Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to The Virtual CISO Moment. My guest today is Andrew Kalat. He is the owner of Rotation Speed Consulting, an independent security consultant, speaker, writer, and the self-described Lord Losing co-host of the long-running Defensive Security Podcast. He has spent nearly three decades helping organizations solve security challenges with leadership roles spanning Salesloft, U.S. Bank, Elavon, Check Point Software, Accuvant, and many others. Along the way, he’s built security programs, led engineering and operations teams, managed multi-million-dollar security budgets, advised enterprise organizations, and helped translate risk into business decisions.
He’s also a private pilot, which we’ll touch on in a bit because I am as well too, although inactive. He’s an author and one of the more recognizable voices in the cybersecurity podcasting community. We’ll talk about that in a moment as well too. We’ll also talk about his journey through the industry and all sorts of other great, interesting stuff.
Andrew, thank you so much for joining me today.
Andrew Kalat: Thanks, Greg. I need to hire you as my marketing guy. That was amazing.
Greg: You know what? I can subcontract that because my marketing person is ChatGPT.
Andrew: Hey, that works. Thanks so much for having me. Great to be on the show.
Greg: We’d love to start out as we usually do. I want to hear your story about how and why you got started in this really crazy industry and what led you to where you’re at today.
Andrew: Yeah, I appreciate it. It’s been an interesting journey, and it’s been a while since I’ve really reflected. But I started in the early nineties. I’m old enough that I had single-line modems when I started.
Greg: Amen, brother. Me too.
Andrew: Yes. Single-line BBSs.
Greg: Exactly.
Andrew: I remember when U.S. Robotics had a deal for sysops that you could get a faster modem cheaper. So I started my own bulletin board just to get a cheaper modem.
Greg: The U.S. Robotics 56K.
Andrew: Yeah.
Early days, I had no idea what I was doing, man. I was just the weird kid without any friends who discovered a whole community online with bulletin boards, and it changed my life.
I grew up in the Detroit area, and there was a very active BBS scene up there. Then, very slowly, the internet came around. I remember those early days of the internet when we first got on the internet via modems with a piece of software called KA9Q that was built for packet radio data transmission. But later, as I learned about TCP/IP, it made sense. It was TCP/IP packets being used.
So I kind of accidentally fell into this industry.
We talked a little bit about being a pilot. I thought I was going to be an airline pilot growing up. Then I found this amazing world of technology and started tinkering and building computers and selling computers at trade shows. Then I got my first job selling software at Electronics Boutique.
From there, I started working for a small company—what we would now call an MSSP—in Detroit called Netrex, which was a managed firewall provider.
This was back in the days when the way it worked was they had a data center, and they ran serial T1 links, or smaller, out to various customers and brought all of their traffic to our data center, ran it through some Check Point firewalls—back in the version one, version two days—and then out to the internet from there.
That was the early, early days.
It was great. I learned a lot. I learned a lot about troubleshooting and helping customers and all that great stuff that comes from doing help desk-type work.
That company got bought by a company in Atlanta called ISS, which eventually got bought by IBM. That moved me down to Atlanta. I came down to Atlanta in 2000 with that acquisition.
Greg: You’re like me. You’re one of those damn Yankees who moved down South.
Andrew: Yes. Because I came from New York and moved down to Knoxville, Tennessee.
Greg: Back thirty years ago.
Andrew: Well, I think after twenty years you lose the “damn” and then you’re just a Yankee.
Greg: Okay, okay.
Andrew: At least in Atlanta. It could be different rules in Nashville.
So I worked at ISS, which was great. It was a startup. It was the dot-com era. We built data centers. We had this huge MSSP opportunity, and it was an amazing time until the dot-com boom kind of failed.
But I still learned a ton from there.
I went to Check Point and started doing sales engineering management for Check Point because I’d run Check Point firewalls for so long in so many different jobs.
I was there for quite a while and learned how to do the softer side of the business. I learned how to work with customers and traveled around and helped them, which was great.
It really filled in some gaps for me because I was a very poorly socialized introvert. It got me out of my shell and doing more public speaking and forced me to learn how to talk to people, which I found very helpful. I didn’t think so at the time, but it was super helpful.
After Check Point, I started dabbling with startups. I was at a couple that didn’t go anywhere, a couple that were okay, and a couple that failed.
I’ll tell you, my failures taught me probably more than my successes when it comes to business.
Greg: They usually do in business and other aspects of life, right?
Andrew: No kidding.
