We are now live with episode 19 of the Cyber Talent Series!
Join Thomas Rogers, Co-Founder of Skillbit, as he connects with Grant Smith, Red Team Lead at Ally and CEO & Co-Founder of Surface Security, to discuss breaking into offensive security. Grant shares how his experience leading red teams shaped his approach to mentoring talent, evaluating candidates in the age of AI-assisted interviews, and balancing technical expertise with strong people skills. He also discusses the launch of Surface Security, the evolving browser security landscape, and how AI is reshaping both phishing attacks and modern security defenses.
Check it out on the SkillBit (formerly known as MetaCTF) YouTube and Spotify channels!
YouTube
Spotify
Transcript:
Thomas Rogers (0:00)
Welcome to the Cyber Talent Series, where we explore how organizations are closing skills gaps, accelerating onboarding, and building high performing cyber teams. My name's Thomas Rogers. I'm the co-founder of SkillBit, and today I'm talking with Grant Smith. He's a red team lead at Ally, and the CEO and co-founder of Surface Security. Thanks so much for coming on, Grant.
Grant Smith (00:29)
Yeah, thanks for having me, Thomas.
Thomas Rogers (00:30)
Cool. Can you just give a little bit more about your background? Would love to hear how you got started in cyber, and what led you to where you are today.
Grant Smith (00:37)
Yeah, yeah, sure. So obviously, I'm Grant. Started out in offensive security early on, starting in the defense space mainly and working through internships and various job roles there before landing at the Walt Disney Company on their Red Team. Worked there for a few years, did some fun, cool stuff, as you can imagine with Disney, but then moved on to a bank. So I became a Red Team lead there. And then now, transitioned more onto the blue team side and detection side where we're building out detections for phishing attacks and dynamically detecting them rather than relying on threat intel feeds and static signatures.
Thomas Rogers (01:10)
So I know you did a bunch of stuff even before that, before you got into industry. Do you mind sharing what you did dating back to college? You went to, you know, a second-rate university in Virginia. I've never heard of them actually, just kidding. So Grant went to Virginia Tech, which is an awesome school and awesome cyber program.
Grant Smith (01:24)
Yeah.
Thomas Rogers (01:30)
So yeah, could you share a little bit about what you did there? You actually did some work with Skillbit back in the day too. So I'd love to hear more about that.
Grant Smith (01:36)
Yeah, sure. Started off really young, I really wanted to get into security because I wanted to get around things. I like to get around things. When I was a kid, we had parental controls on our family computer. I could only do like 30 minutes of screen time a day.
That wasn't enough for me because I was playing in Grepolis at the time, and I had to build my city. And so found a way around those parental controls to add an admin user through Mac safety boot. And that was my first hack. And I loved it from there. Loved playing pranks on kids in school, hacking into the lab computers through their default passwords and making the computers talk to people when they're on them. Fun stuff like that.
That all kind of came to wraps though when one of our IT admins figured out what I was doing and caught on to some of the stuff that I was doing, which may have not been legal even though I was underage at the time. They kind of took me under their wing though, didn't report me to the cops or anything, and pointed me to pentesting. I'd never heard of offensive security, never heard of pentesting. And they showed me what that was, gave me some resources on it, so that I could go major in cybersecurity at any of these colleges that I wanted to go to. And so I did. I went to Virginia Tech, ended up down there, a second-rate university down in Virginia. And I loved it. I joined the cybersecurity club there. That's where I really started to kick things off with my learning through the different club lessons, CTFs that we do. The first CTF I did, before MetaCTF was renamed Skillbit, that was my first CTF, was MetaCTF up at UVA. An incredible learning experience, realized how little I actually know, but how much I love learning in that industry. And yeah, eventually started doing internships, worked with Army Cyber Command, worked with the National Security Agency and some other schools and organizations around that space. And eventually, yeah, I was doing some challenges for Skillbit. I was doing some challenges for various CTFs that we were running down at the school. Eventually became president of the Cyber Club down at Virginia Tech for a year right before graduating. From there, landed at the Walt Disney Company on their Red Team and then Ally Financial as their Red Team lead. And now here at Surface Security doing things on our own now.
