OT cybersecurity jobs are everywhere, so why is nobody taking them? | Guest Mark Toussaint

Show Notes

Mark Toussaint of OPSWAT joins to talk about his work in securing operational technology, and specifically about his role as product manager. This is an under-discussed job role within security, and requires great technical expertise, intercommunication skills and the ability to carry out long term campaigns on a product from, as he put it, initial brainstorming scribblings on a cocktail napkin through the creation of the product, all the way to its eventual retirement. Learn what it takes to connect security engineering, solutions experts, project management, and more in the role of security product manager, and how OT security connects fast, flexible IT and cybersecurity with systems that, as Toussaint put it, might be put in place and unmodified for 15 or 20 years. It’s not that hard to connect the worlds, but it takes a specific skill set.

0:00 - Working in operational technology
1:49 - First getting into cybersecurity and tech
3:14 - Mark Toussaint’s career trajectory
5:15 - Average day as a senior product manager in OPSWAT
7:40 - Challenges in operational technology
9:11 - Effective strategist for securing OT systems
11:18 - Common attack vectors in OT security
13:41 - Skills needed to work in OT security
16:37 - Backgrounds people in OT have
17:28 - Favorite parts of OT work
19:47 - How to get OT experience as a new industry worker
21:58 - Best cybersecurity career advice
22:56 - What is OPSWAT
25:29 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

 

 

Chapters

• 0:00: Security Product Manager Talks Career Evolution
• 9:10: Securing Operational Technology Environments
• 16:34: Transitioning From IT to OT Skills
• 27:07: Cyber Security Awareness Training Series

Transcript

Chris Sienko: 1:10

Okay, today on Cyber Work, Mark Toussaint of OpsWatt joins me to talk about his work in securing operational technology and, specifically, about his role as product manager. This is an under-discussed role within security and requires great technical expertise, intercommunication skills and the ability to carry out long-term campaigns on a product from, as he puts it, initial brainstorming scribblings on a cocktail napkin, through the creation, creation of the product and all the way to its eventual retirement. Learn what it takes to connect security engineering solutions, experts, project management and more in the role of security project manager, and how OT security connects fast, flexible IT and cybersecurity with systems that, as Mark put it, might be put in place and unmodified for 15 or 20 years. It's not too hard to connect these worlds, but it does take a very specific skill set and you'll find out about that today on Cyber Work.

Chris Sienko: 2:03

Hello and welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. My guest today, marc Toussaint, is a senior product manager at OpsWatt. Marc joined OpsWatt in 2023, bringing him a strong cybersecurity background and a proven history of providing comprehensive cybersecurity solutions to a wide range of critical infrastructure industries. With 30 plus years of experience at high tech and B2B companies ranging from startups to large multinationals, he is now focused on accelerating the launch and market acceptance of the NetWall product line for OpsWatt. Prior to joining OpsWatt, mark held senior product management roles at Owl Cyber Defense, bell Howell and Pitney Bowes. He's based in Connecticut. Mark holds a BS in plastics engineering from the University of Massachusetts and an MBA from the University of New Haven.

Chris Sienko: 2:59

So, mark, thank you so much for joining me today and welcome to CyberWork. Thanks, chris. Thank you for having me. Okay, I realize I usually ask beforehand, tucson, is that the correct pronunciation of your name? Yes, okay, and OpsWad is how you about it? Okay, I thought as much. Just wanted to make sure. Okay, to help our listeners get a better sense of your background, we always like to sort of dig into where you got interested in this stuff first. So what was your earliest interest in computers and tech and security? Was there like a moment, you know, when you were a kid or a teen or in college or whatever, that really got you excited about it?

Mark Toussaint: 3:33

It really happened after college. You know, I came out of school with a degree in plastics engineering but I was hired by a company that wrote software for the plastics industry and over time I just gravitated towards the software side of the business and at that time a lot of manufacturing was being shipped overseas. So reading the tea leaves, you know it made a lot of sense to move on to the high tech side of you know opportunities out there. So that was really sort of the starting point of, you know, getting involved in technology.

Chris Sienko: 4:08

Now, once you sort of got it's hooks in you like that, did you study formally like in school, did you self-teach yourself, did you get books, did you just kind of ask around Like what, how did you sort of feed the obsession?

Mark Toussaint: 4:21

Pretty much just learned. You know trial and error on the job.

