I was laughing to myself the other night while remembering this one customer that was just crazy to deal with, but actually made me a better security professional in the long-term.
This particular customer, let's call him Kairos, practiced laser-focused paranoia. His meticulous nature extended to even our company's service level agreements, where nestled amidst the clauses and subclauses lay a decree so peculiar, so singularly Kairos-esque, that it bordered on the absurd. He had us put in writing, in the SLA, that in case of an incident, the SOC is never to call him or his company directly. We were to only update a ticket on the portal, mark it as "Critical", and then wait for him to call us. His fear was that a voice recording impersonating one of the SOC engineers would try to call and social engineer him for company information at a vulnerable time. Usually when faced with the specter of cyber intrusion, the SOC—the bastion of defense—was to lead the charge to recovery and response. But for him, we were to remain dormant and ready, until beckoned.
There once came in a high-CPU alert for his firewall that was labeled Priority 1 - meaning the firewall was on the verge of DOS'ing itself. I had no choice but to call. A simple proactive and informational call, or so I thought. As my voice carried over the ether, it was met not with the warmth of appreciative human interaction, but with the icy chill of suspicion by Kairos. "You sound like a machine," he accused of me, his words dripping with skepticism, his paranoia casting a shadow over our discourse. All the while, his firewall was about to explode.
With a deftness honed by countless encounters with the eccentricities of this guy, and with a sense of urgency, I found myself uttering the words: "Kairos, how can I convince you that I am flesh and blood, not steel and circuits?"
In that moment, as the silence hung heavy in the telecommunications air, I glimpsed a flicker of uncertainty in Kairos' voice, a hesitation born of the realization that perhaps, just perhaps, his fortress of paranoia had met its match. And though our exchange ended without resolution and my manager had to get involved, the firewall was promptly manually rebooted and the high CPU utilization stabilized. I departed with a newfound respect for Kairos who dared to challenge the boundaries of our conventional wisdom when dealing with vishing.
As a security professional I understand his paranoia. His constant overthinking. The need to keep processes uniform across all systems. Anything out of place or occurring outside the strict procedures based on company policy is an agitation, a precursor to something eventually going wrong and breaking. Much like the actual CISSP exam, if answers are not part of a pre-established process, it is wrong. Everything required the careful precision of a surgeon's scalpel.
Whenever Kairos submitted a change request to our ticketing system, a palpable tension would ripple through the security engineers stationed at their cubicles. While some would eagerly seize the opportunity to tackle his requests head-on, others would cautiously step back, opting to avoid the whirlwind of eccentricity that often accompanied his communications. And it's not like they were highly complex change requests, sometimes it would be just adding a single host to the "Source" column of an already existing firewall rule. Dealing with anything Kairos was akin to navigating a labyrinthine maze, where each twist and turn held the potential for unexpected obstacles. It was a test of patience, resilience, and diplomatic finesse—a trial that only the most seasoned of security professionals dared to willingly undertake.
Perfection was not merely a preference for Kairos; it was an imperative born of the crucible in which he worked: healthcare. A sector fraught with the weight of responsibility and the promise of consequence. As the network security engineer for a sprawling medical insurance conglomerate, Kairos bore the responsibility of protecting information that affected both lives and livelihoods. This was most evident when designing his IPSec VPN tunnels with other branch sites. Each tunnel was carefully crafted with specific parameters that had to be followed to the letter by security engineers. If they didn't, Kairos would ask to escalate to the highest level senior engineer on shift, or call the VP of SOC Operations to get someone who can do the job. Even for a simple change to the firewall. He did not tolerate incompetence.
If Phase 1 of the VPN tunnel called for Diffie-Hellman Group 2 and Phase 2 required Perfect Forward Secrecy using Group 5, that's exactly the configuration the SOC engineers better have. The pre-shared key was always 16-25 characters which included special characters. Encryption was always secured with AES256. Integrity secured with SHA1, don't even think about choosing MD5. And the IP addresses that are supposed to be going back and forth through the VPN domains could be just a few hosts on a network or an entire subnet of machines. And if static routes needed to be added on the firewall for any new servers behind it, it couldn't be done on the same maintenance call as the VPN tunnel, it had to be done on a completely separate call. On a Saturday night. At 2 a.m.
