Q&A with Erich Kron of KnowBe4, Former Security Manager for the US Army's 2nd Regional Cyber Center-Western Hemisphere

Veteran cyber security professional Erich Kron works with KnowBe4, a company owned in part by the well-known hacker Kevin Mitnick, who also serves as KnowBe4's Chief Hacking Officer.

KnowBe4 is a security awareness company that offers a security awareness training and simulated phishing platform to private and public-sector organizations. It trains employees to make smarter security decisions and to act as a "human firewall," the last line of defense when technical controls miss an attack.

Kron holds multiple certifications, including the Certified Information Systems Security Professional (CISSP) from (ISC)2 with its ISSAP architecture concentration, and several certifications from Microsoft and CompTIA.

With a BS in IT-Network Administration, he has over 20 years of experience in cyber security, including work with General Dynamics Information Technology and on STG contracts covering senior-level IT, network, and security issues for the Department of Defense, among others.

This year alone Kron has spoken in person at 45 conferences and events and delivered 51 webinars and counting. We were fortunate to have him sit down with us for an interview and share his insights into the field.

Q: What are your thoughts on formal education, work experience, and industry certifications when it comes to preparing for a career in cyber security?

Kron: You know, I think there’s a great place for formal education. You kind of have to be someone who’s interested in this outside of traditional education and the workplace. If you really want to be successful in cyber security it really needs to be more of a passion of yours, or something that you find you really like to do because, quite frankly, this is a very fast-moving career.

The world out there is changing by leaps and bounds every day. And to keep up with that you have to really involve yourself very deeply in the whole cyber security thing. So I think the traditional education and learning about this stuff is incredibly important.

What happens in this career sometimes is you end up in these little niche areas where you don’t necessarily get to see everything. And that’s where formal education really comes in. It will open your eyes to areas where you’re really not involved, and you get to see some things that are happening that perhaps your current job doesn’t allow you to see.

For example, if you're doing analysis you're used to looking at logs and SIEM outputs and procedures, and things like that. The formal education piece can help you get that experience without it necessarily being a part of your job.

The other thing that’s actually very important in cyber security is certifications. I know there’s a lot of arguments back and forth about that. What certs matter and what don’t matter. But quite frankly, certifications are pretty important. They at least give employers an idea of your basic knowledge when it comes to certain topics.

So having those certifications doesn’t necessarily mean you’re an expert in that field, but it does mean that you understand a little bit – or you’ve been exposed to the knowledge – and that helps; employers at least understand a baseline of where you’re at.

We're currently in a situation where there are quite a few cyber security jobs out there, especially at the higher levels. Unfortunately there aren't a lot of people available to fill those spots, especially at the more senior levels.

It’s really been a boom in cyber security recently, and what that has done is to create a gap where you have some of the people that have been doing IT and security for a long time, and then you also have those people who are just stepping in. There’s a need for both ends of that spectrum, but there’s definitely a shortage on the top.

I work for a cyber security certification organization and unfortunately it’s one of the more misunderstood things in the cyber security industry. Like I said, I do believe they’re very important. However it’s important to understand what each certification means.

So, if you're somebody who wants to really be in the weeds and maybe do red team or ethical hacking sorts of things, make sure that you understand which certifications you're going for and what they mean.

On the other hand, if you’re somebody who’s looking to get into a management or more of a support role – for example policy procedures and auditing; things like that – you don’t necessarily need a hacker degree or a hacker certification to get those positions.

Understand what it is that you’re looking for and drive towards those sort of certifications.

The cyber security community – whether it be Twitter or different forums – is typically very supportive in helping people get started and helping people understand that there are more facets to cyber security than just the "hacker spots." There are a lot of other areas in cyber security that are equally important, although not necessarily with the rock star glitz and glam.

Q: What can you do if you want to start a career in this field and aim high for those senior-level positions?

Kron: I think a lot of what happens between the entry-level and the senior positions is an experience thing in many cases.

Some of it has to do with just the way you think as a person and how you look around yourself; how you see different things.

For example, when you’re in those leadership-sort of positions, one of the things that’s very important is being able to talk to other people in your organization’s leadership.

Let's face it: a lot of us who get into this field are very technical. That's what we like to do – live behind a keyboard – and we like to take care of things like that. We're oftentimes even introverted.

However, as we progress up in the field of cyber security, we’re going to be interacting more and more with senior leadership. With CFOs, with CIOs, even with the CEOs sometimes. These sorts of interactions become more and more prevalent in your day-to-day job.

What that means is that you have to understand how to speak the language of these folks. Quite frankly a lot of that comes from experience and doing it. And also, a good education will teach you the things to look for when it comes to that, and understanding how to deal with statistics and numbers and some of that creative writing stuff that you always thought would be pointless, quite frankly.

You know the old joke: I made it through another day without using algebra. It’s the same sort of thing. Eventually though you’re going to need those skills; you’re going to need that ability to be able to speak to those folks up in the senior leadership part.

If you want to get things done in your cyber security program, ultimately it’s speaking that language. I think that’s kind of the biggest difference, and most of that is gained through experience.

Q: So you are saying that communication is one of the most important skills you can have for senior-level positions?

Kron: That was one of the things that, quite frankly, as I started moving up in my IT and security career surprised me: how much more I ended up dealing with the people-side of things, as opposed to the keyboard.

In the beginning I was a guy jamming firewall rules and, you know, dealing with that sort of thing. Architecture stuff. That was great. I still love that part.

I'm essentially an introvert, but I've had to learn how to leverage my extroverted side in order to accomplish some of the bigger things. In order to go to leadership and say, "All right boss, this is what's going on in this incident and we need to be able to understand this, that, and the other thing." Being able to clearly communicate that has been absolutely vital in incident response.

And not only in that. In building out our program and going to the boss and saying, “I need so-and-so much money in order to accomplish this goal.” Being able to show how you plan on doing that and which direction you’re going to take in order to accomplish some measurable goals has been something that I’ve had to learn to do.

I don’t like politics. I never will. That’s part of the introverted part of me; I just like to deal with things and move on. But I’ve had to polish those skills when it comes to discussing things with people in the leadership.

I think you’ll find that over the years as you own this career, you’re going to find that you need to work on those communication skills and it’ll become more and more valuable as you move on.

Don’t wait until later to start developing those skills. Start working on them from the beginning.

Q: If you are new to this field, what is the best way to gain real-world experience in cyber security?

Kron: Sometimes you need to do a little work outside of the box in order to get started. And that’s always the biggest challenge: how do you get into something that’s going to want to see some sort of experience without having any experience, right?

The way I started is, I was a geek. I loved computers. I actually started out in electronics. I was in the Navy and I used to fix radar jammers back in the day.

I became more and more interested in computers as time went on. When I ended up getting out of the Navy I had a friend who happened to be involved in computers and I just started learning computers.

I just spent my evenings and weekends kind of delving into that world. Cyber security wasn’t really an industry at that time. Pretty much anyone who wore the IT hat – they kind of dealt with the security thing.

It was more of a combined sort of thing back then. But essentially I learned those things and I took the time to invest in gaining some experience.

Nowadays there are some absolutely wonderful local groups. (ISC)2 chapters. ISSA chapters. Any of those sorts of groups you may have in your local area are fantastic for getting in there and meeting people. Getting involved with people that are there.

There are educational opportunities that are usually free or very low charge; those sorts of things. And you get to meet other people that are in the field already.

That can become invaluable as you try to get that first job. Knowing somebody who will come up and say, “You know what, I know this guy doesn’t have a lot of experience. But I’ve met him here and I’ve talked to him here. He’s interested in some projects.”

That’s invaluable when it comes to getting that first job or getting your foot in the door. From there, you can’t stop and just rest on your laurels. This industry moves entirely too fast to do that.

For example: me, at home. I have my own lab set up there with some VMs, and I'm constantly tinkering. I'm trying this, and messing around with that. Seeing how this works and that works. Learning as I go.

It’s something I love to do. It’s something I’m fascinated with. So you’re going to need to kind of go into that mode if you want to be really successful.

And furthermore – to get your foot in the door – having that experience means that when you do get that interview, or someone gets you in for that first interview, you can say, "You know what, yeah, I run ESXi. I run it at home, but at least I'm familiar with it." As opposed to the candidate who says, "You know, I heard about that once."

That can make the difference between someone being willing to give you a chance, and not.

Q: It seems like today there are many different niches for career possibilities in cyber security?

Kron: What else is important to know is, even within cyber security itself, there are a lot of different directions to go. Not everything is what you see on TV. There are definitely places where people are sitting behind a keyboard and they’re doing attacks or active defense, but there are also as many people of equal importance that are writing the policies that are setting things up to help the users not have issues, if you will.

Making your organization more secure through things that some people don't think are quite as exciting as what you see on Mr. Robot or some of those other TV shows – being ready for audits, making sure you're compliant with what's going on – those are huge things to an organization.

But they often times get downplayed. However let’s say something does happen in your organization. You experience a breach and you find that you are not compliant with some of the regulations that you’re required to be compliant with. Things can get really really ugly. And it happens very very fast.

So this is where I’m saying there are definitely places in there to try out different types of cyber security whenever you can. Whenever someone gives you a chance to be involved in some other project. Even if it doesn’t seem like it’s something that necessarily aligns with your idea of cyber security, take that. Take that opportunity. Give it a shot and you might find that you really like it.

Personally, I've always been very technical, but I'm also not the hacker type. I don't code; I don't necessarily go down that route.

But what I do and have done very successfully is build very strong programs. In other words, access and identity management. Taking that and making it as secure as it can be, as easy for the users as it can be. Which in turn makes it easier for us.

If you require a lot of crazy things for access management or identity or passwords and things like that, people tend to be people and go around the system.

There’s a trick to getting in there and making it so that people are able to comply with the policies which make your organization more secure without it being a burden on them. That’s actually kind of a magic, quite frankly. Unfortunately it’s one that’s not noticed by a lot of people.

Q: Have you ever seen security breaches or hacks as they took place in real time?

Kron: My personal experience: I spent about 10 years working with the Department of Defense in a classified facility. So a lot of those sorts of things I can’t really talk about – the really interesting ones. However, we have seen a number of attacks happen against organizations I was a part of, since then and before then.

We had wide-scale viruses hit during the mid-to-late ’90s. We were fighting virus issues back then. One example: I was standing out in the hallway with a couple of the leaders of the organization – I was the IT manager at the time.

We were chatting about things. We had these little two-way pagers – we called them Barbie laptops – and as I’m talking to these folks all of our pagers went off at the same time. That’s when I knew, okay, something is not right.

I made a beeline straight in, unplugged the email server, and sure enough, we'd been hit by a virus. And that was a zero-day. We actually worked with a very large organization, and they had sent us an email, and it actually took the anti-virus vendors about two days before they were able to come up with a signature to find and remove this virus. It was a very interesting time. This stuff has been going on for years.

The bad guys have gotten more and more clever, and more and more technically adept at it. As we have as well. But the battle has been going on for quite some time now. It’s just getting more focused.

Q: Are there any particular niches in cyber security now that you can forecast as becoming much more important in the future?

Kron: When it comes to the future of cyber security and some of the niches that may be there, I don’t know, honestly, that there’s one that you need to focus on.

Quite frankly you need to work on things that deal with your natural skills and things that you enjoy doing. Because this is one of those jobs that if you don’t like what you’re doing you’re going to burn out very fast.

I worry sometimes that people are drawn to the spotlight with the things we see on TV and in the movies, and don’t really understand what they’re getting into. And they really drive towards being a part of that rock star mentality of the red team guys, the hackers, the ethical hackers, and such.

That may not be something that’s natural for you. And if you keep trying to put a square peg in a round hole, that’s not necessarily going to work out for you. So I think there’s a lot of important areas in cyber security that we need to focus on.

I think there’s a shortage of people, or there’s going to be a bigger shortage of people, that are interested in trying some of these other areas. Like policy development, architecture, and defensive side; what we call blue team. These are defensive people – not necessarily the ethical hackers – but the ones who are trying to get ahead of things and work on patch programs; those sorts of things to secure their infrastructure.

Try not to get caught up in the glitz and glam and make yourself go that direction because it seems cool. It’s a matter of finding the things that are natural for you or you will burn out pretty quickly.

Q: Do you have any advice for people considering the private sector or government work?

Kron: Some of the biggest differences I’ve found between, say, the Department of Defense and the private sector comes back down to certifications, quite frankly.

In the Department of Defense especially, there are some regulations that require certification for certain job titles. The private sector is typically a little more lenient on that when it comes to it, but in order to get your foot in the door in DoD and a number of government sectors that follow the same thing – the regulation is 8570.1 – what happens is that for your job they want you to show some certification.

That is the one place where I think certification is absolutely vital in order to get your foot in the door. Many times they’ll hire you without certification if you agree to get it very quickly, but if you really want to beat out those other folks and have a step in the game, some of the basic certifications based on which organization you want to go for will certainly help.

Things like Security+ are definitely a door opener when it comes to just checking that box in HR.

Now, in the private sector I’ve found that certifications are somewhat recognized but much less required. My experience was that I’d been doing this a number of years. I had a CISSP-ISSAP which is an architecture concentration of CISSP, and yet, I was being shut down at the door by organizations because I didn’t have a degree.

So I went back in about 2013 and I actually got my degree, even though I had a lot of experience and a lot of different background and certifications. I was not able to get past those points without it.

So depending on where you're at and what direction you want to go, a degree is definitely an important thing at certain points in your career, and it can be a door opener in some areas.

However in other areas such as DoD, the certification can be your door opener, where it’s not in the private sector.

Q: What are some of the most common cyber security threats one is likely to encounter?

Kron: Some of the main cyber security threats that I’m seeing right now, and even going into the future I think, have a lot to do with ransomware. This has happened over the last few years and it’s just exploded on the scene and quite frankly caught a lot of people off guard.

With Bitcoin becoming more and more popular – Bitcoin is a type of cryptocurrency that's very hard to trace; it's not backed by any specific government or anything like that – it has enabled the bad guys to do things that normally would be risky to do. For example, pretty much anything involving paying a ransom.

Where the bad guys usually get busted is on the exchange of money for the items. That's always a risky place. By leveraging cryptocurrency, that has pretty much dropped off as far as risk goes, or dropped very, very low.

So what we’re seeing is, we’re seeing the bad actors now leveraging different types of ransom attacks, whether they be crypto ransomware that encrypts all of the files on your computer, or your network even, and then charges you in order to get that back or get a decryption key. Or where they’re ransoming things like your organization’s proprietary information; essentially the secret sauce.

For example, if the bad guys were able to get a hold of the 11 herbs and spices for KFC, what would that be worth for KFC to pay for? Hackers have this mindset now, and they have a way to monetize that without a lot of risk.

And I see different types of these ransom attacks taking place more and more as we move forward. The other thing that’s happening a lot more right now are data breaches.

Just huge amounts of data are being pulled in, being taken off the servers, and all of this bad stuff that’s going on. And now this sort of information is able to be used against the victims.

Not only is your identity at risk – and identity theft is a real thing – but they are also able to craft things much more personally when it comes to attacking through phishing emails, through those sorts of attacks that are social engineering attacks. Now they know who you bank with. They know what credit cards you have.

Let’s be honest. The value of a credit card on the dark web these days is extremely low. They go through numbers so quickly and replace the credit card numbers – the life of them is so short – the value is extremely low on those.

But when somebody can get a hold of information such as your social security number, those sorts of things, and the information – the metadata – that goes along with it, that is a different story.

In other words, I know you bank at Citibank, therefore when I send you a phishing email I'm going to make it look like it came from Citibank, and you're going to be much more liable to open that email. If we can put the last four digits of the card number in the right-hand side of the email and say, "here's your card number," it lets people put their guard down.

These sorts of targeted attacks to get into organizations, to get you to launch malware, to get you to put in your credentials; those sorts of attacks are on the rise and they’re going to continue to be on the rise for quite some time.
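The attack Kron describes has a recognisable shape: a message names a bank the reader actually uses, quotes a real card fragment to build trust, then pushes an urgent action through a link on a lookalike domain. As an added illustration (not part of the interview, and not KnowBe4's code), the Python below scores a raw email on exactly those signals. Everything in it is constructed for the example: the allow-list of legitimate sender domains, the two sample messages and the lookalike domain are all assumptions, with citibank.com/citi.com used only because Citibank is the brand named above. Note what is deliberately not a signal: the attacker knowing your bank or the last four digits of your card, since after a data breach that is exactly what the attacker has.

```python
"""Heuristic brand-impersonation phishing scorer (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list: domains that may legitimately send mail for a brand.
# In a real deployment this comes from your own records or DMARC-aligned sender data.
BRAND_DOMAINS = {
    "citibank": {"citibank.com", "citi.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
# Matches "card ending in 4321", "last four digits 4321", "last 4 digits: 4321".
LAST4_RE = re.compile(
    r"\b(?:ending(?:\s+in)?|last\s*(?:four|4)\s*digits?)\b\D{0,10}(\d{4})\b",
    re.IGNORECASE,
)
URGENCY_WORDS = ("verify", "suspended", "locked", "confirm your", "immediately", "within 24 hours")


def registrable_domain(host):
    """Crude registrable-domain extraction (last two labels).

    Adequate for the constructed samples; production code should consult the
    public suffix list so that hosts like example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message; each reason is one signal.

    Personalisation (knowing the bank, quoting the last four digits) never
    lowers the score: breached data lets an attacker personalise just as well.
    """
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(addr.split("@", 1)[1]) if "@" in addr else ""
    text = " ".join((display, msg.get("Subject", ""), body)).lower()

    reasons = []
    brands = {b for b in BRAND_DOMAINS if b in text}

    # Signal 1: a brand is named, but the sender domain is not one of the brand's.
    for brand in sorted(brands):
        if from_domain not in BRAND_DOMAINS[brand]:
            reasons.append(f"mentions {brand} but From domain is {from_domain or '(none)'}")

    # Signal 2: links lead somewhere other than the named brand's domains.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        for brand in sorted(brands):
            if dom not in BRAND_DOMAINS[brand]:
                reasons.append(f"link to {host} while posing as {brand}")
                break

    # Signal 3: a card fragment quoted to build trust, combined with an urgent demand.
    if LAST4_RE.search(body) and any(w in text for w in URGENCY_WORDS):
        reasons.append("quotes last four digits and demands urgent action")

    return len(reasons), reasons


def is_phishing(raw, threshold=2):
    """Two or more independent signals is treated as phishing."""
    return score_message(raw)[0] >= threshold


# Constructed sample: the attack described above, with a made-up lookalike domain.
PHISH = """From: Citibank Alerts <alerts@citibank-secure-login.com>
To: victim@example.com
Subject: Unusual activity on your card ending in 4321

Dear customer,

We noticed unusual activity on your Citibank card ending in 4321.
Please verify your identity within 24 hours to avoid suspension:
http://citibank-secure-login.com/verify
"""

# Constructed sample: a benign statement notice that also quotes the last four digits.
LEGIT = """From: Citi Alerts <alerts@citi.com>
To: customer@example.com
Subject: Your monthly statement is ready

Your statement for the card ending in 4321 is available at
https://www.citi.com/statements
Thank you for banking with Citibank.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        score, reasons = score_message(sample)
        print(label, score, reasons)
```

The point the two samples make is that the same personal detail (a card ending in 4321) appears in both messages; what separates them is where the mail came from and where its links go, which is what a user, or a mail gateway, should be taught to check.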

Q: What is Kevin Mitnick up to these days? How has he influenced the direction of your company?

Kron: As far as Kevin Mitnick goes, he’s a very well known hacker. He actually does red-teaming now too where he’s on the ethical hacker side of things.

But really his story is fascinating. If you ever get a chance, read some of his books; Ghost in the Wires is a fantastic account of how this works.

Where Kevin was really strong, he was very good at the people-side of things and socially engineering people to do things and believe things. It’s just a natural skill for him.

We see that happening over and over again still, in the real world these days. That’s a skill that hasn’t really died out. And is actually being exploited more and more. It’s interesting to know that here he was able to accomplish these amazing things back in those days, and yet people are still doing this same sort of thing these days.

As the organization where I work, at KnowBe4, that’s really what our goal is. To try to teach people how to spot those social engineering attacks, through phishing and other means like that, so they can protect themselves against the very things that Kevin used to do and still does in his red-teaming or social engineering engagements through his organization.

We're really trying to teach people how to spot those things. How to say, "Something is not right with this." Hopefully, from the user level, they're able to get it to somebody in the security department or something like that, who can look at these things and make the actual judgment call as to whether, yes, this is malicious or not.

It’s a very powerful thing, and quite frankly, in the cyber security community many times we have decided to put a lot of effort into technologies, and not as much effort into the people-side of things. Technology is expensive, there’s a debt that comes with technology more than just money, and that is you need to have somebody with the skills to run these sometimes very complex systems.

That again comes back to the skill set shortage that we have; there just aren't that many people – especially in the cutting-edge stuff – who have already done it. I think where we need to focus a little bit is on the individuals, on the users behind the keyboards who already have access to our networks.

I personally have seen great results by doing that, as opposed to just putting in more technology that we then must run and maintain and update and pay for. I've seen some very good results with that.

I talk to people all the time. When I’m at these conferences or in these events I talk to customers that come up to me and are like, “this is just so good.” And the fact is, when it comes to cyber security there isn’t one thing that’s going to stop it all. Technology is not going to stop all of the attacks or all of the breaches.

The human factor, focusing on them, isn’t going to stop it all either. It’s about building layers of defense. You need some of those technical things. You need the human things. You need good backups in case the person does accidentally click on something.

It's all layers of defense when it comes to this, which is why it's important to understand that there are people who specialize in, or who work in, certain layers of the security onion and focus on these different areas. They can be very effective by helping combine all of those things to reduce the overall risk.