Steve Sisk

Principal Security Services Consultant
Fortra
 

Steve Sisk is a Principal Security Services Consultant at Fortra. Steve has engineered and administered IBM i, Power Systems, and predecessors for more than 26 years in single-entity and multi-entity environments. Prior to joining Fortra in 2016, Steve held a variety of positions, including lead architect for an IBM Global Services Strategy team, and solution architect and lead engineer designing and implementing solutions for compliance requirements of general controls, PCI DSS, and HIPAA in large IBM i installations of numerous organizations. Steve's experience spans supply chain, finance, health care, insurance, ecommerce, retail, utilities and manufacturing. Steve holds the PCI Professional certification.

 

Q & A with Steve Sisk

 

What’s the most interesting or impactful project that you’ve had the chance to work on, whether it's with a customer or internally developing products? 

Two projects come to mind that I’ve done with customers, and they were both centered around remediation. So, in other words, correcting the security vulnerabilities and taking an extremely vulnerable system and changing it into a deny by default, least access required environment to close these exposures. Sometimes those projects can take up to two years. It's not like going over and flipping a switch when we do remediations. Instead, we try to set the customers up so that they don’t have to try to rip and replace or do a major overhaul in the future.  

 
We try to do it with the future in mind so that when the customer brings something new on board, they can integrate it very easily. One customer that I’m referring to was in retail while the other was in the financial sector. But both of them took somewhere between one and two years to complete. The thing that's fairly interesting about this process is that it’s not only a technical change but also a cultural change within the organization. We try and make people become security minded and that’s been revolutionary in some environments where people are adopting a security conscious mindset that’s totally different from a year before. We not only help the customer make the changes, but we educate them as to why we're making those changes and how it figures into the overall stability and viability of the business.  
 

From your experience, what is the biggest barrier holding customers back from strengthening their security? 

It’s kind of like the old adage of taking a horse to water. Well, the horse isn’t going to drink unless it’s thirsty. So a lot of my job is helping that customer become “thirsty” and understand that leaving their systems vulnerable is an even bigger problem than they could have previously imagined. I think a lot of customers can’t fully comprehend the repercussions of weak security until they’ve been educated on that, understand that an attack can happen to them, and that – even though they trust their employees – their security policies shouldn’t reflect that.

 

What changes do you foresee in the world of cybersecurity in the coming years? 

I think the role of AI will continue to expand. I certainly don't think it's the end all be all, but I think its presence and the role it plays in security will continue to increase. That will lead to the identification of patterns and possible breaches that would have otherwise flown under the radar. Threat actors have gotten smarter and they know that in order to infect a lucrative target they have to do it slowly. That’s where I think AI will play a big role in sniffing out these more advanced, underlying threats.  

 

How has the cybersecurity landscape changed since you got your start? 


Well, I would say that the tooling has gotten better, which is always a good thing. And though I wouldn't call it an iconic trend, I would say that within the community of customers that we serve there seems to be a greater consciousness of security within their environments. And that hasn’t been a trend that has grown exponentially by any means. Instead, I would say it’s been more of a steady, linear progression which is still a really good thing. When I first started in security, the attitude from prospective customers was more so “Why would I worry about that?” And now, that understanding is there. So, I would say the awareness has completely changed for the better.