Thomas Rogers (03:46)
Sweet. I mean, I think a theme for your background is just learning by doing and just figuring things out even before you maybe necessarily, like, fully understood how to do something or why to do something. How much of that has, like, played into your professional career, approaching problems that you see at work? I love kind of this, the hacker mentality of, rather than, like, just figuring stuff out versus, you know, deliberating too much or overthinking anything.
Grant Smith (04:14)
Yeah, exactly. That's the mentality you kind of have to have if you're working in engineering and cybersecurity. If you work in, even as, like, an entrepreneur in cybersecurity, you have to be able to think on your feet and make decisions based off the info that you have and that you're able to research and figure out within a short span of time, because you're always reacting to constantly changing situations. Whether it's you're responding to an incident, you've got to figure out what you need to contain as fast as possible rather than figure out every single device on your network that could possibly be infected and contained. No, you need to start with contain this and then we'll expand out from there as much as possible. That's just an example. And yeah, as an entrepreneur, you're doing the same things. Like, I was in a business major. I've never managed finances before I started a company and never did any of that.
And you kind of just have to learn about it. You gotta learn on the fly. You gotta do your research, but also still over research and not get too sucked up in making everything perfect. You do the best you can and you keep moving forward rather than pausing for too long and falling behind.
Thomas Rogers (05:20)
So when you talk to people that are trying to get into cyber now, or maybe, you know, your direct reports or people that you've worked with closely that are early in their career, how does that shape the advice that you give them? Curious the types of questions you hear and kind of advice you give people who are wanting to grow in their career but maybe aren't quite sure what to do.
Grant Smith (05:41)
Yeah, yeah, I really tell them to find an area to focus on. Security is, like, a broad industry. It's not just, oh, I know Active Directory or I know networking. It's cloud security now. It's AI security. There's compliance and GRC. There's so much other stuff out there that falls under security that has its own different niche roles. And if you can fill that role, most teams aren't looking for just a security person, they're looking for somebody who can fill a specific role, such as cloud security or AI security or a red teamer that knows web apps or a person that can do their SOC 2 compliance and make sure it's up to date.
There's all these different roles out there. They're so specific and so niche you can find what you love, do that, become an expert in that, and then find a role that fits that rather than just be an expert at nothing but generalist at everything.
Thomas Rogers (06:32)
What have you learned about, I guess, the communication side of things within cyber, whether it's working with other teams in the organization to share things you're finding, whether it's people that you're working with directly on your team. Cause I think a lot of kind of individual contributors when they get started in their career and engineers in general, I think a lot of people like to kind of be in a silo and just do the work and really enjoy that. So how has your perspective on communications changed?
Grant Smith (07:00)
Yeah, it really changed when I became a lead. As just an engineer or intern or red teamer, all those different roles, all ICs as you said, individual contributors, you don't really have to worry about what's happened above you too much. You report up your findings, you report up your project, you fix that issue, report that bug. And then it's just handled by somebody else; you don't really have to see, like, a remediation follow-up.
As a lead and as you get higher up in an organization, you start managing those handoffs from one team to another, and you start managing those relationships between teams. And specifically in Red Teaming, that involves a lot of trust because you're coming to different orgs or different and saying, hey, we're going to go into your live production system and not take it down. Please trust us to do that. And it's hard. It's hard to do that. It's hard to convince people that.
So you have to have a good track record. You have to have good relationships with other folks that they might trust already. And it's a lot of building relationships, networking, and building trust with other teams. And that's just my experience in the offensive side of things. With every other team, it's essentially the same thing, though. You have to, as a SOC manager or security automation manager, you have to have the trust of other organizations and different teams to say, hey, let's install these agents on your machines, and we're not going to mess them up. We're not going to slow them down, but please just trust us on that. And so that just takes trust and networking and time. It's all people skills at that point.
Thomas Rogers (08:40)
I think a lot of people think that when you think about a pentester or OpSec engineer or something, they sort of skew towards the technical skills being the most important part of the equation. And I think that obviously is important. But how would you assess that versus, you know, some of the things that you just talked about? And how would you kind of blend the importance of those two?
Grant Smith (09:03)
Yes, technical skills obviously are huge in security. Having strong technical skills is important, especially for an individual contributor role, but it's not everything. I want you to be able to do these highly technical things and then be able to report out those specific findings in a way that people can understand, not just other security engineers, and even they might not fully understand it, even if they're the app owner or system owner. You have to be able to translate to them on a technical level so that they can remediate it and also translate it for higher-ups in some sort of executive summary type manner.
