CyberWire Daily - Ted Wagner: Get that hands on experience. [CISO] [Career Notes]
Episode Date: October 1, 2023This week, we are joined by Ted Wagner, Chief Information Security Officer at SAP National Security Services, or SAP NS2. Ted sits down to share his story on how he got introduced into the industry an...d why he chose this as a career path. He went straight into the Armyas a second lieutenant in the artillery field after high school, which after his time was up he decided to move on and started working for a company that allowed him to do a management training program. After that he found himself working on IT projects which got him interested in the field. Ted shares that one thing that has helped him throughout his career is teaching about very technical terms and turning it into more operational or business like terms for his students at MIT. He shares that people getting into this field should get as much hands on experience as they can, saying "I think those are all things that can really help someone who may not have all the experience, but this is a pathway to, to learn." We thank Ted for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024. These traditional security tools expand your attack
surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security. Thank you. Hi, I'm Ted Wagner.
I'm the Chief Information Security Officer
at SAP National Security Services or SAP NS2.
I had general ideas about spending some time in the military and then going into business.
And to some extent, that's run true in my career.
I majored in economics.
I was very fascinated by how the economy works, but I always had an inkling
towards technology and computers. So in high school, I took computer programming. I did
so in college. And my mom got an IBM PC early on back in the day, and I was always fooling
around a little bit on it. And so I always had that interest.
So I always had that interest.
I went straight into the Army as a second lieutenant in the field artillery field of the Army.
I was on active duty for about three years and participated in Operation Desert Storm was with a very successful unit and really my first experience with true professional success surrounded by some really talented people. The problem I had, I was young and not very wise,
I guess, is I felt like this was a lifestyle as opposed to a career. It was very overwhelming and encompassing. So I decided after my initial
obligation was up to leave active duty. I did eventually rejoin the reserve component of the
army and served out a full career, retiring in 2018.
I started with a company.
They allowed me to do a management training program.
I learned the components of business.
And while I was in that program, I submitted all of my reports with diagrams and the like on a computer.
And that caught their eye
and they had a computer migration project
and I became involved in part of that migration,
primarily training new users,
but different aspects of the migration
from an IBM-based computer system
to a HP server client type of network.
Eventually, I found myself working on IT projects in the defense sector, working for
different defense companies like Booz Allen Hamilton and Northrop Grumman.
And at the same time, I was in the reserves.
I found my way into a cybersecurity unit.
And the Army was generous enough to send me to a lot of good training and participate in a lot of training within the Army.
And then 2005, they said,
we really appreciate the opportunity to give you that training.
Now we're going to call you to active duty
and send you to Southwest Asia
to monitor the network for security.
So great experience.
It was arduous, of course,
but firsthand experience in an operational organization
monitoring for world-class threats against the network.
So really a great experience.
So really a great experience.
I was working at the Army's CERT as a contractor for North Grumman.
I met a guy named Rick Howard around that time and got a chance to work at the center of where the Army protects its network.
I did that for nine years, I guess.
And in the reserves, I had an opportunity to work up at Fort Meade for a while.
And again, another eye-opening experience.
I was just enjoying all the opportunities to support government's context. But the size and scope of protecting government networks is significant.
And there are some things that are unique about how the government
protects its network, which is different from the commercial sector,
and provided some really unique experiences.
When I became a CISO, I could no longer hang out with my geeky cyber friends all day.
I had to actually go and meet with business leaders who were more concerned about profit and loss
and how to make their projects successful.
So I had to attune my perspective into how can I support the business in being successful.
perspective into how can I support the business in being successful.
And so that was a real transition and kind of a challenge to me.
But I've enjoyed it and I've got to work with some great business leaders.
But if someone says there's no professional pressure or tension between making a project go forward and making sure it meets all the security requirements,
they're not being honest. There is that tension and you have to
recognize it, communicate through it, and just work the problem.
I try to be collaborative and communicative.
That's really the key.
I've done a lot of teaching.
I've been an adjunct professor for over 10 years.
I've been a guest lecturer at MIT.
And having the ability to and learning the ability to translate very technical terms into more operational or business-like terms
or things that people can grasp onto helps in my communication with folks who are not cyber savvy
or maybe don't have the technical underpinnings or understanding that I have.
So being able to translate those very technical terms into more digestible concepts is really something that's been key, I think.
The first thing, I told this to my son who recently got a software development job,
but initially was struggling to find that first job after school.
I said, get a job at the help desk, the service desk.
You'll get some great opportunity to confront technical issues, do some problem solving,
and they're reasonably approachable in getting hired.
And then once you're in the door, you have lots of opportunities because there's always a need
for folks who can contribute.
The other things that I did in my career
were to do a lot of self-learning,
read a lot of books,
attend technical classes,
attain technical certifications.
And the three areas I always say are really key
is understanding the operating system and its architecture, the network in which these attacks are going across.
So understanding network protocols and then understanding the threat landscape and how threat actors conduct their tasks.
So those are different things that I've learned.
But lastly, what I would say is as much hands-on experience as you can get.
And there's a multitude of ways to do that.
For example, you can get a cloud, like an AWS account, for free or for a small cost
and be able to stand up servers and develop communications, network protocols,
implement those protocols and things of that nature.
So I think those are all things that can really help someone who may not have all the experience, but this is a pathway to learn.
I'd like to think that I was a mentor and help folks to find their own path and help them along the way.
I'm humbled by the large projects and the things I've done, particularly in the government, really contributed to national security.
And to be a part of that and to know that I left some sort of legacy in my contribution would really leave me satisfied.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter
code N2K at checkout. That's joindeletete me.com slash N2K code N2K.