It's official! The Unauthorized Access podcast has returned, now with a slightly different spin. Our monthly podcast will spotlight the human aspect of cybersecurity, bringing you closer to the remarkable personalities shaping the industry. In our latest episode, Troutman Pepper Partner Sadia Mirza chats with Joe Tarraf, chief delivery officer at Surefire Cyber. They discuss Joe's journey to cybersecurity, the crucial role of communication in delivering services, and his favorite New York City restaurant. Also tune in to find out if Sadia genuinely misses Kamran, and who Joe considers to be one of the best human beings in the industry. Sadia certainly echoed his sentiment.
Unauthorized Access: Unauthorized Access Returns With "Get to Know Joe"
Host: Sadia Mirza
Guest: Joe Tarraf
Sadia Mirza:
Welcome to Unauthorized Access, the podcast that once used to tell you about what's going on in the cyber world today and has now shifted to the human element in cybersecurity. And by that, I mean a podcast dedicated to the who's who in the cyber and incident response community. My name is Sadia Mirza and I lead the incidents and investigations practice at Troutman Pepper. I used to co-lead this group with Kamran Salour, my dearest best friend, but since he's not here anymore, I just get to be the leader now. I miss him dearly. And Kamran, if you're listening, which I fully expect you to be, you are always a welcome guest on my podcast. I am joined today by my dearest brother, Joe Tarraf, who is the Chief Delivery Officer at Surefire Cyber, and my very first guest on this official who's who podcast. Dearest brother, thank you for joining me today.
Joe Tarraf:
Thank you for having me.
Sadia Mirza:
It only took us about four months to get this on the calendar and truthfully, and Joe, I know you probably know this, part of that was because I was a little bit sad to record this without Kamran, but in light of like I think he's written 18 incredible articles without me at this point, I figured it was time for me to start doing some things. Honestly, I wouldn't want to do this with anyone else besides you on the first one, but thanks again.
Joe Tarraf:
Thank you very much. I am honored and humbled, Sadia.
Sadia Mirza:
Okay, brother, this is going to be our first series of really who's who, and so this is going to go into questions about you letting everyone in our IR and cyber community know a little bit more about Joe. First, we're going to start off with you telling us a little bit about yourself, hobbies, where you grew up, favorite foods, all of the details that make you you, nothing that's going to be used for any kind of identity theft or fraud protection purposes. But just tell us about yourself.
Joe Tarraf:
Sure, happy to. And I think we'll take that order and flip it around a little bit. So let's start with where I grew up. I was born in the US, spent the first short period of my life here, but my formative years, much of my childhood and early teens were in Lebanon, and then I moved in my early teens to Canada, to Montreal. So I spent another lifetime there, about 17, 18 years or so in Canada and Montreal, and then finally moved back to the States about five or six years ago. A little bit everywhere. Whenever anybody asks me where you're from, I always say I'm confused and I think that also leads into the accent that I have. So a lot of people realize, obviously, that I have a bit of an accent, but nobody can pinpoint where that accent is from. Adds an air of mystery, which is good, I guess.
Sadia Mirza:
Joe, this reminds me of the first call that I had with you. I remember me and Kamran were in New York, and also I'm going to talk about Kamran like 25,000 times on this podcast apparently, but as you would expect, right, and I imagine Kamran's listening, smiling somewhere now, but I remember we were in our New York office. We had not worked with Surefire before. It was just our first scoping call with Surefire. None of us knew what to expect. And you got on the call. I just want you to know that when I met you in person and who I thought you were on the call was completely two different people. I did not know where your accent was from. I honestly couldn't even tell your age. I couldn't tell anything, but when I met you in person, I'm like, "Oh, wow, this is Joe."
Joe Tarraf:
I've had the same reaction. Funnily enough, there's another journey in the industry that I work with quite often, but never met in person. When I first met him in person, this was years ago, he actually did a double take when I shook his hand and introduced myself. He's like, "Joe, I thought you were in your 60s and you smoked half a pack of cigarettes a day." This is new. So that's a common reaction, Sadia. I guess I have one of those voices.
Sadia Mirza:
Yes. Okay. Joe, so you've lived in lots of places. If you know me, I am a major foodie and I'm always concerned about what people like to eat, and so from all these places, I want to know what your favorite cuisine, favorite foods, what's that?
