Episode 3 features Jeff Rathmann, the CEO of Silo City IT, a cybersecurity and pen testing firm located in Buffalo, NY. Jeff talks about his job as a cybersecurity expert, the skills needed to excel in the industry, and shares his favorite resources for becoming a better cyber security specialist.
(electric music) - And explore careers that involve data. In this episode, Brian Barrey will be interviewing Jeff
Rathmann, the CEO of Silo City IT, a cyber security and pen testing firm,
located in Buffalo, New York. Jeff will talk about
what skills are needed to be successful in the
industry, tools to get started, and the future of cyber security. Stay tuned to hear more.
(electric music continues) - Thanks for joining us, Jeff. - Thanks for having me. - To start us off, could you
tell us what cyber security is, in your own terms?
- By definition it's usually
how I like to explain it for the most part, but
a summarized definition is really the protection of
any data stored and transmitted between electronic systems. A lot of people think of it
solely as protecting computers
and data on computers, and
not realizing how much data is out there on sensors
and your smart light bulbs, and your phones. And so it's really protecting
all of those and all of the data that's on those
and transmitting between them.
- Yeah, there's a lot of
data out there, right? - Right, right. - So as a cyber security firm, your work would include defending against
potential network attacks. Can you give us some more
details about what specifically
your firm does? - So at Silo City IT we really
have two primary focus areas of our business, one being
penetration testing services, and that involves identifying
where organizations are vulnerable to network attacks
and web application attacks,
and phishing attacks, and providing remediation
insight into how to prevent those attacks from happening,
from what we call bad actors or the hackers who are
going to try and get in. And then the other aspect is
really managed cyber protection services, and that involves things
like end point protection to protect laptops and
desktops from attacks with malware and viruses, and then adding on patch
management, where we're patching
all the vulnerabilities
that Microsoft and Adobe and all the big vendors
come out with every month to make sure that those aren't areas that you can be attacked. And we do a variety of other
things; firewall as a service,
secure remote access, and
multifactor authentication, have really been a large
part of what we've been doing since COVID hit, to
enable those organizations that didn't previously have
the ability to securely access their internal networks,
enabling them to have
a tele-work workforce. - And if our listeners are not
sure what some of those are, the definitions can be looked up on, just a simple Google search, right? - Right, right.
And I'm always happy to, if any
listeners want to reach out, I'd be happy to explain anything
to them or send them links on where they could get
some of those explanations. But yeah, each of those terms,
you will find a plethora of information when you Google them.
- Very cool. So now that you talked a bit about what your responsibilities
are, could you tell me a bit about what a typical day
or week looks like for you? - Typical day would probably be easier
than a week. (chuckles) Every day is different,
some days I wake up at six and I have constant meetings
throughout the entire day, whether they're Zoom meetings
or lately been having some more in-person
meetings like we used to,
but if I'm not in either
phone calls or meetings, I'm usually working
actively on client projects, whether that's running
penetration tests remotely, or working with our vendors
to identify feature requests that we have from our customers.
- So do-
- So I would say, every day is very, very
dynamic in my schedule. I really don't know what's
going to be on there, until I wake up that morning. (chuckles) - Now as a CEO of a company,
and I know it can be very time-consuming. Are you still able to set aside time for personal development or conferences? And if so, what kind of
activities do you do? - From a conference
perspective, I do try to take
some time out and focus on
specific areas of interests, whether that's industry-specific
things like medical or financial or legal, and
try to attend some events, focused on those or conferences,
focused on those really for target industries for the business,
but others especially in
the cyber security side, Black Hat and DEF CON, which
are typically held in Vegas. This year, they were held virtually, and so the last five days or so, I've been just live streaming
on multiple computers,
catching different
briefings here and there, and again, that's a big thing
from a networking perspective. There are some chat
rooms that are associated with a lot of that, where
it's just a bunch of hackers that are talking, and most
of the time due to the rules
that they have in place on those forums, there's no badgering, there's
no negative talk allowed, and they're just sharing information and everyone's teaching each other, and it's a great place to learn.
And the fact that DEF
CON this year was free, - Oh, nice. - Really helped out. 'Cause you're gonna have to fly to Vegas and it's usually like $2,000 to attend so,
for a high school or college student that would be kinda difficult to do. - Yeah, it's a steep price
there for them. (chuckles) - Right, right. (chuckles) - Or for anyone. (chuckles)
- Right, yeah, yeah. Yeah but overall I would say
I'm trying to get better here, finding some more time for myself and trying to stay sane in that manner. I have two young kids and
my wife and should trying
and spend time with them, really
is where my priorities are whenever I can get away from work. - Yeah, it's a big balancing act, right? - Right, right. - So after telling us about
your role in the company,
can you tell us what the
favorite part of your work is? - Personally, I really
enjoy working with a variety of different customers
regardless of industry, but every engagement is different. And having a personal
interaction with clients
and identifying a problem
and coming up with a solution is always something that
I've been passionate about, regardless of what it is. And so really just having
that personal connection, working with someone and working with
so many different unique people
and solving their issues, that's really something
that I thoroughly enjoy. And I will say that, from a high school and college perspective, soft
skills are a huge portion of business today, and
there are so many people
that are on the technical
side that fall into being so technical and focusing
on those hard skills that they don't really
work on their soft skills and their business acumen. And if you're a mad
scientist and don't need
to talk to anybody and know everything, and you can work for the government and stay in a basement and
code, more power to you. But if you wanna be in an
entrepreneurial role someday, or you wanna be in kind of the mixed area
of like a sales engineer
or you're technical and working in sales, you
need to have those soft skills to be able to communicate. And that's a big portion of,
I feel what differentiates us from a lot of the other firms
that are doing cyber security,
is they don't have engineers
that can really speak to customers unless they're
super, super technical. - Yeah, right. Totally understand,
you have to communicate and get the ideas across, right?