Every demand for perfection, every meticulous scrutiny of detail, was not merely the idiosyncrasy of his mind, but a necessity in Kairos' reality. And he demanded the same from me and the rest of the SOC.
And all this was just for creating 1 VPN tunnel on their firewall. Just 1. Any mistakes on our part, aside from the initial few hiccups when bringing the tunnel up, Kairos would immediately ask us to escalate to a senior engineer, making us call our on-call person.
I don't know about you, but calling a senior engineer at 2:40 a.m. on a weekend is an absolute last resort and not to be used flagrantly. But Kairos didn't care. He was paying our MSSP money to create these VPN tunnels and he wanted every resources available to make sure it goes smoothly. Kairos didn't care if the on-call engineer had a family with a newborn baby that just went to sleep at 3:47 a.m., his firewall change was more important.
You can't blame him. Kairos was just like any of us security professionals just trying to do his job without breaking anything that holds highly sensitive data. Data, which if compromised, could damage his company financially and by reputation.
There once was a a break in the iceberg of his cold personality. He had submitted a big change. A big, serious, complex, mission-critical, and whatever other cybersecurity terms you can put in there for something serious, type of change. We were to perform a physical upgrade of his Checkpoint x000 series security gateway to something a bit more powerful.
This meant that we had to do the following:
Manually create 300 objects on the new Checkpoint firewall
Manually pre-stage all the settings for IPSec VPNs
Manually enter static routes into the firewall's clish
Manually create the over 250 firewalls rules on the new version of SmartDashboard
The goal was to configure as many settings as possible on the new firewall that when the maintenance window starts, all we'd have to do is establish SIC, and then push policy. Basically: it would take over 60 hours of backend work to make sure that 60 minute maintenance window went perfectly.
Long story short: everything went off without a single issue. What we call a perfect game in tennis. Everything worked as expected. 6-0, 6-0. Game. Set. Match. No forced errors, no unforced missteps—only a flawless procession of calculated rehearsal brought to performance.
Because here is the thing:
What Kairos didn't understand about me, or rather, came to realize later on during this maintenance window, was that I also demanded a high level of perfection from myself that sculpts every task into a masterpiece of precision and excellence. A level that goes beyond just professional satisfaction or pride, a level that goes beyond personal achievement. It's a level that will echo years into the cybersecurity light cone.
It was during this maintenance call at 2:00 a.m. on a Saturday that I really got to know Kairos. In between waiting for either the policy to push to the firewall from the Checkpoint CMA or waiting for users to confirm successful connectivity to the newly added server, Kairos finally opened up a little.
Kairos had a high-pressure job, and the job of information security fell on him and only him. One mistake by him or the SOC for any of the changes to his company's firewall could easily mean a multi-million dollar data breach.
Kairos had a family with a son starting 4th grade and negotiating being on the spectrum on a daily basis. It can get rough sometimes. Maybe the inability to tolerate mistakes and demanding perfection at his job was a way to balance out the inability to have full control of his personal life.
Kairos needs a vacation. But he can't take one just yet because he's still training his new assistant who was hired 3 months ago and is nowhere close to taking over his responsibilities, even if it meant temporarily, over July 4th weekend.
Gone was the steel-hardened facade of the Kairos we all knew during the day shift who demanded our full attention. Here, at 3:14 a.m. in the middle of the night, while going over a critical firewall migration, did the real Kairos show himself, even if just in-between the lull of maintenance testing.
Sometimes when you go through it with someone else, real just recognize real.
No regrets or hard feelings because with each encounter with Kairos, each arduous exchange, I found myself challenged in ways I had never anticipated. His inquiries, though often rudimentary, forced me to reassess the depths of my own knowledge, to articulate complex concepts with simplicity and clarity.
Going over each line of my CISSP book word-for-word, line-by-line, zeroing in on any slight errors, I learned that from Kairos.
Creating CISSP videos packed with notes and an attention to detail that no one will notice except me, I learned that from Kairos.
I think there is a Kairos in all of us who shift from the imbalanced juggling act of our personal lives to demanding nothing less than absolute perfection from ourselves in our professional lives, with the eventual goal of becoming a better security professional.
Thanks for reading fellow CISSPs. Luke Ahmed