Chris Sienko: 4:24

Okay thanks, yeah, so we had a past and frequent guest, susan Morrow, who started out in chemical engineering, and she said she enjoyed the process of securing her specimens in the network more than she enjoyed actually doing the work, and so that's how she knew she was a person for security. So it sounds similar for you as well. So, yeah, so I usually will look through a person's LinkedIn profile to get a sense of their sort of career trajectory, and yours is fascinating and varied, but also it's pretty focused, because that you've had several product manager roles at companies known for their technical products, like Bell Howell and Pitney Bowes, while also always frontlining the security component in each one. So can you tell us about your career evolution and what you learned at each stage of your journey, maybe a couple of transformational moments or projects, and what those gave you as far as skills or qualifications?

Mark Toussaint: 5:17

In terms of transformational moments. I mean, at one point I evolved into a sales role and did that for a couple of years and I really wasn't that happy. I didn't like cold calling and just some of the aspects of the role weren't for me and kind of came to the conclusion that I needed to figure out. You know where to next and you know I came across a book called what Color is my Parachute?

Mark Toussaint: 5:44

Oh yeah, you know it really helped you focus on what skills you're good at and ultimately you know the skills that you're good at. You're most likely going to like what you do if you are able to find a role. So in that time period I did a lot of work with the automotive industry and Ford, gm, and really what I enjoyed most about it was working with them to help them define you know what they needed in products, and that, you know, sort of led into my first product manager role, where that was just an area that you know I really gravitated to because it really it took a combination of technical and sales skills to be successful in that role.

Chris Sienko: 6:25

Yeah, well, that's, that's that was. That goes nicely into my next question here, because a lot of our listeners sort of get a sense of what kind of work they want to do in cybersecurity by hearing what people do in cybersecurity. So I was going to ask if you could talk me through your average day as a senior product manager at OpsWatt. Are there certain things that you do every week? Are there certain tasks that are common? And yeah, and talk a little more about the sort of cross point between the sales of it and the technical expertise of it.

Mark Toussaint: 6:54

Yeah, I mean an average day like, for instance, this morning I came online and I had three requests for support one in Turkey, one in the Middle East, one in one of them in Taiwan. So typically, you know, I would address technical questions or commercial questions that our solutions engineers around the world have, or commercial questions that our solutions engineers around the world have. You know I may later on today meet with the marketing department to review, you know what efforts around my product lines are ongoing and what we want to do next. That will be followed by a customer call supporting, you know, sales activity. Other days, you know will be more, you know, focused around. If I have writing to do, maybe I have to write product requirement documents and things like that.

Mark Toussaint: 7:41

I'll block out time, but it's really, you know, a varied role and you know every day is a little bit different, but you know supporting the sales organization and then you know, looking, engaging with customers to understand. You know, looking, engaging with customers to understand, you know what their needs are and how the market is evolving. Part of that you know. For instance, today I'm arranging meetings for subject matter experts in a different vertical market that we don't address today to try to understand how might we, you know, move OpsWap products into a new vertical market segment? And you mentioned on the role. It's a unique role and one of the challenges of product management that makes it a hard thing to do is that most product managers are individual contributors, so nobody works for you. Yet you rely on all the functional disciplines within an organization to be successful, and you know you have to have credibility and you have to be able to be very collaborative to get to where you need to be from in terms of the goals of your product line. So that's something that's unique about the role.

Chris Sienko: 8:50

Yeah, that was what I was going to say is hearing that you're working with, like, client success and you're also working with the engineers. You're very much the sort of conduit in terms of the problems, the solutions, but also seeing the big picture. So you're juggling a lot at the same time, aren't you Exactly? Yeah, yeah. So today's topic we've been talking a lot about operational technology, industrial control, manufacturing, the last couple of episodes here, and so, thanks to a few all-time inquiries and a lot of great introductions, this is going to be the focus of this month of CyberWorks episodes. So I wanted to talk to you about the OT side of things. Can you get our listeners up to speed on the current challenges we face in a set of increasingly connected operational technology environments?

Mark Toussaint: 9:34

on the current challenges, we face in a set of increasingly connected operational technology environments. Yeah, I mean, you know I don't think it's any secret that critical infrastructure has been, you know, a central target for bad actors out there to hack. And it's critical because if you, you know, if you are breached, there are, you know, power outages, there can be safety issues, you know people can be harmed if equipment, you know, doesn't do what it's supposed to do. So there's also financial risks that, if you know, associated with getting hacked. So you know it's important that we can secure the OT environment and protect, you know, inbound threats and you know there's any number of technologies out there that really you know provide sort of a defense in depth approach to securing these OT assets.

