Headline
Researcher Spotlight: Liz Waddell, CTIR practice lead
How this Talos team member’s love of true crime led to a life in cybersecurity
By Jon Munshaw.
Liz Waddell is usually there on someone’s worst day of their professional lives. Chief technology officers and chief information security officers can hope all they want that the…
[[ This is only the beginning! Please visit the blog for the complete entry ]]
**How this Talos team member’s love of true crime led to a life in cybersecurity **
By Jon Munshaw.
Liz Waddell is usually there on someone’s worst day of their professional lives.
Chief technology officers and chief information security officers can hope all they want that the day they get hit with a ransomware attack will never come. Unfortunately, for many organizations, they’re nearly impossible to avoid nowadays.
Waddell, the IR practice leader for Cisco Talos Incident Response, is then called in by the time the attacks already happened. While CTIR offers many proactive services to protect against cyber attacks, they also serve as boots-on-the-ground helpers to assist companies remediate attacks as soon as they happen and limit the potential damage.
“When you watch an active ransomware encryption happen, and there is nothing you can do to stop it, it’s the worst feeling in the world,” Waddell said in a recent sit-down interview. “When I lose that ability to control the situation, that’s when it gets really hard for me."
Although at that moment, the targets may think there’s no hope ahead, Waddell and her teammates are there to outline the next steps and improve that CISO’s following days.
Liz Waddell, CTIR Practice Leader
CTIR offers emergency services for anyone who may be the victim of a cyber attack. And while the team brings with it a trove of Talos intelligence, the backing of Cisco Secure technology and Talos’ world-class research team, it’s about more than just the 1’s and 0’s at that moment.
Waddell said as the practice leader, she must be flexible and, sometimes, just a good listener.
“You’ve got to have empathy… No one who’s had a breach is going to be calm,” she said. “You have to put yourself in that person’s shoes and see what they might know on their side. They need someone to show them the way, show them the light, give them some answers.”
These days, there are very few calm days for Liz and the rest of CTIR. The team, along with most of Talos, has been heads-down over the past few months assisting Ukraine with ongoing cyber attack prevention and network resiliency. But several years ago, Waddell never could have imagined she’d be assisting an invaded country during an international conflict.
She actually started her career working in audio and video digital preservation. She spent her days moving physical media into digital formats for a Pennsylvania company, managing projects and even combing through thousands of lines of XML code. Her background in audio preservation is fitting given that she’s the newest permanent host of the Beers with Talos podcast.
Waddell eventually moved on to managing databases and code for a private contractor. But she noticed that as she would process these files and store them, there was little thought given to how to properly protect them.
“One of the things that was always bothering me was we would do all this work, and then what happens to the file afterward, we just ignore,” she said.
On top of that, Waddell was, and still is, interested in true crime — she spends a lot of her time away from her desk listening to true crime podcasts like “Crime Junkies” and “My Favorite Murder.” This led her to be interested in the individuals behind cyber attacks and large threat actors and enjoys creating profiles of adversaries to potentially understand their motivations and next actions.
She decided to merge these curiosities and enter the world of cybersecurity. That’s when she returned to school at the University of Texas at San Antonio to obtain her second masters’ degree in information technology and cybersecurity. Eventually, she partnered up with a mentor in the field and got her first job in incident response. She joined Cisco Incident Response (before it moved under the Talos umbrella) in 2018.
Outside of work, Liz has a number of hobbies,
including taking aerial aerobics classes.
Becoming part of the Talos family changed everything for Waddell, she said. Her favorite Talos memories include multiple meetups with co-workers at conferences (which recently have started to return in-person). Working with CTIR can often mean long hours and late nights, but the bonds she forms with her team members make those moments easier to work through. Sometimes it even means working in unique places, like a treehouse at the San Diego Zoo.
"That was definitely my favorite Talos moment,” she said. “I think my younger self would be very impressed and happy that I found a place where I fit in.”
Since joining the team, she’s moved into more of a leadership role and now regularly speaks at conferences around the country, appears in videos for Talos and Cisco Secure, and shares her security opinions and adventures in corset knitting on Beers with Talos every other week.
But she’s also one of the first people to be on site when a customer calls in an emergency. While she enjoys the challenge of addressing an active cyber attack what’s more important is the satisfaction that comes from seeing the customer through to the other side. Waddell is also placing a bigger emphasis now on creating plans of action for customers so that, if the worst day of their professional lives does come, they’re ready to respond and react quickly.
“Your customer is inevitably going to come to you and say, 'What do I do?’” Waddell said. “When media gets a hold of it, it only gets more stressful. But if you have things planned out and you have a path to go, it becomes a lot less scary.”
If your organization would like to work with Liz or one of her fellow CTIR team members, you can reach out to them here. Talos Incident Response offers a range of proactive services for security teams, including hands-on tabletop exercises, a state-of-the-art cyber range for training and much more.