Cybersecurity Experts: Conversation with Nick Shaw

Nick, where did you work before you joined Tripwire?

That’s right, I started at Tripwire in January 2019 and it’s been quite a ride. I’m finding it to be extremely enjoyable. I know a lot of my colleagues have been here ten years or more, which is something I really appreciate. Right before Tripwire, I was at Rockwell Automation, helping establish effective industrial cybersecurity solutions with clients at two well-known food and beverage companies. I was the technical lead for OT architecture so I worked very closely with the customers and was really well integrated as part of their onsite cybersecurity team. We tried to be very collaborative and establish ourselves as long-term partners working hand-in-hand, which is something I see a lot here at Tripwire. As you can imagine having relationships like this, I spend a lot of time on the road with customers. I’ve lived my whole life in Rochester, but I travel so much now I joke I really only get my mail here!

Were you always interested in the industrial side of cybersecurity?

When I was at RIT (Rochester Institute of Technology) a decade or so ago, like many computer science majors, my goal at the time was to head west and work for Apple, Google or some other big tech company, but I got involved with a co-op work program at school and it really opened my eyes to the flourishing world of industrial manufacturing. That got me really excited and put me on this path. I really liked the company I was working with. It offered turnkey industrial incineration and I did a wide variety of tasks including programming PLCs (programmable logic controllers), setting up servers, designing network architecture and even wiring panels in the panel shop. The incinerators we were operating were huge—up to 14 stories tall and 25 feet wide. We were pumping fuel into them and they were incinerating various materials, so you can bet it was vital that we monitored everything as carefully as we could. They were really like big bombs, so I was very aware of the need to absolutely optimize safe operations and protect the integrity of the process from any type of vulnerability.

How has industrial cybersecurity changed since then?

We would design security best practices into every system as best as we could, but the best practices ten years ago weren’t that advanced.

"For example, the mindset at the time, even among proactive companies, was that if the OT network was not connected to the IT network or directly to the outside world, you were safe.”

Now we know that’s dangerously simplistic thinking and that there are many ways in which an “air gapped” system can become infected or hacked. Fortunately, mitigating those dangers is fairly easy—low-hanging fruit. When you see them in action, cybersecurity measures like segmentation and zoning are amazingly impactful considering that you can start implementing them tomorrow.

What have you been enjoying most about working with Tripwire and its customers so far?

I think I’m most excited by the culture here. As I mentioned, it’s very collaborative, both with customers and with colleagues, which I like. It’s a lot different than working for a huge company with tens of thousands of people like where I was before. For example, I really feel that my colleagues and I, at this 500-person company, have a huge say in what Tripwire does, what it offers and the direction the company is going. We talk directly with senior leadership and give them specific feedback and input from customers. So far, I’ve already seen a lot of our inputs put into products and even how we approach the market. A number of my colleagues and I bring a lot of customer perspective on how a non-regulated industry, such as manufacturing, views cybersecurity.

Manufacturers are not required to implement cybersecurity controls by law like a North American Electrical Utility company does for NERC CIP compliance. They might be looking at a cybersecurity investment as an “expense” or “tax” that takes money away from investing in more infrastructure to support operational gains. So they need to understand that if they have an incident—which is becoming more and more likely—the cost of downtime and waste could easily far exceed the benefits they may have gained from an investment in direct operational improvements. Similarly, cyber incidents don’t always involve hackers—less dramatic circumstances like a change in a configuration can lead to product not being produced as efficiently or at the same level of quality as before, causing real damage to process integrity. I think that these are very important, business-saving observations that need to be communicated more frequently. That’s why we’ve been doing so more and more now in how we talk to customers about our offerings and the benefits that they can bring.Do your customers find value in the Tripwire connection to Belden?

It’s funny, I didn’t even know that Tripwire was owned by Belden until we were far down the path of employment discussions, but when I found out, that gave me even more confidence as a professional building a career in industrial cybersecurity in making the move to Tripwire. Everyone in industrial networks is well familiar with the quality of Belden industrial cables, Hirschmann switches and Tofino firewalls. That reputation and 100+ years of industrial experience is something that no one else in the cybersecurity space can match. It really shows that industrial is and always will be a priority for Tripwire. Relatively, I’m still the new guy but I’m part of calls every week about industrial market trends and discussing both short- and long-term product development efforts, and I see Tripwire continuing to make significant investment in pushing the envelope in industrial cybersecurity products. So I personally see firsthand that Tripwire and Belden are committed to ongoing innovation and development of industrial solutions for the long term, and I feel good about sharing that knowledge and confidence with my customers.