Then I went to Accuvant—which now is called Optiv—but they were a VAR. It was really interesting going to a VAR from vendors because now I had the whole suite of technologies to talk to customers about and figure out, “Hey, what are you trying to do? What’s good? What’s bad?” and really bring all of that to the table.
Of course, it’s still interesting how much pressure you get to sell certain vendors over others. Maybe not always the best solution, but that’s just the way the game is played sometimes.
Then I ended up at Elavon, which was a smaller, thirty-five-hundred-employee credit card processing company. I started doing security work for them as a principal security architect and moved up into leadership roles there where now we’re dealing with PCI and credit cards and all of that.
That got rolled into U.S. Bank. I ended up there for about five years.
Then I wanted to get back into small-company land and went to a software company called Salesloft, which was just starting to blow up. It was just at the beginning of the COVID era, and it got real big, real fast.
It was building software for sales folks. I came in when there was a two-person team and built that into eight people—a whole huge security department.
Ultimately, they got bought by Vista Private Equity, and I actually just left there a couple of weeks ago to take a breath, decompress, and do some side work and consulting.
Among all that, I started a podcast, wrote some books, did some public speaking—a lot of stuff.
So, probably a long answer to a short question.
Greg: Well, I wish you would find a way to do more stuff. You’ve obviously got a passion in the field.
You and I share something. First of all, I started out—did I read somewhere that at one point in time you were a mechanical engineering student?
Andrew: No.
Greg: Okay. I was reading something else then.
The commonality between us doesn’t have to do with that, but it does have to do with being a private pilot. I believe you got your private pilot license in the early nineties. I did as well.
I’ve often thought that there are significant corollaries between how we approach flying and how we approach information security. I’d like to hear your views on that, and then I’ll add some as well, I’m sure.
Andrew: One hundred percent.
I like to say, “You know how you know when you meet a pilot? They’ll tell you.”
The biggest challenge is when you meet somebody who’s a vegan CrossFit pilot. They don’t know what to tell you first.
Greg: The only way you know they’re vegan CrossFit is because they tell you.
Andrew: Right.
But no, I absolutely agree. If you look at the aviation industry—and I’m not a professional pilot, although I’ve got good buddies who are—they have such a robust, mature risk management culture that we could learn a lot from.
It feels like information security keeps trying to reinvent that wheel.
You look at how aviation accidents occur, and it’s rarely one cause. There’s usually a number of systems in place, especially for larger commercial operations, that have a bunch of checks and balances that typically catch a problem before it results in an accident or incident.
Normally, when you really dig into what causes an accident, it’s a bunch of failures that line up in the worst possible way.
I think the same often applies to InfoSec.
I also think the concepts from aviation make a lot of sense. They care about fatigue. They care about checklists. They care about the best way to do something consistently and routinely. They care about studying incidents and learning from them.
We in InfoSec try to do that, but we also have this push to be very secretive because of legal aspects surrounding breaches.
I do find there are a lot of pilots in information security. I think it scratches the same itch.
There’s a lot you can learn from being thoughtful and systematic.
The one thing that really helped me was learning to be calm in a crisis.
When you’re flying an aircraft on your own—especially the first time, and I’m sure you remember your first solo like I do—that cockpit has never felt bigger.
You realize, “Wow, if I screw this up…”
Greg: I had to retire that pair of underwear, that’s for sure.
Andrew: I think every pilot understands that.
I heard this from a great instructor once: you start with a bucket of luck and an empty bucket of wisdom. Your job is to fill that bucket of wisdom before you run out of the bucket of luck.
I think that applies in information security as well as aviation.
You make mistakes and you learn from them.
Greg: Hopefully you’ve done enough risk management and have enough compensating controls so that your mistakes don’t end up being fatal.
You mentioned the first solo. The only thing I really remember from that—it was in Knoxville at McGhee Tyson, which was a Class C at the time, I believe.
I don’t think they do those classes anymore. It’s been about seventeen years since I’ve flown.
I remember thinking, for the first time I had a chance to stop and think, I went through the checklist, got clearance to take off, took off, established myself in the pattern, and then thought, “Okay, I guess I’m on downwind.”
For those who aren’t pilots, that’s when you’re flying opposite the runway while circling around to land.
That’s when I thought to myself, “I have no choice. I have to land this thing.”
Gravity is going to take me down one way or another.
That was a bit of a freak-out moment.