Joe Tarraf:
Again, growing up in a bunch of places, you just get exposed to a lot of things, so it's pretty eclectic. I do like food for better or worse, so it's hard to pick one, but I have to say, if I were to pick one food, if it were my last meal or something like that, I'd have to go back to Mom's Lebanese cooking, like the old traditional stuff that I grew up on. So it would be that. I think that would be my go-to cuisine if I had a gun to my head.
Sadia Mirza:
That's true for me too. I love everything. At the end of the day, it's always my mom's food and my family's from Pakistan, and so it's always her food that I would go back to. Okay, I'm going to stop talking about food after. One more question, Joe. You're in New York, right?
Joe Tarraf:
Yes.
Sadia Mirza:
Okay. Favorite restaurant?
Joe Tarraf:
Oh, there's plenty. Do you have a favorite cuisine in mind?
Sadia Mirza:
No. It's a broad question for you. If I had to go to one spot, what's the one place you would say people need to go to?
Joe Tarraf:
Keeping the theme in mind, the sort of Mediterranean Lebanese food in mind, and I am not paid by this restaurant or associated with it in any way, shape, or form, but I would probably try out ilili in Midtown. That's I-L-I-L-I.
Sadia Mirza:
Okay. That's what I was about to say, is you have to spell it for us so we can go look at the menu. Okay, very good. Now that we've talked about the important details, why don't you tell us a little bit about Surefire and what is the chief delivery officer?
Joe Tarraf:
It's a completely made-up title that I made for myself is the reality. It's a running joke between the CEO, Billy Gouveia and I, is that I made up my own title. What it really means, all joking aside, is I oversee the delivery of our services at Surefire Cyber. So we are an incident response firm. We are an IR firm. All we do day in and day out is help organizations deal with cybersecurity incidents like ransomware, business compromises, et cetera. When we started the company, my job was to build up the team, build up our response processes and build up our response capabilities and to make sure that we are supporting all our clients and partners the way they deserve to be supported. And my continuing job is making sure that we continue to do so and scale out our capabilities as we grow more and more.
Sadia Mirza:
Joe, I feel like, and this is probably a discussion for you and Billy, I feel like I should get some kind of payment for how much I advocate and promote Surefire. You being the chief delivery officer, I'll say the one thing, and this isn't just because this podcast, you guys have heard me say this a million times, even though it's a made-up title, I've seen you act as the chief delivery officer on a lot of incidents. You always came into incidents when maybe insured needs a little bit more handholding.
It's something about your communication style that I think really stands you apart, and you know I always talk about communication being what makes or breaks your response. And I think this is true of the entire Surefire team, and it's not surprising to me with you being in the role that you're in, that your communication style is what helps deliver a superior product over, again, I love lots of firms, but over some of the competition. I think that's what stands Surefire apart. And so my point is, chief delivery officer makes sense to me when I've seen you do what you do on the matters.
Joe Tarraf:
Thank you, and you're too kind, but you're absolutely right. That's why we love working with you, and that's why we make I think such a good team is that we do have the same philosophy and the same kind of approach to things. And you're right, communication is key in situations like this. When everything's on fire, that's what makes or breaks the response, and that's what creates, I think, the most impact for victims. The technical work is important.
Obviously, the quality of the delivery there is very important and so on, but at the end of the day, if we are able to reassure the victims that what you've got the A team here, we've got you, we've got your back, we're going to get you through this. And if we're able to do that in a way to instill a bit of calm in them and to instill a bit of confidence in them, then that's when we're doing our job right. We've got a pretty good approach to things. And do you know what's impressive about it on my side, is that we didn't actually need to plan that out when we worked together. We didn't need to actually sit down and work that out. It just fell in organically.
Sadia Mirza:
Yeah.
Joe Tarraf:
Which is great.
Sadia Mirza:
Well, I wondered, Joe, even when you're interviewing people, I feel like you must be subconsciously looking for that style because it doesn't exist in everyone but the team that you've built out. I think everyone has that in them, like the ability to deliver feedback or explain next steps with confidence and be able to reassure the insured or the client that they're in good hands. It's probably something that you don't realize that you are intentional about it. It was more subconscious for you because I feel like that's the product you deliver and probably what you are subconsciously looking for your team. But all around, I think that's the best thing about Surefire is the communication style and that you can have teams that are very good at the technical aspect, but if they can't get on the call and deliver the message that needs to be delivered, that kind of leads us down a bad path.
Joe Tarraf:
And I think that works both ways. That's equally important for your side, for the legal side, for counsel side too, right? Not to turn this into, "Oh, you're the best or you're the best," but that's why we love working.