And finding somebody that can do both of those effectively is really hard. And so we'll do technical assessments of applicants, and they might be able to solve every machine in the lab that we give them during the assessment. But then the report is terrible because we don't understand what they did. We don't understand why they're doing it this way, how the system can be fixed, how it can be remediated. You need to be able to translate all of those both in writing and verbally during your brief-out to app owners and system owners and executives if it gets up to that point.
Thomas Rogers (10:09)
How much harder has AI made that evaluation? Like trying to figure out a person's skills and like what they understand and kind of all that stuff.
Grant Smith (10:17)
It's made it a little bit harder. Obviously there's people using AI in interviews, and there's all these different apps to do it nowadays.
But there's a cost-benefit you've got to deal with. You can't stop everyone from using AI and you can't detect everyone using AI. And so we use AI in the workplace now. Every organization basically is moving that route. And so it's becoming more and more okay to use it. And so I think allowing them to use it on different tasks in a manner that doesn't compromise their integrity or the integrity of the test.
So whether it's just simply asking AI questions about certain things or having it write a quick script for you, like, that's totally fine. Like, you're going to do that in the workplace anyways. But when we're doing, like, a technical interview, and we see somebody clicking off to the side or, like, a reflection in their glasses of an AI summary appearing on their screen, that we don't fly with and we're not going to pick that person. And you can't catch them all, but it eventually comes out based on just how they're speaking; you can tell they're reading something. You do have to know your soft skills, but AI does help throughout the process.
Thomas Rogers (11:21)
And that's where I think the assessing for the soft skills is so much more important, understanding the person holistically. And you can tell if someone understands one of the labs, you're talking about the labs that you all use in assessing candidates. If you ask someone to talk you through it, they might be able to write a report, or an LLM can write a report for them, but if they can't explain, or you ask a couple of follow-up questions, I feel like it's just, like, going deeper into more of a case study process than just a traditional, like, let's check the box and prove that they have baseline technical capabilities.
There's so much other important stuff. And that doesn't even hit on some of the behavioral stuff. Is this person curious? Are they a hard worker? Are they good to work with? A lot of those things, which you can kind of suss out in these sorts of case studies, cyber range environments.
Grant Smith (12:18)
Yeah, exactly. And it's so easy to tell if somebody actually likes what they do, loves what they do, is interested, just based on, like, a few personality-based questions. Like, you don't even have to dive in technically. But if we're talking about, what did you do back in school? And they're like, oh, I was part of the Cyber Security Club here. I started the Cyber Security Club here because there wasn't one, or joined these different CTFs when I was in school. You can tell that person likes what they're doing and is active in the space and really interested in expanding their skillset.
Thomas Rogers (12:51)
One of the ones we asked recently was, what was the most interesting CTF challenge you've seen recently? Because yeah, a lot of the candidates we talk to will share how excited they are about CTFs and how often they do them. And then you ask them what's the most interesting CTF question you've seen, and if they don't have an answer, it means they probably aren't actually as active as they say they are.
So yeah, interviewing is such an art, just trying to dig deeper than surface level and try and understand it. It's really, I think the hardest part is actually, like, I don't think I ever did a virtual interview, obviously, until post-COVID. And so, like, so many of the interviews before that were in person, and I think there's a lot you can pick up when you're able to do interviews in person that it's tough to catch virtually. And yeah, people can't just, like, tab switch during an in-person interview.
Grant Smith (13:36)
Exactly.
Yep, exactly. Makes it a lot easier.
Thomas Rogers (13:45)
So now you've had some leadership roles. I know you're earlier in your career too, but even dating back to college, like, at Virginia Tech, leading the cyber club. How do you think about leading in cyber? What do you think are some of the most important things with regard to that?
Grant Smith (14:00)
Yeah, leading cyber is similar to some other leadership roles and not similar in other ways. It's an interesting one because it's such a technical field, such a fast paced field, ever changing. But some of the core leadership principles of delegation and caring about your people.
