Join us today with another interview in our blog series: Authenticated Answers! We sat down with Tony Parrillo, the VP, Digital Engineering Global Cybersecurity at Schneider Electric.
At Valimail, we take our work seriously but try not to take ourselves too seriously. That value inspires us to get to the heart of what makes people unique and how that shapes their careers, so we can offer useful advice, inspiration, and insight to people who work with email every day.
In this lighthearted interview series, we connect with experts from the email, IT, security, ISP, and authentication spaces to learn more about them and their experiences.
Listen to the full interview here or keep scrolling for the highlights:
About Tony Parrillo
Tony Parrillo has been with Schneider Electric for seven years and is responsible for cybersecurity across all of the company's industrial activities and R&D facilities. He supports both the products themselves and how those products are manufactured and delivered.
He started his career as a naval aviator and made over 600 arrested landings on aircraft carriers during his service time in the Navy.
What’s an email security myth you wish more people would stop believing?
The biggest one that kills me doesn’t pertain just to email, but it definitely applies to phishing: the belief that there’s a perfect system out there. That if we buy the right tool, it will ensure a phishing email will never make it to a person.
I try to explain that there are really, really smart people on the other side who are finding ways around everything to get that email into your inbox. Even if there was a magic solution, down the line they’ll find a way around it.
And they’ve refined their techniques of making it seem urgent and getting you when you’re not thinking clearly on Monday morning before your coffee. So you’re going to click on that before you actually think about it, and they’re great at it, and no matter what step we take, they take another step.
But everybody believes, from executives down to the factory workers, that there is a magic bullet that is going to block them all.
I usually talk a lot about the human firewall. And I tell people, you’re a smart person. You’re here for a reason. You’ve succeeded in your career due to critical thinking and other reasons. So you need to apply that to every email in your inbox; don’t just zip through. So it’s training, awareness, and getting the message across.
What’s the smallest hill you are willing to die on?
So that’s a tough one, because I’ve been doing this for twenty-five years, and I’ve seen all kinds of ups and downs, and I’ve seen a lot of executives who have high-risk or low-risk tolerance.
And I work with teams with specific business reasons for why we need to do things. So even when you’re up against the best practice, there may be a reason not to use that best practice.
So much is case-by-case. There have been times when I’ve said absolutely no, we cannot do this, but I haven’t said that in a while. I will say, in general, long, nuanced discussions about the risks usually come to some sort of compromise.
Early in my career, we were the department of no, and I had bosses who were super tough and said no to everything. And I watched that happen, and I watched how it wasn’t always productive.
So I try to never just be the office of no. I try to be the yes, but. Or we could do that, but why don’t we do it this way? I think everybody is more willing to have a measured discussion about the risks and what we should do to move ahead.
How did you get started in IT/Security? What do you love about it?
I love that it’s so dynamic, and it’s so exciting. It’s so interesting and changes so rapidly that you have to keep up with your professional education. You have to keep up on what’s happening in the environment, both on the threat and defender sides. I think that came from when I started in naval aviation.
I flew EA-6B Prowlers, which were electronic warfare. That was my gateway into cybersecurity because electronic warfare involved jamming, deception, and all kinds of things like that against air defense systems. Then, at some point in my career, the Navy transitioned me to the wired cybersecurity industry.
You always have to be engaged. I tell people it’s like playing tennis and chess at the same time. So you’re playing tennis, and you have to keep hitting those incidents and stop them. But at the same time, you have to be very strategic and plan how you’re going to use your resources and things like that.
If you could instantly fix one major security flaw in the email ecosystem, what would it be?
The whole IT ecosystem was designed to be completely open, all the way back to ARPANET. And it’s the same with email. So it’s designed to be very easy breezy, so anybody can really impersonate anybody.
We’ve been cracking down on that, but obviously the thing is trying to get to levels of authentication and find out who sent the email. We’ve done the PKI signatures and stuff like that. So the non-repudiation of who the email came from is the toughest part.
And the inventors of email were very optimistic. They didn’t run it through a threat model because there was no reason to in those days, and everybody thought it was going to just be used for good. And of course, everything that’s used for good can be used for bad as well.
What’s the funniest or most bizarre phishing email you’ve ever received?
I’ve gotten some phone calls from some people with some emails, and some were definitely very entertaining.
I will say the biggest type of those calls was back when ransomware was much more individual, where they would lock up people’s computers and want you to pay a hundred dollars, or pay in Bitcoin. Now that it’s a bigger business, the bad actors target big businesses because that’s where the money is.
What’s a non-technical skill that has made you a better security leader?
A sense of humor.
Cybersecurity tends to be a pretty boring and negative practice. You never get to tell someone that you have great news. The best news you could have is that nothing happened.
It can get a little dark. So you need a sense of humor to lighten things up and keep people motivated.
There are times that you’re going to be working long, crazy hours. There will be other times that something’s going to happen, and it’s going to be demoralizing, and you need to keep a fresh face and be optimistic and keep your team optimistic that everything’s going to work out in the end.
It also helps when you’re teaching new people. I can tell when people start zoning out when you talk about cybersecurity. I’ll throw a joke or two in, and it snaps them back in, and they pay attention a little bit longer.
Sometimes working in cybersecurity feels like a death march. We’re going to keep going forever, because every time we do something, the bad guys respond, and it’ll keep going forever. But I also point out that that’s job security. That’s not the case for many other areas of IT that have waxed and waned over the years.
How would you explain DMARC to your grandparents, friends, or relatives?
I would explain Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a stamp you get at the Post Office. You bring a letter to the Post Office, and the Post Office says it was definitely sent from someone in your home. It can’t be down to the individual, but at least they know it came from your house.
So it’s much more secure than any other previous systems where you can just throw an anonymous letter in the mailbox, and it just shows up. And you’re never really sure who it’s from. There may be a postmark or something like that, but you don’t get a lot of information.
DMARC is a big step forward in determining who the actual sender is, and if you couple it with good practices on the sending side, you can have pretty strong assurance that a human being sent that email. And that’s important for business deals or for any agreements.
Hopefully we’re going to be using it more and more. That way, we have better assurance of the emails that are flowing around the Internet. And there’s still so much spam, so many garbage emails out there that are generated and just sent out hoping, you know, the spray-and-pray technique.
I think the Google, Yahoo, and Microsoft DMARC requirements are a step forward in the right direction. They’re probably three of the biggest providers, and almost everyone I know has a personal Gmail. So the fact they’re all pushing in that direction is definitely a big step forward for us and having the ability to know who’s sending you what.
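The "it came from your house, not from a specific person" analogy above maps directly onto how a receiving mail server actually evaluates DMARC: a message passes only if SPF or DKIM passed *and* the domain that passed aligns with the domain in the visible From: header, and the published policy (p=none, quarantine, or reject) says what to do otherwise. The following is an added example, not code from the interview or from Valimail: a small Python evaluator over constructed sample data (the `_dmarc` record text, the `AuthResults` values, and the domain names are all made up for illustration, and `org_domain` is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List). It shows the point practitioners most often miss: an attacker can get SPF and DKIM to *pass* for their own domain, and it is alignment, not the pass itself, that ties the authentication to the sender you see.

```python
"""Added example: DMARC policy lookup, identifier alignment, and verdict.

Everything here is constructed sample data, not a real domain's record.
Tags follow the RFC 7489 record syntax (v=, p=, sp=, adkim=, aspf=).
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record into {tag: value}, filling in RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 must come first)")
    if "p" not in tags:
        raise ValueError("p= tag is required")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption for this example only: a real receiver uses the Public Suffix
    List so that, e.g., 'example.co.uk' is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    """What SPF and DKIM verification produced for one message."""
    spf_result: str    # "pass", "fail", or "none"
    spf_domain: str    # domain of the SMTP MAIL FROM (envelope sender)
    dkim_result: str   # "pass", "fail", or "none"
    dkim_domain: str   # d= of the signature that verified, if any


def evaluate_dmarc(from_domain: str, record_txt: str, auth: AuthResults):
    """Return (verdict, action). Action is the policy the receiver should
    apply when the verdict is 'fail'; 'none' when the message passes."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = auth.spf_result == "pass" and aligned(
        from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(
        from_domain, auth.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= governs subdomains of the organizational domain; p= governs the rest.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return "fail", (policy["sp"] if is_subdomain else policy["p"])


# Constructed sample record: enforce reject at the org domain, quarantine on
# subdomains, strict DKIM alignment, relaxed SPF alignment.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

# Legitimate mail: bounces go to a subdomain, which relaxed SPF alignment allows.
LEGIT = AuthResults("pass", "bounce.example.com", "none", "")

# Spoof: SPF and DKIM both PASS, but for the attacker's own domain, so neither
# aligns with the From: domain the recipient actually sees.
SPOOF = AuthResults("pass", "attacker.test", "pass", "attacker.test")

# Misconfigured legitimate sender: DKIM d= is a subdomain, but adkim=s demands
# an exact match, so the message fails DMARC despite a valid signature.
STRICT_MISS = AuthResults("none", "", "pass", "mail.example.com")


def demo() -> dict:
    """Run the three constructed cases and return their verdicts."""
    return {
        "legit": evaluate_dmarc("example.com", RECORD, LEGIT),
        "spoof": evaluate_dmarc("example.com", RECORD, SPOOF),
        "spoof_subdomain": evaluate_dmarc("news.example.com", RECORD, SPOOF),
        "strict_miss": evaluate_dmarc("example.com", RECORD, STRICT_MISS),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The `strict_miss` case is the practical caveat behind "couple it with good practices on the sending side": tightening alignment to strict is only safe once every legitimate mail stream signs with a `d=` that exactly matches the From: domain, which is why most deployments start at `p=none` with reporting enabled and move to `quarantine` and then `reject` as the reports show which senders still fail.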
Liked this interview? We have a whole collection of Authenticated Answers guests to read.