Cloud growth, AI, and beyond: A conversation with eSentire CISO Greg Crowley


This episode features an interview with Greg Crowley, CISO at eSentire. eSentire is the authority in managed detection and response services. They protect critical information for over two-thousand organizations across more than 80 countries from cyberthreats. Prior to joining eSentire, Greg served as VP of Cybersecurity and Network Infrastructure at WWE, where he spent over 17 years. On this episode, Greg discusses preventing alert fatigue within your organization, addressing the talent shortage in cybersecurity, and the benefits and challenges posed in the security industry by artificial intelligence.

Time Stamps

What does the advent of ChatGPT and generative AI mean for the cybersecurity industry?
What are the security downfalls of AI?
What are best practices for addressing alerts and preventing alert fatigue?
Addressing the talent void in cybersecurity
What advice would Greg give someone just entering the cybersecurity field?
How companies could benefit from adopting consumer-grade end user authentication procedures
How did Greg first get involved in cybersecurity? And what was his path to CISO?

[00:00:00] Greg Crowley: It’s always been the cat and mouse game in security. Right? You have a neural network that is out there creating new content, and then you have the opposing network that is looking to detect the artificially created content. And so same thing as the good guys and the bad guys, and or the threat actors and the defenders, the red team and the blue team. But in this case, it’s actually making the AI stronger because the more we’re able to detect what’s fake, then the AI learns and the AI will generate better fakes.

[00:00:34] Tim Chase: Welcome to Code to Cloud. Uh, I’m Tim Chase, global Field CISO at Lacework. And here with me today is Greg Crowley. Greg is CISO at eSentire. They protect critical information for over 2000 organizations across more than 80 countries from cyber threats. Prior to joining eSentire, Greg served as VP of Cybersecurity and Network Infrastructure at WWE, where he spent over 17 years. Greg, welcome to the show.

[00:01:00] Greg Crowley: Thank you, Tim. Pleasure to be here.

[00:01:02] Tim Chase: Let’s get right into it and get with some, some tough questions that are, that’s, uh, that we’re kind of dealing with in the cybersecurity industry today. Uh, generative AI and ChatGPT, obviously they are both hot topics right now. So what do you think that it means for the cybersecurity industry?

[00:01:19] Greg Crowley: I think it’s exciting and I think there’s, you know, there’s threats and then there’s opportunities for advancing defenses as well. So, if I was to step back a little bit, cuz, you know, first I think a lot of people in the mainstream may have just heard about ChatGPT, right? Okay. So ChatGPT is a chatbot element of the GPT underlying technology. And then one of the interesting things about it is, you know, something called generative AI, right? And that’s a type of artificial intelligence that is capable of producing new data. So it could produce images, videos, text, et cetera, right? So it’s not your typical machine learning, it’s actually creating something new. And it’s called generative AI. That’s probably as deep as I’m gonna get on any explanation. Cause I’m not a data scientist and that’s not, but it is. What, what I did know is when ChatGPT came out, the security community was, really dove in. Right. And I think we dove in for a couple of reasons. A, it is just our natural curiosity and wow, this was, for me, it was just like, it was something cool. It was what? Over the years, being in my, my role and position, a lot of companies have tried to pitch to me that whatever solution they have for security is doing AI. Right. And was it? Not really sure. Maybe.

[00:02:37] Tim Chase: in, it was kind of like, eh, that’s just some fancy algorithms.

