Interview with an Expert - Michael Babischkin: CyberSecurity

00:00

uh welcome everybody thank you for uh

00:02

watching this video here this is one of

00:04

our first series of interview with an

00:06

expert and today's expert is Michael

00:08

babishkis

00:10

um but bishkin Michael biscuit thank you

00:13

um he's the vice president and uh Duty

00:15

director of information security at the

00:17

federal Home Loan Bank of Chicago his

00:20

areas of expertise are in cyber security

00:22

incident response and vulnerability

00:24

management

00:26

um with that I will hand it over to you

00:28

Michael and I'll ask you the first

00:29

question which is can you provide a

00:31

overview of your ex of experience and

00:34

background in the field of cyber

00:36

security and maybe cryptography as well

00:39

sure so I got started a long time ago uh

00:45

initially I was active duty coast guard

00:48

for 22 years

00:51

um started off as what they called a

00:54

Radioman and I went that Direction with

00:57

um because I was interested in a

00:59

technical role where I could learn about

01:01

computers and this was in the days

01:03

before the internet was really a big

01:06

thing uh before organizations had

01:08

Enterprise Email and Enterprise networks

01:10

and things of that nature so I was doing

01:14

basically all kinds of community data

01:17

Communications long-range data

01:19

Communications but also working search

01:21

and rescue all of that stuff especially

01:24

the data Communications because this was

01:25

the military was in Secure environments

01:29

so that really was my first exposure not

01:32

just to computers and data

01:34

Communications but security and I had

01:38

multiple different roles whether that

01:40

was managing cryptographic materials and

01:42

maintaining and loading cryptographic

01:45

devices but also coordinating and

01:48

managing data Communications for

01:52

um a float units that were deployed for

01:54

the Coast Guard around the globe

01:57

supporting telecommunication systems

02:00

that were deployed on units uh

02:04

ultimately moving when the Coast Guard

02:05

established telecommunication systems

02:07

and and computer rates uh moving into uh

02:13

supporting and and managing

02:16

um computer systems for the Coast Guard

02:19

um my last role with the Coast Guard was

02:21

the assistant information security

02:23

officer for the Great Lakes

02:26

um where among others well one of my

02:28

last roles I should say one of the many

02:30

things that I did was I assisted the

02:32

then brand new Coast Guard cyber command

02:35

with conducting security investigations

02:38

and managing

02:41

um user access and user configurations

02:43

and making sure that we were doing

02:45

security awareness training things of

02:47

that nature

02:49

um my final role was leading the Coast

02:51

Guard's Enterprise I.T support desk so

02:54

any system that was used any computer

02:57

system that was used by the entire Coast

02:59

Guard my team managed

03:03

um as part of that I worked very closely

03:05

again with Coast Guard cyber command and

03:07

helping them as they establish their

03:10

security operations center and Define

03:13

how they were going to operate and how

03:14

they were going to monitor our networks

03:16

from a security perspective

03:18

tying the two groups together

03:21

um retired from the Coast Guard to take

03:23

a role with Sherwin-Williams where I

03:26

established their in their Global

03:30

incident response program

03:32

um basically they had realized as an

03:35

organization that security was now an

03:37

important thing and something that they

03:39

had to do as an organization and we

03:43

rapidly grew their entire security

03:45

program and built out an incident

03:48

response program that was monitoring and

03:50

can respond to incidents around the

03:53

globe they're in 144 countries and we

03:57

were responding to incidents that

03:58

happened everywhere

04:00

um spent a brief time after that uh with

04:03

Granger building and maturing their

04:05

Global incident response program and

04:08

then ultimately over to the position I'm

04:09

at now at the federal Home Loan Bank of

04:11

Chicago

04:13

um and for those who are not familiar

04:14

with the federal Home Loan Bank we are a

04:16

very unique organization

04:18

there are 11 Federal home loan Banks

04:21

within the United States and we serve as

04:25

banks for other Banks so consumers don't

04:29

go and bank with us what we do is we

04:31

provide funding to other banks around

04:34

the country so that they can underwrite

04:36

loans and underwrite mortgages but

04:39

because we're a bank obviously security

04:40

is very important to us

04:44

um so we're a fairly small organization

04:47

but our security program operates as if

