Summary:

Timothy De Block speaks with Bruce Johnson of TekStream about a truly innovative solution to the cybersecurity skills shortage: the Student-Powered Security Operations Center (SOC). Bruce outlines how this three-way public-private partnership not only provides 24-hour threat detection and remediation serves as a robust workforce development program for university students. The conversation dives into the program's unique structure, its 100% placement rate for students, the challenges of AI "hallucinations", and how the program teaches crucial life skills like accountability and critical thinking.

The Student-Powered SOC Model

Workforce Development: The program tackles the cybersecurity skills shortage by providing students with practical, real-world experience and helps bridge the gap where new graduates struggle to find jobs due to minimum experience requirements.
Funding Structure: The program is built on a three-way private-public partnership involving the state, educational institutions, and Techstream. The funding for the SOC platform is often separate from the academic funding for student talent building.
"Investment Solution": The model is positioned as an investment rather than an outsourced expense. Institutions own the licenses for their SIM environments and retain built assets, fostering collaborative value building.
Reputational Value: The program provides significant reputational value to schools, boasting a 100% placement rate for students and differentiating them from institutions that only offer academic backgrounds.
Cost Savings: It serves as a cost-saving measure for CISOs, as students are paid an hourly rate to perform security analyst work.

Student Training and Impact

Onboarding and Assessment: The formal onboarding process, which includes training on tools, runbooks, and hands-on labs, has been shortened to six weeks. The biggest indicator of a student's success is their critical thinking test, which assesses logical reasoning rather than rote knowledge.
Progression and Mentorship: Students are incrementally matured by starting with low-complexity threats (like IP reputation) and gradually advancing to higher-difficulty topics, including TTPs (Tactics, Techniques, and Procedures), utilizing a complexity scoring system. Integrated career counseling meets regularly with students to review their metrics and guide their career planning.
Metrics and Productivity: The program has proven successful, with students handling 50% of incident volume within a quarter of onboarding, including medium to high complexity threats.
Beyond Cybersecurity: Students gain valuable, transferable life skills, such as collaboration, accountability, professionalism, and "adulting", which helps isolated students become more engaged.

AI and the "Expert in the Loop"

Techstream’s Overkill AI: Techstream uses its product, Overkill, for 24-hour threat detection and remediation, automating analysis, prioritization, and the creation of new detections to go "from zero to hero in 24 hours".
Expert Supervision: Their approach is "expert in the loop" , meaning humans (students and analysts) are involved in supervising the AI, with automation being adopted incrementally as trust is built.
The Hallucination Challenge: Timothy De Block raised concern about students lacking the experience to discern incorrect information or "hallucinations" from AI output. Bruce Johnson affirmed that the program trains students in three areas: using AI, supervising AI, and understanding AI broadly.
Training Necessity: Students must learn how to do the traditional level one work before they can effectively supervise an AI, as experience is needed to detect when the AI makes a bad assumption.

Support the Podcast:

Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.

Social Media Links:

[RSS Feed] [iTunes] [LinkedIn][YouTube]

Summary:

In this episode of Exploring Information Security, host Timothy De Block sits down with Thomas Ritter, a seasoned attorney specializing in cybersecurity and privacy law, to discuss the often-overlooked legal complexities surrounding incident response (IR). From breach terminology to ransomware negotiations, Ritter shares insights from his years of experience navigating legal pitfalls that can arise when responding to security incidents.

Key Takeaways:

Understanding "Incident" vs. "Breach": Ritter emphasizes the importance of careful communication within an organization during a security incident. Misusing legally significant terms, like "breach," can lead to premature obligations, such as breach notifications, which may have serious consequences for an organization.

Attorney-Client Privilege in IR: External counsel's role can extend attorney-client privilege over critical aspects of IR, including the involvement of forensic specialists. This protection can prove essential if an incident escalates into litigation.

Ransomware Negotiation Nuances: With ransomware incidents on the rise, Ritter provides a detailed look at the negotiation process, advising organizations to work with professional negotiators. He recounts instances where attackers leveraged knowledge of clients' cyber insurance coverage to increase ransom demands.

Tabletop Exercises for IR Preparedness: Ritter highlights the value of tabletop exercises, especially involving executive leadership. He notes that regular, comprehensive drills help organizations refine incident response policies and minimize legal exposure during actual incidents.

Navigating Class Action Exposure: As data breaches often trigger class action lawsuits, organizations must take steps to prepare, including consulting legal professionals to reduce risk through privilege-protected documentation.

Resources Mentioned:

International Association of Privacy Professionals (IAPP): A valuable source for privacy and security trends.

Cybersecurity Law Report: An in-depth publication on current legal issues in cybersecurity.

Ritter Gallagher Blog: Thomas Ritter’s firm provides regular insights on emerging legal topics in cybersecurity.

About Our Guest:

Thomas Ritter is a cybersecurity and privacy attorney at Ritter Gallagher, where he focuses on helping organizations navigate the legal landscape of security incidents and data breaches. For more information, or to get in touch, visit RitterGallagher.com or email Thomas directly at thomas@rittergallagher.com.