Understanding Cybersecurity Advisory Services
Mike Tyk is Novacoast’s Vice President of Security Services. He’s the man behind Novacoast’s Cybersecurity Advisory services, which is that bigger picture above integration, above training, above procedure. But zooming out that far can be confusing. And it might help to ask him exactly what this service entails. So that’s what we did.
How did you get started in computer security?
Mike Tyk: You know how some kids find out they’ have a Knack for drawing? I have a knack with computers. As a high school kid, I just got how they worked. It came natural to me. In fact, early on it got me into some trouble how naturally it came to me.
Want to elaborate on that?
Then in college, I studied computer science. Got a job working at Northrup Grumman, building electronic countermeasures systems. Before long I was deep in security, supervising special services and protecting systems full of classified material.
Classified? Does that make it hard when people ask what you do?
MT: Honestly, so much of what I’ve worked on is classified—and the nuts-and-bolts of enterprise security are so complicated—that if I’m at a party, I just tell people I replace toilet seats for a living.
After Northrup, I joined Arthur Andersen & Co worked their for several years in various practice management roles. After consulting burnout I moved on. I was a CISO for four years, a CIO for another four. I realized that “catching bad guys” is something I am good at. I ran Symantec’s Incident Response team for five years and it felt kinda like a Sherlock Holmes novel—you have a puzzle you’re putting together with all this information until you can say: It’s coming from here, from this group, from one of these guys.
At one point I worked with the FBI to take down a child pornography ring that spanned the US, Poland, France and Italy.
Eventually, I started to think it would be more helpful to teach organizations to catch bad guys rather than just catching them myself again and again. I’ve been put in a lot of leadership roles in different businesses to design and build security practices and get them up and running so they can go on without me.
That’s the idea with our advisory practice. Right now actually, our whole team is built of ex-CISOs. We’ve built a group of guys who have all done the job we’re advising on.
So what exactly do you do at Novacoast?
MT: The simplest way to put it is that I tend to respond to a couple of primary concerns—“We need a security program,” and/or “I have a security program and I worry that it stinks.”
I work with clients to predict, prepare, detect and respond to various threats by increasingly sophisticated attackers. I work mostly on the executive-level, essentially becoming a member of a client’s senior management team, to evolve or even build their cybersecurity program from the ground up.
We've built a team of engineers who have worked at every level of enterprise cybersecurity, who know how all the pieces have to work together, and can take a holistic approach to creating a powerful security posture. Not “what tool do I need” but rather “what technology approach should I take, how do I build it, and how do I create an environment where my people leverage it to deliver responsive security.”
Every company says they want to become “trusted advisors.” But most are just consultants—they’ve never been CISOs, and when they’re asked complex, experience-related questions, they may not have the answers.
If your goal is “fix everything,” where do you even start?
MT: Gradually. We start by evaluating a client’s security maturity level, awarding one of four grades based on where they are, where they want to be, and where they sit compared to their industry standards. We provide a document explaining the grades, and a roadmap of recommendations.
What I like about this approach is, we’re not there to sell anything. For a long time, we’re just there to listen, to observe and to interact. We talk pain points, concerns, etc. The idea is to provide the opposite of that one-time phone call with a sales guy. I regularly check in; I’m their guy when an issue comes up; I help them get projects going with the right people.
But honestly, often, when clients call me, they don’t have a service or even a problem in mind. They just call and say “hey, I want to talk security.”
What are the biggest misconceptions about what you do?
MT: It’s funny. In the old days, when I said “computer security,” people would think about security guards. But today, I think the average person finally has an idea about cybersecurity. They think “oh you catch hackers.” And yeah, that’s part of it.
But when I talk to executives, they still have a confusion about how a security program should function. Basically without exception, a client always notices need for restructuring after an assessment. Almost across the board, they underestimate how much authority and support a cybersecurity program needs.
What should the average person know about security?
MT: Imagine someone says “give me your car keys.” You ask why. They say they need your keys. Then you start to fight over them.
That’s how you should look at your cybersecurity. People don’t pick strong passwords that are easy to protect. They aren’t suspicious enough about suspicious emails and other attempts to take their credentials. A lot of us are still giving this stuff away, in ways we never would with our stuff in real world offline.