We can’t help it. We hear the word “hacker” and our minds instantly go to shadowy figures in dark rooms frantically causing as much malicious digital mayhem as they can. It’s a misconception that bothers Andy Thompson on so many levels. It’s also one of the many reasons he’s a perfect fit as a CyberArk Technical Evangelist.
“Hacking is not a crime,” he says, “And that’s something that I really advocate for. Hacking is near and dear to my heart. I consider myself a hacker — somebody who uses a tool outside of its intended purpose to find a solution.”
This is the original root definition of the term after all — and part of Thompson’s new mission to bring that concept to the fore. Some of the earliest known uses of “hack” have no negative connotations — in fact, the word was used in tech circles synonymously with “to work on.” It was the word used by tinkerers and the technologically curious, people who loved to take things apart to see how they tick … and engineer them to tick better.
“Yeah, that was me,” says Thompson. “I built my own machine at 12. I was definitely the person who would dissect any sort of piece of electronic that I could get my hands on.”
A self-described “jack-of-all-trades,” the Dallas-born Thompson came to CyberArk after a long and eclectic tech career. He gained not only valuable experience but also the realization that what he really enjoyed was talking about cybersecurity at a high level — coaxing people to understand, well, how it all ticks.
Thompson joined the CyberArk Customer Success Team in 2016. His skills and unique experience helped him lead a specialized group that he describes as a “SWAT team made up of CyberArk Solutions Engineering and Customer Success members.” Now a Technical Evangelist for CyberArk Labs, his journey here hasn’t been a straight line, but it’s made him right at home as an advocate for pure hacking culture and an identity-centric approach to cybersecurity.
We recently met up with Andy — virtually — to hear about his new role and how he got there. The following are excerpts from our conversation, which have been ever-so-slightly edited and condensed for clarity:
Your path to CyberArk took you through a lot of industries and organizations. What made you decide that this was going to be your calling?
Technology was just something that I’ve done ever since I was a child. I remember dialing in at midnight on my 286 to get into bulletin board systems.
I graduated with a bachelor’s in information systems from the University of Texas at Arlington. I was going to go to law school — in fact, I prepped taking the LSAT — but then I just had a moral problem with being a criminal defender, which was my original plan. I decided to go back to what I knew: information systems. CyberArk was my first foray into sales, honestly. I was a systems administrator and a website developer. I’ve worked technology in industries from healthcare to movie theaters, bars, restaurants, global retail and IT, doing everything from Windows systems administration to managing Linux/Unix Systems.
Is it true that your own experience getting hacked opened the door to your joining CyberArk?
One of my former employers was targeted in an attack, which I took as a personal affront.
We ended up tracking down the perpetrator, using what I call open source intelligence gathering, and sending law enforcement to his door. One of the agents working the case said to me, “Hey, you got a knack for security. Have you ever thought about doing InfoSec?” The rest, as they say, is history.
Another thing I experienced while working in-house was the frustration of deploying and using a Privileged Access Management platform that just wasn’t very good. I thought, “I got to go find something that works better than this.” Coincidently, it was my best friend since we were 11 years old, Allan Cox, a Principal Solutions Engineer at CyberArk, who encouraged me to come work here. And I’m glad he did, as I truly believe that what we’re doing at CyberArk is a calling. We’re protecting people and data, and at the end of the day, I can go to bed knowing that we’re making the world a little bit better. I know that sounds corny, but it’s true.
What is your day-to-day like now?
My primary role is championing the amazing tools and research coming from CyberArk Labs. Our Labs team — now these are the real hackers. These are the ones who are finding new vulnerabilities and exploits, demonstrating offensive tactics and helping organizations adopt an attacker’s mindset.
Our Attack & Defend Virtual War Room Experience is a great example of how we’re getting the team’s cutting-edge research out to the masses. One of our latest events featured a live simulation with Len Noe demonstrating five of the most notorious breaches in recent history, all based on CyberArk Labs’ attack deconstructions and threat research. I’m loving it.
With all of the industries and organizations you’ve worked for, have there been any consistencies that you can still draw on in your current role?
One thing I see across the board is the human element of risk. Sure, there are vulnerabilities from time to time, but nine times out of 10, you’re going to see attackers take advantage of software or systems that have been unintentionally misconfigured. In fact, the new Verizon DBIR 2021 identified misconfigurations as the most common form of error-driven breach by far.
To give an example, there was a major attack reported a few years back on a large enterprise that all started with a misconfigured firewall. The attacker used it to enter the company’s cloud provider network and gain privileged access to a virtual machine (VM). Then, by compromising access keys and assuming an over-permissioned role, the attacker obtained temporary privileged credentials to the company’s cloud database, which contained troves of sensitive customer data. As a result of the breach, the organization was forced to pay millions of dollars in regulatory fines.
Misconfigurations are rampant and only getting worse — especially in cloud environments. And it sometimes feels like you’re yelling into the abyss because you’re telling people to do something and they’re not listening because maybe it’s more operationally efficient to cut a couple corners here or there — it’s frustrating for sure. But I also get it: I made plenty of snafus in my old sysadmin days and know how easy it is for misconfigurations to happen — and add up fast. It’s my hope that I can help today’s sysadmins and cloud architects steer clear of similar mistakes and find ways to tackle these challenges in simpler, more automated ways.