Chapter 7: Expert Profiles

By now, you know a lot about my journey and how I came into this career. Insight into other people’s paths can give you a broader understanding of cybersecurity as a career. I thought I’d share the spotlight with other successful colleagues, all of whom have a unique path to this industry and whose areas of expertise vary as much as their journey.

1. Tony Cole, Chief Technology Officer in a company

2. Ramses de Beer, Incident Response in a corporation

3. Patrick Olsen, Security Operations in government

4. Robert Coles, Cybersecurity in a corporation


Ramses de Beer, Incident Response in a corporation

Ramses de Beer started tinkering with electronics when he was about eight years old. His parents bought a computer a couple of years later and he began experimenting with it just before the general public started getting online. Those early days led him to study computer science and carve a career in IT.

Today, he’s Senior Security Engineer and Incident Response (IR) Manager at Google EMEA, based in Zurich. He’s a forensic expert with a breadth of experience that includes consultancy, incident response management, and network defense/offense operations. A well-traveled expert, Ramses speaks Dutch, English, French, German, and Spanish.


What are your main responsibilities?

I investigate potential security issues at Google and Google Services. I also manage teams during those investigations and head certain tool development projects.


What initially drew you to information security?

My first job came when I answered a newspaper ad. Back then, the term hacker didn’t necessarily mean someone breaking into things; it was a generic term for people who like to tinker with hardware and software. The justice department in the Netherlands wanted to recruit hackers to investigate legal cases, so I answered the ad, got the job, and have never looked back.

I stayed at the Netherlands Forensic Institute for about two years and then moved to the Ministry of the Interior. There I spent twelve and a half years performing computer network operations mainly on the offensive side. From there, I went into the oil industry (at Shell) and did consultancy at Mandiant before moving in-house at Google. It’s been a ride—consultancy, government, consultancy, and then in-house commercial space, corporate.


What’s a typical day like for you at Google?

I get up quite early to do my morning routine and get in the office around 9:30 to 10 a.m. The office is typically dead before 10 a.m., as most people get in around that time. There are usually meetings because we have offices across multiple time zones and staff in Sydney, Zurich, and Sunnyvale. We then have operational meetings, and then there are two possibilities—either I do project work, which means we’re programming, designing, or working with the engineering team to build incident response tools, or we have on-call schedules.

We’re essentially a line of defense for Google, so if there are potential security or privacy issues, our team is paged. We have on-call rotation schedules that I also participate in, which means any one of us can be paged by anyone within Google anywhere in the world when there’s an issue. Because we’re not the first line of defense, the issues we face have already been escalated and need IR experts, and they can be technical in nature and involve a PR/Communications response, a legal response, or involvement from other parties.


What is the life cycle of an IR investigation?

A typical response is either privacy- or security-related. First, we need to dig in and know which type it is. Google is a huge company with many different products and services, and you need to get the right people together to understand the problem. We usually plan conference calls to figure out what’s going on. At that moment, I take the lead and start managing that crisis, which means delegating tasks and controlling progress across those tasks.

If I’m leading an investigation, I always involve another team member to execute the investigative work. An investigation can take a day, a few weeks, or months. We also figure out if and when to involve the legal, communications, and marketing teams to know how to address our customers. Then, we wrap up with a post-mortem where we track those activities across Google and make sure the required improvements are implemented.


You’ve moved around from client side as an IT consultant to services at Mandiant, and then into it on the client site. How did you eventually choose the IR side after spending so many years in government?

After twelve and a half years in the government and moving from unit to unit about every three years, I thought it would be interesting to go into Incident Response. I’d remained sane (which can be a challenge when working in government), kept learning, and after being mostly on the offensive side, I wanted to use my knowledge in the defensive side and help defend organizations. I wanted to explore different environments, different customers, and see how I could grow. Mandiant came at the right time because they were among the top companies doing IR at that time.


You’ve worked in a number of locations—England, the Netherlands, Dubai, Switzerland, and in Asia. What’s your favorite place to work and why?

Wherever my wife and children happen to be is always my favorite place. From a professional perspective, I really enjoyed the Middle East. It’s culturally challenging, and you get to address actors from the Five Eyes (1) group which is also challenging and interesting. I’m also partial to warm weather and enjoy the multicultural aspect of the Middle East, which has made me grow tremendously.

Google is flexible in how you perform your work, and I think it works if you can handle yourself and are results-driven. I like to see the team and see them face-to-face, so I try to be in the office as much as possible. I do sometimes take time to work from the Netherlands because that’s where my family lives.