[00:02:41] Greg Crowley: Exactly. And this was the first time, you know, okay, the Siri, Alexa kind of an artificial intelligence in a way, but, um, this was the first time it was like, wow, this is, this is cool. This is really doing what everybody thought it could do. You ask it something, it tells you anything. You ask it to write some code. I think I did something cheesy like, all right, write me, um, write a webpage in whatever language, and on the webpage, write the code to, um, in blinking rainbow colors, write hello or something like that. Right. And it just spit out just totally random or whatever I could think of off the top of my head. And it didn’t, it spit out the code and I’m not a coder, but it looked pretty good to me. Right. Um, so yeah, I think the, right now it is a, a very hot topic for a few different reasons. The one of them is the security industry has, um, a huge challenge. It’s had a huge challenge in, in, in filling security roles. We have a, a talent gap and there’s 3.5 million unfulfilled roles out there, I believe right now in the security industry. So how do we fill that? Some of them, a lot of those roles are not gonna get filled internally. It’s gonna be filled by, uh, security providers. Um, but then there’s opportunities for technology to fill the gap a little bit, right? So if you can take artificial intelligence that can analyze a lot of data, that can streamline a lot of different tasks, that can help out, especially on lower level, say SOC, um, entry level one type of positions, right? Or do some malware analysis. I think that’s where you have a lot of great opportunity to take advantage of this new AI.

[00:04:27] Tim Chase: Greg, you mentioned a little bit about some of the positive parts, uh, of AI. Obviously that’s one of the things that we in the cyber in industry have talked about for a while. It’s how do you, um, you know, how do you do more with less? Right? We have a cybersecurity, um, industry resource shortage. And so how do you do more with less? And so you mentioned one of the benefits of, of AI potentially is being able to kind of take some of that workload off some of the, maybe the repeatable processes or the first line processes. Right. Um, what are some of the, some of the downfalls that you could see? Obviously there’s probably a few, um, security downfalls that can, that can come with, with, uh, AI. So I’m curious to hear your thoughts.

[00:05:06] Greg Crowley: Yeah. Well, there’s definitely, I think anytime a new technology comes out, right, it’s going to be used for good and used for bad. So there are some, some caveats, some, uh, malicious ways that this will be used. Um, but I don’t think it’s anything necessarily new. It’s more about what’s old is new again, or if you look at it, phishing has always been a problem, not always, but for a long time has been a problem. Um, there have been deep fakes. There’s social engineering. I think what AI is doing is it’s lowering the bar of entry. So, whereas maybe the threat actors used to have to have a certain amount of technical capability, I think it’s just gonna become a lot easier for them to execute upon the, uh, nefarious activity that they want to do. Um, so I think, you know, it’s things like social engineering, um, ChatGPT for example, could help you create a very realistic phishing email. Uh, get people, you know, take out the language biases. Uh, and deep fakes are a little bit more scary to me. So this is where you’re gonna take, um, you’ll be able to recreate voices out there, right? You’ll be able to take my voice, your voice, Tim, and transform that into a brand new message. Again, that’s the generative AI piece of it. Um, so if you’re leaving voicemails, it could actually sound like Tim or Greg, and I think that can get people to take action. Um, creating media, um, snippets, misinformation campaigns. I think those are the things that are scarier to me from generative AI.

[00:06:53] Tim Chase: That’s a great point. So it’s kind of the same things that we were talking about, um, that it’s good from AI as far as, you know, helping us do things quicker and helping us solve a resource shortage. It’s kind of the same thing on the bad guy side, right? This can help them do things quicker. It’s gonna help them do repeatable tasks quicker, right? So it’s kind of the, you know, the same, I guess, the same side of the coin there.

[00:07:12] Greg Crowley: It is cuz it’s always been the cat and mouse game in security. Right? And if you look at MFA for example, right? The bad guys were, they’re getting the credentials. They were getting our credentials, they were compromising, they were able to then log in as us, what did the good guys do? We come out with MFA and that kind of slowed the bad guys down for a while. And, oh, we don’t have the MFA. We can’t. But they find their way around it. They’ll do phishing campaigns that’ll launch a website that looks like your Office 365 login. You type in your credentials and you hit accept. They are the man in the middle. They captured your MFA session. Now they’ve bypassed MFA or they’ll do something called MFA bombing, which will then just pester your phone until you accidentally, or at a frustration, hit accept. Right? And then they cap, they get logged in with your credentials. So it’s that cat and mouse game of, okay, the bad guys are ahead and we come out with MFA. We’re, we’re really kind of knocking down their effectiveness. And now it’s the same thing with AI, right? That’s I, I imagine will be the same thing. They’re going to use it. And then on the other side of AI, we’re going to come out with artificial intelligence that is going to look for deep fakes, that is going to look for, um, even see it in, in colleges or in schools where there’s plagiarism going on and there’s new technology out there now that will look for and identify plagiarized writing. But in an odd way, that’s what makes generative AI. You have, you have a neural network that is out there creating new content, and then you have the opposing network that is looking to detect the artificially created content. And so same thing as the good guys and the bad guys, and or the threat actors and the defenders, the red team and the blue team.
But in this case, it’s actually making the AI stronger because the more we’re able to detect what’s fake, then the AI learns and the AI will generate better fakes.

