Interview with Greg Surber

Faculty Recognition – Interview with Greg Surber

Greg Surber has more than 25 years of experience in the cybersecurity field in both public and private industries. He has operated in environments governed by an intricate network of local, state, federal, and international policy, from large-scale educational systems spanning a dozen foreign countries to public utilities operating in multiple jurisdictions. His experience encompasses all aspects of cybersecurity from offensive and defensive techniques to regulatory compliance, system auditing, cyber risk management, and policy creation and enforcement. He received his Bachelor of Arts in Sociology/Criminology from the University of Oklahoma and his Master of Science in Cybersecurity from City University of Seattle. He currently holds Security+, CISSP, and Certified Ethical Hacker (CEH) certifications. 

Morgan: Greg, congratulations on your recent career change. Thank you for agreeing to be interviewed for the STC Thursday Byte. Let’s start off by telling us about your career path that brought you to where you are today.

Greg: Thanks, Morgan. It’s great to be here! So, I began my journey in cybersecurity many years ago when I took my first job in IT at a little mom-and-pop computer repair shop in my hometown. We had several small business clients all over town who relied on us for support of all their computer needs, from system builds to installation and even networking. The shop owners pushed me to get a couple of industry certifications, CompTIA’s A+ and Security+, as a marketing tactic more than anything. But when I was able to help an important customer track down the source of and recover from a virus that had hit their systems, I was hooked. I easily convinced my boss that helping me down this path would benefit their business, too, so they began expanding their offerings to include more security services. After about a year of building and securing small networks for local dentist offices, accountants, and small industrial clients, I decided to go back to school and get my undergraduate degree.

While completing my Bachelor’s, I was offered a job with one of the University’s Colleges as IT support. This offered me a break in tuition as well as much more flexible hours, so I reluctantly left the repair shop. I also completed my first internship while finishing out that degree. The State Bureau of Investigation had just contracted with one of the University IT teams to establish a first-of-its-kind-in-the-state cyberforensics lab. I leapt at the opportunity and helped build the foundations of a lab that, to my knowledge, is still in operation today.

Once I had graduated, I began looking for my next opportunity. I found a position with a US Department of Defense contractor supporting the Defense Information Systems Agency (DISA) as an IT Security Analyst. I worked my way up through those ranks to lead security analyst for Unix systems and eventually joined the Department of Defense as a government employee. Then I got the offer of a lifetime to head overseas and lead a cybersecurity team. 

As the Chief of Information Assurance for the DoD Education Activity in Wiesbaden, Germany I was in charge of the cybersecurity program for a US public education-style educational system supporting over 40,000 students, teachers, and administrators spread across seven European countries. Unfortunately, overseas tours with the DoD end after 5 years, so I had to leave that position behind.  

Relocating to Seattle, I took a temporary position with Boeing, supporting the AWACS and other programs as a cybersecurity engineer before finding a more permanent position with Puget Sound Energy (PSE). I stayed at PSE as a Senior IT Security Engineer for just about 5 years when my wife got her dream job offer. We moved across the country to Boston, where I now live. I currently work for the US Department of Transportation (DoT) as a Senior Principal Cybersecurity Engineer / Architect, leading a small team of security engineers at a DoT research and development agency. 

Morgan: What’s one thing you wish you had known when you began your career? 

Greg: Buy Bitcoin early? But seriously, networking is key. I don’t mean computer networking, I mean the kinds of networks we develop with others of like mind. Find and nurture professional networks of people in the specific areas you find most interesting, be that a particular technology, like wireless, or an industry you want to break into, like medical. Professional organizations like ISACA and ISC2 can help find these contacts. Attending conferences like BSides or DefCon is another great way to meet new potential contacts. And don’t forget to establish personal networks of friends and acquaintances outside of cybersecurity. Not only are those types of relationships important on their own, but you also never know when someone might get wind of an opportunity you would be perfect for.

Morgan:  How do you continue to learn to stay on top of things within your current role/area of expertise? 

Greg: The easy answer here is, “I read…a lot.” But really, it’s more than that. I do have a dozen or two blogs/newsfeeds/twitter feeds/etc. that I visit basically every day, but I also try to keep engaged in other ways with the cybersecurity world. I have active TryHackMe and Hack the Box accounts, where I practice new tools I’ve uncovered or new techniques I want to learn more about. I download virtual systems from sites like VulnHub to practice even more. Building a virtual lab to test your hacking skills in a safe environment is probably one of the best things I can recommend to anyone interested in this field.

