best practice in another area. That’s contradicting the other, other tools, but we got what we wanted.
Tom Garrison: [00:12:43] That’s a great example of something that you see all the time.
No matter what sport you’re talking about. There’s the way that you would traditionally approach an opponent that may or may not work. If it doesn’t work, you don’t just hang up and quit and walk away. You, you gotta find something else. You got to try something else until something finally works. So I think that’s a great example.
You mentioned something a minute or two ago about the fact that you came in with such a different background that that actually was a bit of, I’ll put a word in your mouth, it’s almost like a super power for you because you’re not like everybody else. So you approach problems uniquely. Do you think that that applies really for anyone, especially somebody coming in from the security world, the more different they are that may turn out to be an advantage for them, because they’re going to have a different point of view, a different perspective, maybe a different way of tackling a problem, than everyone else was similar.
Charlie Shreck: [00:13:45] Oh, without a doubt, the more opinions you get, the more opinions in the difference of opinion. You’re then in a better place to make a better decision, you’ve hired for a position. You get some new blood into an area. You’ve got a young person who is thinking, understands the concept and they’ve come in and given you more ideas, how to solve problems.
They see how you’ve got it set up in your area. Slightly different and they stop making suggestions on why are you doing it this way? Why can’t you do it this way? This seems convoluted. It’s a lot, most simple. If you do it this way, there’s a lot of time that you have, because you’re almost numb to the way that things are done in the past assess and the delivery of your service.
You almost get blinkered into not being able to see the better solution coming in from a different world, coming into a, an environment that is so. Well, my strict in process. And if you move away from the checklist and have you done this right? If you got that in, it’s almost enlightening it. So it’s freeing, obviously eventually I’ll get numbs to it and stop being sort of blinking in the same way, because I’m trying to understand certain ways of being done.
I’m still questioning well, why are you doing it? Like.
Tom Garrison: [00:15:04] There’s two different ways to think about that too. There’s the perspective you’re sharing right now, which is from the new person, but the people that just hired you and really independent of what industry you’re in, but certainly in security. It takes some discipline and patience to listen to those new perspectives coming in and not just saying, well, we do it this way because that’s the way we do it.
Effectively cutting off the discussion or the dialogue, and maybe 90% of the things they just don’t know something, but there’s that 10%, the value of that new person.
Charlie Shreck: [00:15:36] There’s a phrase in sport. It’s the 1% says that we knew the game is the same in this it’s the, that 1% change that you would. That would you think?
Oh, actually, no, that makes sense. You look into it further and then you have another, this, this helps of all, this is improved our service 10%, 12%. It’s lightened the load on some engineers. It’s cracking a method. So that then the servers don’t run so quickly. There’s a whole lot that goes on there as a hiring manager.
I look for that sort of enthusiasm and that drive to think and look slightly outside the box. And just to question everything.
Camille Morhardt: [00:16:11] The bowler is one of the major strategic thinkers on the team. And obviously you’re head of engineering in your present position. So is leadership different? I mean, is it the same exact kind of thing or does it map over, or what’s different about it in the business world versus the world of sport?
Charlie Shreck: [00:16:29] Other than egos, nothing really. The character they’re trying to take upon in sport, it has to be that sort of macho, I can get you further than anyone, I can throw it faster than anyone, that sort of thing. The business world, it’s slightly more subtle, but it’s still understanding how people function, how they work, what gets them.
What motivates that doesn’t change in any way. There’s still exactly the same methodology, the learning of how to deal with people and the learning of how people tick and how you can talk to people and how you motivate people and how you understand their drive. There’s no difference from sport to business to even social.
It doesn’t matter. Being able to understand and allocate people to what they’re good at and what they’re not good at is also very similar. So in the sporting area, you would have people who are good at oh, embarrassing. But then you’ve also got the sub-genres within that of people that could have facing Spanel FOS, balding, people that are good at fielding people who compromise people who can back, you put them in certain areas so that when that scenario rears its head, they can do it.
The same as in security world where, you know, when you have to understand who’s good at what, for what particular time, so that when something has gone down and there needs to be instant reaction to it, and you need to have someone on it and fixing it and you have to have full faith. Do you know who can do that within the team?
It’s just an understanding of people. And there’s a relationship that you have with them that, uh, I think won’t change within the sporting world within business and especially secure.
Camille Morhardt: [00:18:09] Would you be more apt to hire somebody who has a background in sports?
Charlie Shreck: [00:18:14] That’s a good question, especially since I would, sir.
I know what I was lacking and I had to work very hard to get those areas up to speed. I definitely would know if they’re coming from a sporting world where they would be very strong. Yes. So, I mean, tell me your question. Yes. I would employ them if they had enough skill to be able to handle it in this faith.
Camille Morhardt: [00:18:36] I’ve got a question then, do you think that the weaknesses tend to map over? So, you know, what would it be? It would be not expecting a certain thing maybe in sport or putting a time pressure on it when somebody should wait, does the same kind of strength in the same kind of weakness do you think map over from worlds?
Charlie Shreck: [00:18:55] Yeah. Yeah. I mean, there’s some examples where I’m be looking for how you cope with. So in sporting world, in every game, there is a crunch moment that it’s either a win or lose. If you don’t get that right, it’s over. And it’s how you handle that situation that crosses over very, very easily into a security world.