Chris Sienko: 10:21

Yeah, so yeah, I've had a bunch of great guests on the show talk about industrial control and infrastructure, and many of them went straight to the OT challenges, especially Emily Miller and Leslie Carhart and Teresa Lanowitz, so I know a bit about the issues around the sort of delicate balancing act. The sort of delicate balancing act of sort of harnessing modern network and cloud network security practices to connected networks of machines that aren't necessarily built to those same flexible specifications for things like firmware vulnerability, patching and so forth. So in your work so far, what have you found are the most effective strategies for securing OT systems? And I know it's probably varied from industry to industry, but especially as things like IoT take formerly static pieces of machinery and chain them together in patchwork ways.

Mark Toussaint: 11:02

You know in terms of the challenges, I mean a lot of the. A lot of the OT systems that are utilized, you know, to generate power or refine oil and gas have been in place for 20 years. They're old and they were not designed with security in mind. So there's a couple things in my role with the NetWall product line. We enforce unidirectional data flow so we can get data out of the OT environment to IT to do things like predictive maintenance, analytics and so forth. But we need to deploy these types of technologies so that we can get data out but nothing can get in.

Mark Toussaint: 11:44

There's also threats by portable media bringing in USB sticks, so we need to have multi-scanning technologies and deep content inspection to ensure that you know if a vendor comes in with you know some new firmware that they're not infecting your you know your OT network. So there's any number of technologies. We work with customers a lot to help them with network segmentation and things like that. So there's a range of you know, analytical and network-based tools out there that you know. Really, as I mentioned before, it's not any one single technology, it's a defense in depth.

Chris Sienko: 12:28

Yeah, so I mean, like I said, I've heard so many different kind of approaches and that's one of the things that's so interesting about this is there's so many different approaches. But it sounds like yours is very much like a very strong sort of perimeter wall around the OT. That is kind of like a porous wall that only sort of allows you know sort of outward through your product there. I mean, it's a lot different from other things that I've heard where you know they're getting very sort of granular in securing you know individual processes and so forth. Sure, yeah, that's interesting. So you mentioned memory sticks and other sort of incoming threats. What are some of the most common attack vectors for security compromise across industry and connected OT security issues? What are the ways that attackers are getting in?

Mark Toussaint: 13:10

Yeah, I mean it could be. You know remote access, which opens up threat vectors into the OT network. It could be, as I mentioned, portable media. And in addition, you know organizations have historically a lot of connections out of OT or into OT, whether that be for remote access, whether it be for vendor support, and so often you know they have, you know, ports open and access into the network that they don't even know about. So you know we work with customers and try to get them to inventory all their connections into and out of you know, the OT network.

Mark Toussaint: 13:49

I saw a presentation once where a company counted they had 238 connections into and out of OT. Many of them were no longer used yet they had open ports to the outside world. So and then, if you know, if you get in through one of those open ports you know we saw there was a water treatment plant in Pennsylvania where it is suspected that they had PLC controllers that used the default factory passwords, which are readily available on the Internet. So that combination of a threat vector in and then poorly configured devices is a recipe for disaster.

Chris Sienko: 14:33

Yeah, no, 2023 seemed to be the year of asset detection, like it was the first time I heard everyone talking about know every single connection point in your network, because the thing that you, you know, had an intern on seven years ago and thought was disconnected is not actually disconnected and it's still a point of contact.

Mark Toussaint: 14:50

That's absolutely correct.

Chris Sienko: 14:51

Yeah, yeah, yeah. So that's going to be a big part of this, I think, going forward like this, so, yeah. So, as I say at the top of the show, mark, the goal of CyberWork is to help students and new cybersecurity professionals sharpen the skills needed to enter the cybersecurity industry, whether at a single company like OpsWatt, or as a freelancer or consultant for hire, Like what are you know and you have like a rank of skills across the board because of your need to sort of connect with different departments. But what are the most important skills or experiences or trainings or certifications or soft skills they need to actively pursue OT security work.

Mark Toussaint: 15:32

You know a lot of, a lot, of a lot of people come into OT from IT. It's a much bigger field and so you know it can be challenging to get into the OT space because it's a different set of skills than the IT world. But, you know, take classes, get certification. What I can say is that there's a lack of candidates in the OT arena that really are knowledgeable and have experience in OT, so that there's, you know, there is a great opportunity out there for people that have those skills. So I think you know there's OpsWAT has, you know, basically a university that we, you know, make available. There are certification programs out there. Try to do something to get you know the OT on your resume. You know, and, like I said, there's a lot of opportunity in the OT space because there's not a lot of people that are trained in OT technology, that are trained in OT technology.