Sadia Mirza:
No, no, no. Please go ahead Joe. Go on. Go on. I like this part. Go on. Tell everyone.
Joe Tarraf:
Again, the way that you approach the advice that you give to clients, it's proportionate. It's explaining clearly why you're giving that advice and why you wouldn't give other advice. It's not a formulaic approach that you take. You take each case as it is, you understand the circumstances of it, and you base your advice based on the circumstances of the case and the matters of the case at hand, and you give it in a very clear language that they understand without losing them in the process, which is a gift in and of itself. So right back at you.
Sadia Mirza:
Thank you very much, Joe. That's the whole purpose of this entire podcast is just to have this back and forth and so on. Every episode people get to tell the world how green I am as well. That is the podcast I have created. Joe, I'm curious, how did you get started in incident response in cyber? What brought you to this industry?
Joe Tarraf:
I was in cyber my entire career. I practically started out in cyber and I did quite a few things within cyber. Obviously, cyber is a big field. You've got the proactive side, the advisory side, the governance side. I did quite a bit of professional services and implementations of cyber solutions. I was in the periphery of managed services at one point, and then I did IR, so I did the full spectrum of cyber. But what really spoke to me about IR is when you work in cybersecurity, you're making an impact no matter where you're working at, which field you're working with in cyber, you're making a positive impact.
But why I really, really liked incident response is because I felt that that impact was a lot more tangible and a lot more immediate, if that makes sense. Parachuting into an incident where everything is chaos, where the victim started, and then you take them through that journey of going through the incident and coming out of it and there's a light at the end of the tunnel and you get them to that light at the end of the tunnel and you just see that you were able to help in that aspect.
It's just very fulfilling. You see the impact that you do right away, and it just feels good to help get people that have had some very bad things done to them by very evil people is the simplest way to put it.
Sadia Mirza:
That's a sentiment that probably a lot of people in this space feel because one, it's a tough industry in terms of being on call essentially 24/7. So I think I have a very much a love-hate relationship with it, but it's those moments where you've helped someone who's basically had the worst day of their life get through that and being able to reassure them that it's going to be okay and you're going to get them through it. I agree that's the best part of the job for me. But then it's figuring out the right balance because I think there's a lot of burnout in this industry too. People like that feeling, but then it gets tough because you're on call 24/7. It's tough, right? It's tough. But any tips on that work-life balance? You could give one tip on how to make sure you keep some kind of work-life balance, what would it be?
Joe Tarraf:
It depends on where you sit. So on my side, that's making sure that my team is well-supported, that's making sure that I have enough people there, that I scale out the team the right way to not have people be on call all the time and all that, but if I were sitting on their side, probably know your limits. At the end of the day, you're responsible for your own wellbeing to a large degree, and nobody is going to be able to set those limits for you except yourself. So don't be afraid to raise your hand and say where your limits are being challenged. That's not a weakness, far from it. And don't be afraid to ask for help. That's what everybody is here for. One of our core values, if you will, or tenets within the company is, and we got this from Billy, our CEO, the two cardinal sins in our line of work is not helping when being asked for help and not asking for help. So just follow that mantra and if you need help, just ask for it.
Sadia Mirza:
Yeah, this reminds me of, I remember last week and you know this, I had caught COVID. I felt like I kept saying that I'm recovered, but I wasn't recovered. I knew I could feel the exhaustion in me, but every day I would wake up and be like, "Oh, yeah, I'm better. I'm better now." But I wasn't. This speaks to Marissa and her team at Crumb, and I can't say how much I appreciate this understanding. And again, it goes back to the human aspect of incident response. And so I remember I got a claim, they had reached out on Sunday for a matter, and I remember at that point I never wanted to turn down work. I never want to do that. It's never in my interest. I want to get all the claims I can, but I was feeling so exhausted at that point, and I knew other members on my team also had COVID, and so I just knew given what we had on our plates, no one was in a good situation to take that on.
And so I had reached out to Marissa and basically said, look, "I appreciate you thinking of me, but I'm down with COVID right now, a couple other team members," and her response was everything. It made me feel so much better. It was just, "Sadia. Thank you for your transparency. We actually appreciate that. We hope you recover. Let us know." And it was just like the best feeling knowing that you can set those boundaries when needed without feeling like you're going to be penalized later on or anything like that. There's lots of good people, but to your point, Joe, you have to let it be known when you need the help or when you need some space, otherwise you're not going to win ultimately in the end.
Joe Tarraf:
Exactly. And to your point, you'd be surprised how much people are willing to help. Knowing Marissa and her team, I'm not surprised at that answer at all.
