Hello World! Let me introduce myself – my name is CQ. Don’t ask me what that stands for, I really can’t remember without checking my driver’s license. I’m an SE for a high-tech networking and security manufacturer. I love this job! I get to spend my time with a variety of wonderful customers, I often get to expense sushi lunches, I am constantly learning new things, and all I have to do in return is perform an occasional miracle or two.
I am starting this column to share some of my trials and tribulations with you. I won’t bore you with an SE’s job description or resume, you can Google those things. Instead, I intend to periodically share anecdotes and challenges from my real-world travels as a senior systems engineer. These will include technical, professional, training, and even business issues. Yes, to be a successful SE, you absolutely need to master all of those topics – although this is primarily a technical job, it also entails building relationships with the customers, understanding their businesses, and working as a team with other colleagues (sales, marketing, product management, etc.) from your company. If you just want to sit in your pajamas and produce Python code all day long, then this job really isn’t for you.
Today’s discussion topic could be subtitled, “Selling Something Isn’t Always the Best Solution.” With that in mind, I want to tell you about a mid-sized university that was deathly afraid of ransomware. And they should be – after all, at least a dozen major universities were hit with ransomware attacks in 2023, and those are just the ones that we know about. Sadly, over half of them actually paid the extortionists.
We had already successfully sold this customer all possible types of security platforms, and I was confident that they were all properly installed and configured. To date, we have installed all of the following solutions:
- Antivirus, anti-malware, and endpoint protection software
- Firewalls with advanced threat protection
- Email filtering
- Cloud services (CASB)
- Sandboxing for downloads and email attachments
- Threat intelligence with lists of known command and control sites
- Multi-factor authentication
- AI-based behavioral analytics and monitoring
No solution is ever absolutely 100% bulletproof, despite the claims of our enterprising sales folks. However, this solution really was as good as it gets. And yet, the university was still worried about ransomware. Of course our ambitious sales team wanted to sell more features, interfaces, and services. But frankly, none of these would actually further fortify the school’s defenses.
We decided to meet directly with the customer in a casual setting that included adult beverages in order to try to better understand their concerns. We spent a lot of time going over various technical scenarios, while trying to pinpoint the weakest link in their current security architecture. It turns out that their biggest weakness wasn’t any hardware or software – it was the users. (Remember the incredibly expensive MGM breach last year? It happened because someone phone-scammed and voice phished (“vished” as the cool kids say) a member of their Help Desk team.)
Instead of selling the university more equipment, we had a member of our Technical Education Department work with them to develop “best practices” training curricula for all of their users. We raised awareness regarding phishing emails, texts, and other media. We taught them to avoid clicking on suspicious links. And we emphasized the importance of verifying any requests for sensitive information.
The bottom line:
Additional Revenue: $0
Happy Customer: Priceless
Stay tuned for more nerdy columns about my experiences as an SE.
By C.Q. Ritty