04:50

we were a much larger company

04:54

perfect thank you for that yeah it's you

04:57

know and everything that you've

04:58

explained right the the emphasis on

05:01

security has been

05:03

um more so how do we proactively

05:05

um how do we proactively respond versus

05:08

you know

05:09

um yeah having the you know incident

05:11

happen and then we're responding right

05:12

so we'll be more so proactive rather

05:14

than reactive

05:15

um great so when we talk about uh

05:18

cryptography as a fundamental uh

05:20

component of cyber security as you

05:21

mentioned you know you work in areas of

05:23

banking uh and other areas can you

05:26

explain the importance of what maybe

05:28

some concepts of like uh cryptography

05:30

ensuring that the security and integrity

05:33

is so is more so

05:35

um communicated right so if we have

05:37

certain how do we make sure that the

05:39

data that you guys are dealing with are

05:42

how do we ensure that the security is up

05:44

to speed uh in your experience

05:47

so you know you mentioned

05:49

confidentiality and you mentioned

05:51

Integrity

05:52

um when you look at the textbook

05:54

definition of what security is it's

05:58

typically designed defined by three

06:00

words confidentiality integrity and

06:03

availability and a lot of times it's

06:05

Illustrated it's a triangle they call it

06:07

the CIA triangle this idea that if you

06:09

don't have any one of those legs you

06:12

don't have a secure system

06:14

when I first started working with secure

06:17

systems back in the Coast Guard when we

06:19

used to approach and think of

06:21

cryptography we only looked at it from

06:23

that perspective confidentiality of we

06:26

need to encrypt data that's either at

06:28

rest or data that is in transit and

06:30

moving around but basically it's

06:32

preventing somebody who possibly could

06:35

get unauthorized access to that data of

06:37

not being able to see that data or read

06:39

that read that data

06:41

one of the biggest shifts that I've seen

06:44

probably in the last 20 years is the use

06:48

of cryptography not just from that

06:50

confidentiality perspective but ways

06:53

that it can be used

06:55

for the Integrity piece of it whether

06:58

that's the use of digital certificates

07:00

whether that's the use of

07:03

um SSL and md5 hashing to validate the

07:08

fact that the data that you have

07:11

received is actually the data that was

07:15

sent to you and that nobody has tampered

07:17

with it along the way or the fact that

07:19

Sally sent you this data and what you

07:23

received was actually from Sally and not

07:25

from Bill posing as Sally and using

07:29

cryptographic techniques to validate

07:32

that and to provide not just Integrity

07:35

of the data but non-repudiation of the

07:38

sender of that data confirming that it

07:40

is coming from exactly who you think

07:42

it's coming from in addition to all the

07:45

other pieces of encryption of making

07:46

sure that it stays secure in transit and

07:49

nobody's listening in on your your

07:51

Transmissions you don't have uh what

07:54

they call a man in the middle of attack

07:55

of somebody eavesdropping and being able

07:58

to you know actually listen to your data

08:00

and capture it and do stuff with it

08:06

great yeah these are you know very

08:08

important Concepts and especially in

08:10

this world that we're living in now

08:11

where any sort of cyber security could

08:14

just we have incidents where the most

08:17

minor things can trigger off a whole a

08:20

whole uh Ricochet of different uh

08:22

incidents especially with how fast

08:24

technology is working now uh we have all

08:27

these push emails and uh phishing emails

08:29

were

08:30

just like clicking a link because just

08:32

like you know become disastrous for an

08:35

organization right it just takes one

08:37

small

08:38

mistake to get into the data and then

08:41

data is compromised

08:43

um so this is like a huge thing right

08:45

now and I and I've seen and you could

08:47

touch more about it too as well like you

08:49

we've seen this growing demand of um a

08:53

need for cyber security maybe analysts

08:55

we have different um different positions

08:57

you know cyber security is more of a

08:58

broad term and there's very a lot of

09:01

specifics

09:02

um so with that you know as a lot of

09:04

these students may be and early on in

09:06

their professions May some may not even

09:08

have any uh experience with working in

09:11

cyber security

09:13

um what are some advice do you have for

09:14

students who are interested in pursuing

09:15

a career in maybe cyber security

09:18

um and maybe anything in specific with

09:20

that but are there any particular skills

09:23

certificates or resources that you may

09:25