Those are the two big ones that I've taken away, and a lot of us who are technical in the cyber space don't like to trust other people to do the stuff that we used to do or we think we could do better, at least for right now. And so when you get into a leadership role, you can't do everything. There's not enough time in the day to do it. Then you're going to burn out real quick. Finding a way to give tasks off to people that you trust and that can handle them, even if you don't trust them right off the bat, building a way for them to learn about how to correctly do it in the way that you would do it yourself and teaching them and mentoring them that way, that's the biggest part.
So that now you trust this person, you've given them the insight. Yes, they might get it wrong one or two times, but now, after that second time, you can trust them with that task because they're doing it exactly how you would do it, hopefully, or maybe even better because they have more time to do it.
And then with caring about your people, it's very straightforward for the most part. If you don't care about your people, they're going to burn out. They're going to not like you. They're not going to work with you. It's tough.
You've got to come in caring about your people every day, caring about them outside work. They come in to work. They're not leaving their personal life at the door. It's not Severance. They're going to come in. And if they're having a bad week, bad month, bad day, that's going to affect their work performance. And then that affects you. And so you've got to treat them like humans. You've got to ask them about their life in a professional way. Obviously, you don't want to dive into random stuff about their life if you don't need to, but you've got to give them time to take care of themselves, use what flexibility you have as a leader in that organization to give them the space that they might need, give them the time they might need. Or if they're really excited and they're just like, hey, or not just excited, but they want to distract themselves with work, like, hey, I got this task that is really down your alley, like, you're really interested in this, go focus on this and get your mind off whatever other thing you might be thinking about. So it's not just, like, giving them time and space. It's also, okay, here's this work that you really want to do rather than this really mundane work that you're already feeling pretty bad about today, go focus on this fun project instead.
Thomas Rogers (16:21)
What have you learned about feedback? I'm sure it's fresh enough for you where you've been on the receiving end of it in the workplace, which isn't always the most fun. And then you also presumably have had to deliver feedback as well. What have you learned about how to do that?
Grant Smith (16:33)
Yeah.
Don't beat around the bush. Be direct and to the point. When you're giving them feedback, don't just say, okay, everything's good, everything's good, until it adds up and it's bad. Cut things off right away when they're starting to get bad rather than waiting for it to get worse, which it hopefully won't. And also that allows them to fix that issue right away rather than keep doing the same old thing that you don't like or is reflecting poorly on you as a leader, and yeah. It's really being upfront with people. People like honesty; people can tell when you're being dishonest or beating around the bush. Just be straight up with them. Don't give them any BS, essentially.
Thomas Rogers (17:12)
I totally get that. I think that the last part of your prior answer, when you talked about just caring about people, I think that sets up and makes the feedback thing so much easier when you have the relationship with the person so that they understand that this is coming not from, like, a place of you did something wrong, but from a place of, like, I know there's more in there and this wasn't, you know, the quality that we need or, you know, something like that. We had a whole episode a few weeks ago that was about, like, psychological safety within teams, of feeling like, yes, this person cares about me and is invested in my career. So when the feedback comes, it's not, you know, oh no, the world is falling. It's like, hey, this person works with me and cares about me and wants me to do my best work. So yeah, I mean, I think that that sets it up and makes it so much easier.
So I want to shift a little bit. So I heard an interview recently with Brian Chesky, the Airbnb founder, and he was talking about, it was actually a very bullish position on AI and just how the future is going to be. It's almost going to, like, cut out the pure people manager, where managers are going to be kind of player-coaches, where they're going to be doing work too, but they're also going to be there as leaders and managers, but not just managers. I mean, now you're running a startup, obviously doing a lot while leading. And then I assume as a red team lead, you're also, it's kind of similar. You can't just delegate everything. So what's been your experience with that, leading by doing? And I guess how much real work are you doing these days?
Grant Smith (18:48)
Yeah, I'm still doing a lot of real work. So, when you first started giving that quote from him, I was kind of sussed out a little bit, but I actually kind of agree with it. And so, AI allows you to do more with the time that you have. And managers and leaders don't usually have a lot of that time, because you're sitting through meetings, you're scheduling things, you're delegating tasks, you're organizing, you're meeting with people.