Chris Sienko: 16:34

Yeah, Is there sort of a bulk set of skills that people who come to it from IT to OT like what are the big things that you see are missing in someone's skillset when they make that jump?

Mark Toussaint: 16:47

Well, you know, for instance, coming from IT, they haven't had hands-on experience with PLCs and RTUs. The protocols that are used in industrial control systems are very foreign to the IT world. So you need to learn about what types of hardware technologies are there. You need to learn about what protocols customers use to communicate within OT and then from OT to IT. So those are some of the. You know the things that are different. And again, you know the IT hardware and software world has very frequent refreshes and you know, in the ot world, as I mentioned, you may build a system and install it and get it up running operationally and you and just leave it for 20 years, 20 years, and that's very different in the it world yeah, no, absolutely now.

Chris Sienko: 17:47

Um, yeah, that's a. That's a really good point. To that end, do you do people who are getting into this from it or more kind of tech side of things need to have any kind of like engineering or physics background or anything like that? Or do you just need to know how to do the securing rather than how to sort of find people?

Mark Toussaint: 18:05

Yeah, I think you know there's people that are in the OT from a very wide range of backgrounds. They're not all from IT. Many of them, you know, come from the engineering side of the world. So it's a real range of types. But you know, many of the control system engineers are, you know, came from that engineering world and then you know, from the cybersecurity standpoint, they have had to sort of evolve to develop those skills. And likewise, with the IT side, you know they've needed to evolve to build out those OT skills.

Chris Sienko: 18:38

Yeah, yeah, no, that's a really, really great point. Now, yeah, so like if a listener is coming to this and they're thinking this sounds interesting, but they're unsure about whether this type of work might be for them, can you talk about your favorite parts of the work you do? What are things that keep you excited and keep you pushing to do your work every day?

Mark Toussaint: 18:58

Well, you know, I like working with customers and understanding you know their needs, their requirements and as well as the market. And you know, from a product management standpoint, you get to see the product lifecycle, literally from, you know, scribbling on a bar napkin to developing that product, launching that product, uh, managing it through its life cycle and then, you know, bringing the product to end of life when it's, you know, no longer, no longer useful. So it's it's very, you know, unusual for you to be able to touch that whole, you know, lifespan of a product and manage that. So I find that exciting. I also, you know, I like, you know going from, like I said, taking you know concepts and ideas and you know morphing those into a product strategy and then bringing that to market. So you know just the role I find always very interesting and, you know, never sort of rubber stamping. Yeah, you know, your day doesn't consist of that.

Chris Sienko: 20:05

Well, and also because people who are just starting their career journeys don't always think of you know, can only think of, like the fun, sexy parts of a job. What are the things about your job that you really have to be okay with doing over and over again, that people might not think of, like certain reports or certain like oh, I gotta do this meeting again.

Mark Toussaint: 20:22

I gotta do this thing you know, I don't, I don't know that I I can think of anything like that every day. There's a bit of variation, okay, uh, all many customers are, you know, have different sets of circumstances that you need to work with, and you know the idea that you know you're looking at. You know where do we go next with this product, where do we, or what products? You know, are there unmet needs in the market where you know we can bring a product to market to fulfill that need? So I don't know that. There's one aspect of the role that I, you know, is sort of drudgery.

Chris Sienko: 20:57

OK, yeah. So when, when someone is, you know, done with their studies and wants to get into, you know, and is in that uncomfortable space of like I have no experience, but I need experience, like like for for OT environments like this, is this something where you could like volunteer with like a local you know industry? Like, how do you get experience when you're like fresh out of school or like a new face, like that?

Mark Toussaint: 21:23

Well, I think you know from my role, from a product management it's often difficult. Most product managers don't start off out of school as a product manager. They come from either the technical side or the engineering side and in many cases you know from a marketing type role. So it's often not just a you know you're where you want to be immediately. You have to sort of plan ahead and get yourself in a role that positions you to do that. Now, from the OT side, I think anything you can do for getting trained on cybersecurity, getting certifications, as I mentioned. There's not a lot of these skill sets out there, so there is opportunity. So from a technical OT perspective, I would say try to take some classes in cybersecurity or get some certifications. There's a lot of different approaches that you can go to get that experience on your resume.

Chris Sienko: 22:28

With regards to there being so many open spots and so few sort of available candidates. Is this a skills mismatch or is there just not enough people interested in this type of work? Do you think Like what's the mismatch?

Mark Toussaint: 22:42

I think it's probably a skills mismatch that a lot of you know a lot of cybersecurity. You know trainees came come from the IT side and you know, even though, even though there's a lot of opportunity in OT, it is not as widespread as opportunity for IT because there's so much more IT effort than there is, you know, ot effort.