Is there a typical path for someone who wants to go into incident response?

There was no educational path before, but now there is. The educational path geared toward forensics is computer science or security engineering. Then you can start into forensics—computer or digital forensics—and get involved in investigations. Once you’ve acquired some experience, it’s easy to move into Incident Response. I don’t think you can start in Incident Response or incident management because you need some experience first.


What makes a great IR specialist?

The greatest IR specialists I’ve learned from are those who have perfect balance between their technical skills and their people skills. They’ve learned to be the (stereotypical) person under the hoodie working on his own, but also the person in a room full of people to whom they can communicate on every level, be it the technical person sitting next to them or the C-level executive sitting across the table.

An IR specialist needs to understand forensics on different levels (i.e., system level, network, PR) as well as what different stakeholders need to hear to be able to condense and translate technical skills and technical investigations. Because you’re leading the investigation and not doing or solving everything yourself, you need to understand who you need and when.


What advice would you give to someone entering the field now?

You should be adaptable and ready to be in the type of environment where a peak or crisis can happen at any time. If you’re the type of person who likes peaking and then downtime instead of a constant workload, you should go for it. You should also have a technical background, but you don’t have to be a forensic guru to start. Lastly, you need people skills—or a social sciences background—to handle the stressful situations, read people, and understand how they behave.


Are there any misconceptions about what cybersecurity experts do?

Many young people are scared off because they have this idea that you should be a huge nerd, tinkering with computers from a very young age to actually do this, which is not true. You can do this from 9 to 5, not take on any side projects, and not work on this stuff 24/7, and still be successful.

Another misconception is that you need to become a manager or have a leadership role to grow. But leading is something you do at every level—as a nerd or as a social person in a crisis—so you don’t need a title, but rather, take responsibility and find opportunities to lead at every level.


What are some of the advantages or benefits of following this path?

In this world, the learning never stops. So, if you’re eager to learn and use your creativity, this is definitely the field to get into. You’ll learn from technical challenges, from the different types of customers, and corporate and country cultures. And the work never stops, so there are huge opportunities for anybody who wants to grab it and go for it.


Would you do anything differently if you wanted to follow this path today?

I probably wouldn’t have had a formal education. I went to school in the Netherlands, which I think was extremely overrated. Although I studied computer science, I don’t think I learned that much—most of my learning was autodidactic, so if I had to do it again, I would probably skip the formal education. (That’s not necessarily the advice I’d give others, though.)


What about certifications?

They measure not only a certain base level of knowledge, but it tells me that this person is focused enough and has the backbone to do what’s needed to finish the certification. And in this business, there’s a boatload of certifications from very generic overviews of varying (information) security topics, to different technical courses, and at different levels. But certifications are just a starting point, and it’s up to the interviewers to test your day-to-day problem-solving skills, and most certifications will not help you there. You still need the experience.


What are the pros and cons of working in the government, a consultancy, or a tech company?

Let’s start with the government. To me, the government is both interesting and annoying. It’s interesting because you have an immense amount of time, freedom to develop your skills, and it’s not a results-driven culture. So, these are positives if you start your career and want to develop your skills—there’s no pressure and you have an immense amount of time, and usually funding, to pay for your skills development. The most negative aspect is that it’s slow. Because it’s slow, you won’t get promoted or further your career easily, which can get very frustrating. You need to know what you’re getting into. I tell people to make sure they move internally every two and a half to three years to stay sane.

Consultancy is great if you want to work in a high stress environment, meet new people, and deal with new technical challenges and environments each week. It’s a very fast learning and grooming school where you can also improve your people skills.

As to the negative aspects, you should have more maturity and be able to handle yourself in this high-stress environment. There’s usually a great deal of travel and demanding customers, which can cause burnout, so you need to know when to slow down. I tell people who want to start out in consultancy that they’ll gain a ton of experience, but it will be compressed in a week instead of five years.

The positive side of working for corporate organizations is that they have standard procedures and policies in place. So, you land into a framework where they think for the long-run and you can focus on your job instead of procedural policy creation.

The con is that all these procedures can hamper your creativity. If you want to work at a bigger corporation, make sure you get your hands dirty. Pick up some projects that will allow you to express your creativity and keep your skills sharp. Otherwise, you may get sucked up into the bigger multinational policy worlds and end up in the same job until you retire (which is okay if you want that!).


Have people’s or companies’ attitudes toward security changed since you started in this field?

Consumers are becoming more and more aware of the privacy challenges when using internet services on a daily basis.

