Tribe of Hackers Spotlight: David Kennedy
David Kennedy is the founder of TrustedSec, Binary Defense, and DerbyCon.
TrustedSec and Binary Defense are focused on the betterment of the security industry from both a defensive and offensive perspective. He also serves on the board of directors for the (ISC)2 organization. Formerly, David was the CSO for Diebold Incorporated, where he ran the entire INFOSEC program. He is also a co-author of the book Metasploit: The Penetration Tester’s Guide as well as the creator of the Social-Engineer Toolkit (SET), Artillery, Unicorn, PenTesters Framework (PTF), TrevorC2, and several popular open source tools. David has been interviewed by several news organizations, including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News.
David has also consulted on hacker techniques for the hit TV show Mr. Robot. He is the co-host of the Social-Engineer Podcast and is featured on several additional podcasts as well. David has testified in front of Congress on two occasions concerning the security of government websites, and he is one of the founding authors of the Penetration Testing Execution Standard (PTES)—a framework designed to fix the penetration-testing industry. Prior to the private sector, David worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions.
How is it that cybersecurity spending is increasing but breaches are still happening?
There does not appear to be a direct correlation between spending more money and having fewer breaches. Return on investment has always been a hard thing for the security industry, because you are either breached or you are not. (And there may be some lag time between when you’re breached and when it’s detected.) It all comes down to how the investment is used and what the intent of risk reduction is. We are a risk-centric industry, and if an organization doesn’t have a good grasp on what they are trying to protect, the risk factors, and the threats towards their organization, then any amount of money will not protect them.
Instead, focus spending on understanding adversary capabilities, threat modeling, and emulation, and having supplemental security programs in place that identify threats. This is where most of the investment should be going.
Unfortunately, too many companies still focus on regulatory and compliance as their primary driver—as well as purchasing technology—instead of investing in people or leveraging what they already have. What most organizations fail to realize is that when you introduce a new piece of technology, it introduces complexity. If you don’t have the people to support that complexity—and with the knowledge to appropriately use this new technology—then it’s a detriment to the organization, not a risk-reduction factor.
Do you need a college degree or certification to be a cybersecurity professional?
The simple answer to that is no; however, this is complex. A degree or certification doesn’t attest to the skill level of someone at any stretch. But a degree or certification does show commitment and dedication to a specific focus area or an understanding of certain topics. This can be beneficial for hiring managers and human resources to be able to identify potential candidates for an organization. It’s often difficult to discern between raw talent and a career of degrees and certifications when leveraging human resources. If a security professional were able to interview each candidate and test them on skills and capabilities, the answer would be, “No, degrees and certifications make no difference.”
The truth, though, is that isn’t a reality. So, certifications and degrees do make a difference. They help show your focus as a security professional and that you’re spending time to differentiate yourself from someone else. This doesn’t mean that the skills are there to meet the job requirements, but it’s at least a conversation starter. If someone comes highly recommended to me from individuals I trust, I won’t look at a certification or degree. However, if someone is blind applying, then they do help in understanding the skills and expertise of someone. There are also many certifications that hold larger weight depending on positions. For example, if I’m hiring someone who is technically centric, I will look more for technical certifications that require applied knowledge to pass (such as lab simulations).
What qualities do you believe all highly successful cybersecurity professionals share?
Passion, dedication, loyalty, ethics, communication, and drive are some of the highly sought-after skills.
You can have someone who is technically brilliant but lacks drive or passion, and getting what you need out of that person becomes challenging. I’m an advocate for the idea that you can teach a driven person anything and train them up. The ability to be a self-starter and learn information without being taught is also highly desirable. Also, being able to communicate with others and work together as a team shows humility, and it demonstrates the ability to learn from (and teach) others.