There's so much going on in your day and a lot of it is just talking to people and getting things organized. Being able to do those individual tasks, if it's able to automate some of those away in a way that is acceptable to you, then yeah, hell yeah. Like I don't know how many PowerPoint slides I've had to make and if Claude or ChatGPT or Perplexity or whatever can make slides that are good and acceptable to me and meet the standard, then I'm going to use it to automate doing that task so I have more time to go to my extra meeting that day or something, which obviously I'm not super excited to do it all the time, but you have to do it as a leader and you're always fighting to have more time to do more things because the more you can get done, the more you can do as a leader, and especially as a startup, the more you can do, the faster you can grow.
Thomas Rogers (20:05)
Yeah, I think, yeah, just people being able to get more stuff done than usual. And like I said, I think it was a pretty, like, pro-AI case. It wasn't like, oh, security isn't going to exist in the future or anything like that, which I've seen some of those takes too. So it was better than usual. Cool. I want to pivot and go to Surface.
So could you tell us a little bit about what Surface Security does? I know you all just got out of stealth this week, and you have an awesome pullover already with a great logo, for the people that can see the video. So yeah, tell us about Surface.
Grant Smith (20:39)
Thank you, thank you.
Yeah, so Surface is an enterprise browser security platform, and it's essentially a security analyst in your browser. So it allows you to see visually and at the code level to detect phishing attacks, along with doing a number of other things that you would do from a security perspective anyways in the browser. So that's data loss prevention, that's shadow AI detection and prevention, all while maintaining your data sovereignty. So just like your security analyst goes and signs an NDA, they're not going to go export all your sign logs to some third-party cloud or something. We don't do that either. So we deploy in the environment. We maintain that data sovereignty. We'll also give you that adaptive detection of phishing attacks and various other data loss cases.
Thomas Rogers (21:30)
What led you to this?
Grant Smith (21:31)
Yeah, it was really a gap I was seeing at every place I worked at. So when you're in offensive security, the most popular way to get in is through phishing. Still, it's a problem that just has not been solved yet. And the only way to really detect these types of attacks is to learn about the environment and build that up over time and continually learn over time.
And so looking at where people are logging into, what those login pages look like, because when an attacker comes in, they're going to clone or make it look like it's a clone of your internal login page, which is different from the standard Microsoft login page or your Okta page or Duo, whichever platform that you're using.
So if you create static signatures, which every other provider does currently, of those different login pages that are publicly available, it's not going to cover those targeted attacks on users or targeted attacks on organizations. And so we built an ML algorithm and a platform that does that all from a browser extension, from crowdsourcing from employees and contractors.
That data of where they log into, what it looks like, and able to detect cloned and impersonated logins from that. And then because we're already in the browser, we do all those different data loss prevention and shadow AI detection, attack surface mapping as well. And then one final thing that we were missing at every org I was at was maintaining that data. We don't want every login page fingerprint and every credential that they type and all that leaving our network.
And so we deploy in their environment or in their cloud that they can maintain that and control what leaves and what doesn't.
Thomas Rogers (23:05)
That's super interesting. I'm familiar with one other browser security startup that's grown a lot in the past few years, but I'm curious about your perspective on where browser security is going. Cause it's, it's still new-ish. I think one of the analogies I heard with browser security is trying to make, like, an existing browser secure is like trying to turn, like, a Toyota Camry into, like, a sports car or something, like a race car. And it just wasn't built for that. So yeah, it just seems very logical that you would start from a place of security and then kind of go from there. It seems like we're still early on in browser security, so, like, where do you see this going?
Grant Smith (23:33)
Yeah.
Yeah, we definitely are early on. Obviously there's some players in the market, there's other companies out there doing browser security, but they all have their niche that they get into. So whether it's just focused on security and not data loss prevention, or it's just isolation and not detecting attacks and phishing identity hacks, or it's data loss prevention and not really focused on security. And they all have their different area. And that's okay if that's what they want to do.
But being that browser, being in the browser, why would you not do all of them? And in a better way, to adapt to how AI attacks are happening right now. So whether you go to Claude right now and ask it to build a fake login page for your website, and it's actually just Microsoft, and you just replace the logo there, or you have it build or have it spin up a new attacker-in-the-middle type attack, where it's like Evilginx, if you're familiar with that toolkit.
All those different attacks, you can't signature them easily. There's no easy static signature that you can just plug in and do throughout. And you can't rely on threat intel feeds, because somebody has to have looked at and caught that attack for it to go into the intel feed.