On the commercial side, companies are improving constantly in the privacy and security space to balance three things. First, they need to make profit. Second, they need to keep users happy.

Lastly, companies are working to improve their products to address the privacy challenges, but they still need to make money, so balancing their big data repository with the growing awareness of privacy issues will be a continual challenge.

I think the next three to five years will usher in some very big changes and consumers will become more aware of the balance between using the internet and privacy and sharing information.


What hasn’t changed?

Basic internet is still strung together with ancient technologies. For example, we have DNS—a backbone technology and the phonebook of the internet—that, in its simplest form, translates Web addresses like www.example.com to an IP address. That’s a very ancient technology that has hardly changed in twenty to twenty-five years. Some basic components of the internet that we now rely on to perform financial transactions or store medical data are still the same. We’ll need to change a few of those basic building blocks to get to an internet where governments, corporations, and customers feel confident about sharing things. Companies and researchers need to address the basic building block issues to get on a higher level and keep the growth sustainable.


Are there areas where we’re improving?

As an industry, we’ve brought the security knowledge and focus up to board level. That’s a big gain. The focus of external organizations on privacy and security issues is also deeper, and I think that’s where our industry has grown in the last twenty years.

But we’re still a long way from where we need to be. We need to understand that the privacy and security industry needs to take its own responsibility; the board level needs to enable them to fully take on that role and implement good measures, so that the services we’re offering are actually acceptable. We still need to fill this gap.


What would you change about this industry?

Right now, different sectors of the tech industry are dictated, dominated by some very big players, and have become so big that they are more powerful than certain countries. I do not think that’s the correct way forward because these companies are profit-driven. It might be a good idea to split up these big monopolies. Splitting them into smaller parts would make it easier for consumers to address those companies and to actually have influence in those companies to change it in a way that’s best for them. Humans want to have control themselves, but big companies usually think they know what’s best for consumers. I don’t know how I would split them up, nor when or who should control what, but I do see the current problem with big companies controlling large amounts of privacy-related information, having huge control over negotiations on even a national level. Since they’re also steered by profits and shareholders, it’s not the way to go.


What is the government’s role in protecting its citizens and enterprises?

Government should have a significant influence. The security and privacy industry and space has grown from a niche nerd’s market to something that dictates the basic stuff in our life—financial, medical, and communications with your loved ones and when you’re in crisis. I think those building blocks are so basic and important in a society that it should be the role of a civilized government to take responsibility to ensure those basic building blocks are at a certain level. But governments are slow and often playing catch-up with legislation. And multinational companies have enormous power to influence governments in different ways.


How do you see the industry evolving in the next five years?

I think it will be focused on two things. First, it will become a normalized, mass consumer good that everyone can use. Second, it will be partly driven by smart algorithms, be it machine learning and artificial intelligence. In five years, it will be driven by [new] companies that commoditize the security industry, take the specialist, “expert sauce” out of it, and combine it with a set of machine learning and artificial intelligence that will simplify its functionalities for the users.


What comes after IR? What’s your next career goal?

I’m a quite simple guy. I’m going to keep doing my daily activities that I like doing. Sometimes, that’s going to the beach having a beer with my family or friends. Other times, it’s hacking away all night. Or taking the lead on a certain project or leading a team into a major incident. So, I don’t know what the next step in my career will be, but I know for sure that as with all other steps so far, it will be interesting. I’ll meet new people and visit interesting places and learn about more cultures, which will help me learn new things every day.


Tell us about an embarrassing incident or personal mess-up.

I’ve made a ton of mistakes, but here’s one of the most embarrassing. Way back, when I first started, I got a call from a colleague a bit older than me.

“Ramses, tomorrow we have a discussion with our director of our department. I feel a bit sick. I can’t join this conversation. Could you go instead of me? Another colleague is joining as well.”

“Sure, no problem.”

I never asked what it was about. So the next morning, I show up at 9 a.m., the director of the Dutch forensic institute—the top executive—is in the room, and my colleague and I sit across from him.

“I really don’t know what it’s about,” I whispered to my colleague.

He looked at the director and said, “Well, (name of director), Ramses and I are here to tell you that we’ve lost trust in you, and we wanted to say that we don’t want to work for you anymore as a department.”

What? I had joined that organization only about six months before.

The director, who had known my colleague and had history with him, looked at me instead and asked, “Ramses, what is this about? What are you saying?”

I learned early on to always get the context of a conversation, understand who I’ll be talking to, what their objective is, and not assume anything in advance. This mindset works well and helps me stay focused on what is important.



Endnote

1. FVEY is an intelligence sharing alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States.