Dev.Sec.Lead host, Wilson Bautista Jr., talks with AJ Nash, Director of Cyber Intelligence Strategy at Anomali, about AJ’s learnings from a long-standing career in cyber intelligence as well as the concept and application of servant leadership.
INTERVIEWER: So on the show today, we have AJ Nash.
Welcome to the show.
AJ NASH: Oh, hey.
Happy to be here.
I really appreciate it.
INTERVIEWER: So what's your role?
Where are you now?
AJ NASH: Yeah.
So I'm the Director of Cyber Intelligence Strategy for Anomali, which is a threat intelligence company platform offering.
We do threat intelligence.
And we do some work tying intelligence back to SOC environments and some other pretty cool research tools.
INTERVIEWER: So you started out in the Air Force as a Serbian and Croatian linguist.
How in the world did you get into cybersecurity?
AJ NASH: Yeah.
That's a good question.
I have a lot of, obviously, friends in the industry.
And it's amazing how many of us say, oh, I got here by accident.
And that's accurate.
That's true for me, too, as it turns out.
So I was a Serbian and Croatian linguist, not a very good one.
So I ended up being an intel analyst, really.
In my unit, we had enough linguists as it turns out.
We were short of analysts.
So I was adopted by the analysis shop.
So I still did linguistics.
But I did more analysis work.
And that led to a career doing intelligence analysis [INAUDIBLE] traditional work-- counterterrorism, and counter-insurgency, and things like that, just war criminals.
And that transitioned into cyber space also very much by accident.
When I was leaving the Air Force, I did some work on counter-IED work for a while.
But after that, I was recruited into a defense contract.
And it turned out to be on cyber, which I knew very little about, honestly.
And they wanted to do a lot of things that involved operations research and computer science and math.
And I actually interrupted the interview and said, I think I'm in the wrong room.
It was a large defense contractor.
But what they needed was somebody with intel background that could tie a lot of what they were doing in science and technology back to intelligence, traditional intelligence, and make sense of it and see if it would be applicable for intel analysts.
So that led me down that path.
And ultimately, most of my career has still been spent doing traditional type intelligence work, just applied to the cyber environment.
It's just another area much like land, sea, and air.
Cyber is another area to focus on.
So it led me down that path.
And I'm very lucky to have gone that direction.
It's a pretty good industry to be in.
INTERVIEWER: Yeah, definitely.
So you're focusing right now on cyber intelligence.
So there's a lot of jargon that's out there that people are kind of confusing between what cyber intelligence is and what cyber threat intelligence is.
Is that the same thing?
Or is it different?
AJ NASH: Yeah.
It's a good question.
So there's a lot of buzzwords in the industry.
I think the biggest challenge we've run into, really, is the differences between data and information intelligence.
So Joint Publication 2-0, which is a US military doctrine, really lays it out pretty clearly.
In simplest terms, data is if I give you a long list of IPs or URLs.
And information would be if I take those IPs and URLs and I add some sort of threat context to it.
And a lot of folks in the industry will sell either one of those as some sort of threat intelligence, which it's really not.
To get to intelligence, you have to have some context.
You have to put in the time and effort to understand what some of these things mean, timelines for when architecture was safe and unsafe, for instance, what motives are involved for adversaries, what you might think would be coming next.
And there are far fewer that actually do that work.
In my opinion, threat is really just a subset of intelligence.
The term cyber threat intelligence caught on as an industry term.
It's become a standard so a lot of people stick with it.
But I've made the argument before and will continue to make the argument that, really, the term should just be intelligence.
And maybe you can drill it down to cyber intelligence.
But the threat piece is really just a subset of that.
We're all trying to work on mitigating threats and lowering risk.
That's part of the output really of good intelligence.
INTERVIEWER: So I always talk about cyber intelligence and cyber threat intelligence as well.
And my definition is that cyber threat intelligence is like an intelligence feed.
It is not intelligence in itself.
You have to be able to put context, like you said, to its applicability to the organization.
So that's the way I kind of look at cyber threat intelligence.
That's a part of an overall understanding of an organization's [INAUDIBLE].
Cyber threat intelligence and cyber intelligence are not the same.
So that's interesting.
AJ NASH: I think that's a reasonable way to look at it as well.
I've tried to limit confusion.