I think in information security, we have those same moments in the middle of incidents where it’s, “One way or another, this incident is going to resolve, but I have to do all I can with my training to bring it down with as little risk as possible.”
Andrew: Agreed.
You have to stay calm. You can’t panic. You can’t give up. You can’t pull over. You have to get that plane on the ground.
You also can’t start making things up on the fly—no pun intended.
That’s why we practice. That’s why we have checklists. We have engine-out checklists. We have emergency procedures.
Greg: To your earlier point, when you look at aviation accidents, it’s never really one thing that causes it.
The last thing is simply that the airplane impacted the ground in a very unnatural manner.
But how did you get there?
Fuel starvation is a common cause. Flying into IMC as a VFR pilot is another.
I remember hearing a statistic that if a VFR-only pilot flies into instrument meteorological conditions—clouds—they have something like one hundred seventy-eight seconds to live if they have no instrument training.
The question is: what decisions led to that?
Why did you fly when weather conditions suggested that might happen? What was your backup plan?
It’s the same thing in information security. That’s why we have compensating controls. That’s why we have layered security.
Andrew: One hundred percent.
You touched on another really important point.
In aviation, we have pre-thought-out, pre-planned, pre-practiced procedures for most emergency situations.
It’s basically disaster recovery in the air.
We train them extensively—hopefully.
I think that’s one thing we don’t do very well in information security.
We say we have an incident response plan. We say we have a playbook.
But what I often see is that it’s written, updated once a year, and nobody has time to practice it.
It’s not intuitive. That muscle memory isn’t there.
One thing we know from aviation is that stress makes it harder to think objectively.
That’s one reason it makes sense in both aviation and information security to have these pre-planned decision trees and reaction trees.
You’re already under stress. This takes some of that burden away.
We’ve already decided in a peacetime environment what we’re going to do.
We’ve lost the engine? Immediately pitch for best glide. That gives me the most time to figure out what to do.
Find a place to land. Head toward it. Attempt to restart the engine. Work the checklist.
As opposed to, “The engine just quit. What do I do?”
You don’t have time for that.
I’ve seen organizations during incident response where executive leadership, who haven’t bought into the response plan, start making things up on the fly.
Once emotion enters into it, you’ve lost a lot because you’re no longer thinking clearly.
Greg: That’s an excellent point.
Another thing that came to mind as you were talking through the engine-out and best glide scenario is that sometimes we practice things that we never plan to use, but we want to get close enough to the edge to know what it feels like so that we can avoid it.
What I’m thinking about here is spin training—or at least getting close to a spin.
For the non-pilot folks out there, a spin is basically when you enter into an uncontrolled stall. A stall is when you lose lift over the wings. Normally, if you enter into a coordinated stall, meaning you’ve got your rudder set correctly and your ball is centered—for those of us with steam gauges—the airplane loses lift symmetrically and falls forward. Then the airplane flies again.
But if you lose lift asymmetrically, one wing drops and you enter into a spin, which requires additional recovery procedures. You apply opposite rudder, stop the rotation, and then recover.
The reason we practice that isn’t necessarily because we expect to recover from a spin someday. It’s because we want to know what it feels like right before it happens.
The only time you’re typically flying really slow and making turns outside of training is when you’re in the pattern. If you get into a spin in the pattern, you generally don’t have enough altitude to recover.
I think there’s a corollary in information security. If we have enough monitoring in place, we can recognize when we’re getting close to the edge. We know we’ve hit a danger point and need to stop what we’re doing, pull back, and correct the situation.
Andrew: One hundred percent.
You touched on something else too.
When certain failures start stacking up, you may be able to sustain one failure, maybe two failures, but three or four failures can put you in a really bad situation.
I think the same thing applies to InfoSec.
I’ve got this weird incident over here. I’ve got a strange log event. Somebody’s connecting from a weird IP address at a weird time.
You start getting these pre-problem indicators.
If I can see them early enough and react to them early enough, I can probably stop the spin into the ground.
The challenge in information security is that we have so much information coming at us that determining what matters and what doesn’t matter is difficult.
The same thing can happen in aviation.
Pilots can vapor-lock because they’ve got too much information coming at them. You can get information saturation.
I’ve seen that same thing happen with SOC analysts and incident response.
What are the indicators I really care about? Which instrument gauges do I really want to look at to figure out what’s happening?
You mentioned VFR and IMC.
One of the weird things about flying is that we’re built to be on the ground. Gravity normally goes one direction.
