Episode details:

Unlock leadership strategies to elevate your cybersecurity career and get perspective on quality pentesting providers versus commodity ones with Tunde Oni-Daniel's expert insights.

We’re welcoming Tunde Oni-Daniel to Agent of Influence with NetSPI Field CISO, Nabil Hannan, to discuss leadership skills and quality penetration testing. Tunde is the head of technology, operations and engineering at OneMain Financial, where he’s responsible for balancing business demands with technical delivery to secure data in a highly regulated industry. He brings 27 years of security experience across industries and has deep expertise in building business driven security programs. 

In this episode, you’ll hear his journey from cybersecurity technologist to team leader and advice to enhance the skillsets of anyone considering their own career evolution. He also discusses tangible ways to evaluate the quality of pentesting providers and how to tell a highly skilled one from a commodity one. 

Show notes:

Walk us through the journey of your career path and how it evolved over time.

Tunde’s journey to becoming a leader was unexpected and rooted in a deep passion for technology. From a young age, he reverse-engineered devices to understand their inner workings, driven by a desire to solve problems and improve upon existing technology. This hands-on approach fostered a deep understanding of the technical aspects of his field. 

As his career progressed, he realized that solving technical problems required collaboration and that technology solutions were a team effort. He found himself naturally transitioning into leadership roles, where he leveraged his technical skills and learned to work with and lead teams effectively

A pivotal moment came during his transition to the military, where he studied leadership and observed various leadership styles. This experience highlighted the importance of intentional leadership, as opposed to simply being thrust into a leadership role. He noticed the difference between effective and ineffective leaders, which motivated him to develop his own leadership style. 

As such, Tunde adopted a servant leadership approach, focusing on enabling his team to succeed. This strategy proved successful, as it encouraged team members to follow and support the overall goals. By stepping in to guide teams through challenging situations and promoting positive experiences, he drove successful outcomes and fostered a collaborative environment. 

Tunde’s journey underscores the importance of continuous learning, teamwork, and adopting a leadership style that resonates with both the leader and their team. By focusing on servant leadership, he’s been able to drive transformation and achieve success throughout his career. 

“I realized that one couldn’t solve technical problems alone, that it required a team sport. No matter how good you get at solving problems, you need other people in that evolution to get things properly solved.”

Have you experienced situations in which leaders are promoted because of their technical acumen, and not necessarily because of their people management skills? How do you navigate that?

Tunde discusses the common issue of promoting technically skilled individuals into leadership roles without ensuring they have the necessary people skills. He points out that while these individuals might understand the technical steps to move projects forward, they may lack the ability to influence, negotiate, and navigate through challenges effectively. 

He highlights that technical experts are frequently placed in leadership roles because of their technical know-how. However, this often leads to ineffective leadership if they cannot engage and develop their teams. He notes that these leaders might prefer working independently rather than managing people, leading to team inefficiency. 

Tunde shares his own journey of preparing for leadership by focusing on communication and business skills. He pursued an MBA to gain a better understanding of business dynamics and improve his financial acumen. He emphasizes the importance of continuous learning and self-improvement, particularly in areas that don’t come naturally. 

“Learning is always a continual state of mind. We need to continue to be in a state of learning. I learned well in a class where someone is conveying information. So I went back to class to learn more about how I work and to improve my communication and leadership skills.” 

What are some techniques to influence people and convince them to get on board with your security initiatives — especially given the challenge of cybersecurity being seen as a cost center?

Tunde emphasizes the importance of demonstrating the value of security investments. One key metric he uses is the return on security investment (ROSI). This involves showing how the organization’s investment in people, processes, and technology for security purposes provides tangible value, despite diverting funds from other areas like customer enablement or infrastructure. 

Tunde explains that to justify these investments, it is crucial to prove their effectiveness through various metrics. For example, when implementing an endpoint detection and response technology, the process involves tracking the entire implementation timeline, successful deployment, and the subsequent improvements in detection and response metrics. Program management plays a critical role in this phase. 

Post-implementation metrics are then used to showcase the improved state of the security ecosystem and the return on the security investment. He highlights the significance of showing reduced incidents, improved detection, and better response rates as indicators of successful security investments. 

He stresses that businesses want to ensure their investments are yielding value and not hindering operations. Therefore, it’s essential to demonstrate that security measures enable the organization rather than obstructing its effectiveness. By presenting clear and impactful metrics, leaders can successfully communicate the value of security investments to their company stakeholders.

“Ultimately it comes down to how you show the value in metrics, and the value of what’s being done. Organizations want to know they’re getting their value for what they’ve invested… and make sure it’s not blocking business but enabling the organization.” 