- Right, right. - Now, how about telling our
listeners about something that was a challenge for you at work, and how did you overcome it? - When I was working as
a government contractor,
prior to having my company,
I had a previous company and I was deployed overseas,
working on installing and architecting communications
for the military. And we ran into a variety
of issues trying to set up what you would think of as
like a typical office use
of someone accessing
whatever type of programs, whether it's Microsoft
Word or it's websites or whatever it might be,
by trying to allow users in a very remote area of
the world to communicate over a satellite, to try
and access things like that.
Proved to be quite difficult. And so there was a lot of collaboration between different vendors
that we were working with, and a lot of different team
members on each portion of the communication that we
really had to work together
and everyone dropped
everything, to make sure that we could prioritize this and
get it up and operational so that people could do
what they needed to do. And that was probably the first time that I really understood
a full teamwork involved
in engineering type role. It's not something that,
you're not a sports team or anything like that, it's
troubleshooting an issue and having to work together,
and just everybody dropped everything to work for the mission.
Which was very satisfying
once it was all done, and we were able to get
everything up and operational, and at least people be able
to do what they needed. - That's amazing. Yeah, it takes a team, right?
- Right, right. - So switching gears a little bit, as a teacher, I often have students ask, what skills or education they need to join a certain career path.
Can you tell me what you
think are the most important, hard skills and most
important soft skills, because I know we've talked about that, when you work in your field? - Sure, sure.
So the hard skills,
especially in cybersecurity, they're evolving every day. Attackers are coming up with new methods, and we're seeing a lot of that
in present times with COVID that attackers have created
new malware specifically
for COVID, ransomware
that's targeting COVID, a lot of phishing campaigns,
and so being able to keep up with threats that we're seeing
today and analyzing those, and figuring out how to stop that, is a very difficult skill.
And there's so much involved in that that I think it really
depends on the skill sets of the individual and really
what they enjoy doing, because you can go on the
side of malware analysis, and malware research, where
there's brilliant people
around the world that work
on this all day, every day, where they dissect ransomware,
and try to figure out how to decrypt it and how to block it. And those are the people that we need so that we can protect
ourselves from 10,000 new pieces
of malware that are created a day. Aside from that, there's
some really great companies and really great capabilities, leveraging artificial intelligence
with cybersecurity now, and also threat intelligence
is a very big portion
that you don't see all
that often, unless you're in very large companies or large vendors that specifically focus on it. And it's a skill set all in itself, because being able to have
people who understand how to go
into the dark web and find things. We have an engagement coming up that we're starting later
today, that we're going to be running a dark web investigation for a particular organization
that was having someone
who was being harassed. And we're trying to see if we
can identify on the dark web, if anyone was stalking
about that particular person or their organization, and there's a lot that's involved in that.
But it's a skill set on its
own, and it's a fun thing to do if you know what you're doing. And probably the last one I would bring up would be threat hunting. That's not currently, as far as I know,
in any schools really? - Yeah, I don't think I've
heard too much about it. - That's really involving,
not looking at antivirus and end point protection,
but having the ability to dig through and forensically
investigate multiple systems
or even an entire organization to identify if there are any current threats
that have been undetected. So in research, if any of
your listeners are looking up any of these key words,
they'll probably run into a keyword called APT or
advanced persistent threat.
And a lot of threat hunting
involves trying to find if something has been essentially
sitting on your network for a long time and just
hasn't been activated yet. And that's what typically
happens when you see in the news, all of these data breaches,
and there were tens of millions
of credentials involved in
data breaches just last week. And so a lot of times an
attacker will come in, they'll drop something in,
whatever method they took, and then just leave it sit there until they're ready to execute on it.
And unless you're performing
active threat hunting, you're never going to find it
until it's usually too late. So that skill set in itself
is very valuable right now, and there's not a whole lot
of engineers that can do it. So those would be three big
hard skills that I would say
are in need right now, but we need more cybersecurity people,
regardless around the world. So any topic, any interest,
the attackers are always ahead and we're always trying to
catch up and stop what we can. So the more people we can get
in our arsenal, the better.
- Yeah, it's pretty scary
stuff, right? (laughs) - Yeah, yeah.
- You need more people to stop it. - Soft skill wise, really
presentation skills, I've found to be very essential,
and I've seen it more
and more in universities. They're starting to teach
entrepreneurship, and a lot of that involves being able to
adequately present topics, whether they're random topics
that are thrown at you, or whatever it may be,
but being able to present.