I see what you're saying and certainly there's a solid [INAUDIBLE] there.
I do find it's challenging sometimes.
We're doing it in an environment right now where much of the private sector is still trying to learn this.
The intelligence community has been doing intelligence for decades, 50 years modern and probably a couple hundred years if you want to go further back.
And this is starting to bleed into the private sector.
And it can be very confusing for folks who have a history that has nothing to do with this, like computer science backgrounds or business backgrounds or whatever they might be.
So it's important to try to help them simplify some of these things.
But I do understand what you're saying.
There's a nuance that it certainly makes sense.
It's just a more complicated conversation, I think, to have sometimes.
INTERVIEWER: So what do you think about the cyber intelligence publication that Carnegie Mellon just put out in regards to how organizations can put that kind of capability in place?
AJ NASH: It's a good question.
I'll be honest.
I haven't read the publication yet.
I'm aware that it exists.
But I haven't had a chance to read it yet.
So I'm a little bit on the back foot.
But in general, on how to install intelligence programs, it's a big chunk of what I do.
My role primarily is either building programs which I've done in a couple of large organizations or consulting with others on how to build their programs out.
So I haven't tried to target Carnegie. I'm going to hypothesize that some of the same thoughts are there, because I've talked with them previously, in that you need to start by understanding your stakeholders, who you're actually serving, and what the needs are, which is a huge gap I think most organizations miss.
is starting from what are we trying to accomplish, and who are we trying to accomplish it for, and at what levels.
And then from there, you can start talking about intelligence requirements.
So when I build programs or consult with people, I use the traditional intelligence lifecycle which is planning and direction first.
And then you can start talking about your collection plan and things of that nature.
And I think most organizations miss the planning and direction piece.
They jump right in, we need intelligence.
And we're going to hire a couple of people and we're going to buy a bunch of tools and feeds.
And we're going to have this intelligence.
And they're missing the core piece you need to start with, which is planning this out and understanding what you're trying to accomplish, who your audience is, and what your needs actually are.
And then the other piece a lot of organizations have a tough time with is understanding their own environment.
Just like warfighting, we're all familiar with this.
You have to know the terrain.
You have to know your own environment.
And a lot of organizations have a challenge with that.
They don't have configuration management databases that are up to date.
Or they don't have a crown jewels assessment that's been done.
Or they're lacking a strong SIEM solution.
Maybe they haven't tuned it properly yet or they're struggling with it.
And it's very hard to take intelligence and operationalize that and make sense of it and make it applicable to your needs if you don't know what your own needs are and you don't understand your own environment.
So again, I'm hypothesizing a bit.
I haven't read the paper yet.
But I'm going to go ahead and gamble that I'm probably close to a lot of what they talked about.
Because that's pretty traditional.
And I've had some chats with some of the really smart people at Carnegie Mellon on this.
INTERVIEWER: And you're appreciating everything that I've been saying.
You've got to know your internal requirements before you sit there and try to get tools and try to make sense of everything.
You've got to put all the fundamentals together.
AJ NASH: Yeah.
And it seems simple.
It seems like something that would make sense.
I'm always a little surprised even when organizations are really smart and great engineering.
I've never seen engineering work opportunity yet where people didn't start with a giant requirements document before they start building out software or hardware or solutions.
And yet in intelligence, folks are just jumping in.
And I think it's a combination of a need and a little bit of energy to get towards a solution quickly.
And some of it's just a lack of understanding.
We're still working to educate the people in the private sector on what the intelligence is and how it works.
And frankly, there's a lot of vendors that take advantage of that ignorance and sell whatever they have as the solution, which is not ideal.
INTERVIEWER: Completely not ideal.
So the skill sets, now we had talked about that the industry or just the commercial sector is just lacking the skills.
Where do people start?
Where do they start?
AJ NASH: That's a great question.
So obviously, it's easiest if you can bring somebody in who has the background.
So hiring out of the intelligence community is something I certainly encourage at least for your key hire.
The person who is going to build your program ideally has traditional intelligence background.
Now the challenges there, of course, are if you're not in the intelligence community, it's hard to hire from the intelligence community.
You don't know where to start.
And I also caution people that, frankly, almost everybody's resume is going to look pretty impressive.
So you've got to figure out a way to weed through those resumes, understand what the person actually did as opposed to what they were a part of, what their team did.
