Organizations rely on Digital Shadows to be an extension of their security team. Our global team provides the latest tooling, relevant research, much-needed context, tailored remediation advice and managed takedown support to make our clients’ jobs easier and more efficient.
In our Security Spotlight Series, we bring our team out of the shadows and into the spotlight. In this edition, we profile Dr Richard Gold, Digital Shadows’ Head of Security Engineering.
Name: Dr. Richard Gold
Team: Security Engineering
Title: Head of Security Engineering
Q: What areas do you focus on as Head of Security Engineering?
A: My team and I work on pre-product development – that is, researching interesting and novel security techniques to see how we can integrate them into the product. We also focus on internal security, which includes performing security assessments such as Purple Team exercises, where we model and replicate both offensive and defensive attack techniques in order to learn how to best protect the organization.
Q: How have your past experiences helped you in your role at Digital Shadows?
A: For the last 20 years I have spent a lot of time doing networking, working with operating systems and programming – the three pillars of security engineering. I’ve always had a passion for security since I was a teenager, so working in this field is a dream come true. Doing a PhD also taught me the value of persistence, to keep going even though the solution may be quite far down the line and all hope seems lost.
Q: What have been your highlights working at Digital Shadows?
A: What I really enjoy is having an idea, doing some initial proof-of-concept work and then taking that into production alongside our engineers. Seeing that go live and then provide value to our customers is really exciting. Also, we’ve done a lot of large-scale reconnaissance projects for major financial institutions and enterprise organizations; these were always really instructive experiences to learn what organizations look like from the outside and how attackers use this information to perform their attacks.
Q: How do you see Digital Shadows’ work providing value to customers?
A: Our goal is to protect our clients and help our clients protect themselves. In Security Engineering we try to emulate attacker tradecraft as closely as possible and automate that in a scalable fashion to deliver to our customers. Through our research we seek to reduce our clients’ uncertainty around the risks that they face online.
Q: In your experience, what is the single biggest threat or risk that organizations fail to deal with effectively?
A: Two words: security debt. This is the accumulation of missed patches, unchanged credentials, misconfigurations, and the lack of attack surface reduction typically caused by the scaling issues that appear as organizations grow. These things add up over time to cause some very significant risks to organizations.
Q: What is the most commonly misunderstood problem in cyber security?
A: That you can buy your way to security without putting the time in to really get to know your environment or your tools. Security is all about the details, and that’s a big job. You need to understand how your environment operates, where the flaws are, and how attackers can then take advantage of those flaws.
Q: What advice would you give someone starting out as a security engineer?
A: Learn networking, operating systems and development. Security is really a mindset – it’s about how you view these technical areas. You need to have experience of using, building and maintaining systems to appreciate the challenges.
Q: What is one thing that most people don’t know about you?
A: I have been training in traditional Japanese martial arts for over 12 years.
Interested in hearing more from our team? Check out our blogs or subscribe to our weekly threat intelligence podcast, ShadowTalk.
Richard Gold is an information security professional experienced in both offensive and defensive security, as well as security engineering. He has worked for Cisco on web proxies and Secure Development Lifecycles (SDLs), AGT International on Internet of Things/SCADA and, currently, Digital Shadows in various security-related roles. He is particularly interested in open source intelligence (OSINT) reconnaissance, Advanced Persistent Threat (APT) campaigns and offensive security techniques. He is a Certified SCADA Security Architect and holds a PhD in Computer Networking.