[00:09:11] Tim Chase: Absolutely. I like that. I mean, it’s a little scary, but obviously, um, that’s kind of what we do in security, right? We’re always catching up, we’re always having to kind of, um, protect kind of the next thing. So it’s also what keeps, uh, me interested in security and why I don’t, uh, ever wanna leave this field. Um, but since we’re not quite there yet in, in AI, like what are some of the best practices that you guys use? Like, as you would think, uh, to manage and prioritize the alerts, right? Obviously you’re an MSSP, you work for an MSSP and, um, you know, what are some of the best practices for managing and prioritizing alerts?

[00:09:43] Greg Crowley: So eSentire is a managed detection and response. It’s in the same vein as an MSSP, managed service security provider. Um, and one of the things that we want to do for our customers is not drown them in alert fatigue. So part of it is making sure you’re getting the logs from the right sources and then having, right, that’s one signal. Then you’re gonna take your, what other signals do you have as part of your security posture? You usually have something on the network. Take, take your, um, take your signals and telemetry coming from the lo, sorry, sorry, from the network, from the endpoints, from cloud. Right. And look at them. And so behind the scenes you’re gonna have this data lake of all this information from all your different sources, getting all this telemetry. And that’s a lot of data to go through. So I think something like AI can also be looking at all that data and churning it and trying to find correlations. But then when it comes down to false positives or the alert fatigue is really what’s gonna kill security teams, we don’t, security teams don’t have enough people to look at it. So what you need is that security provider to really work with you to tune. All right. Do you need all of these logs? What type of alerts do we really care about? Um, looking for misconfigurations, looking for true malicious, uh, activity, looking for, uh, anomalies and behavior. And that’s what it’s looking for. So you need, you have to think of it as a funnel and have all this noise at the top, and then it goes through a lot of processing to get down to what’s a true positive and what’s false positives? Yeah, leave it on the MSSP. Leave it on the managed detection and response provider to really do the analysis using their technology and their people. Um, and then really only filter up the alerts that matter to back to the security teams and the alerts that it has to have context, not to, okay, this is alerting through and it’s a true positive.
Okay, what does it mean? What’s at risk? Is there an immediate response that can be done? And have I enabled the security provider to take that response? So if you look at it, you’re taking alerts and alert fatigue and the false positive, you’re trimming it all down, and now you move to the next step of response. And so, great, we got these alerts, but what do I do with that alert? Well, let the, a good MDR provider can help you take action upon that.

[00:12:05] Tim Chase: So you, you mentioned that a little bit. Um, you know, one of the advantages of an MDR provider is being able to kinda, um, reduce a number of alerts, but alert fatigue seems to be a, a real thing in organizations today. And you obviously, you know, that’s one of the advantages of, of using MDRs is to bring that alert fatigue down. Like how do you think alert fatigue actually impacts the overall security posture of an organization?

[00:12:30] Greg Crowley: It’s extremely detrimental, right? So there’s a, there’s a lot of security tests that are functions of a security program that are needed, right? You have to be looking at security architecture. You have to be doing configurations. You have to be working with the business as they’re rolling out new technologies. So if you’re, if you’re down to one, maybe two people for on a security team, and now you’re just flooding them with all these alerts that are coming in, this noise that’s coming in, you’re gonna be taking them away from other security tasks that need to be done. Now, in addition, if you’re, if there’s constantly false or false alert, false alert, and 99 point something percent of them are, then it is very likely that the true positives are gonna slip through because you see so few of them. So you’re just getting lost in the noise. It’s the needle in the haystack that’s gonna get through, and that’s the one that’s gonna come back and, and bite you.

