Jack Koziol is Founder & CEO of Infosec, a company that specializes in fortifying organizations and their employees against security threats with award-winning security and privacy education. Recognizing that cybersecurity is everyone’s job, Infosec provides skills development and certification training for IT and security professionals while building the security aptitude of the entire workforce with awareness training and phishing simulations. Recognized as a Gartner Peer Insights Customers’ Choice for Security Awareness Computer-Based Training, Infosec is also a Training Industry “Top 20 IT Training Company” and the Security Training & Education Program Gold Winner in Info Security Products Guide’s Global Excellence Awards.
You initially began working in cybersecurity at Harris Bank back in 2003. What did your work entail, and how has the industry shifted since?
I was the only cybersecurity professional working at the bank in 2003. We had other cross-functional roles at our corporate parent, BMO, but I was the only full-time employee dedicated to cybersecurity at that time. Changes in technology — and their associated risks — have dramatically impacted the industry since my time at Harris Bank. Cybersecurity budgets and team sizes have increased by at least tenfold to keep up with the cybersecurity threats targeting the financial services industry. What I was assigned 15 years ago as an individual contributor is now likely managed by a team of over 100 cybersecurity professionals.
While you were working at the bank you published “The Shellcoder’s Handbook”, one of the first books on ethical hacking. What was your mindset at the time of writing this book?
When I wrote the book, the primary forum for exploit-related information sharing was a mailing list called BUGTRAQ. The Shellcoder’s Handbook made this somewhat arcane information more accessible by sharing it with a much wider audience in an easy-to-understand way. So many people at that time wanted — and needed — to learn about exploit writing. I knew I could teach others how to write software exploits with hands-on examples from my own experience. Selfishly, I also wanted to get out of working for the bank and take my career in a different direction.
Could you share the genesis story behind Infosec?
It all started after I published The Shellcoder’s Handbook. Its popularity drove needed interest and awareness of ethical hacking and software vulnerabilities, leading to multiple requests to teach boot camps on the software exploits covered in the book. I used vacation time to teach a few courses but eventually ran out of PTO, so I quit my day job at the bank and spent the next couple of years traveling around the world teaching people with corporate jobs how to hack. It was quite fun.
During that time, the software industry exploded. New tools and platforms introduced more security risks, which led to an even larger need for cybersecurity training. And as cybercriminals expanded their targets from software to include software users, the demand for role-based, scalable cybersecurity education skyrocketed.
It was at that point that Infosec scaled our educational services via software as a service and developed the world’s largest cybersecurity education platforms, Infosec Skills and Infosec IQ. Both platforms provide role-relevant, hands-on training to the entire enterprise to empower employees with the knowledge, skills and confidence to outsmart cybercrime. Today, more than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent and teams, and more than 5 million learners worldwide are more cyber-resilient thanks to Infosec IQ’s security awareness and phishing training.
Could you discuss some of the more popular cybersecurity certificates and courses that are offered by Infosec?
Infosec provides role-based cybersecurity education for the entire organization — from the accounting department to the SOC team. Since Infosec is vendor neutral, it’s probably not surprising to learn some of our most popular boot camps are those that prepare students for in-demand certifications like the CISSP, Security+ and Certified Ethical Hacker (CEH). What makes Infosec unique is the way we prepare students for their exams. We use a combination of immersive lectures and hands-on labs in the cyber range to help students learn by doing and teach valuable skills that can be immediately applied to their jobs. The Infosec Skills cyber range is one of the most popular learning experiences in the platform, and something we are heavily investing in this year.
On the security awareness and training side, our newly released Choose Your Own Adventure® Security Awareness Games have completely changed the way our clients deliver security awareness and training to their employees. We partnered with the team behind the Choose Your Own Adventure® brand to bring the excitement and mystery of the popular gamebook series to security awareness and training programs across the world. The games put learners in charge of their own security awareness training program with interactive storylines that encourage critical thinking and decision making — while keeping training fun.
How important is building employee awareness of cybersecurity threats?
Building employee awareness of cybersecurity threats provides benefits beyond corporate data security and compliance. Beyond the obvious advantages of helping organizations avoid expensive, often detrimental, security incidents, cybersecurity education programs protect employees both at work and at home. Knowing how to avoid a phishing attack or secure an IoT device can protect employees from devastating personal losses and even threats to their families. Understanding how to stay safe online isn’t just a work thing anymore — it’s a life skill. We couldn’t be more proud to help our clients protect their businesses, clients and staff from cyber threats and bad actors.
What’s the most common way employees fall victim to exploits or hackers?
Most cybersecurity researchers agree that the majority of data breaches can be attributed to human error. The latest IBM X-Force Threat Intelligence Index study reports ransomware, data theft and server access as the three most common attack types in 2020, and scan-and-exploit, phishing and credential theft as the top three initial attack vectors. Phishing is a very serious and common security threat and thus is covered extensively by the media. The reality is that while many breaches start with phishing and malware, the extent to which hackers gain access to sensitive information and systems is often a reflection of the organization’s IT infrastructure and overall security posture. The recent SolarWinds incident is just one of many examples where something as simple as a stronger password policy or a more effective security awareness program may have prevented a major breach.
Bottom line: cybersecurity knowledge gaps at any level of the organization pose security risks to the organization and should be mitigated with employee security awareness and education.
Cybersecurity is always evolving. How often do employers and employees need to re-familiarize themselves with potential cyber threats?
As security professionals, we’re never done learning. It’s our responsibility to evolve alongside the needs of technology — and the new vulnerabilities they may introduce — to stay ahead of cybercrime. We recommend at least 1-3 hours of dedicated learning per week for cybersecurity professionals, and monthly awareness training and phishing simulations for non-technical staff.
Adult learning experts often quote Ebbinghaus’ Forgetting Curve to drive home the importance of frequent employee training. The theory essentially states that without spaced repetition to reinforce new knowledge, employees will forget 90% of new information within one month.
Hands-on technical training through a cyber range or gamified security awareness through a Choose Your Own Adventure® Security Awareness Game are just a few ways we help our clients learn by doing and maximize knowledge retention. Continuous learning programs like these inspire secure habits while helping build a culture of security at the workplace.
Thank you for the great interview. Readers who wish to learn more should visit Infosec.