recommend that they should start

09:26

focusing on uh now in their college

09:29

Years and

09:31

graduate and the kind of things that

09:33

they're doing early on in their careers

09:36

so certainly uh participating and taking

09:40

classes like this and degree programs

09:42

like this to learn the basic

09:44

fundamentals and Foundation of cyber

09:47

security is a good start where you want

09:50

to dovetail with it at least for me and

09:52

what will get my attention when I am

09:54

looking for entry-level positions is

09:58

make sure that you're looking for

10:03

opportunities that you can continue to

10:05

show and display that interest in cyber

10:07

security look for those internships

10:09

we're always looking for for folks to

10:12

come in whether it's a summer internship

10:14

or a long-term internship but look for

10:16

those opportunities where you can start

10:19

to gain that experience that entry level

10:21

experience and exposure to cyber

10:25

security programs and

10:27

um the various opportunities that there

10:30

are out there

10:31

um when I'm taking in resumes for

10:33

full-time folks in particular outside of

10:35

the internet folks when I'm looking at

10:38

resumes I'm looking especially for an

10:41

entry level position I'm looking for

10:44

indications that the applicant is

10:47

interested in the field so if you've

10:51

taken a whole lot of classes in cyber

10:54

security if you've done a whole lot of

10:56

projects around securing stuff even if

10:58

you haven't taken classes in security

11:00

you've taken classes in application

11:03

design and development

11:06

I'm looking for indications in your

11:08

resume that there's an interest in

11:10

security

11:12

um and when I call folks in especially

11:14

for entry level folks even if there's

11:16

not a lot of experience and most of what

11:18

you've done is academic stuff my

11:21

questions can be well tell me about the

11:23

projects that you've done to secure

11:25

systems tell me about the things that

11:27

are going to show me that you're

11:29

interested in this field and you're not

11:31

just carpet bombing resumes looking for

11:33

any kind of I.T related entry level

11:35

position

11:37

um

11:38

I I build my entry level positions with

11:42

this idea of I'm looking for somebody

11:44

who's got a basic understanding of the

11:47

field the basic

11:49

um level of experience whether that's

11:50

degree programs whether that's that's

11:53

internships that we can then take in and

11:56

grow and teach more

11:59

um my goal when I bring folks in

12:01

specifically is in an entry level

12:03

position is I'm hiring you to retire you

12:06

I want to grow you to the point that

12:09

you're with us for a really long time

12:10

and you want to retire with us

12:13

um and we want to grow you so that

12:16

you're not just staying in that entry

12:17

level position but we're bringing you

12:19

into uh growing levels of responsibility

12:22

growing levels of uh experience within

12:26

the organization so that you can have a

12:28

full-length career through our

12:29

organization

12:31

um

12:32

and I I I've heard the message from a

12:35

lot of folks and I've seen it myself and

12:37

it drives me baddy there are a lot of

12:39

organizations who they write their job

12:43

descriptions for a quote unquote

12:44

entry-level position that they're

12:46

looking for three to five years of

12:47

experience it's a terrible way to do it

12:49

and and I hate doing it

12:51

um I push back whenever I can whenever I

12:54

see it

12:55

um but the positions that I put forward

12:57

I really word it in a way that if you've

13:00

got an understanding of I.T and an

13:03

understanding of Security even if you

13:05

don't have years and years of experience

13:08

we want to hear from you and when we

13:11

hear from you we want to hear about how

13:13

you're interested in security and

13:15

looking to grow

13:17

um beyond that other things that I like

13:19

to look for especially for the positions

13:21

that I that I hire for is that

13:25

continuing interest to grow and develop

13:27

where's your curiosity what are you

13:30

trying to do yes you've taken all of

13:32

these classes but I want to hear that

13:36

how else you're looking to grow and

13:38

develop and be interested

13:41

um especially when I'm looking for

13:43

somebody like a sock analyst an incident

13:46

investigator or something like that

13:48

these are folks that I want to be

13:50

inquisitive because when something

13:52

happens I want them to go well why did

13:55

that happen and dig into that

13:58

um but it depends a lot on the role that

14:01

I'm trying to hire for

14:05

yeah you know perfectly said I love what

14:08

you said early on when you said you know

14:10

I I uh you hire to grow and to retire