If you’ve got a change to make, or you’ve got to make an analysis on something. If you don’t get it right. And you start to flap under that pressure, the stress level increases and it’s contagious. Once you get into it and then people around you start to lose it. If they can’t handle that and they start spreading that stress and that anxiety, you can’t really have them in your team in either a team environment or in the business world, because you can’t have your team falling over under that person.
Tom Garrison: [00:19:40] I think that’s good advice and something certainly I’ve seen over the years, and obviously I didn’t play professional sports, but I did play sports growing up. And you’re so correct about this, how people deal with stress. It’s not an individual action. How one person deals with stress has a transmitting effect to the people around them and a different sport.
The sport I played growing up was basketball. And basketball is such a mental sport. Guys can hit shots and everything from all around the floor, seemingly without even needing to look at the basketball hoop, but that’s when they’re confident and when they get hit, they miss a few shots and all of a sudden you can see them just sort of mentally crumble and now they can’t even hit the easiest shots.
It’s crazy how mental sport can be. And then also I see that translating to the work environment as well. You can feed on positivity and sort of build people up and build yourself up. Or you can either knowingly or unknowingly tear people.
Charlie Shreck: [00:20:41] England won the Rugby World Cup in 2003. And with three minutes to go, Jonny Wilkinson, our kicker, a score two points, and you can see him mouthing World Cup, World Cup, World Cup, thinking he’d won it. But actually what he was saying was T-CUP, which is think clearly under pressure, and shouting at everybody and going, okay, relax. Take it easy. We got to think clearly now for the next four or five. Okay. He was completely in the zone to say, right, we’re in the league now let’s just stay calm and we’ll be all right.
Tom Garrison: [00:21:15] From your journey, you went from a totally different world into security. Do you have any words of advice for people that might be considering a similar kind of transition?
Charlie Shreck: [00:21:22] Well, I think we touched on a few of them. One is that done? There’s always going to be an answer for you that there’s going to be a solution. So if you’re fearful of getting into this environment, it isn’t as bad as you think, as long as you stay calm and you can basically think clearly, or we’ve got serious resolve the situation, trust that you can do it.
The information’s out, all you need is to be able to resolve them. And that’s pretty much what I’ve done over the last four years and learnt how to deal with it. And then the experiences come together. I honestly think that it’s a good area to be in. It’s a growing environment. It’s something that I think a lot of people will get a lot of enjoyment about from, I do.
I mean, I came into it, not really assessing the enjoyment factor that it’s here and there is an element. Yeah. The adrenaline rush is when you figure something out. And when you get it working is the same as being on a sporting field. I don’t miss that side of it because it’s there, it’s in the job.
Tom Garrison: [00:22:18] Would you say that finding big security vulnerability gives you the same sort of high as, I don’t know what the word is, striking out the England captain?
Charlie Shreck: [00:22:26] You don’t have the crowd cheering you in the background, but other than that, yes.
Celebrating with you. Yeah. But definitely when you achieve something and you figure something out and you. There is definitely a, an element too. I mean, I don’t get out of the chair and start running around getting high fives for everyone, but there is a definite joy opportunity.
Tom Garrison: [00:22:51] Charlie, before we let you go, we have a segment on our podcast that we invite guests and Camille and I joined in as well to share some interesting fun fact piece of trivia that you think that the listeners may find. Enjoyable or entertaining or just make them go, oh, I didn’t know that
Charlie Shreck: [00:23:10] a group of the things is called a flange or a tree.
So you have various animals that you have titles for what they’re called. The fact that the group of baboons is called a flange isn’t from any scientific background or anything like that. It was quite literally made when, uh, BBC sketch called Not the Nine O’Clock News didn’t know what it was called and they just made a word up and said, it’s, it’s a flange.
And now it’s official that a group of, of baboons is called a flange, right. Or a tree, which is its actual name. It’s made into the science books now.
Tom Garrison: [00:23:45] That’s great. Camille, how about you?
Camille Morhardt: [00:23:48] Okay. So I was reading my son one of his favorite books. It’s called The Element in the Room, and I’m reading this little piece about copper.
And it turns out that according to this book, snails, crabs and lobsters, copper plays the same role that iron plays in our blood, in their blood, and their blood is blue.
Tom Garrison: [00:24:12] That’s very cool.
Camille Morhardt: [00:24:14] I had no idea.
Tom Garrison: [00:24:17] I did not know that either, actually. Copper, I know copper for human cells. We didn’t coordinate this. So this is interesting to me, but I’m also in the world of animals for my fun fact.
It’s kind of a two-parter. So it has to do with the ostriches. I happen to have the opportunity to go to Africa for a business trip. And I remember driving back to the airport and looking off to the side of the road, just like here in the U.S. you’ll see deer or whatever off the side of the road. And there was an ostrich, which I just thought was kind of cool.
First of all, I’d heard something about this where they can run faster than a horse. So they’re really, really fast birds. They’re massive too, by the way, but they’re very fast. And the second one, which I did not know, is that the male ostrich can roar like a lion.
Camille Morhardt: [00:25:03] Did one roar at you or was that
Tom Garrison: [00:25:06] May have.
So there we will. We’ll end it here. Charlie. Thank you so much for spending the time with us and talking about your journey from the world of professional sport to now a very successful member of the security community.
Announcer: [00:25:24] Stay tuned for the next episode of cyber security inside. Follow at Tom M Garrison and Camille at Morhart on Twitter to continue the conversation. Thanks for listening.
Charlie Shreck: [00:25:39] The views and opinions expressed are those of the guests and author, and do not necessarily reflect the official policy or position of Intel
Announcer: [00:25:47] corporation.