So I often consult with people and say, hey, listen, I'll happily review some resumes for you and make some phone calls.
[INAUDIBLE] dig in and find out what this person's role really was and what they actually accomplished.
I give people some red flags to look for.
If somebody says, I can't tell you anything, it's classified, it's probably a good indication you need to move on from them.
At worst, they're fictional on their resume.
And at best, they're just not very good at communicating things, which you're going to need them to communicate.
But assuming you don't have that, so your question really is about how do you get the skills.
So let's assume you don't have military or intelligence background.
There are some good university programs.
Obviously Mercyhurst, they teach at the Kent School.
So that's straight out of the CIA.
Great program for how to do intelligence.
There's some schools we've started building cyber intelligence specific programs where they combine their computer science program with some traditional intelligence.
James Madison University comes to mind.
Robert Morris University comes to mind.
I'm not trying to plug any specific universities.
I didn't go to those schools.
But there's a few out there.
I know there's a small school in North Carolina, which name eludes me right now.
So there are programs to do that.
And then there's some training, obviously.
GCTI is a good course.
It's really good fundamentals.
And then beyond that, it's getting into the industry.
So I'm a believer, you build the program, you start with a trained professional, a really seasoned intel person.
And then you start building that team up.
But everybody doesn't have to be a senior intelligence analyst.
You can bring in academia.
You can bring in junior analysts to learn as they go along and build a cohesive team.
You don't have to have 30 people who've all got 20 years experience.
But those are places to start getting those skill sets.
I think GCTI is really good.
And I think some of these schools are really good.
INTERVIEWER: So when do you think we're going to see the establishment of an intelligence capability in cybersecurity teams be more broadly accepted?
AJ NASH: Yeah.
Really, really interesting concept.
So I think there are several voices that are pushing that.
Good voices that are having that discussion.
I think, like many things, it takes time to adopt.
I feel really good, frankly, about the progress of intelligence in the private sector.
Five years ago, there really wasn't much of any.
Now we have mandates coming down from boards, not even just CSOs but all the way up from the board saying, we have to build intelligence programs.
The next step is the why.
We've got folks now that are building programs who aren't really sure what they're trying to accomplish.
But we started by understanding there's a need.
And I think now we're working on the professionalization.
And I think there are some strong people helping to do that.
I know a few really good ones in the industry that speak regularly about the foundations of intelligence and how to build programs.
[INAUDIBLE] wrote a great book.
Chris Cochran at Netflix is a pretty good guy.
I know him well.
And he's building a really good program.
And he's a good communicator.
I could probably list off several other people.
So there's some experts in the community.
There's a guy named Jeff Barden, who I don't know how many people know about.
But he is absolutely an expert on how to build programs and teach.
He used to teach university on the subject.
So there are folks out there that are helping to push this message.
And I'm trying to do my part as well.
I'm having discussions at C level with folks and saying, hey, you need to think about intel in a much bigger role.
I'm disappointed and frustrated right now that where we are still has intel buried in SOCs in a lot of cases, sometimes buried below the blue team even.
So we've got to look to elevate that.
That's the next discussion.
How do you get value out of all this spend on your intelligence program?
And that's to elevate the program so you can serve a wider audience within your enterprise.
You can serve physical security.
And you can serve executive protection.
You can serve the procurement organization, the M&A organization, and a much larger audience than just defensive cyber operations.
So I think that's the next generation of where we're going to go from an intelligence standpoint.
I do envision that in the next five to 10 years we'll see intel really pushing up towards the C-suite level even, being in a position where they're up at that CIO-type level working with them.
Maybe there's a Chief Intelligence Officer of an organization.
Or at least they're working under the CIO, much closer to the C-suite, and working with a much broader audience of people they can support within their industries.
INTERVIEWER: I'm hoping to see that it improves all over the place.
It would be great.
AJ NASH: Yeah.
I'm pretty excited about it.
I'm certainly spending a lot of time having those conversations.
And they seem to be pretty well received.
I think people want to go there.
It's a challenge.
And you've got to work your way up.
There was a time when the CSO position didn't exist.
And then you kind of worked your way to that.
There was a time when the CIO position didn't exist.
So these things take time to grow and develop.
And I think intel is the next stage is [INAUDIBLE].