Chris Sienko: 23:08

So there's a lot of space for people in OT, but there's a lot, a lot of space for people in IT is what you're saying yeah exactly. Okay, got it. So it's a scale of things. Okay, all right. So as we wrap up today, mark, I wonder if you could tell our listeners the best piece of career advice you ever received, whether it was a mentor or a teacher or colleague that gave it to you.

Mark Toussaint: 23:25

You know I kind of touched on that that you know, find out what you really like to do and there's a good chance that you know. Once you find out what you like to do, you'll be good at it. You know plan ahead. You won't get to where you want to be right away. And you know, in terms of my role, you know you need to understand the technology. You need to understand, you know the skills of the product management role in order to be credible and successful. So, yeah, I think.

Chris Sienko: 23:59

Yeah, know what you want to do with yourself before you start doing something.

Mark Toussaint: 24:04

It's simple, but it's, you know, it's true.

Chris Sienko: 24:06

It's simple, but it's. You know it's true. It's simple, but it's true. Yeah, exactly so. Okay, so before we go today, Mark, you've talked a little bit about it, but tell us all about OpsWat and the work that you do to protect crucial infrastructure.

Mark Toussaint: 24:16

Okay, you know OpsWat's been around for 20 years and our focus is on securing OT environments. So we have a very broad range of products that, as I mentioned, it's not a single product, it's a defense in depth approach. So we have products for scanning portable media. We have products that enable you to go out and discover all of the IoT assets. Look at what versions of firmware are on those.

Mark Toussaint: 24:43

My role is in what we call data diodes and unidirectional gateways. My role is in what we call data diodes and unidirectional gateways and it's a hardware-enforced security that assists customers in getting that valuable data out of OT to the IT world so that we can do business analytics, predictive maintenance and so on. We have industrial firewalls and just a whole host. There's been a trend in the industry where traditionally OT cybersecurity you know there was more of a best in breed approach where you had many, many vendors in your shop and now, as the industry has matured, it seems we're going full circle. So customers now are looking to purchase you, to purchase as much as they can from a single vendor, just for efficiency and one organization to work with. So that's something that we're seeing in evolution and OpsWatt is well positioned for that because of the breadth of the product offering.

Chris Sienko: 25:46

Yeah, yeah, and I was going to say we hear that a lot about. If you sort of patch together your system from lots of different things, you don't really know which ones are the most secure and which aren't. So if you're working all from the same vendor like that, I imagine that's got to be a bit of personal relief as well. Yeah, exactly, yeah, so all right.

Mark Toussaint: 26:02

Well, one last question for all the marbles here If our listeners want to learn more about you, mark Toussaint, or Opswot. Where should they look online? Well, opswot, you know Opswotcom. We have a real wealth of information. You know, we pride ourselves on being thought leaders in the OT space. So there are white papers, there are, you know, e-books. There's just a wealth of information on the Opswot website and you can just Google me and see some of the things that I've done presentations and things like that. There's any number of things out there available on the web.

Chris Sienko: 26:39

Oh good, so there's actual. You have speaking engagements and things that you've done that are recorded. Yes, oh cool, all right, well, I will go check those out as well and hope our listeners do as well. So, mark Tussauds, thank you for joining me today. This was a lot of fun, all right. Thanks, chris, for having me, and thank you to everyone who watches, listens and writes into the podcast with feedback.

Chris Sienko: 26:56

If you have any topics you'd like us to cover or guests you'd cosec institutecom slash free, where you can get a whole bunch of free and exclusive stuff for cyber work listeners. Learn more about our new security cyber security awareness training series. Work bites, a smartly scripted and hilariously acted set of videos in which a very strange office staffed by a pirate, a zombie, an alien, a fairy princess, a vampire and others navigate their way through age old struggles of your whether it's not clicking on the treasure map someone just emailed you making sure your nocturnal vampiric accounting work at the hotel is VPN secured or realizing that, even if you have a face as recognizable as the office's terrifying IT guy Boneslicer, we still can't buzz you in without your key card. Anyway, go to the site and check that out for the trailer.

Chris Sienko: 27:38

Infosecinstitutecom slash free is still the best place to go for your free cybersecurity talent development ebook. Here you'll find in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, icf professional and more. One more time, that's infosecinstitutecom slash free, and the link is in the description below. One last time, thank you to Mark Toussaint and Opswa, and thank you all for watching and listening Until next week. This is Chris Senko signing off, saying happy learning.