Welcome to Dark Reading’s Heard it From a CISO video series, which offers advice on breaking into and advancing within the cybersecurity field from those who have been there.
Cybersecurity is a field that touches every aspect of modern life, from personal privacy to global business operations. In Dark Reading’s latest episode, Etay Mayor, chief security strategist at Cato Networks and professor at Boston College, shares his journey, expertise, and advice for those interested in entering this ever-evolving domain. With a career spanning decades, Mayor’s unique perspective highlights the many opportunities within cybersecurity and the importance of thinking like an attacker to build effective defenses.
From hacking his school’s database as a curious teenager to earning advanced degrees in computer science and counterterrorism, his journey underscores the value of curiosity and hands-on learning. Today, Mayor leverages his technical expertise and storytelling skills to educate students and professionals alike, emphasizing the need for diverse perspectives in tackling modern cyber threats. His work at Cato Networks and Boston College reflects his commitment to fostering innovation and collaboration in the field.
In this interview, Mayor stresses that cybersecurity is not just a technical discipline but a multifaceted field that intersects with law, policy, marketing, and more. He encourages aspiring professionals to explore the wealth of resources available today, from online tutorials to AI tools, and to embrace the industry’s collaborative nature. Whether you’re a technical expert or someone with a background in law or business, Mayor believes there’s a place for everyone in cybersecurity, as long as they are willing to learn, adapt, and think creatively.
Also, check out our other installments in this series: "Bridging the Skills Gap: How Military Veterans Are Strengthening Cybersecurity" with Bruce Jenkins, chief information security officer at BlackDuck, Jeff Liford, associate director at Fenix24, and Frankie Sclafani, director of Cybersecurity Enablement at Deepwatch; "From Chef to CISO: An Empathy-First Approach to Cybersecurity Leadership" with Myke Lyons, CISO at Cribl; "Fastly CISO: Using Major Incidents as Career Catalysts" with Marshall Erwin, CISO at Fastly; "From FBI to CISO: Unconventional Paths to Cybersecurity Success" with Kaseya CISO Jason Manar; "Cyber Career Opportunities: Weighing Certifications vs. Degrees" with longtime CISO Melina Scotto; and "Male-Dominated Cyber Industry Still Holds Space for Women With Resilience" with Weave Communications CISO Jessica Sica.
Cato Networks’ Etay Mayor: Full Transcript
This transcript has been edited for clarity.
Kristina Beek: Hi, I’m Kristina Beek. I’m an associate editor with Dark Reading, and I’m here for another episode of Heard It From a CISO. We’re here to hear from experts and cybersecurity professionals about the ins and outs of the field. Today I’m joined by Etay Mayor, Chief Security Strategist at Cato Networks. Thank you so much for being here today.
Etay Mayor: Thanks for having me.
KB: Let’s just get started from the beginning. What does your education and background look like, and how did you first get involved with cybersecurity?
EM: In terms of background, I have a bachelor’s in computer science and a master’s in counterterrorism and cyberterrorism. But I got into computers and cybersecurity as a kid. I’ve always played around with computers. I liked to take things apart. I was also not a very good student, but I was pretty good with computers, so I actually hacked into my school’s database and changed my grades.
KB: Wow.
EM: That’s how I started with cybersecurity. I got caught and punished. By the way, I taught other kids how to do that so they could change their grades. Me and academia have a very interesting relationship, but that’s how I got into computers and hacking. I started with no formal education and then built it up from there.
KB: What does your formal education look like?
EM: I graduated high school, did my undergrad, and then my master’s. At the same time, even during my undergrad studies, I got into the industry. I started working and doing project management in anti-fraud and cybersecurity.
KB: How would you describe your journey into becoming a chief security strategist? What does your professional career look like?
EM: In terms of my professional career, I started with project management in the anti-fraud space. I got into understanding the very early days of phishing and malware — how attacks happened and their implications for organizations. I quickly moved into the area of threat intelligence and dove into what happens behind the scenes. I studied how threat actors think, operate, what they talk about, and what their forums and markets look like. I ran the RSA research lab, where I had teams of reverse engineers and penetration testers. At the same time, I discovered I was good at taking complex technical stories and translating them into a human-readable format, making stories out of them. I started appearing at conferences and talking about the research we found. That combination of technical understanding, hands-on cybersecurity, and the ability to build reports and presentations paved the way for me.
KB: What has it been like working at Cato Networks?
EM: It’s been amazing. I’ve been with Cato for five years now. I started the threat intelligence area at Cato, focusing on AI and threat intelligence to understand threat actors. We built something called CTRL, the Cyber Threats Research Lab, which combines all the research groups at Cato. It creates a knowledge base that helps our clients and educates the market about what we see and what threat actors are planning.
KB: I also understand that you’re a professor at Boston College. What do you teach, and what have you learned from your students?
EM: Yes, I am a professor at Boston College for cybersecurity. My course is called Designing Defensive and Offensive Capabilities, but I’ll let you in on a secret — it’s just because I couldn’t name it Introduction to Hacking. That’s what it is. I teach non-technical students, not computer science students, how to think like a cybercriminal or a threat actor. One thing I’ve found in my career is that we have very good defenders and researchers, but many don’t think like attackers. What you end up with is a checklist approach of what needs to be done, but we need to look at things from the attacker’s perspective. In this course, we study how to attack systems, collect information, use AI for operations, and perform social engineering attacks. Students come in expecting to see the latest security tools, which they do, but they also hear me say that one of the best hacking tools is a hard hat and a yellow vest. That’ll get you in anywhere without many questions. We try to think outside the box and perform operations — not actual attacks — but how we would work as attackers.