As an organization that is heavily regulated and requires pentesting to meet various demands, can you explain the quality differences you see between pentesting providers and share specific questions you ask to determine their true capabilities?

In discussing the importance of quality in penetration testing, Tunde emphasizes that a high-quality pentest delivers genuine value. He distinguishes between thorough penetration testing and what he terms “drive-by” pentesting, which involves superficial methods like unauthenticated scans or basic vulnerability assessments. Tunde stresses that effective pentesting requires clear rules of engagement and a well-defined scope. This includes specifying whether the test is black box, red team, gray box, or another type. 

He further explains that a comprehensive pentest should outline the environment being tested, including whether it involves production or non-production systems, and should consider various factors such as user involvement and physical security. Tunde notes that a quality pentest is characterized by an organization’s deep understanding of the client’s needs and the ability to develop a tailored strategy for risk mitigation

In summary, he advocates for a nuanced approach to pentesting, where quality is determined by the depth of engagement and the alignment of the testing strategy with the organization’s specific risk profile and needs.

“If they come with the capacity of understanding my organization, who I am, what we’re trying to solve for, and then they’re able to bring a proper strategy to the campaign, the source, or the risk mitigation, then it’s a different kind of conversation in regards to a proper quality test.” 

What questions do you find effective in determining the technical competency of a pentesting provider, particularly regarding the qualifications of their assigned testers?

Tunde highlights a common issue he refers to as the “bait and switch” strategy in penetration testing. He stresses the importance of ensuring that the person leading the conversation is directly involved in the campaign. Often, the person who presents well or has strong technical knowledge may not be the one executing the test. Therefore, he always asks whether the person he is speaking with will be involved in leading the campaign. 

From a strengths perspective, Tunde emphasizes that the practitioner should have a deep understanding of the code, especially for application pentesting. This includes knowledge of syntax, programming languages, and the specific codebase in use. Such expertise allows for the identification of potential vulnerabilities and the development of effective attack strategies. 

Tunde also notes that a thorough evaluation should include a review of both open-source information and the company’s external presence. He warns that a superficial review of available resources can lead to disappointing results. Ensuring that proper rules of engagement are in place is crucial to avoid unauthorized access and to accurately define the scope of the assessment.

“Rules of engagement are very important to ensure you’re not poking around on people’s systems.Rules of engagement are very important to ensure you’re not poking around on people’s systems.” 

What methods can be used to evaluate the quality of pentest results after completing a test with a provider?

Tunde addresses the importance of validating penetration test findings to ensure their accuracy. He notes that if a finding is flagged as a false positive, it undermines the reliability of the results. Therefore, it is crucial for the penetration test provider to thoroughly validate the efficacy of each finding before reporting it as a risk. Accurate validation prevents the misclassification of informational data as high-risk threats and maintains the trustworthiness of the provider. 

He also discusses the impact of technological advancements, particularly large language models (LLMs) like ChatGPT, on the field of cybersecurity and penetration testing. He acknowledges that automation and sophisticated techniques can enhance efficiency by speeding up tasks and combining exploits. However, he emphasizes that complex vulnerabilities, such as blind SQL injections or remote file inclusions, require human ingenuity to fully exploit. These types of vulnerabilities involve patterns that need persistent and creative approaches to address. 

While LLMs can support the process, Tunde believes that we are still far from automating penetration tests entirely. Not all codebases and libraries are standardized or mapped in a way that models can fully understand and exploit. As new code and techniques continue to evolve, there remains significant work to be done before achieving complete automation in penetration testing.

“Ensuring that the pentest provider validates the efficacy of the finding before it’s actually provided any degree of risk is a very important thing.” 

Is there any advice you would give to individuals early in their cybersecurity careers to help them accelerate their journey and make it more fruitful?

Tunde offers this advice to those in the industry, “Don’t give up. Stay persistent and keep learning. Always remain in a constant state of learning because the field is continuously evolving.” 

He emphasizes the importance of staying engaged and adapting, noting that acquiring new knowledge and skills enhances one’s capabilities. 

“Stay hungry to learn. Learn how to get better. Continue to transform yourself and continue to improve yourself. You never know what you’re going to need. It is information. That information is not lost. Information is transformed, utilized to make yourself better and improve yourself every single day.” 

To catch more episodes, visit us on YouTube, your favorite podcast platform, or at NetSPI.com/agentofinfluence. If you’d like to join the conversation or suggest a guest, reach out to us at podcast@netspi.com