[00:13:28] Tim Chase: It’s a time aspect too. You know, obviously even if you have, you have a thousand of ’em, you gotta search through all of them. You know, it could take you hours to respond to the actual, um, one that you need to, right. The true incident. Um, so, uh, it’s all about, you know, resourcing and responsiveness, um, kind of combined.

[00:13:45] Greg Crowley: And, and, and those, those alerts, those alerts don’t come in nine to five, right? Those alerts come in at any time of the day, on the weekends, on the holidays, and if you just wait. Well, A, that’s really bad because you know, the threat actors will take advantage of that and try and hit you on holidays. I’ve been victim of that in my past as well. Right? I’ll take advantage of the holidays when I’m out having a beer and on the deck enjoying the, the 4th of July, then I get all of a sudden a phone call. Um, so these things happen, um, and you gotta be looking at them 24/7, but we just don’t have enough people to even fill, uh, your, your normal nine to five or nine to six type of security or IT team with security professionals is trying, doing that around the clock, weekends, holidays, it’s, it’s, it’s a daunting task.

[00:14:35] Tim Chase: Yeah, I, I love this, um, this conversation. You know, I wrote a, a blog, uh, earlier this year that kind of talked a, about, um, how I think that MDRs and, and uh, services similar to that are really gonna be more and more popular in the future. You know, right now a lot of enterprises and, you know, higher level, um, companies use them, but I think they’re gonna be something that, you know, even, um, smaller companies end up using, right? Because it is, it’s all dealing with that alert fatigue. The security is not getting any easier for everybody. So I think that the, the market is huge for a lot of the, the MDR type of, um, organization, so I, I look forward to kind of just seeing how that plays out over the next,

[00:15:15] Greg Crowley: It.

[00:15:16] Tim Chase: year or two.

[00:15:17] Greg Crowley: It has to be. I mean, if you just go back to the stats I mentioned before, three and a half million unfulfilled security jobs, right? Where, where is that gonna get filled from? It’s gonna have to be, the providers, companies are gonna have to lean on their partner and their security partners to fill that void. I’ve gone through this in my past, right? So, um, I’ve been in a spot where I started off alright, internally, we didn’t even have a security team. My, you know, previous life. And it was, the responsibility fell upon IT for a while and that’s kind of typical. Used to be more typical. Now it’s becoming better practice to have your own security team, which is great. But a lot of organizations, depending on your size, they don’t have that luxury to hire, uh, additional staff or it’s just hard to find those professionals that have the security skillsets. Um, and then when I was faced with it, we knew that we were getting alerts after hours. We knew we had blind spots. We were burning out the team. When alerts did come in, they’d be getting phone calls throughout the night. It was just, it wasn’t sustainable. We were burning out our own people. And that is not a recipe for success for protecting your organization. So we first went down the road of going to a traditional MSSP, but we found that, okay, they were kind of doing some of the configurations on the alerting, but they weren’t giving us the value, um, back. It was just kind of chucking over some alerts. Um, and every time I would go back to them, they would say, all right, well reboot, I’m sorry, re-image the machine. You can’t, every little thing that happens need to be a re-image of a machine and, how severe is it and the delay in getting back information back from the security provider. So you gotta find the right security provider first of all. And that’s when I found, um, this is going back now to 2017, 2018, and I stumbled across what was new to me at the time.
MDR, managed detection and response. And it was like everything I wanted was okay. It was the 24 by seven SOC, it was the quality SOC analyst. Um, it, you know, so. I believe it was at an RSA and I had stumbled across eSentire and eSentire was, um, in the category of MDR, which I hadn’t heard of. And it’s what we needed. We had the, the need to have security around the clock, um, but we couldn’t staff it. And then when you did, did you have the quality people analyzing it? Did you have the tools in house to, to analyze it? So if you’re, if I was faced with the choice of building it out internally, um, A, we were never gonna find enough people that was gonna keep on being churned. We would have to bring in the tooling, we would have to, um, maintain the tooling. We would have to gear people up on understanding how to use the tools. Um, so it didn’t make sense. We had all these different signals, send ’em to the, send ’em to the MDR provider, let them do the analysis. Um, call them up 24 by seven and only escalate the things to us that we really need to take action on. And then you’re able to take the next step and say, hey eSentire, hey provider, when this comes up, can you quarantine this machine for me? Can you isolate that machine for me? Can you do the response action? And it just made our lives so much easier. So, yeah, I mean, I really do think the future is MDR.