Sadia Mirza:
No, she's wonderful. And then I also got an email today just saying, "I hope you're feeling better." I'm like, "Yes, Marissa. I'm feeling better." It's just so incredibly sweet and kind, and these are the people that make this industry really what it is. Joe, there's so many things that we can talk about. All the good things that you and me are doing are tabletop that we do for clients. I love that these high-level tabletop workshops for clients, really for executive teams. I'm thinking about the one that we did for the last client. It was basically a walkthrough of a BEC exercise, giving the client understanding of what happens during the incident response, so what to expect from the moment that you have detected an incident all the way through notifications.
And I want to tell you the feedback that I got right after that tabletop from that client was, "Thanks to you and Joe, we really figured out the areas where legal and security need to be collaborating. You brought that to light," and they were so appreciative of it. I have been selling that, selling it in quotes, to so many clients because I thought that was one of the greatest value adds. A lot of that information you don't find out until afterwards, right? Until after an incident has happened. So I want to say thanks for the partnership and the collaboration on that. I know it's been a huge value add on our side.
Joe Tarraf:
It's a lot of fun doing it. Thank you for bringing me into that. I'm glad that it's making an impact and I'm glad that it's informing people. And you're right, you could tell by the engagement when we're going through that it's making them think of questions that they have never thought about before. So we're taking a lot of the opaqueness within the process of the response and shed some light on that, and it's generating a lot of questions, which ultimately makes them more prepared and better equipped to handle things. I'm glad that we're making an impact. It's always fun doing those with you.
Sadia Mirza:
Yeah. And definitely even questions from the legal side. Some of the GCs that we work with, they never think about what are the logging capabilities and why do they necessarily care? But in that one that we recently did, you could see the GC was like, "Oh, okay, well, now I care. Now I understand why logs matter and I want to know what is our log retention period." It's a great workshop. If anyone listening is interested in the workshop, feel free to reach out to me or Joe. We've been putting it on for a lot of the clients and we're happy to talk to others about it.
Joe, we are unfortunately running out of time. I know, I know it goes by so quickly, but I have one final question for you to close us out. This podcast, the way I want people to think of it as an opportunity to shine a spotlight on the people in the industry that really make it what it is. If you had to pick one person in our industry, in IR, in cybersecurity, who really shines, it could be because they're incredible at what they do or they're just a wonderful human being, I want to know who you would pick and why.
Joe Tarraf:
Well, the obvious answer to that Sadia is obviously Sadia Mirza, right? She's so wonderful all around, but I'm assuming we are keeping present company excluded from this question.
Sadia Mirza:
Present company excluded. That is the obligatory joke that everyone will need to make on this podcast, and I will laugh like I've never heard it ever before. I know we didn't talk about it before this podcast as well, but yes, present company excluded, who would you pick?
Joe Tarraf:
I really enjoy working with Linda Comerford at AmTrust because she's wonderful. She's wonderful in the sense that not just her professionalism, she's just a really cool person. She really cares about her insureds. She really wants what's best for them. She goes the extra mile for them. She knows her stuff really well, and she's a great source of guidance for us when we work together. But she's just a great person and a great partner to have. She was the first one that came to mind when you asked me that question. If she's been on the podcast, then great. If not, I would certainly have her on.
Sadia Mirza:
Number one, I love Linda and Linda knows this. Before we recorded this, I was on the call with Linda for about 20 minutes talking about everything other than work, and I agree. She is, outside of being an absolutely incredible partner, she is just the kindest human being, and if you talk to Linda, the goodness in her truly shines through, especially if you heard her on call. She really cares about her clients. She really is passionate about her work, but she's also just very sweet. That was a very good pick, Joe. She has already been on the podcast. She's always welcome on the podcast. I love Linda.
Joe Tarraf:
I'm not surprised that we agree, Sadia.
Sadia Mirza:
Yes. Yes. Yes. Brother, thank you so much for again, joining me on the podcast. Again, I didn't want to do this without Kamran, but I'm glad you being on made it easy. I want to thank everyone for tuning into this episode of Unauthorized Access. If there is anyone listening who has someone in mind that they think we should highlight in the next episode, please feel free to send me an email at incident.response@troutman.com, and I will certainly keep them in mind. Brother, thank you. Thank you very much. It was a pleasure talking to you today.
Joe Tarraf:
Thank you very much, sister. Likewise.
Sadia Mirza:
Take care everyone.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.