I think HR was probably the last one.
You started seeing Chief HR, which didn't used to happen.
And I think organizations are seeing intel in a fashion where I feel like that might be the next step.
And I think, again, there's some really bright voices.
And folks like Carnegie Mellon, as you mentioned, there's good and good folks within academia pushing how to do this better.
So I think it's inevitable.
I think it's going to happen.
People want to get proactive.
They want to get ahead of threats.
The only way to do that's going to be through intelligence.
And then the other piece is how you're going to tie that to all these new technologies, machine learning and AI.
And getting that all sorted out as well is going to be a big part of it.
So it's going to be a very interesting ride, I think, for the next 10 or 15 years.
INTERVIEWER: So now let's talk about servant leadership.
You have that on your LinkedIn profile.
But I don't think that everybody really understands what that means.
What does it mean to you exactly?
AJ NASH: Yeah.
I'm super passionate about this.
I'm glad you asked.
So I have a master's in organizational leadership from Gonzaga University.
And servant leadership was the foundation of that.
So in a nutshell, there's two different types of leadership.
And again there's others, but just in a nutshell for this discussion, there's two types of leadership.
There's the hierarchical approach which basically says I have my title.
I have my position.
And my responsibility is to tell you what to do.
And your job is to get it done.
And that's how this organization works.
I tell you what to do.
And you do it.
My job's to make you do things.
And that's how a lot of organizations work.
They're kinder and gentler about it.
But essentially, that's how a lot of organizations work.
And the other approach is what we know as servant leadership.
Some people call it the upside down pyramid as well.
The concept is I'm not supposed to use my position to make you do things.
My position comes with responsibilities to you, as a manager, as a leader.
My job is to assess what your needs are, what the organization's needs are to help put people in the right positions to succeed and then keep blockers out of the way.
Make sure they have what they need to succeed and then do my part to help them do that and get out of the way and let them do good work.
Hire the best people.
Give them the best opportunities you can.
And have good communications.
Stay in contact with them.
Understand what's going on.
And just let them know, I work for you.
In politics, you have politicians who talk about how they serve their community but some do and some don't.
It's the same concept.
And whenever I've been in positions of leadership, to me that's a responsibility.
I lead you.
I work for you.
And my job is to figure out what your needs are.
It's not about my ego.
It's not about my title.
It's certainly not about my paycheck.
It's what can I do to make you more successful.
And in turn, it will make the organization more successful.
And actually caring about the people, so it's a very humanist approach to leadership.
And I'm a massive proponent for it.
I have serious issues with the old school hierarchical approaches for many different reasons.
And I'm a big believer that if you connect with people and you figure out what their needs are and you work to support those needs and to just block obstacles and be that iron umbrella for your team that everybody will do very well.
It'll be a very successful opportunity.
The culture will be good.
Everything else sorts itself out.
The mission takes care of itself if the people are taken care of and the culture is a good culture.
People want to be there.
And from a business standpoint, for those who want to argue it, it's expensive to turn people over.
And if you have a healthy culture where people that are enabled to succeed are empowered to get things done, they're less likely to leave, too.
So it's a win-win for the organization and for the individuals.
I've used that actually since I was in the Air Force.
That's not one that came out of the school or anything.
I just kind of came up with it at one point.
I think basically, there's a lot of stuff raining down on you wherever you are.
[INAUDIBLE] And I just said, listen, as long as you guys keep me informed of what's going on in your life and give me a heads up so I don't catch bullets in the back from leaders above me, I'll be the iron umbrella.
And I'll keep stuff off of you so you guys can get your job done.
And to me that's the responsibility of leadership.
Leadership isn't about power.
It's not about authority.
It's really about serving others and about the responsibility to them.
INTERVIEWER: I totally agree with what you're saying.
I've always held that mindset in regards to leadership as well.
And the Marine Corps is the same way.
The junior enlisted eats first, the officers eat last.
So it's the same kind of mentality.
So you learned this in grad school.
Are there any books on this topic that the listeners can pick up?
AJ NASH: Yeah.
There's a lot of books on servant leadership.
INTERVIEWER: So is it Greenleaf?
I'm trying to think of his name now.
AJ NASH: Yeah.
So he's sort of the father of this.
A lot of his books were foundational to the work we did.
