Introducing Hack’d: A new live series deconstructing historic cyber breaches
Cybersecurity Awareness Month is a time dedicated to increased security awareness and better habits for every one of us. It’s also a stark reminder for industry professionals that preventing bad security outcomes is a full-time, year-round job that requires constant diligence and training. With this in mind, Lacework is launching Hack’d, a new series of open cybersecurity discussion and training sessions to bring new educational resources to the industry and utilize them for teaching — not just in October, but across the year.
This year marks over 25 years of my work in the security space — and is a good moment to reflect on how to bring security knowledge to a broader audience. My security work started with open source security, helping to build tools and technologies such as bcrypt, honeyd, and OpenSSH. This was followed by 15 years at Google, where I helped manage software engineering teams that built security primitives into the company’s infrastructure and also worked to protect billions of users online from malware and phishing attacks via Google Safe Browsing, a technology that has been integrated into most major browsers.
Across my career, the constant threat of adversarial attacks weighed heavily. At Google, the Aurora incident in 2009 was a big wakeup call and led to a significant investment in Google’s security efforts. We grew the security organization to basically 1,000 people. While nobody can say that they will ever be safe from nation-state actors like those behind the 2009 incident, Google is one of the few companies that has really managed an admirable security stance. Nation-state actors know that if they go after Google, they face the risk of discovery and public embarrassment.
After Google, I joined Stripe as Head of Security and helped put the company on a world-class security roadmap. We also grew the security organization from just 30 engineers to 160.
The underlying thesis for both Stripe and Google was that security needs to be treated as an engineering problem. Without an engineering approach to security, good outcomes are difficult to accomplish. But security talent is hard to find and highly competitive. Most companies cannot devote the resources to attract and retain top security professionals.
That imbalance is the primary reason that I joined Lacework: I see the opportunity to scale good security to thousands of companies without requiring them to hire large engineering teams to build bespoke security infrastructure.
None of that changes the challenge that the industry faces around a dearth of skilled security experts and the growing volume of larger, more complex security needs. At Lacework, I helped to build Hack’d to fill that gap and to create broader interest in security (a unifying effort that I also take on with cybersecurity-themed EDM tracks as Activ8te). A learning series open to everyone, Hack’d will help elevate the cybersecurity narrative by deconstructing past events and workshopping solutions with modern and legacy tools. Throughout the series, we hope to get more people interested in and knowledgeable about real security problems in a fun and engaging way.
A new medium for cybersecurity awareness and education
Initially, Hack’d was developed as an internal learning tool for the team at Lacework. The goal was to provide continued security education to our employees through real-world breaches and incidents, in a group discussion format facilitated by security experts. Meant to be accessible to anyone irrespective of their security background, the sessions are built so that learning happens primarily through participants asking questions that lead to group discussion. We frame this by asking participants to imagine they are a CISO during a major security event such as Log4j or SolarWinds and probe questions such as:
- How would they respond?
- What questions do they need to answer?
- How would they get answers to these questions?
- What can we all learn from this?
Internally, the Hack’d sessions have received great feedback and participation from teams, and many have asked whether the coursework can be expanded to the wider community. To meet that request, we’re opening up the Hack’d series this fall and through 2024. All are welcome to join and help elevate the narrative around cybersecurity.
An investment in the community
As security knowledge is scarce everywhere, Hack’d will be built as an open resource for any company that may want to expand its internal learning resources. Slide decks and facilitation guides will be released in the Lacework Community so that independent facilitators can run these sessions locally, help teams learn more about security, and perhaps even seek a lateral shift in their role to focus on security. I hope you get value from the content and would love to hear your thoughts and feedback.
If you’d like to learn more about the series or sign up for one of the events, head over to our series landing page or drop by the discussion forum in the Lacework Community. Our first event is on October 10 and will focus on NotPetya, the 2017 ransomware attack that ended up costing international companies and governments over $10B. Later events will cover SolarWinds and APT 28. See you there!