John Strand to Information Security Colleagues: “Creativity and Collaboration”
The folks who work in information security have a certain image similar to that of their IT brethren: smart, driven and good at solving technical problems, but maybe not too creative or collaborative. John Strand of Black Hills Information Security would like you to rethink that second part, because he believes his colleagues can be both “creative and collaborative.”
“We’ve got to find ways, in everything that we do, to be creative,” Strand says. “And let’s try to be collaborative when offensive security professionals are working with defensive security professionals, like law enforcement, and really try to instill a culture where, one, we can push back against authority, and two, authority is okay with that.”
Strand spoke at the January 2022 Information Security Symposium hosted by NSF-ISR, a global management systems certification organization based in Ann Arbor. The theme of the symposium was the importance of creating a culture of security compliance within businesses and organizations to protect against the rising surge in cyber threats worldwide.
He is a tech entrepreneur comfortable doing business out of his corporate offices in Spearfish, South Dakota — population 11,547, and 1,394 miles removed from Silicon Valley. He has a reputation for speaking his mind about the vital work he and his information security colleagues do on behalf of companies and government agencies.
“Our main goal is to help the customer develop a series of on-point solutions and technologies that will improve the overall security of the company. Testing should never be adversarial, but collaborative.” And to arrive at those sometimes elusive collaborative solutions, he feels InfoSec professionals need to use creative approaches.
Like having your mom pose as a food inspector so that she can gain access to a prison as part of a physical pen test. The client? The department in charge of that very same prison. “She spent 30 years in food service, so she knows health inspections inside out,” Strand says. “We made a badge for her, she had the clipboard, the papers, she had everything.”
Strand recalls the initial conversation when his mom arrived at the prison. “Hi, my name is Rita. I am from the Health Department. I’m here for your surprise health inspection, and I need to get access to all of your food preparation places and where the employees eat. And I also need access to your network operations center.”
In the end, Strand’s client, the prison, was fine with the results of the physical pen test, but the food inspectors in the area were not. “Our customer and everybody we worked with were very happy, but the people that she impersonated were not.” A creative approach can yield results, but it can also create tension, and that’s where the collaboration comes in.
“These stories we share with the community are important for us to communicate,” Strand adds. “Not sitting and talking about the latest exploit or trying to make our team look really smart and super technical, but striving for understanding and communication with the people that are around us.”
John Strand understands that his creative approach is not for everybody, but he argues that the current cybersecurity landscape does not allow for the “safe” approaches used in years past. His method is creativity combined with active collaboration and communication.
The sage of Spearfish, South Dakota, has spoken. Straight from the heartland.