Morgan: What are some of the things you’re researching and/or learning right now? 

Greg: I have gotten really interested in the security of the Internet of Things. I have been researching various tools aimed at helping vulnerability and security researchers tackle this growing problem. And I have never lost my love of finding new tools, figuring out how they work, and applying them to problems I encounter (or, sometimes, make for myself). 

Morgan: We hear about success, but I think it is more powerful for our readers to hear you talk about your biggest failure (which I prefer to call biggest lesson); can you tell us about your ‘biggest lesson’, and what you learned from it? 

Greg: You might notice a common thread among many of my answers: communication. While I thoroughly believe it is the number one skill to build for success in most arenas, including as a cybersecurity professional, I must admit it has not been a skill I always had, or one I have found easy to develop. Back when I worked for the College, while I was completing my Bachelor’s degree, I got my first ever, and most dire, “professional improvement plan”, commonly referred to as a PIP. Since it was a small college, with just under 20 total faculty and staff, it was a much less formal process than many face at larger organizations, but it had a profound impact on me. Basically, the Assistant Dean, my direct supervisor, brought me in for a review. She began by extolling my virtues in performing my duties, but she then noted that there was quite a bit of acrimony within the college about my failure in keeping everyone informed of progress. Although the actual work I was performing more than met her expectations, the fact that she had to track me down to request status updates, often for projects I had long since completed, was unacceptable. If things did not improve, and quickly, she would have no choice but to investigate alternative options. Well, that was certainly a wake-up call! I had been operating under the idea that, if I completed my work well and on time, I was performing my duties properly. However, I was forgetting one very important adage: the job is not done until the paperwork is complete. That means communicating with all interested stakeholders not only throughout the project, but also notifying them when it is complete and ready for them. 

Morgan: What advice would you give someone wanting to pursue a career similar to yours? 

Greg: Communication is key. You need to learn how to communicate across multiple media – spoken, written, presentations in front of audiences, both large and small. Understand that you will be frequently called upon to explain some highly technical issue – a virus outbreak, why a specific ACL needs to be set on the perimeter firewall, or how this new tool could potentially save the business thousands (millions?!) of dollars. Often the audience you must communicate with is not as steeped in the jargon as you. Sometimes they may be…let’s say this politely, “less than technically inclined”. Being able to explain the same situation to the technicians who will be implementing a tool and to your boss’s boss’s boss, in ways they both can understand, is a skill that will take you far.

Morgan:  Great advice! What are the best resources that have helped you along the way? 

Greg: Again, I find reading helps broaden the vocabulary and provide alternative views on how to present complex information. Writing is better. Even if you are the only one who ever reads it, I encourage everyone to establish a regular habit of writing down the important things that happened during the day. When selecting reading material, make sure that you are selecting from across several different perspectives. If all you ever read is technical documentation, then you may become well versed in writing for a technical audience, but you might have difficulty getting your point across to a less technical audience. If you only ever read high-level management books, then you might begin to understand how executives think, but you might be missing key details about how the technology actually works. If you read both, and selections from all the stages in between, you begin to see the correlations between the technical requirements and the executive focus. This can help you translate from one to the other. And let’s be honest, they really are two different languages that require a skilled translator to ensure the meaning is not lost.

Morgan: What is the one common myth about your profession or field that you want to debunk? 

Greg: Pretty much every movie or TV show you have ever seen is laughably wrong. From the graphical, cityscape-like file systems of Hackers to the ability of the hacker on a laptop in a bar to break into secure DoD systems, despite some pretty serious distractions, in under 60 seconds. The truth is much less flashy, requires a lot more tedious attention to detail, and is ultimately more creative than those movies ever hoped to show. 

Morgan: What have you read or listened to recently that inspired you?  

Greg: There was a book published a couple of years ago called “Tribe of Hackers”, edited by Marcus Carey and Jennifer Jin. It’s a collection of interviews, not unlike this one, but with the 70 most influential people in the hacking community. Each person’s story is unique, as was their path to where they are, professionally. Just understanding that there is no “right way” to do it has been very therapeutic to me. 

Morgan: Where can our students connect with you online? 

Greg: My CityU email is I am also almost always reachable via Teams at that same address. Those are probably the best two ways to reach me. I try to respond to either as quickly as possible, usually in less than 24 hours. 

Morgan: Thank you for taking the time to be interviewed.