Rich: It was quite an envelope-stretching experience. And that's something that I actually speak on and I encourage everybody to push yourself, learn new things, and don't be afraid to try things you don't know if you're qualified for.
Caroline: From Cobalt at home, this is "Humans of InfoSec", a show about real people, their work, and its impact on the information security industry. I am so excited to welcome my friend today, Rich Greenberg. Rich is a well-known cybersecurity leader and evangelist, CISO advisor and speaker with over 30 years of management experience, strategy, and thought leadership in both IT and information security. He is an ISSA distinguished fellow and has received their honor roll designation. He's been selected as a finalist for the (ISC)² America's Information Security Leadership Award in the senior Information Security Professional category, and the "Los Angeles Business Journal" CIO of the year in security. On top of all of that, Richard has formerly served on the OWASP global Board of Directors, led the OWASP LA chapter, and has been co-chair of the highly successful AppSec California conferences, one of my favorite shows. Rich is the kind of guest where we can spend the entire episode just reading his impressive bio, but as luck would have it, we have him joining us today to share it himself. Rich, thank you so much for joining me today. I'm delighted to be speaking with you.
Rich: Caroline, it's always a pleasure. You are an awesome person in the field as well, as we all know. And so, as soon as you invited me, I was delighted.
Caroline: Thank you. You know, I have just the best memories of us 2016, 2017, 2018. So many good times there together at the Annenberg beach house. I'm really hoping that I can make my way there again sometime soon to join you for another event.
Rich: Yes, we plan on continuing that. You missed last week's ISSA, but we have AppSec SoCal coming October 20, another opportunity. I know you can't make that one, but maybe some other folks can. And then next year, we have some more events scheduled there.
Caroline: Yes. Good stuff happening in the information security community in Southern California. Rich, there are so many things that I want to ask you. And maybe we can start at the beginning. Tell me about Richard, just about to step into the cybersecurity world. Bring me back to the time in your life when you decided to be a part of this crazy industry.
Rich: Well, like many people at my age, and I won't tell you that right now, I did not study InfoSec, I did not study IT. I was actually an architect. And one of my first jobs out here when I came in 1990 to lovely Los Angeles was the flight hardware development for JPL. I had to learn how to use computers at that point because this was going to be the prototype job for the company that would be utilizing AutoCAD. Up until this point, they would be all hand-drawn drawings, both floor plans, sections, elevations, specs, you name it. And so, I had to learn AutoCAD. And the more time I spent with that, the more I started doing more and more IT things. I moved on to a couple of other companies. And don't ask me how, somehow I became a Novell NetWare administrator for a company. And then I got a job as a Unix systems administrator for a different architecture firm. And I must say, I was on the phone with HP, Sun, Microsoft, and Autodesk help desk support many hours of many days learning my way through the Unix command line interface. It was quite an envelope-stretching experience. And that's something that I actually speak on and I encourage everybody to push yourself, learn new things, and don't be afraid to try things you don't know if you're qualified for. There's basically a general fear of failure in corporate America that has to change. People need to be experimental and look for more creative ways of doing things.
Anyway, I was working in the county of Los Angeles as an IT director. And I had to address the needs of the business to share a brand new information system that we were building to collect data throughout 100 sites. And this goes back to about 2002 or something along those lines. And it wasn't something that was already built. We had some dedicated lines we were using, which could be pretty expensive. And so, I created a VPN infrastructure and was building that. And then the CIO of the county started to send me threatening emails that I was creating a backdoor. And so I decided, let me get some formalized InfoSec training. And I did that. I then got my CISSP. And lo and behold, once I started...and this wasn't planned, this was just, "Hey, I got it, let me use it." Once I started putting the CISSP after my name, the threatening emails stopped. It gave me some creds. And I was like, wait a minute, you know, after a couple of weeks, I said, "I haven't gotten a nasty email in a while, what's going on?" And I realized, what changed? I just put those five initials after my name. And that was it. And then I got a formalized role shortly thereafter, as the CISO for the LA County Department of Health Services, that's where all the hospitals are. So, that was my story. Kind of a long-winded answer, but I thought that the audience would appreciate some of the background.
Caroline: I think folks certainly do. You know, I think a lot of the folks who join us and listen to the stories that we share on this podcast, they may be...at whatever stage of their InfoSec career, they may be considering jumping into the field. And I think that your gift of sharing with us your story is really helpful. Thank you. You mentioned security at the Los Angeles County Department of Public Health. I understand that you ran that program for more than 15 years. I'd love to hear more about your work there. In particular, I want to ask you if there are any special projects that you feel particularly proud about.