14:13

rather than just kind of like ins and

14:14

outs right so we see that a lot in the

14:16

industries

14:17

um you touched upon a lot of like a

14:19

technical skills they should have like

14:20

more so like a basic understanding of

14:22

the area that they're they're applying

14:24

for

14:25

um is there any sort of like soft skills

14:27

that you may see so like are they good

14:29

at communicating how are they receptive

14:31

to feedback are those kind of things

14:33

that you also look for

14:35

um for potential candidates

14:38

um a lot of it depends on the role that

14:40

I'm looking to fill

14:42

um especially in our organization

14:45

um I do have some of my roles like folks

14:49

who are doing vulnerability

14:51

um management those are folks that not

14:54

just are they going and detecting

14:56

vulnerabilities but we then have them

14:58

presenting to the greater or the greater

15:01

I.T organization uh what their findings

15:04

are and how they need to remediate those

15:06

vulnerabilities so so those are folks

15:09

that yeah I'm looking for good

15:10

communicators there I'm looking for

15:12

folks who are comfortable or who feel

15:15

that they're at least comfortable in in

15:17

talking to a wide variety of groups at

15:21

different levels of the organization

15:24

um when it comes to my incident

15:25

responders these are folks that

15:29

I'm looking for folks who are cool Under

15:32

Pressure

15:34

um

15:34

they're typically in situations that

15:37

when we're doing an incident that it is

15:39

a crisis and we need them to be able to

15:43

navigate and manage through that crisis

15:45

even if it's just the things that

15:47

they're doing without getting swept up

15:49

in some of the excitement

15:51

um certainly we can see from some of our

15:53

business partners

15:56

um if a compromise is bad enough there's

15:58

certainly there I don't want to say

16:01

hysteria but there can be excitement and

16:03

it can be very easy to get yourself

16:06

swept up and

16:08

whether that's cut corners or so we need

16:12

you to be calm Under Pressure

16:14

um our security Engineers a lot of the

16:17

times we're looking for that combination

16:19

of that ability to deal with the Deep

16:22

technical Concepts but also being able

16:25

to explain to business partners in

16:27

language that they'll understand uh and

16:29

translate those technical Concepts into

16:32

stuff that they can work with

16:35

yeah great like you mentioned great

16:37

points especially being calm Under

16:39

Pressure I think in my own experiences

16:41

like in the world of like corporate

16:43

things can like go very quiet and then

16:45

like Skyrocket one minute you just have

16:48

to be ready for those moments uh which

16:51

is great yeah and these are great things

16:52

to develop which leads me to my next

16:54

question you know has there been any

16:56

obstacles throughout your career that

16:58

you've had to deal with in you know

17:00

um things that may be hard to deal with

17:02

and things that you've never dealt with

17:04

and kind of maneuvering through that can

17:07

you talk about how you've overcome those

17:09

obstacles and kind of what you advise

17:11

for people

17:12

um just kind of breaking into that area

17:14

of space and like what they should be

17:15

what they should expect to happen

17:19

um

17:20

I I think one of the biggest ones

17:23

um that I've seen in a lot of ways to me

17:27

it's it's a a measure of a mature

17:29

security person is

17:32

um this idea that yes it is our job as

17:37

Security Professionals to provide secure

17:41

environments for an organization but

17:44

that doesn't mean we need to achieve

17:46

perfect security

17:48

um and and a lot of organizations and I

17:50

and I've heard it when I talk to

17:52

organizations whether that's interviews

17:54

or just their peers uh and and business

17:57

partners they get very concerned when

18:00

they're dealing with Security

18:00

Professionals of this idea that we're

18:03

just going to come in and we're going to

18:05

lock their systems down and we're going

18:06

to make it hard for them to operate and

18:09

all in the name of security and we need

18:11

to to have as tight as controls as

18:13

possible and we're going to give them

18:16

hurdles and how they interact with their

18:19

customers hurdles and how they interact

18:21

with their data and just generally apply

18:24

friction to what they do

18:26

and

18:29

especially as we move up further up into

18:32

the ranks as Security leaders and

18:35

Security Professionals making sure that

18:37

what we are doing is tailoring our

18:40

program and tailoring our goals to the

18:42

needs of the businesses that we support

18:45

um and I I see that a lot with Junior

18:48

folks who you know we have a security