[00:18:52] Tim Chase: I agree. Um, I, I do wanna kind of hone in a little bit on something that you mentioned. You started talking about, you know, we talked about resource, uh, shortage and, and um, uh, kind of just a career in cybersecurity. But I think that’s one of the things that you really like, um, to talk about it and help with is mentoring the next generation of security leaders. So, just to kind of start out, like what skills do you think will be necessary for somebody to move into the security field or just starting out in the security field?

[00:19:21] Greg Crowley: You know, it’s, it’s funny that with, um, ride sharing applications, Uber, Lyft, et cetera, it’s funny how many times I get into an Uber and for whatever reason, and it’s usually a, a younger driver and they’ll just ask me a random question, oh, where are you going? And I’d say, oh, there’s a cyber conference that I’m going to. And immediately their eyes open up and like, oh, I was thinking about getting into cybersecurity. And it, they, it starts off the conversation, okay, well what do, what do I need to do? Do you think it’s worth getting into? And there’s a, it’s a land of opportunity. Um, you can make a good living and, but it’s always that what I look for is the passion, right? If you’re, if you’re curious, if you like solving puzzles, if you like pulling out threads and doing some type of investigation, um, those are the qualities that I would look for. You know, somebody, if they have that, the curiosity and passion, then you can, you can learn the technical bits and bytes after.

[00:20:27] Tim Chase: Yeah, that, that’s funny. I actually remember I was doing an event, um, in St. Louis one time, and, uh, I, I was leaving with a, with somebody else from, from our company and heading to the car. And, um, a waiter like takes out after me, um, out of the restaurant. And I’m like, oh no, like, did somebody forget to pay the bill? Like, what happens? And he flagged me down in the parking lot and he was like, you guys are doing cybersecurity, right? And I was like, yeah, that, that’s, that’s what we do. He’s like, I’m, I’m super interested in it. Like, how can I get started? Even like as a, just like a, you know, beginning sales rep, like a BDR. Like how can I, how can I do it? Like, so we spent like five minutes conversation from the, from the waiter that, that flagged me down, um, outside the restaurant. Right. So just, so like you said, the Uber driver, like it’s the passion that you want because I feel like the cyber industry is broad enough that, um, if, if they wanna do that and there’s a passion for it, there’s, there’s probably a place for them, right? Like, if they’re not the most technical person, maybe they can find something on the GRC side, right? If, if they are a technical person, and maybe they’re a developer, they could find something, you know, on the AppSec side, like, I feel like there’s enough room, um, for, for, for anybody that, that has that passion and that curiosity.

[00:21:38] Greg Crowley: That’s exactly what has come up in my conversations as well. Um, a lot of times I think, maybe it’s because of movies and I think it’s a good thing. They might think of getting in as a pen tester. Right. And I think, but there’s, it’s such a broad field, like you mentioned the GRC or the security awareness or the identity and access management. And, um, you could do the digital forensics. There’s pen testing, there’s red teams, blue teams, there’s a lot of different areas within cybersecurity. There’s plenty of opportunity. So what I usually suggest is that, all right, go out and search. What are different cybersecurity roles? Positions, titles and then start exploring which ones pique your interest, you know? Cause that’s where you’re gonna be successful. Cause cybersecurity can be scary, can be challenging. It can be stressful. But if you find, if you’re, if you find an area of it that you really like, that you have interest in, that you’re passionate about. Right. That’s what’s gonna keep you going through those long nights, through those back and forth battles with the adversaries. So yeah, there’s a lot of opportunity, a lot of different ways you can go in the field. And uh, yeah, I encourage everybody to just look, uh, see what they, what interests them, and then take some online courses and then maybe get some entry level, um, certifications depending on which one, if you wanted to go down the pen testing route. Right. Well, look for what’s the entry level, uh, certification for a pen tester. Get the education, get a, get a, get a certification. And then with that, your certification’s kind of in lieu of experience, right? And then you start getting the experience, get into it, get into a security, uh, an entry level security role.