Rich: Well, as I started saying, I got my start in security in the Department of Health Services as their CISO. And now, public health split off several years later. And during the transition, I volunteered to go over to public health to build a security program there. So I'm a rarity. You've heard the term Greenfield, and no, that's not my last name. I'm Greenberg. But greenfield means a security officer who gets to build a program from the ground up. And so, HIPAA was just coming alive back when I was a CISO at the Department of Health Services. And actually, due to HIPAA, I was named the CISO. If it wasn't for that, it would have been business as usual, particularly in the public sector, as we know, everything moves at a snail's pace. And so, I built a program there. And then I went to public health, which split off from health services. So, the reason for that was, health services is all about getting people into hospitals, public health is about preventing the need for them to have to go to hospitals through education, and awareness, and testing, and clinics all over the place. So, the goals were quite different, plus the hospitals are always in the red. Because as you might recall, if you show up in an emergency room in a public hospital, they have to treat you and many people don't have health insurance. And so, it's a loss leader for these hospitals. So overall, it's in the red, where public health was always in the black. So, for those two reasons, they were trying for 20 years to break apart. And they were successful.
So, I built programs from the ground up when I first went to public health. I was on my own and I lobbied very hard to get FTEs as well as bringing in some contractors. I find that, just a word about that, contractors are essential and a really important mix for any type of organizational structure because those folks are getting trained and keep you updated more than any of your employees, in general. And so, you're gonna be bringing in people who are actually smarter than you. And that's what I needed. I was working with people, for many years, among whom I was the leading InfoSec person. And for a CISO, that's a dangerous situation, right? You want somebody that you can turn towards and ask advice, and they can bring in a whole fresh thought process from their years of experience. So, two different opportunities, and I had a really good career with the county. I don't regret it. I made less than many of the people listening who were in the private sector, but I was working with important things to help thousands of people for many years to get health care, build systems that would ensure the health and welfare for many. And I think it's important to do something that's not just making widgets, the typical example.
Caroline: I think that's really cool. My father spent 35 years, his entire career, in a public sector role. And I think that for many of us, if we get to do work that aligns with a sense of purpose, then we're very fortunate. And Rich, that actually brings me to the next topic I want to ask you about, which is OWASP. You have contributed so much to OWASP and to the community. I can't imagine software security and application security without OWASP. I'd love to know what you think about the work that you've done with the organization trying to find and fix and prevent vulnerabilities in software applications. I mean, it's extremely important work. I'd love to hear what you think about it.
Rich: One thing that I do from time to time is a self-evaluation. It's really important we all do that. So, there I am, a CISO who has a background with IT because I was IT director before, but I never did coding. Don't laugh, I took FORTRAN and BASIC many years ago and learned about that. But other than that, I felt I needed to improve my application security knowledge because I still have to have impact on the application development team. They had their own director and I had to reach out to them and interact with them. But I don't know about you, but I find that people generally have a hard time respecting someone who knows nothing about what they're supposed to be doing as far as that person's work. So for application development, how am I gonna sit there and talk about application security when I don't know anything about applications? And I'm being quite frank, all right? Of course, I knew some things, but let's be honest. So I started studying, and I found OWASP. And I started reading about all the things that OWASP had to offer, all the tools, all the sandboxes, all the guidelines, and checklists. And I was amazed. I said, "Who are these people creating all of this? This is awesome content." I'd been involved with ISSA for many years prior and there was nothing like this in ISSA, totally different mindset. And the amount of worldwide dedication was just incredible. And the people in OWASP are passionate.
As I said, I had many years' experience with ISSA. I was interacting with folks internationally and throughout the country. I was going to the CISO executive forum. So I was meeting a lot of CISOs, but OWASP, it's a whole nother level of dedication and commitment. And many times there would be conference calls for whatever reason or board meetings, and there'd be people expressing their passion on these calls. And that's, to me, what stands out the most about OWASP. The dedication and the passion of the international community is just awesome. And so, my first formal introduction to OWASP people was through Cassio Goldschmidt, who organized and created the OWASP Los Angeles chapter. Cassio is a dear friend I've known for many years. And back in 2010, we put on and were successful in getting the OWASP AppSec USA. And there was a great conference with some of the most amazing luminaries in the field all in one place. I think it's one of the best speaker lineups that I ever did. That was my first time putting on a conference and I've been putting them on ever since.
