JOSH DAVIES | PRINCIPAL TECHNICAL PRODUCT MARKETING MANAGER, FORTRA | LONDON
Tell us about your journey into the Cyber Security industry
I did not always see myself in cyber security, initially going down a legal career path. I’d encountered cyber security in my legal studies, and found it fascinating how cyber criminals were able to evade prosecution by operating in grey areas. I have always been a bit of a jack of all trades and gravitated towards new challenges and when I was given a chance to prove myself as a level 1 analyst, I threw myself at it.
“I had transferable skills and the ability to learn quickly, so despite my lack of any formal education in computing, being able to learn at pace was even more important as the threat and technology landscape shifts and evolves so frequently. It's the ultimate equaliser!”
Cyber roles:
I began work in the ‘log review’ team, manually reviewing the last 24 hours of company logs to identify abnormalities or suspicious activity. This was largely a compliance exercise, and these days is almost entirely automated. Then, I moved on to incident triage and response. My role involved triaging live attacks and potential incidents, identifying the techniques used and investigating the surrounding data to determine whether the attack had been successful.
As I grew into the role, I started participating in threat hunting exercises, manually investigating threat data to find the attacks that go undetected by analytics engines, usually because they are so new (zero-days / emerging threats) or because they are hidden amongst loads of noisy, legitimate activity.
“I found threat hunting very rewarding, especially when we would identify novel exploits or track sophisticated threat actors and advanced persistent threats (APTs).”
I then found myself working as a Solutions Engineer - this was a presales role, supporting sales from a technical standpoint, ultimately understanding organisations’ security challenges and positioning solutions that could address those challenges. I had planned to move into digital forensics for a consultancy company but took an opportunity to apply my technical skills to a sales role. This began my journey away from security operations but opened many other security-related doors.
Tell us about your current role
I now work in product marketing for Fortra.
“Fortra is a new name in cybersecurity, created in late 2022, it unifies many well-known security brands such as Cobalt Strike, Alert Logic, Outflank, Tripwire, Agari, PhishLabs and Terranova, to name a few.”
Fortra delivers security products and managed security services. Our vision is to unify the many disparate areas of security, to create a unified security platform which breaks down silos and optimises the potential of each solution by integrating them together in a meaningful way.
I’m currently Principal Technical Product Marketing Manager at Fortra - I often joke that there are so many words in my title because they were trying to hide ‘marketing’ from me.
My role involves, among other things:
- Commercial product management, identifying new opportunities for product and service development
- Analyst engagements, briefing market analysts on our latest capabilities and direction
- Competitive analysis, understanding rival security services and tools
- Thought leadership: evangelising on security best practices, raising security issues and encouraging discourse around new challenges and emerging technologies
- Product releases, creating content such as use cases and product documentation
- Supporting marketing initiatives from a technical perspective, ensuring they are accurate and responsible in messaging
“Someone once told me that the world needs: 1). clean energy, 2). clean air and water, and 3). clean information, and that security is part of challenge 3. I really like that, and while I’m removed from the ‘foot soldier’ work of responding to cyber-attacks, I believe that the work I do contributes towards better security for everyone.”
One of the big points I champion, is the need for collaboration within security. This is collaboration across internal teams, companies, security vendors and governments. Security needs to be seen as everyone’s problem, attempting to solve it in isolation may keep you safe, but every successful hack can be monetised. Money that can then be reinvested into the adversaries' operations can lead to more sophisticated and successful attacks. The Ransomware criminal industry is a great example of this.
I get to work with loads of business units. Obviously, marketing, sales and product, but I also get to touch all areas of the business to make sure I understand what they are doing and tell the complete story of what we achieve together. This includes engineering, customer success, support, deployment, threat intelligence and SOC.
What does a typical day look like?
I mostly work from home but try to get to the office regularly. My company has a large US presence, so I have a lot of afternoon meetings with the US. Occasionally I travel to conferences to give talks, or support events. I also meet with our partners to discuss innovations and strategy and, occasionally, customers.
My day varies based on my current projects, which is great. It will usually be split between researching latest developments in security tooling and the threat landscape, creating content around products and services, writing blogs or articles, creating presentations, educating and enabling on security, or doing market analysis.
What are your career goals for the future?
As a former law student, my intention was to do security and eventually transition back to law as a “cyber lawyer”, being able to combine expertise in cyber security and law. Cyber law is still quite a murky area, with a lot of issues around attribution and global cooperation. I’m sure we will see the field develop and I may find myself combining my skills.
However, there are so many avenues in security to explore. I have always had half a plan but am sure to approach any opportunity available with an open mind. My journey through various security roles has shown me the variety of career paths available. I aspire to hold a CISO role in the future, and to be able to create and implement a security strategy for an organisation.
But who knows where this will take me! I would never have expected I would have a role in marketing when I began my cyber security journey.
What is the best thing about working in the cyber security industry?
It is fast paced and dynamic. Tech changes, people change, and threats change. In a game of cat and mouse, the good guys will always be the cat chasing the mouse. You need to be constantly learning, challenging preconceptions, and evolving. It is a great leveller, that allows junior analysts and security veterans alike to have informative inputs on the topics of today.
“It has a great purpose and it’s exciting. Discovering and dealing with a compromise offers a level of drama and intensity that you can experience from a desk.”
What advice would you give to others thinking about pursuing a career in cyber security?
Do it! The ‘cyber skills gap’ continues to grow, despite a surge in the number of qualified professionals, there has been a greater increase in open security positions. That said, it can be scary.
“Find a community of people who can support you, where you feel comfortable asking questions, where you are drip fed information on and around security so that you’re constantly improving, even if it's through osmosis.”
What would you say are the 3 most important skills you use in your role, and why?
Problem solving, Communication and Collaboration.
What do you like to do in your spare time?
I'm a keen athlete and a gamer. I like to cook and collect music which I sometimes mix on some old DJ equipment. Outside of my professional life for Fortra, I run a cyber education website, socials and discord server with four former colleagues and friends. Our aim is to democratise cyber security knowledge, catering to those with an interest, those wishing to get into the industry, and even those already in.
We are working on a certification course with funding from the Welsh government. We are four security professionals without a formal education in security before being successful in the security industry. Our course looks to combine the theoretical knowledge needed, with practical skills that will help people hit the ground running in their first cyber security job.
How can the cyber security sector offer better support to retain and progress those currently in the industry?
Organisations should focus on development of their analysts with certs, exposure to different roles and dedicated training time during work hours. The security industry is moving towards a hybridisation of cyber security roles, so look to expand their responsibilities when they are ready. The easiest way to lose a security analyst is to bore them. Of course, there is a challenge that you invest in an analyst, and they move on, but organisations should invest in other areas, such as compensation, culture, and perks to retain staff. Employees should be encouraged to be given a platform and share their cyber experiences and knowledge with the community.
When you transferred into cyber, what transferrable skills were the most useful for you?
Law included a lot of analytical, problem solving and critical thinking skills. Security is essentially the same, except it is machines that are subject to ‘laws’ in how they are created to function. Humans then look to abuse these functions for malicious purposes. In applying these ‘laws’ to every situation, we can determine the outcome and make a value judgment on whether this is a legitimate or illegitimate use.
My education in ancient history was also helpful, although it is less obvious. Looking at critical moments and understanding how it influenced subsequent events and society resonates with forensic investigations where you must identify the breadcrumbs of compromise and post compromise activity while devising hypotheses to inform where to look next. Another parallel is being willing to explain when you’ve done a lot of work and found nothing as that is also valuable insight!