18:50

incident and they look around and they

18:52

go well gee why didn't they just do this

18:55

if we had just done this this never

18:56

would have happened and looking at him

18:58

and going you know yeah you're right but

19:03

you also need to look at it from the

19:04

fact that our I.T support teams that we

19:08

partner with not only do they have to do

19:11

those things that we're asking of them

19:12

but they've also got to build out new

19:15

systems and they've got to make sure

19:16

that their business partners have the

19:19

resources that they need to conduct

19:22

business and that all of those systems

19:25

are working and they're managing that at

19:27

the same time that they're trying to

19:28

manage our security ass and that as an

19:32

organization everywhere that I've been

19:34

there there's very few organizations out

19:36

there that make money from security

19:38

security costs everybody money so we

19:43

need to look at how we approach security

19:45

with every organization that we're at of

19:49

how do we support the business and allow

19:52

the business to operate in a secure

19:55

manner but the key thing is the business

19:58

has to operate first and foremost and we

20:01

need to tailor what we do around the

20:04

businesses goals and the businesses

20:06

objectives not the business needs to go

20:09

and tell her what they do around our

20:11

goals and objectives

20:16

I love how you mentioned that because

20:17

like you'll usually have this dance

20:19

between organizations and security to

20:21

see what ways they could you know at

20:23

what cost could they minimize costs but

20:26

also have high security right you can't

20:27

have spending low money on security and

20:29

then have a high security right it's

20:31

like that low balance of like you have

20:33

to spend adequate money to get adequate

20:35

amount of security

20:37

um and a lot of organizations are still

20:38

you know dealing with this and

20:39

continuously as we talked about earlier

20:41

security is becoming a very big thing

20:43

now especially with the rise of all

20:45

these different type of Technologies we

20:47

talk about AI we talk about chat GPT we

20:50

talk about Bard and all these different

20:51

AIS that could in some way become more

20:54

of a security threat to organizations

20:56

just because they could you know do all

20:59

these you know insane different things

21:01

and

21:02

um people will never detect it right so

21:04

it's like that kind of future

21:07

um perfect so what I want to do having

21:09

those conversations now it's yeah not

21:11

even in the future it's the how do we

21:14

manage through the adoption of these

21:17

tools and do it in a secure way and some

21:22

of it is we're still trying to

21:24

understand as Security Professionals

21:26

what the risk is from these tools to our

21:30

organizations and how we Define what

21:33

makes sense there

21:38

and it's this growing concern right

21:40

because you'll you have these big

21:42

organizations like you know open AI that

21:45

operates chat GPT and what's happening

21:48

to that data right who is in control of

21:50

that data especially when organizations

21:53

freely just use chat CPT May uh there

21:56

could be incidents of which uh and you

21:59

know an ex-organization

22:01

employee types in some confidential

22:03

information of like oh can you create a

22:06

status report about X Y and Z and now

22:08

you're leaking out private information

22:10

to chat GPT

22:12

and who who stores that information

22:14

right because like it's who now has

22:16

control of it

22:17

um so it's this growing concerns and

22:19

some organizations have actually banned

22:20

their employees from you know using chat

22:22

TPT and other AI tools just for the

22:25

safety of their own organization

22:28

yeah and and those are conversations

22:31

that that I mean my organization we are

22:33

having it today I'm having it with

22:36

um my sister Banks like I said we're one

22:38

of 11 of well how are you guys

22:41

approaching it and do we then and my

22:44

argument that I've had with a lot of

22:45

folks is well if we ban it well that's

22:48

great but when Microsoft rolls out

22:50

theirs well then what and when this

22:53

other partner that we have rolls out

22:55

their tool that integrates these same

22:58

Technologies

23:00

We Can't Ban that because that tool is

23:02

integral to our operation so now what

23:05

and how how do we adjust what is

23:09

acceptable use and how do we manage

23:11

through that and we're we're trying to

23:13

work that out but it's not going to be

23:15

an easy an easy uh solution

23:19

it's one of those growing problems in

23:21

the industry and everybody everybody's

23:23

trying to figure out the best route with