[00:23:19] Greg Crowley: Exactly. Yes. Um, so one kind of final question in this area before we we shift to our next topic. But, you know, we’ve talked about, um, ai, uh, a little bit, but do you think there are any other emerging trends that people who want to get into the cyber field should have their eyes on?

[00:23:37] Greg Crowley: Maybe it’s just because we were talking about it, but it’s what, what I think right now is the biggest one is AI, is the machine learning. I think understanding how that can be harnessed and leveraged and or how do we defend against, uh, the, the, that technology. Um, in general, I think cloud technology, or cloud infrastructure as a service or cloud as a platform. Um, I think there’s a security, I think the security gap is even wider when it comes to cloud. So there’s a lot of IT professionals who came up the traditional route of infrastructure on systems and network, on traditional routers, on traditional, um, servers. Um, but they might not have the greatest understanding of how those operate in a cloud infrastructure. And if you’re not understanding or you’re not familiar with cloud infrastructure, then it’s hard to secure that cloud infrastructure. So

[00:24:48] Tim Chase: Yes.

[00:24:49] Greg Crowley: if you take the cybersecurity shortage problem, I think it’s even amplified in the segment of cloud.

[00:24:58] Tim Chase: I think that’s it. You know, I, I love cloud. I’ve liked it. I’ve been working in it, I think eight or nine years now, and I think that that’s a great place for people to make, um, an entry level, um, start. Uh, there’s, there’s a lot, you know, it’s not just cloud, but it’s maybe the scripting of how you build infrastructure in the cloud. There, there’s so much, um, that goes in there and so many companies are becoming cloud native today, where, you know, they don’t know anything but the cloud. They’ve never had data centers. So I think that’s a great way for people to, to kind of move into that role and understand the cloud security. So, absolutely.

[00:25:32] Greg Crowley: I’ll flip the tables here, Tim. So lemme ask you. Um, so for cloud security, I mean, if somebody was just to come with you, a very basic question, all right, I’m afraid of the cloud. Um, how do I secure the cloud? What, what, what’s the number one things I should be looking to do?

[00:25:50] Tim Chase: I always say, know what you have first, right? You can’t secure what you don’t know. So my typical answer is, do you know what you have in the cloud? Because if you don’t, and I, the term is visibility and that, that’s still such a big problem. Um, it’s had conversations at several conferences over the last, you know, few weeks, you know, I say, where are you at on your cloud journey? What’s your biggest problem? And and people are still like, ah, I, I don’t even know, uh, what I have in the cloud. Like the infrastructure teams are throwing stuff up there. I’ve got this development team throwing stuff up there. Um, our business is using things and this cloud provider, right? And so visibility is, is to me, is, is still kind of the biggest problem. So once you have that, then the, the next step to securing it to me is like, locking down the posture, right? You’re making sure that you don’t have, um, port 22 wide open to the world so that anybody can try and brute force your, your infrastructure. So just kind of understanding your overall posture and getting it locked down, uh, before you even kind of look inside your cloud, right? Like making sure that your doors are locked before you start, like, you know, clearing the house, so to speak. So, um, that, that’s what I think, um, from, from my 2 cents and from doing it a few times.

[00:27:03] Greg Crowley: I think got some good advice.

[00:27:05] Tim Chase: Thank you. Uh, so let’s talk about, uh, Greg a little bit. Um, your background is in IT. Uh, can you tell us just a little bit about the beginnings of your, your career and how you made the transition to cybersecurity?