It doesn't matter what it is. A lot of what I do outside
of the technical side, it's being able to present
the results of something to an organization after
we've worked on a project and if you can't explain the results,
if you can't present them to
everyone across the board, from the CEO down to the
technical team in their IT group, then your message isn't
going to get across. And most likely your services or your job is going to be looked
at as unsatisfactory,
because of the fact that you weren't able to communicate what you
were doing properly. - Cool. So are there any applications
such as Power BI or Excel that you often use in your work?
- I would say-
- Anything that you we talk about? (chuckling) - (laughs) In general, I mean
having a good understanding of all of Microsoft
Office or Google G-Suite, either are used across the
board right now, and just being,
I'm not saying being able to
write every kind of formula, in macro and everything in
Excel, or anything like that, but just having an understanding
of how to do basic things in there and PowerPoint,
same thing, just being able to have an understanding
of how to actually use it
and create a presentation, and whether it's G-Suite or Microsoft. Those are definitely things that we use on a regular basis,
anytime you're presenting, you're typically using PowerPoint,
and anytime we're writing
proposals, they're Word documents. But outside of those, there's
so many tools that we use from the services side that's
penetration testing tools, there's hundreds of those. From a business side, CRMs
or customer relationship
management capabilities, and being able to track
your communications with your customers and
track lead generation efforts and marketing efforts, there's a lot on the
business side of things.
And then you get into the accounting side with QuickBooks or Xero
or whatever you're using. So there's a lot of aspects, it depends on what you're looking at,
but I would say for someone who is interested in
getting into cyber security,
the first tool set that I would recommend they look into would be Wireshark. - Okay. - It's free, a lot of tutorials,
a lot of free training, and really will allow them
to get a good understanding
of communication between
systems on the network side, and if you can get
really good at Wireshark, then you can be a good
cyber defense engineer. We can train you after that. But if you can understand how systems
are actually communicating,
that's a big portion of the analysis that we have to do. - Well, I think that's huge
for our listeners there to hear that, a specific program that they could maybe take a look at.
So I know this isn't one
of our questions but, about how many programs would
you say, or applications that you say that you
would use altogether? Just a rough estimate. - For our services or for overall
like our penetration testing
and things like that? - Yeah, just overall. - Close to 200. - Okay, wow! (chuckles) - Yeah. (chuckles)
On the penetration testing
side, there's a few capabilities now that are on that cutting edge side that we're focused on,
where we can automate a lot of the penetration testing, and that's a big push for us.
We're continually expanding our
capabilities in that manner, but another great area
for students to learn is going on to GitHub
and just running searches through repositories for different topics. You can find so much information on there
and you can find a lot
of training capabilities, especially in cyber that are all free, that people have designed;
AutomateLab build outs, and they've just done a
lot of the work for you, where all you've to do
is pull down their code
and off you go. It's a big resource for
us when we're looking at new types of attacks
that we should try. And a lot of the malware
researchers that I was talking about earlier, a lot of
them, when they perform
their research, they
will put the signatures that would be used to identify that particular strain of malware, we'll put those on GitHub
to share those out. So it's a really big community,
all those free resources
from this past DEF CON, they posted all of those
scripts and everything that everyone wrote on
there, they're all on GitHub. So there's a wealth of knowledge there. It's where a lot of our
tool sets come from.
- Yeah, that's awesome, a place you can go to kind of find out
some more tools to use. - And they're all free. - Yeah. - Very helpful.
- Bonus.
- Especially while learning. - (chuckles) And finally,
before we let you go, is there anything else that
you'd like our listeners to know that we didn't cover? - I would say, especially
those that are in high school
or just starting out in college, start looking at different skill sets and just experimenting, if
you're interested at all, whether it's cybersecurity
or IT in general, start getting out to,
whether they're events
like I was talking about, or
whether it's just information and forums and things like that online, but start as early as you can. 'Cause that's when you're
going to be able to build up your background and be able to come out
of school more valuable. And the more that you
can learn the better, and a lot of what we do is
just learning on a daily basis. Like I said, everything changes regularly. So just establishing
yourself as far as learning
as much as possible and
always wanting to learn. If that's not something
that you like doing and you don't like experimenting, then this field may not be
for you because regardless, you're always going to have
to learn something new.
So my biggest advice would
just be reach out to anybody and everybody you can, and just start experimenting with things. We've been working with some
universities on coming up with workshops and I'm
hoping probably next year
we'll be able to at least
start posting some information on our site for training for just different open source resources like I was talking about, and
some of the different things that we use, that anyone
would be able to set up
at home just on their laptop. - And just for our listeners, what is your website address again? - It's silocityit.com. - Thanks.
Thank you so much for
joining us today, Jeff. And to all of our listeners, check out our previous
podcasts, where we have spoken to professionals working in
evaluation and manufacturing. For more information
about starting your career
as a data scientist, go to dataanalytics.buffalostate.edu. Don't forget to subscribe so
that you get notifications each time we release a new episode. And join us October 1st
for the next episode of
"Buffalo State Data Talk".