In His Own Words
Stefan Baranoff answers a few quick questions regarding his career journey in cybersecurity.
My dad was an electrical engineer, and I grew up with computers in the house. I was probably born with a mouse in my hand. When I graduated from high school, the decision regarding what to do in college was obvious—computer engineering.
I attended the University of Akron, which has a great engineering program, and that’s what I studied. Their program is more hardware focused than software focused—chip design, embedded systems robotics, and other related disciplines. They take a very pragmatic approach. Everything about my education was about training me to go into the workforce.
That experience led to an internship at First Energy, which turned into a job, mostly doing data utilization for their power plants. I was writing software, and also heading out to the power plant to look at where the data you're getting is coming from. At about the same time, I also started working on a hybrid car competition sponsored by General Motors. This was in 2006, the early days of hybrid cars. Part of the scoring was, are you going through the automotive engineering process? That was a fundamental experience for me in real-world engineering. Finally, I worked at a medical IT company whose primary product was printers. Again, a very rigorous environment, very health and safety critical.
After having all these cool experiences, I graduated from college and had to decide what I wanted to do. A close friend from college, Ben Magistro, had graduated the year before and started at the NSA after attending a job fair, and he pushed me to consider joining. Although my friend was working for another office, he was able to get my résumé on [Trinity Cyber founder] Steve Ryan’s desk, which led to an interview and set my whole career in motion.
The way Steve described the job he brought me in for, it was a mix of hardware and software. I'm expecting to show up to an electronics lab, although I knew they were doing something cybersecurity related. I walk into the lab on my first day and it's an office. The ‘hardware’ was racks of servers and routers and switches and internet networking equipment. It didn’t look like any lab I’d ever been in.
My entire first day I was lost. People were using tons of acronyms and I had no clue was going on. I've got a completely non-cybersecurity, non-computer networking background, and had to learn everything security-related on the job.
My background was rooted in solid engineering principles: rigorous, tight engineering with high budgets, high constraints, and no room for failure. And I got thrown into the fuzzy world of cybersecurity where there's some bad guys out there doing stuff and there's a million and one ways they can mess with you. It was … definitely a change.
But I’m a very strong believer in the value of the core engineering process in a lot of areas. An engineering degree means something. I’ve also met people who think like engineers even without the formal training. It’s a way of approaching problems that is universal. A rigorous process of identifying the problem, understanding the tools needed, and then creating those tools.
What I got thrown into at the NSA—while it was cybersecurity adjacent—was building the systems that analysts and operators use to stop bad guys, which is still what I do today at Trinity Cyber. Our analysts and operators have a problem they're trying to solve and they need the tools to do it. They need someone like me to build those tools. I build tools, so I had to learn enough about cybersecurity to be conversant, understand the problems they were explaining, understand the tools I was trying to build.
But I'm not a cybersecurity analyst. If you put me in a SoC, I would get fired in a week. It’s a completely different way of thinking that is way more creative and open-ended. On the other hand, what I do today is still all bits and bytes. Computers, ones, and zeros. At the end of the day, I'm trying to get this computer system to do something that happens to be for the sake of cybersecurity. In a way, that's not really any different from building a microwave or building a spaceship—it's all getting the computer to do what you want it to do.
The difference is, in cybersecurity, nothing is as well-defined as building a microwave. Because you have no clue what the person on the other end of cybersecurity is going to do. It’s a game of chess, so you must be flexible and keep options open so that when things change, you haven't invested too much in one solution. The bad actor on the other side could make changes and can now get around your very elegant solution that took you two years to build —and it took them two days to get around it. That’s the challenge, but also what makes it interesting: that adversarial relationship with a bad actor who is actively trying to subvert your system.
In other words, people don't tend to actively try and subvert bridges. So when you build a bridge, you build it for cars driving across it all day. You don't build it planning for cars to drive across it while people try to drill holes in it and plant bombs underneath. But that's cybersecurity: build this bridge, but make sure it doesn't get blown up, cut in half, drilled into, or whatever else some bad actor might do to destroy the bridge while cars are trying to use it. It's a very different kind of problem to solve in that sense.
But the same fundamental questions remain. Questions such as, how do you maintain quality? How do you define the customer’s goal and solve the problem for them while accounting for constraints of time, money, resources and computing power? In cybersecurity, there are real-world limits on what we can do, just like in normal engineering. In some ways, becoming a tool builder in cyber wasn’t that hard of a transition.
I worked at the NSA for seven years and Steve was my boss. Then I found out Steve was leaving to start a company. We'd been trying for years to start using new technology and ran into challenges as a government agency. Trinity Cyber was an opportunity to do things the way we wanted to do them. To build something from the ground up and get it to the rest of the industry. I jumped at the opportunity.
It's not super common. This is one of my frustrations with the education system—computer engineering and electrical engineering programs don't tend to cross paths with a lot of computer science folks. Security isn’t seen as a core competency for engineering. disciplines. It's mostly people like me who have sort of fallen into it—who had a friend, ended up getting a job somewhere and then transitioned into cybersecurity. I’d say less than 5% of the people that I work with are engineers. There are tons of computer scientists. There are a ton of people who took online IT training courses. There are people on my team who have no degree at all and do a great job. But they're solving a different set of problems than the folks with engineering degrees.
I think part of it is a misconception that cybersecurity is purely a computers-and-networking problem. Computers and networking are the tools, but cybersecurity is the biggest game of cat and mouse ever. It's kind of like a war game or a game of chess. There are all sorts of analogies. At the end of the day, cybersecurity is creative problem solving.
At most schools with rigorous training programs, no one is thinking of security as a core competency within the engineering disciplines. There's this gap between what people think of as the traditional role for people with certain degrees and titles. They're not thinking about cybersecurity as just another set of problems that we need all sorts of different approaches to solve, right? I focus on the engineering route because that’s my background. But you also need data science, computer science, mathematics, biology, you need people from all sorts of backgrounds with diverse ways of thinking.
I would tell them to spend time in the cybersecurity industry, even if it's not what they think they want to do long-term because it applies to everything. Find the innovators. Find those companies that are asking, what is cybersecurity? If you like it, stay with it. If you don't like it, go somewhere else. But I think cybersecurity is a cornerstone at this point for anybody in any sort of a technology-adjacent field to understand because cybersecurity issues apply so broadly. And it's such a unique way of having to think. Building a bridge is easy, building a bridge that stands while both cars and people are trying to destroy it is a completely different problem.
Also, it is such a diverse, cool industry. You'll meet some fascinating personalities and have interesting challenges to work on. And again, as I said before, there is no one right answer in cybersecurity. There are many right answers. The answer is always, it depends, which makes you work and think in a different way than a lot of other disciplines.
I came from a deeply technical background, but one of my colleagues has an art degree. He did graphic design and taught himself coding to build webpages, and now he works on our user experience. How does a user interact with your system? How do we present complicated information in a beautiful, usable, manner? He’s great at that. You don't have to be tech geek with a bunch of math and science and engineering behind you. That's where I came from. But there are so many people that came to cybersecurity from so many different places that bring great value and skills.