[00:27:22] Greg Crowley: Sure. So when I went to school in college, I, my degree was in something completely different. It was in communications and. Um, I just quickly realized it’s not, it’s not really what I want to do. I think like there’s a lot of kids in colleges trying to figure out what they want to do for their. For their life. Right? And it’s a lot of, lot of pressure to figure that out in, you know, those four years. Um, so I got out and realized, all right, this is not what I want to do. Um, but what do I want to do? What out there is emerging? And at the time it was really a, there was a need for systems administrators out in, in the world, um, seeing similar to there’s a need for security professionals or cloud professionals right now. So I went back to school and I got. A bunch of certifications. I really understood technology started from the ground. I got my A plus certifications, then I’ve got my mcse for all the, for the Microsoft stack I got, I’ll really date myself now, say I became a C N E for nove. Um, and then I also, yeah, and an exchange. Yes, which, you know, was a good platform, bad marketing maybe. And, uh, and, you know, they didn’t, they didn’t survive the battle and Microsoft, you know, ate them up. Um, but I, I had both sides covered on the Nobel side and the Microsoft soft side. So I had both horses backed. Um, so yeah, I got into systems administration and then eventually I added on network. On that, but it’s all still in that IT realm. And I think a lot of people in the security industry now, we either have a IT background or a military background is two areas that I find. Um, but for myself, um, I got in and I was at wwe World Wrestling Entertainment for a long time. And you know, on my LinkedIn it looks like 17 years, but it’s actually, it was 21 years. Cause there was a break in there where I was still at wwe, but I just spun up. Um, completely different, uh, area. I spun up, um, my own business of a martial arts studio. 
Cause I was always, I always liked helping. Uh, I, I always liked working with people and I liked, I wanted to start up my own business and learn things from every aspect of the business. And teaching people, uh, martial arts was something I did as kind of a passion project on the side, but it was at WWE in it for 21 years. Um, and. In wwe, a median entertainment company. Um, it was in 2014 ish, I think, um, where security was always part of my job in it, but we didn’t have our own security program. We didn’t have our own security team. So in 2014, there was a very famous hack of Sony pictures because of the movie. Um, Uh, the interview where there was a, the movie was accommodating, was talking about a, a plot to, I guess assassinate the, uh, the dictator, um, which was, I guess loosely basar around the, the head of the North Korea. So there was retaliation and Sony pictures, um, got hit by what. Was a wiper attack. So it’s basically ransomware, but they didn’t take anything for ransom. They just wiped out all, all the systems clean. And Sony, uh, went back to using pen and paper and it was, it was a big disaster. It wasn’t in the news all the time like it is nowadays with ransomware. So companies weren’t as prepared. Um, so being in the media and entertainment, Sector in it was the time I was able to say, Hey, all the security stuff that we’ve been asking for, it’s time we need this. And then the purse strings got open cuz people were realizing that this is real threats. And it was at that time, I kind of started up the security program and built out a security team at W W E. And one of the things I, I told you a little bit earlier, went down the traditional MSS P road to help us out, augment our staff internally, um, then went to the MDR route because I wanted that threat hunting. I wanted that threat intelligence. I wanted really quality, um, sock service people. I could talk to people that were part of our team, uh, without me having to hire them. 
And that’s, that’s how I got to know eSentire. Um, so. I was just, I think a lot of people that are security leaders or CISOs, they’re kind of mission driven. I know I was right. I just really have this passion for protecting the good guys, protecting the little guy. It’s always been, you can back to the martial arts, right? I want to teach the little guy how to protect themselves, right? So it’s just, uh, it’s part of my DNA.

[00:32:12] Tim Chase: Is that what made you wanna be a CISO? Just kind of like that whole mindset of, of um, protecting the little guy.

[00:32:18] Greg Crowley: It is.