Caroline: So cool. You know, I think it's not always typical that you hear a person talk about their experiences with Novell, and Unix, and FORTRAN and making VPNs, and then also playing this role of community leader. You were also a Los Angeles chapter president and on the global board of directors. You know, I think it's just really interesting that not only have you sought out, throughout your career, continuous learning and an appetite for taking on technical topics, and educating yourself and seeking learning resources, but in all the time that I've known you, Rich, I really think of you as a connector of people. I think that that is very cool. I wanna share a fun fact with our listeners. So, folks, not only is Rich an ISSA distinguished fellow, what you may not be aware of is that this particular designation is limited to just 1% of ISSA members. In order to achieve this title, you need to have 10 years of documented exceptional service to the security community and a significant contribution to security posture or capability. It's a big achievement. And Rich, for those of us that find ourselves inspired by you, would you tell us, where do you get your drive? Where does your motivation come from to keep on just giving and giving and giving and nurturing this cybersecurity community?
Rich: Well, first of all, thank you for the kind words. It's humbling and I do appreciate it. Let me take you back to where I first got involved in volunteerism. I wasn't doing a whole lot. You know, I donate money to nature organizations and Red Cross and different things of that nature, but I wasn't putting my time into anything, really. I would go regularly to the ISSA lunch meetings, and they kept asking me to get involved because they could see that I was outgoing and social. And they said, that would be a good, you know, besides my knowledge of InfoSec. But now I have a young baby and, you know, I don't really have the time. But then I started realizing, you know, I was a person that trained myself decades ago to get four to five hours' sleep a night. And I was very functional, I was very active in sports and constantly staying in shape until some things happened. But I was happy with four or five hours' sleep. And my family would go to sleep earlier and there I am sitting at night. And I said, you know what? I have this time, I could do something, you know, constructive with it, rather than just sitting and watching television. I didn't watch much television. I said, let me do that.
And I joined the ISSA as their very first...we created a position as the vendor director. And I built the new sponsorship prospectus and all of a sudden started getting us a lot more vendors, which enabled us to lower the price for attendees who are members. And so, we doubled our attendance, we quadrupled the amount of money, and everything just went on from there. And I said, "Hey, this is very doable." It's not impacting my life negatively, because I have the time when no one else is up in my house. I can work for a few hours late at night. And then Tin Zaw succeeded Cassio as the OWASP chapter leader. And then Tin was stepping down and he said, "Richard, take over as well." I'm already running ISSA. He says, "You can do it." So I did that. And I kind of did the same thing. I brought in many more vendors. And we went from, like, 12 to 15 attendees up to 60 to 80 at the OWASP meetings. And a lot of that was due to, you know, being able to bring in vendors to sponsor and serving buffet dinners to the attendees. You know, you've heard of the "Field of Dreams" quote, "Build it and they will come." Well, in LA, it seems to be serve dinner and they will come.
Caroline: Fantastic. I mean, I think this can really be a lesson for folks who may be listening, you know, if there is a local community in your region, join. And if there's not, consider partnering with folks, maybe some of the vendors in the area, in order to get one started. And then, I think one of the cool things actually about the pandemic was that so much of the community...there's nothing like being together in person. But when we can't, for one reason or another, there are great virtual groups as well.
Rich: Absolutely. I can't encourage people enough. Just use Meetup, if you'd like, and do a search, and you'll find that there are a dozen groups not far from you, most likely, unless you live up in farmland, that you can attend that are related to something of interest to you, if not your field itself.
Caroline: So good. Richard, thank you again so much for taking the time with me. It's so great to reconnect with you. We appreciate you being a part of this podcast and for your generosity with your time and with your story.
Rich: I'm very happy that you invited me. Can I do a quick 10-second commercial?
Caroline: Yes, please.
Rich: So, take a look at planetcybersec.com if you're in the Southern California area. We have five conferences throughout the year that we put on and I think they're really wonderful. We handpick top speakers. So, that's all I wanted to share with you.
Caroline: Wonderful. Yes, I certainly hope to make it there for an in-person myself, hopefully sometime soon.
Rich: It'd be great.
Caroline: "Humans of InfoSec" is brought to you by Cobalt, a Pentest as a Service company. You can find us on Twitter @HumansofInfoSec.