KB: Do you have students who, after taking your class, decide cybersecurity might be something they’re interested in pursuing professionally?
EM: Yes. Most of my students are from security policy or the law side of things. Many of them discover that you don’t have to be super technical to be part of a cybersecurity group in an organization. It’s great to be technical, but what I’ve found, almost every semester, is that students from completely different areas of study bring ideas I’ve never thought about. They show me how I still have tunnel vision, and their thinking is completely outside the box. It’s fascinating to see their train of thought.
KB: Considering how these students think outside the box, which is needed in cybersecurity, how would you say is the best way for someone to enter this field?
EM: First of all, don’t be afraid. Many people think there’s a high barrier to entry, and while there is a requirement for some technical capabilities and knowledge, the industry needs external perspectives. It’s very different from when I started almost 30 years ago, when you had to find specific books or someone who could explain things to you. Now, there’s so much knowledge out there — YouTube channels, videos, classes, master classes. There’s a wealth of information to start educating yourself. People should also know that the industry, while it has many companies, is a small world. I’ve yet to see someone approach a cybersecurity executive with questions and be ignored. People approach me on LinkedIn, and I don’t know many who would ignore such requests. The industry is open to talking, and you can approach executives who might seem on a pedestal — they’re not. We all started somewhere. Just go for it. What’s amazing about cybersecurity is that it’s constantly evolving. We’re learning new things on a weekly basis.
KB: Would you consider cybersecurity a field that is growing?
EM: Yes, it’s constantly growing and expanding because of the different elements being added. If you had asked me this question 25 years ago, I would have said cybersecurity is part of IT and very technical. Now, you see cybersecurity in politics, marketing — there’s no single industry not affected by it. The reverse is also true. If you’re a chief information security officer in a large organization, you want stakeholders from every field to help you. When a breach or attack happens, it’s not just an IT issue — it’s a business issue. You need lawyers, marketing people, technicians — everyone needs to know what they’re talking about. It doesn’t matter where you look; you need people from every part of the organization. It’s definitely growing and constantly expanding.
KB: How does someone know that cybersecurity is what they’re interested in? With tech at the top, there’s IT, cybersecurity, and other branches. How does someone know cybersecurity is the right fit?
EM: I think you don’t know until you try and play around with it and start studying. Even within cybersecurity, there are so many branches. You don’t have to be the firewall person. You could be the lawyer who understands cybersecurity. There are so many elements to it. Cybersecurity doesn’t just affect us at work; it affects us at home with our families. You’ll run into it all the time. Try a course and see if you’re interested in hacking systems or understanding the laws and regulations around it. Some people really enjoy that. There are so many disciplines within cybersecurity.
KB: Cool.
EM: It’s extremely diverse. I teach at a university, and my top two researchers who report directly to me don’t have degrees. They studied on their own. They were curious, started playing around with things, and became extremely professional at what they do. That is a completely legitimate path. Another path is formal education. The technical and hard skills are always good to have.
But those external views and people coming from different areas, bringing different perspectives, are always interesting. Let me give you an example. One of the projects we do in my course is around OSINT (open source intelligence) and how much information you can collect from the web—things people post on Facebook, Instagram, or other platforms. I teach this and then ask my students to apply what I’ve shown them. About three years ago, one of my students, who was in the military but not a technical person by nature, came back with her project. She showed me how she used Venmo to identify social groups, who’s friends with whom, who’s no longer friends, and mapped out relationships.
I didn’t even realize Venmo made everything public unless you set it to private. She took all the logs and analyzed the relationships between different people. It wasn’t that I didn’t know how to do it — I didn’t even know it was possible. That’s why I value the different perspectives people bring from various disciplines.
One thing a former detective might bring to the table will be very different from what a student from the football team at Boston College might contribute. It’s fascinating to see these diverse perspectives.
KB: What about soft skills or qualities that help people succeed in this field? What have you noticed in people you’ve managed or taught that allows them to excel?
EM: It’s extremely diverse. My top two researchers, as I mentioned, don’t have degrees. They were curious and self-taught. That curiosity and willingness to explore are key qualities.
The technical skills are important, but those external perspectives and the ability to think differently are just as valuable. For example, in the OSINT project I mentioned, the student’s unique approach using Venmo was something I hadn’t even considered. That kind of thinking — looking at things from a different angle — is incredibly important in cybersecurity.
KB: Are there any final thoughts or takeaways you’d like to share with people interested in cybersecurity, those thinking about pivoting into the field, or anyone with a general interest in it?
EM: The main thing I’d like people to take away is not to be shy about trying and experimenting with different areas within cybersecurity. If you want to try hacking into systems, there’s a wealth of information available — videos, tutorials, masterclasses, and even AI chatbots to help you figure things out.
If you’re interested in thinking outside the box or understanding how an attacker might approach things, you can help organizations move beyond checklists and adopt more forward-looking strategies.
Give it a try, and don’t be afraid to approach cybersecurity professionals with questions. I’m sure they’ll be happy to help.
KB: Thank you so much for taking the time to speak with Dark Reading today. I really appreciate it, and I know this will be helpful for people interested in joining the cybersecurity community.
EM: Happy to have been here and thank you for the opportunity.