What a fun interview with Joseph Carson, Chief Security Scientist & Advisory CISO of Thycotic! Aviva Zacks of Safety Detective asked him about his company’s flagship product Secret Server.
Safety Detective: What was your journey to cybersecurity?
Joseph Carson: I started my career in technology, mostly in computer science, back in 1991, but cybersecurity wasn’t really a thing yet. There were no dedicated courses to study for it in school or university. When I started, it was more focused on electronics, radio signals, communications, and PCs, which were growing and popular. It was the start of the internet era itself in connectivity and networks.
One of the earliest projects that I worked on was the digital transformation of medical records in hospitals, which involved taking all the paper records that were kept in the archives and moving them to a digital format. The two purposes of that were so that doctor-patient times could reduce significantly and that intermediaries wouldn’t need to handle the sensitive medical records.
In the early 2000s, I was responsible for foreign exchange and money markets for the world’s largest global banks. At that time, I was still in a network operation center monitoring activity, fault alerting, and availability. But one of the responsibilities I also had was the security aspect.
But in 2001, after a well-known DDoS attack happened against GRC.com that also impacted the company I worked for, I decided that the rest of my career was going to be more focused on security, which started to evolve into the more global terms—cyberspace and cybersecurity. I have the ability to put myself in the mindset of an attacker because of my hacking skills, along with my moral compass, making me an ethical hacker. I use my skills for good by helping people defend and protect against major threats.
SD: What do you love about it?
JC: I’m a tech geek at heart. The first time I got a computer was around the age of eight years old, and I was already programming by the age of nine, doing basic coding and writing basic programs. I got heavily involved in computer games and consoles when I was very young. I wanted to understand how things worked, so I started taking them apart, understanding how they were put together, understanding how to repurpose them for other things.
SD: Can you tell me about Thycotic’s flagship product?
JC: First of all, Thycotic focuses on privileged access management. That allows system administrators, security professionals, and even business users to perform tasks such as accessing applications, adding users, making configuration changes, installing software, and conducting vulnerability scans. Essentially, the personnel must be able to manage applications and services that run in the background and gain access to critical resources and data.
Our flagship product, Secret Server, takes control of those privileged accounts, manages them, and secures them, which means that we help make sure that the passwords in those accounts get automatically rotated so that people don’t need to remember them and they don’t need to enter them. We handle that in the background, so they can focus on their job, reducing cyber fatigue.
We also have very in-depth auditability, so we know that when a root account, a domain administrator, or a local administrator account or a service account gets used, we can tie that back to the identity that was actually used to either check it out or to log into a system or to install an application. So we provide a very, very strong auditability as well.
And we also have the capabilities of adding additional security controls on top of those. For many organizations, sometimes a password is the only thing protecting very high-level, highly valuable accounts that can sometimes mean the difference between a catastrophic event and just a security incident. By adding additional security controls, we can verify the identities by augmenting passwords with multi-factor authentication and access workflows, which means that if I want to access a database, an application or a cloud environment, I might need a peer or a colleague of mine to authorize my work. Also, the activity or session, whether it is conducted on a remote desktop or an SSH, can be recorded to prevent me from abusing my privileged access.
Thycotic enables organizations to protect those sensitive accounts that can make serious and significant changes to the business, and also provide very, very strong auditability and reduce the risk of those by adding additional security controls in place. All of this is customizable, as is whether the technology is deployed on-premise (within your physical environment) or in the cloud. We provide different flexibility and deployment capabilities to meet the needs of different companies.
SD: What do you think is the worst cyberthreat today?
JC: I think there are two major threats that the world is having at the moment. The most common cyberthreat that we have is ransomware. Ransomware can make systems unavailable and cause major financial harm, in some cases leading the company to go out of business. Ransomware is a very destructive, very malicious piece of malicious software.
The second biggest risk that I also see is the one that has a kinetic impact, meaning where we see real-world impact from things like the Internet of Things and connectivity, where we see devices that have the ability to impact the real world, whether they’re medical devices, aircraft, autonomous vehicles and delivery trucks, or where we see robotic processing or robotic production lines that have real-world moving parts and robots. The concern for me is also malicious activity that could have those devices damage physical things, whether driving a car off the road, or a medical device that is life-saving for many people being turned off.
SD: How do you think the COVID-19 pandemic is going to change cybersecurity for the future?
JC: I think it’s just accelerated what we were already doing anyway. In the past 10 years, we’ve been moving toward bring your own device (BYOD), the remote workforce, and increased connectivity. COVID-19 has accelerated that move, meaning that overnight, some companies went from having 10% remote workers to having 100% remote workers. That has accelerated the ability to allow employees to access systems from outside your managed and secure network. At Thycotic we help enable system administrators and desk workers to maintain normal operations while ensuring the security of privileged accounts, no matter where employees are located.
I think COVID-19 will also see a new wave of innovations and technology, looking at how to allow companies to be more resilient to these types of threats. But I think what it’s really done, at least from a security perspective, is accelerated the direction we were already heading, which is to the cloud, to more remote access, and managing that remote access in a secure way.