Kouzes and Posner have a few books on the subject as well.
They were pretty well published on it.
So I apologize, I don't have a title right in front of me on this.
I could put my library for you if you want.
We can give a reference on the back end of this.
But there's a lot of good books.
Greenleaf is certainly [INAUDIBLE] the father of this concept, I think, and was a big foundation for my particular grad school work.
So anybody can Google the term servant leadership, essentially, and he's going to come up first.
Kouzes and Posner will come up repeatedly as well as authors who wrote books on the subject.
I think it's a remarkably simple concept, to be truthful.
There's a lot of different bits and pieces to it and how you apply it.
But the concept itself is remarkably simple.
It's caring more about the people you're entrusted with than about yourself.
There's still going to be some level of management, of course.
You have to make sure people show up on time for work if that's the kind of environment I work in.
There's productivity numbers and there's metrics and there's all those things that still have to happen.
It's not as though we live in a fairy tale where if I'm just nice to people, they'll do great work and everything will work out.
So there's still management as part of your organization.
It's just leadership principles come into play.
Am I doing this because my boss told me to do this?
Am I doing this because I understand where I fit in with an organization and I know I've got somebody that's there to support me and help me through it and give me what I need to succeed?
And one of those two is much more pleasant and, frankly, much more successful in the long term.
If people live in a very hard hierarchical organization, they'll do it for a while.
And if you're paying enough, they'll do it a little bit longer.
But you'll never get the best out of them.
They do enough to meet the needs that they're forced into.
And they look for a better opportunity.
Especially now, I think for maybe the first time in our history, we've evolved to a point as a workforce where people aren't just willing to suffer for their job anymore.
The economy is pretty strong.
There's a lot of other opportunities.
There was the old school, my grandparents, you took a job whether you liked it or not.
This is what you did.
And you do it for 30 or 40 years or 50 or whatever.
And then you get your little gold watch and you get your retirement.
And you die.
And the generations past that, from say Gen X through Y and Millennials and now whatever the next generation is called, they think less and less about that.
It's more about work-life balance.
Am I making myself miserable?
Is work killing me?
Which could be proven that stress does that to you.
And people are conscious of that.
So they're not going to suffer for their job anymore.
So for organizations that don't adapt and change because they think it's the right thing to do-- they may want to adapt and change because they think it's the only thing to do to survive in business, but you're not going to keep great talent if you don't find a balance.
It can't all be candy and popcorn and unlimited vacation.
People have to get work done still.
But there's a lot more that can be done in the servant leadership space, I think.
INTERVIEWER: I think those are really good points, that the workforce is changing.
And I think that, especially with our industry, we see that.
We see that a lot of cybersecurity folks are getting snatched up from here to there because maybe the salaries are higher.
But maybe it's leadership.
That may be an issue.
Are we missing this kind of leadership in our industry to help retain talent?
Or do you think it's just a money thing?
AJ NASH: No.
I don't think it's a money thing.
There's certainly some people that leave for money.
But ultimately, I think people still quit managers not companies.
And they quit their boss before they quit their job.
Money, again, money is always part of the equation.
If somebody offers somebody they're probably going to go.
But frankly, in this industry most people are pretty well compensated to the point now where the extra what makes them stay or go.
Because it's uncomfortable when you change jobs.
You're still the new kid in school.
You've got to learn things.
And however great the interview was and how much they wooed you, you know it's never perfect.
I think people want to feel that they're important.
They want to feel that they're doing something meaningful.
They want to feel that they're cared about.
And you can only fake that so long.
So if the organizations think, well, I'll just check the boxes and pretend these things.
And if I do these five things, they'll believe it.
People see through that eventually.
It has to be genuine.
So for organizations that are healthy in that regard, that genuinely care about their people and are worried about true work-life balance and are taking the time to communicate and fulfill the needs of their team, whether it's personal growth or professional growth or extra time off if needed for medical issues or family or whatever it might be, I think that's where retention comes from.
I know plenty of people, myself included, who have turned down positions that would have paid them more money because they liked where they were and they felt appreciated where they were.
And they felt that they were in a good spot for themselves from a mental health standpoint.
Chasing the money only takes you so far.
There's studies out there to suggest that anything over $70,000 a year, I believe, is the number, your peak in terms of how happy you are, $70,000 was the number per year.