[00:32:19] Tim Chase: of what drove you down, you

[00:32:20] Greg Crowley: It is, I’ve always seen myself as a defender, as protecting the little guy as, you know, being on the side of good, so to speak. Um, so yes, that is absolutely what wanted me, drove me to becoming a CISO. Two pieces of it on the security side, on doing that as well as, again, loving to work with people and becoming a leader. Being a leader. So if you combine leadership and security, then the outcome of CISO is kind of inevitable, probably. Um, and then working with eSentire as my MDR provider at the time, um, I really got to know the company and saw how good they were, and I was like, all right, well, rather than just helping protect one company, how can I go out and help protect a whole bunch of companies? And that’s how, uh, I got, I knew the leadership team and, uh, just was a very natural fit for me to, to slide in as CISO for eSentire.

[00:33:12] Tim Chase: And that’s a, that’s a great way to, to talk about that, cuz that was gonna be kind of my last question before we do some, um, some kind of, some rapid fire questions was, you know, what was kind of that point where you decided to move over to, to eSentire? So it really kind of was the extension of that mindset of, um, you know, I’m helping protect, you know, WWE, but what if I could do what I’m doing at WWE times a hundred or times a thousand like you wanted to have. Um, that that was kind of the mindset that you went into when you went over to eSentire.

[00:33:41] Greg Crowley: Exactly. And it’s, you know, you run into a lot of companies, a lot of services, a lot of technologies, you know, in the security space. Um, and when you find one that really does what they say they do, and you could see the real benefit. That was just exciting to me. So, I mean, that was, that was just, uh, it was a great opportunity and I’m loving it.

[00:34:03] Tim Chase: That, that, that’s awesome. Yeah. That, that’s important. I think you and I both think the same way. Like we wanna go somewhere where we can make a difference, right? Like when I, when I made a move and, and uh, you know, I came over to where I am currently at Lacework, it was like, I want to go somewhere that makes a difference.

[00:34:16] Greg Crowley: Yeah, you wanna make a difference. You wanna make that impact.


[00:34:20] Tim Chase: You know, which is why we’re in security, right? Because it, you wanna make the impact. It’s always changing. Nothing, uh, nothing stays the same. That’s the one thing that will stay the same is that it’s always

[00:34:29] Greg Crowley: That’s right.

[00:34:30] Tim Chase: Um, so just a few questions here. So rapid fire questions, um, and, and just, uh, gonna throw ’em out. Um, so, so one, uh, what is your martial art of choice? Oh, okay. That, that’s interesting. 

[00:34:46] Tim Chase: What is the one tool that you can’t live without?

[00:34:50] Greg Crowley: Oh, I, I don’t know. I, I, I will say that one thing I, I like right now is what Microsoft is doing with their security stack. I think the way that they’re putting Defender together is, uh, really well done.

[00:35:05] Tim Chase: Solid. Yep. What is the most important habit an IT leader can have?

[00:35:12] Greg Crowley: Habit of listening. Ab absolutely listening and building relationships.

[00:35:19] Tim Chase: What one tip would you offer listeners to increase their cybersecurity?

[00:35:23] Greg Crowley: Focus on the fundamentals. Focus on the hygiene first. Don’t try and rush it. Gotta get those right.

[00:35:29] Tim Chase: Perfect. And for anyone who wants to connect with you, what is the best place to do that?

[00:35:34] Greg Crowley: Uh, find me on LinkedIn, Greg Crowley, CISSP.

[00:35:37] Tim Chase: That does it for us today. Listeners, thanks so much for tuning in. If you liked what you heard today, don’t forget to subscribe and we’ll see you next time 

[00:35:44] Tim Chase: on the Code to Cloud podcast.

About the guest

Greg Crowley

Greg Crowley is an accomplished executive with over 20 years in Information Technology and Cybersecurity with extensive experience in managing enterprise security and mitigating risk for global hybrid networks. Greg believes that as a leader in the cyber world, being able to communicate and execute a strategic vision to defend and protect is the most important part of his role. Prior to joining eSentire, Greg oversaw the overall cybersecurity function as Vice President of Cybersecurity and Network Infrastructure at WWE (World Wrestling Entertainment). He spent over 17 years in various leadership roles across engineering, infrastructure and security within that organization. Greg holds a Bachelor’s degree from Queens College. He is a Certified Information Security Manager (CISM) and a Certified Information Systems Security Professional (CISSP).
