This article originally appeared on builtinchicago.org
What started as a late-night phone call ended in a business being brought back from the brink.
In December 2017, a mortgage company and client of West Monroe contacted the Loop-based consultancy with a grave development: Cyberattackers had penetrated their systems.
“They had been hit with ransomware, impacting nearly every one of their systems, and were completely dead in the water,” Senior Architect Andrew Topp, who spearheads incident recovery efforts, said.
Not only had the attackers downed critical on-premises infrastructure, but as West Monroe discovered, they were also demanding a Bitcoin ransom in exchange for a tool to unlock encrypted files. The team quickly set out to retrieve lost data where possible (ultimately, 30 terabytes), reimage every workstation and leverage hosting providers to rapidly recover the client's downed servers.
Gradually, over the course of two frenetic weeks, operations returned to normal. According to West Monroe, the client ducked nearly $2 million in losses due to their efforts.
“It was a pretty extreme burn rate given the number of people we had to involve — but that’s what it sometimes takes to start from zero and restore these environments,” Topp, a West Monroe member of nearly 15 years, said.
Though the episode happened nearly three years ago, it is typical of the challenges the cybersecurity team routinely tackles at the fast-growing firm today. According to the company, cybersecurity consultants help clients across industries weather malicious behavior like ransomware, data breaches, impersonation attacks and business email compromises.
“We’re helping companies understand how prepared they are to withstand a cyberattack — and then recommending how to reduce both the likelihood and impact of one of these events if they were to occur,” said Senior Manager Christina Powers, a 7-year company veteran who focuses on private equity clients.
For Sean Curran, who leads the cybersecurity practice, the remote state of the world adds a new dimension of considerations that are as daunting as they are stimulating.
“Every person’s home network is now a security domain,” he said. “It’s an opportunity to start thinking out of the box, which is something that I find exciting.”
What makes practicing cybersecurity at a consultancy unique? According to teammates, it is the breadth of clientele, tech and challenges that makes for anything-but-routine days.
Curran: No client is the same. No day is the same. Those who work in consulting really have to embrace the concept of change. Not only do our consultants get to learn cybersecurity, but they get to learn how businesses operate, which we take into our personal lives as much as anything else.
Powers: You’re able to provide value across different industries and of different sizes. I think getting that experience helps you learn and grow faster in a consulting career than in an industry career. Given that the challenges that each company faces differ, it keeps the work exciting.
Topp: I get to see different industries’ security tolerances and levels of preparedness — and develop some amazing troubleshooting skills. I see more unique scenarios in a shorter amount of time than if I were managing an internal environment or working in a different industry.
Topp: I get to see all of the technology decisions a client has made, and I have to challenge myself to be competent in as many areas as I can. If one client picked Azure as their cloud provider, and the next client picked AWS, I need to be reasonably sharp in both. We can’t effectively threat-hunt, recover or rebuild a platform if we don’t understand it. It forces us to have at least some basic understanding of what every setting does and how every platform operates.
Once I figure it out on a new product, I can add it to my arsenal. I’m dangerous in more areas versus being limited to a specific product or platform. I can’t be specialized like that because then I’m not useful on the next project if I only know products that the next client doesn’t have.
Powers: As we work with a variety of companies, we see a lot of different technologies. From a hands-on perspective, we’re working very heavily in and understanding the ins and outs of Office 365 for the assessment and threat-hunting work that we do in that space. For threat-hunting, we’re leveraging internally-developed technologies built on the AWS platform, Graylog and a number of unique AWS features that allow us to analyze big data.
Powers: Internally, since we often have teams that are a little bit smaller, teammates get a lot more leadership exposure. Also, if we’re doing something industry-specific that’s broader than just cyber, we’ll be working with individuals across other practices here, such as healthcare and life sciences, which is a good way to get additional exposure.
With clients, I’m typically working most closely with the CIO or the CISO, while also working with more technical and tactical resources like system administrators or IT leads. We often meet with the boards to present our findings. When junior teammates get to lead meetings or present findings, they’re able to get that exposure as well.
Topp: As younger consultants work these incidents, they get to develop relationships with clients’ senior management at a frantic pace. There’s no better way to develop a trusted adviser relationship with a client than pulling their business out of the fire. There’s the ability to build those relationships incredibly quickly to a degree that I didn’t have when I started my career.
While hard skills undoubtedly inform success, Curran said that he prizes a pair of crucial intangibles in cybersecurity teammates: aptitude and attitude. “Those two things will get someone much further than technical skills alone,” he said. “In many cases, technical skills are things that we can teach.”
Curran: Being a leader means helping grow and mentor the team. I also have a philosophy to never ask anyone to do something you wouldn’t do yourself. I’ve been in the weeds doing as much on projects as anyone else has. A leadership role is being less command-and-control and instead more in tune with what the team’s doing and working alongside them.
Powers: People are very willing to take time to teach and walk through things. Given that we’re often working on smaller teams, there are a lot of leadership opportunities for junior staff, like leading a meeting, presenting findings or owning a workstream. Having a collaborative culture helps people be more successful and more confident in their work.
Topp: I’ve sat on conference calls at 2 a.m. with Christina and Sean decrypting files on client servers. All of our leadership is willing to get in the trenches when things get tough. I think it makes the team more willing to go the extra mile for somebody. It’s not about “I’m the top dog, so I don’t have to do the less exciting tasks.”
Curran: The number of attacks and their impact is truly eye-opening to everyone who maybe thought they were immune to them. Then add in the COVID-19 situation: How do you secure an environment that no longer revolves around a brick-and-mortar data center and office space? Every person’s home network is now a security domain. It’s an opportunity to start thinking out of the box, which is something that I find exciting.
Powers: I think what keeps cybersecurity exciting is that every company needs to be thinking about it. We’re constantly seeing new challenges, and we’re continuing to work with that very diverse group of clients and industry.
Topp: Companies are moving to new platforms with different security controls, capabilities and functionalities. It’s a whole new challenge for us to secure these new environments, recommend hardening projects or preventative projects, and then recover them if they are impacted. And it’s exciting to be building a business where we can be a thought leader.