A dialogue with Tadd Wood
ITSPmagazine recently connected with Sr. Data Scientist at Arcadia Data, Tadd Wood. In this ITSPmagazine An InfoSec Life column, Tadd shares his views on how data—and people—play a role in identifying risk and addressing cybersecurity issues.
ITSPmagazine: Please tell us a little bit about yourself.
Wood: I’m a Data Scientist hailing from the Midwest (Omaha, NE) who decided to pick up and move to the Bay Area a year ago. Previously I consulted in various industries (i.e. healthcare, insurance, political campaigns, and construction), but more recently decided to shift my focus to the growing data challenges in information security.
ITSPmagazine: Please describe a recent personal accomplishment you'd like to share with our readers.
Wood: There was a project I worked on recently that was aimed at improving the organization's visibility into their active cybersecurity vulnerabilities lingering in systems and applications. Our end product was an application that allowed managers and engineers to explore data related to their vulnerabilities, which enabled them to better plan and manage their patching schedules. As a result, the organization is much better positioned today to keep their SLAs (service level agreements) as well as those responsible for patching the vulnerabilities accountable.
ITSPmagazine: What inspired you?
Wood: Finding low hanging fruit in security can sometimes be difficult from a data science perspective. We needed to make an impact quickly and it seemed that the organization was becoming more invested in building solutions to help manage and patch its vulnerabilities.
As we started to dig into the organization’s data sources it quickly became apparent that their vulnerability data was more readily available than some of the others we were exploring. However, there were still numerous challenges to be had, despite the availability of the data. Challenges such as lack of control over data source models, stability of data pipelines, and data cleanliness started rearing their head. It also took several iterations before we had a stable data foundation upon which to present our insights; insights that would also need to scale correctly. These weren’t easy challenges to overcome, but it was a lot of fun working on several different problems. It was also motivating knowing the system would work beautifully if everything was architected correctly.
After our first presentation of our solution to the problem we received great feedback; this gave us a renewed sense of hope for the things we had been working on. We took that feedback, kept building, and a few months later were able to go to production with a fully functional vulnerability management system. It was a relief to get to that first major release, but we were excited to push forward and expand our scope as we were starting to get attention from other departments within the organization.
ITSPmagazine: Shifting the focus a little to the organization, can you share a recent team accomplishment as well?
Wood: Making each person aware of how they play a role in the security of a company is powerful. Security shouldn't be the responsibility of a single department or business unit. It's the responsibility of everyone in the organization to understand their level of risk and have an awareness of how their actions can have an impact on the company's security posture. By starting to uncover how each person's risk in an organization can be quantified we can then start to change behavior and move the organization towards becoming more secure.
For example, making the organization’s vulnerabilities more visible to each person responsible for patching them created accountability and also helped them understand how much of a risk they were being for not patching them. As a result, managers started checking in with their direct reports more often and departments were able to triage the high severity vulnerabilities first. What was even more surprising was how quickly other departments started to become involved once they saw how this was changing behavior.
Today, the organization has several business units working in tandem to improve the security posture of the company, rather than it being the burden of a single department.
ITSPmagazine: How would you characterize the impact your work has on society?
Wood: Currently we’re working in tandem with the open source community to help promote and further develop the Apache Spot project, which is focused on helping fight cyber security threats using shared expertise, intelligence, and machine learning capabilities.
ITSPmagazine: What do you enjoy most about the work you do?
Wood: Being a data guy at heart, I feel like I can lend my expertise to others on how problems can be structured in a way that reduces their complexity, which then opens the door to moving a solution forward and expanding on it once we have a good foundation in place.
Sometimes they just don't know where to start and getting them to that first checkpoint can act as a multiplier where they start to dream about how else we can start to change the behavior of the organization, which is very exciting to be a part of.
ITSPmagazine: If you had one important question to ask your peers, what would that be?
Wood: Work-Life Balance (WLB). All suggestions welcome.
ITSPmagazine: What's one final thing you'd like to share about the work you've done?
Wood: Witnessing how many organizations are impacted by various levels and types of threats each day, as well as the struggles they face internally with bad actors, has made me much more paranoid, and as a result I feel that I have an obligation to help the community build better solutions to identify and stop threats before it’s too late.
About Tadd Wood
Tadd Wood is a Data Scientist originally from the Midwest. Currently he is working in the Bay Area at Arcadia Data as a Senior Data Scientist.