In flight, because of the forces involved, you’re fooling with your inner ear. Your body thinks you might be in one attitude or condition while the aircraft is actually in a completely different one.
You’ve got to learn to trust your instruments.
Greg: Absolutely.
Andrew: Not that your gut is wrong, but your gut has to inform strong reasoning for why you’re taking the actions you’re taking.
You have to trust your instruments in aviation, and in InfoSec you have to trust what your telemetry and tools are telling you.
Greg: For our non-pilot friends, one of the things an instructor often does during training is put you under a hood so you can’t see outside and then ask you to close your eyes.
The instructor says, “Just keep the airplane straight and level.”
The instructor then sits there chewing gum, whistling, whatever, for a minute or two.
Eventually the instructor says, “Okay, look at your instruments.”
You’ll often discover you’re in a descending spiral and had absolutely no idea.
The centrifugal force has taken the place of gravity. You still think you’re sitting normally in your seat.
In information security, if you get to the point of complacency—where you aren’t receiving enough inputs and are relying entirely on intuition and gut feel—you can ride that “everything is fine” feeling straight into a major breach.
Andrew: That’s a great point.
Here’s the thing I think is challenging for some of us in information security, especially those of us who are pilots.
In aviation, we always have the option of scrubbing the flight.
If my minimum equipment list isn’t met, or if I lose a key instrument during preflight or run-up, I can turn the plane around, take it back to the hangar, shut it down, and go home.
We don’t often have that choice in business information security.
We still have to do risky things sometimes.
Because human life is involved in aviation, there’s generally more ability to say no to a flight without major consequences.
Although pilots do fight something called “get-home-itis,” where they convince themselves to take risks they shouldn’t because they really want to get somewhere.
That same pressure exists in business, but usually at ten times the level.
Usually lives are not on the line, but often we’re advisors. We’re not pilots in command from an information security perspective.
We don’t have the authority to bring the business to a stop because we think an information security issue is imminent.
Greg: Right.
Andrew: Then it becomes a matter of understanding that you may have to accept risk you’re uncomfortable with.
I think the tough part for us, especially those of us who are pilots, is that when you’re pilot in command, you are the complete final authority over the aircraft.
In business information security, we’re essentially advisors.
Greg: That’s a very good way to put it. I’d never really thought about it that way, but you’re absolutely right.
And it’s tough because you don’t have that control.
One other thing you mentioned, since we’ll finish out this flying analogy, is how aviation does such a good job with postmortems.
Sometimes it’s an actual postmortem, unfortunately.
The National Transportation Safety Board publishes preliminary and final reports on every aviation incident in the United States.
I receive those reports in one of my feeds, and they’re fascinating because you learn from them.
We don’t really have something equivalent in information security.
I understand why. Organizations don’t necessarily want all that information out there.
But it would be useful to have some sort of clearinghouse for publicly available information that is much more thorough than what we have today.
Some elements exist, but certainly nothing as ubiquitous or detailed as NTSB reports.
Andrew: I agree completely.
Sorry again to the non-pilots, but there’s something called a NASA report.
If you’re a pilot and you screw up—fly into the wrong airspace, violate some rule, whatever—you can self-report.
In general, it comes with a degree of amnesty. You’re not likely to have the FAA breathing down your neck.
The problem in information security is that there’s no equivalent “get out of jail free card” that gives us the freedom to share all the details because of the legal liability involved.
I can tell you that last year at Salesloft, I was involved in a massive breach that generated a lot of media coverage.
Someone came in, stole a bunch of OAuth tokens, went into Salesforce, and scraped a bunch of our customers’ data.
That’s all public information, so I can talk about it.
What was really fascinating was being in the middle of it while also reading all the press coverage.
I could see what we were legally allowed to disclose and what we weren’t.
It wasn’t that we were trying to hide anything, but our lawyers had such a stranglehold on what details we could release because of all the legal implications.
The news coverage was accurate, but very limited.
I knew from the inside exactly what happened, where we screwed up, what went wrong, and what we did well.
That’s the kind of information I’d love to see the industry share more openly, but the legal liability makes that very difficult.
Greg: Because with NTSB reports—and NASA reports—there are incredible levels of detail.
This is what happened. These were the maintenance records. This is the flight history.
Everything in aviation is documented.
Well, we could stay in this rabbit hole for quite a while. I really didn’t anticipate spending this much time talking about piloting and InfoSec, but it’s amazing how many parallels there are.
Let’s pivot a bit.