23:25

it

23:26

um so with the last few minutes we have

23:28

I want to kind of give you this

23:29

opportunity to just give advice to any

23:31

potential in any individuals that want

23:34

to enter the space of cyber security I

23:36

know again cyber security is very broad

23:38

but any advice you have for students

23:40

that want to get into cyber security any

23:42

advice that you may have for people that

23:44

are maybe you even want to shift careers

23:46

right like get it kind of move away what

23:49

are some things that you would advise

23:51

and kind of we can close off uh we can

23:54

close off with that I'll leave it to you

23:58

um you know I I think that the biggest

24:01

one is is like I said look for

24:04

especially while you're in school look

24:06

for those internships take advantage of

24:09

them there's always companies that are

24:11

out there looking for that kind of stuff

24:14

um any opportunity that you have on your

24:18

resume coming out of school to show that

24:21

you've got an interest in the field

24:24

um when you go to those entry-level

24:25

interviews to be able to have in your

24:28

back pocket to talk about well these are

24:30

the projects I did to even if you don't

24:34

have the internet these are the projects

24:36

that I did around security these are the

24:39

studies that I was doing in the papers

24:41

that I wrote around how we can secure

24:44

various things and what these approaches

24:46

are

24:47

those will help you move forward through

24:50

that interview process

24:52

and then to be able to show that

24:53

continuing level of interest and desire

24:56

in the field

24:58

that that's going to help you get get

25:00

your tone adore and keep it in the door

25:03

um you don't necessarily have to have a

25:08

security background to get into security

25:11

um some of the folks that I have worked

25:13

with Through The Years they've come up

25:15

through itself but you know one of the

25:20

strongest security Engineers I work with

25:21

he was an art history major in college

25:24

um but he came up through I and was

25:27

doing I.T jobs

25:29

um I know a lot of managed Security

25:30

Services provide partners that they like

25:33

to hire analysts with degrees outside of

25:36

security because it's that idea of

25:39

they've got this well-rounded experience

25:41

yes they've come to them and they've

25:43

shown an interest in security and an

25:45

interest in I.T but this well-rounded

25:47

background and well-rounded experience

25:49

that they like to leverage for other

25:51

things

25:52

um and remember there's a lot of

25:54

different disciplines whether it's

25:56

cryptography whether it's security or

25:57

whatever there's a lot of different

25:59

disciplines within security as a whole

26:02

and a lot of different directions that

26:04

you can go not all of them are

26:07

necessarily technical

26:09

um especially when it comes to security

26:11

there's a lot of policy and compliance

26:13

stuff that are very different directions

26:16

that you can go and still be in security

26:22

great yeah these are great things for

26:25

people to kind of understand and you

26:28

know as we discussed multiple times

26:30

throughout this you know the world of

26:31

cyber security is just continuously

26:33

growing and you know today we might

26:35

think that one that we understand one

26:37

thing and then tomorrow it completely

26:38

changes we have to relearn it right

26:40

anything in this industry nowadays

26:41

especially in the world of I.T uh has

26:44

just continuously grown and it's going

26:46

to continuously evolving with the

26:48

increase of more technology right that I

26:50

guess like the saying is that you can

26:52

never have too much technology around

26:53

you so

26:55

um yeah it's you know it's a great great

26:58

thing to know and a great thing to have

27:00

so but yeah I want to take this

27:02

opportunity and thank you for joining us

27:04

Michael I think my pleasure everybody

27:05

will take this advice and you know run

27:08

with it and hopefully in a couple couple

27:10

years we'll have this video be credited

27:12

as like this oh you know definitely help

27:13

me get into my career but I I want to

27:16

give my sincere uh gratitude for this I

27:18

think this has been a great opportunity

27:20

and I hope that everybody that's

27:21

watching this takes

27:23

um takes an info from this and kind of

27:25

you know build their own career around

27:27

you know what Michael has said here so I

27:30

want to give you another thanks and

27:30

thank you for a shout out I appreciate

27:32

it a lot this means a lot to me and I I

27:34

definitely had fun having a discussion

27:36

with you thank you it's been a blast and

27:38

and you know anytime

27:40

okay perfect thank you so much