After that, people aren't measurably happier no matter how much more money they make.
So it really comes down, at that point, to what kind of mental health you're going to have, what kind of physical health you're going to have.
Jobs that treat you poorly, that make you miserable are really bad for you.
So I don't think money is a great way to steal talent away or a great way to retain talent.
If people are just doing it for the money, they're not doing their best.
INTERVIEWER: I totally read that study that you're referring to.
And it's very interesting.
Everybody would say, I need six figures.
I need to be in the mid-100s to be happy.
Well, you're going to pay for it somewhere.
AJ NASH: Nothing comes for free.
I've made less.
I've made more.
And I don't know that my happiness has changed all that much between then.
Because it's never enough.
That's the truth.
Oh, if I just made this much, if I just drove this car, if I just had this house.
You find it's never enough.
And I'm guilty of it.
I do the same things.
I'm no better than anybody else on the subject.
But I know when I step back it hasn't made-- it's fleeting.
The thing I wanted, the next milestone you want to hit, as soon as you hit it, you're like, OK now I want to hit this next milestone.
You can always look into the next one.
So it isn't about that.
And I am at a point now where, for my career, I want to be places where I have opportunities to do good things and be appreciated for those and have them do things that I think I'm equipped to do.
In a plug for where I'm at now, I'm really happy because of that.
I'm in a great role right now where I get to do what I think is good work that's meaningful that fits my lifestyle and what I want to accomplish.
I'm really happy about it.
And I've got friends that are doing bigger jobs and making more money and have bigger titles.
So I'm jealous a little bit of some of that stuff.
But ultimately, I don't think I'm living their life.
Because I don't think their life would fit me.
I'm happy for them.
It's what they want to do.
But I'm not sure it would fit me.
INTERVIEWER: That's really a great way to put it.
So final question.
From your level, what advice can you give our listeners to improve their careers in cybersecurity?
AJ NASH: That's a good one.
So I'll start with the cliche.
Never stop learning.
I know you and I have talked.
I've got several books that are half read right now.
And I'm really embarrassed by that [INAUDIBLE] shelving books that are fully read.
But I got several half read books that I'm working through.
You're never going to know enough.
And you're never going to be able to keep up.
So there's always opportunities to learn more.
The flip side of that is don't think you have to know everything and constantly read everything.
You can't let that be something that overwhelms you.
Because again, you're never going to know enough.
So I'm a big believer in humility.
I know what I know.
And I try to be good at what I'm good at.
But I also am realistic and honest and go into many conversations telling people this isn't my background.
I'm not remarkably technical.
These aren't things I've done.
Here is the area where I'm successful.
Here are people I can bring in.
And I think that's another key piece is build the right network.
Don't try to be everything for everybody.
You won't succeed.
And don't try to hide the fact you're not everything to everybody.
Because people figure that out and you'll come across as arrogant or dishonest.
Build the right network.
Be a team player.
If you're great at intel and you don't know anything about packet capture analysis, don't pretend you do.
Bring in somebody who's great at that.
If you're an amazing reverse engineer and you don't know anything about foundations of intelligence, reach out and make friends with people who have intel backgrounds who aren't reversers.
Build a strong network.
And make sure when you build that network it's bi-directional.
People who are on LinkedIn massively collecting all these big CEOs as their friends on LinkedIn, and CEOs and CSOs and all these people, it's understood.
People understand when you're just doing that to collect a network that you think you're going to use later for your benefit.
If you're not willing to give as much as you're willing to take, just don't connect to people.
So to me it comes down to that.
Learn every day.
Be honest about the fact you'll never know everything.
Build a really good network.
And be as much of a giver as you are a taker.
And overall I think that'll take you a long way, in this or any career, quite frankly.
I find those things to be really, really useful.
I'm never smart enough but I seem to be OK at some of my things.
And that's how I feel about it, and how everybody should hopefully get to a point where they feel.
INTERVIEWER: This is great advice.
Thank you so much for your time today, AJ.
AJ NASH: Oh, man.
Thanks for having me, Wilson.
I really appreciate it.
This is a very cool podcast.
I've listened to [INAUDIBLE] episodes showing online right now.
And very cool, man.
I really appreciate having the opportunity to chat.
INTERVIEWER: All right.
AJ NASH: All right.