Piloting—whether you’re a private pilot or a commercial pilot—is a stressful activity. Certainly another parallel is that information security and cybersecurity are stressful as well.
I like to encourage folks to decompress from that stress as healthily as possible.
I’ve been very transparent on this podcast that one of the things I used to do was twelve-ounce curls to decompress. It was never a serious problem, but I could have found healthier outlets.
Based on when we’re recording this—and when this episode is actually going to drop—this will coincide with my third anniversary of being alcohol-free.
So now I do other things. I’m crazy into mountain biking right now. I’ve gotten much more into the fitness side of things to help decompress.
I always love hearing other people’s stories.
What’s one of the things you do to decompress from the stress of cyber—and flying?
Andrew: What’s amazing is that flying actually was a de-stressor for me from InfoSec.
When you’re flying, you have no choice but to focus solely on that event.
Greg: Yes, yes, yes. Now, it brings its own level of stress too, but I totally agree with that.
Andrew: It does.
By the way, if you’re too stressed from your day job, you probably shouldn’t fly.
That creates its own issues.
Particularly if you’ve had a few twelve-ounce curls.
I will tell you right now, I’m fighting a bunch of burnout. So this is a very topical question for me.
I’m trying to get back into fitness. I find, personally, going to the gym and doing forty-five minutes of cardio while watching a movie on the iPad helps a ton.
I play video games.
I like going to the gun range.
I like to travel.
My wife and I are trying to hit every state park in Georgia.
Spending time with her, that kind of stuff.
I read and watch a lot of movies and TV.
I’ve been out of balance. I’ll be very honest.
I’m trying to get back in balance.
For me, a job—especially in a leadership role in InfoSec—can take everything you give.
I got a little too far to the other side, so I’m trying to get back to my hobbies and the things that help me de-stress.
That’s my approach.
Greg: That’s the biggest risk we have.
Particularly because it seems like both InfoSec and piloting draw Type A personalities.
We tend to want to do a very fine job, a complete job, and be at the top of our game all the time.
It’s just not sustainable.
I think that’s great advice—to take a step back and decompress and unwind from burnout.
Because the more burned out you become, the more you have to spool back.
Once you get post-burnout, what future plans have you got?
Andrew: That’s a great question.
I’m doing some consulting work right now.
You, as a pilot, probably understand the play on the name of my consulting company—Rotation Speed Consulting.
Greg: That’s when you reach rotation speed and take off.
Andrew: Exactly.
Plane nerd reference.
Right now, I’m regrouping.
I’m also looking at getting back into the right opportunity when the time is right.
I’m spending time learning AI.
I’m spending time learning all the crazy things surrounding the security of AI.
Ultimately, whether it’s through consulting, small businesses, medium businesses, or whatever, I’m trying to figure out how I can help and use the thirty years or so of experience I’ve accumulated to be useful to an organization.
Ultimately, I’m trying to find a mission worth supporting.
I’m fortunate in my career where money isn’t as big a deal anymore.
What matters is: do I believe in what we’re doing?
I don’t know what that thing is right now.
I’m trying to figure that out again.
I’ve gotten so burned out that I’m trying to find that excitement again.
That’s kind of where I’m at, to be completely honest with you.
Greg: It sounds good. I hope you find that excitement again.
Certainly, if you go down the AI rabbit hole and start learning that, I’ll caution you.
I’ve entered the world of vibe coding myself.
Not just asking Claude to write code for me and regurgitating it.
I’ve been using ChatGPT and Bubble. I wrote an application to help manage my consulting business, which is actually kind of cool.
But now I’ve become a nerd in that area too.
The Type A personality starts kicking in.
“I’ve got to fix this.”
“I’ve got to do that.”
“I’ve got to add this.”
And then suddenly you need to decompress from the thing you were doing to decompress.
Andrew: Exactly.
Greg: Andrew, this has been an absolutely fun conversation.
I love it.
We probably need to schedule another time to chat more about InfoSec and guns.
I wanted to touch on firearms, proper gun safety, and some of the parallels with information security, but we don’t have time for that today.
I’ll be thinking about it.
The next time I’m out at the range, I’ll probably be thinking about this conversation.
Andrew: I’ll be out at the range on Monday, and I’ll be thinking about it too.
Actually, when this podcast drops, I was at the range the day before.
That’s always the funny thing with recording and release schedules.
I’d be happy to chat more anytime. I’d love to.
Greg: Well, I appreciate you being on.
And everybody, stay secure.