And so that's already too late at that point. So if you're being targeted by somebody and somebody's doing spear phishing, or even if it's just a mass-scale phishing attack against your organization with a targeted kit, you're not going to detect that with the current tools out there, because they all rely on things that take too long, and AI's fast, as we know. And so because we're able to put that security analyst in the browser, we're able to see, okay, like, you still have to look like the Microsoft login page in some way. You still have to say Microsoft, you still have to say that organization's name, you still have to say, please log in here, or net, or enter your credentials here, whatever the term might be. And so we're able to visually see that.
And also, of course, we're able to detect at the code level different phishing techniques that are done there. And so a combination of those signals, that goes into our patent-pending surface division algorithm. And we're able to figure out, okay, this is a phishing page. And we're able to do that all in the blink of an eye and catch those attacks, even if they're targeted, even if they're brand new kits out there.
Thomas Rogers (25:57)
Makes total sense. I'm curious what the user experience you'd expect is kind of like. With the browser, I know it's obviously one of the most used types of applications that exist today. So how are you thinking about that?
Grant Smith (26:10)
Yeah, again, we're wearing many hats as entrepreneurs. So from the user side, it's really quite simple. So it's a browser extension. It plugs into your browser. You don't have to go rip out and replace your browser as some of these other solutions make you do. It doesn't slow down your browser. It just plugs right in. You don't have to do anything on your end. It's just configured by your IT admin. They push it out by group policy, and then it's live. It'll check in to the server that's deployed inside of your network. So there's not really that much latency unless your VPN connection is really spotty. But it's all deployed for you in your network. And then on the end user side, it's just an extension. And so unless you visit a phishing page, you're not really going to see it. And when you do visit a phishing page, yeah, it's going to pop up and block it and tell you why, and give that info to your admins.
Thomas Rogers (26:56)
Cool. So you've led red teams, you've worked on red teams, you're leading a startup, and you've worked at some big companies. So what's that been like?
Grant Smith (27:06)
Yeah, it's really, again, the wearing many hats. When you're in a large organization, you have a lot of goals, but it's all focused on this one thing, like just this one area of security or this one objective. When you're at a startup, you have so many objectives and goals and they're all over the place, whether it's financial, marketing and sales, your go-to-market plan, your technical side, actually building the applications and features.
You have all of that that you're managing and it's difficult, but it comes back to just being driven to succeed. And so if you're at a large organization, if you fail one of those goals, like, yes, depending on the goal, it can be bad, but it's usually not the end of the world. And it isn't at a startup either, but those goals mean a whole lot more to you as a startup, and it being your startup, it means a whole lot more to you as well. So you're just a lot more driven in a startup to get those goals completed. It's not just about your performance review anymore. It's about, okay, like, does this company fail or grow really fast? Like, that's what it comes down to.
Thomas Rogers (28:05)
Yeah, that's a great way to put it. So we ask the same closing question every time. And the question is, if you were starting your career in cyber today, what would you tell yourself?
Grant Smith (28:17)
Good question.
I would probably tell myself to just build stuff earlier. Yeah, so myself included, a lot of people in security want to go do those certifications, tools, and just follow the perfect path. You see all these images online of the perfect certification career path. You go get your eJPT, your OSCP, and you're on the offensive side or defensive side. You're getting your blue team level one, whatever. Whatever those different certifications might be.
But what really grew my career wasn't certifications. It was building things, it was breaking things, competing in CTFs, meeting people through those, joining those communities, and then just putting people around myself that are better than me, which is hard.
Like I came into school at Virginia Tech and I was like, I know so much because I hacked into all these computers at my high school that were very insecure.
No, I didn't know anything. I came to school and there was a kid there that could do ROP chain exploits as a freshman as well. And I had no clue what the hell that was. And so, like, advanced binary exploitation stuff was way out of my league at the time. And it really hit me like a brick wall. You kind of feel bad. You get that feeling of not knowing as much as you should, but you really got to grow from there and persevere through that.
Build stuff, break stuff, have your wins, have your losses, and surround yourself with people that are better than you.
Thomas Rogers (29:38)
Awesome advice, great place to close. Well, thanks again so much, Grant, for coming on. Congrats on coming out of stealth and excited to see where Surface goes in the next few months and years.
Grant Smith (29:50)
Thank you. Thanks for having me, Thomas.