Interviewing Sameer Sait – CSO at Arrow Electronics

Want to know how to go from working in software testing and release engineering to CSO for Colorado’s largest employer? Read on to see how Sameer Sait became CSO for Arrow Electronics, with stops along the way at Fannie Mae, The World Bank, and Mass Mutual, the biggest challenges in building a world-class security program at scale, and where he will focus his efforts in 2017.


My passion is to organize and energize the Colorado information security community as the mecca for information security.  As I’ve worked in the community, I’ve been continually surprised at just how many fantastic individuals we have in the area and the wide variety of ways they contribute to the industry. So I set out to start meeting those people, and writing up those interviews for you to enjoy along with me. I am hopeful that one of these stories will inspire you to throw your own hat in the ring and take a chance by trying something new. Click the links below to read previous interviews in the series.

Sameer and I ate lunch at the restaurant within the Inverness Hotel. While I have had the pleasure of a number of previous conversations with Sameer, during this interview I had the opportunity to learn a lot more.

My questions are in bold, with Sameer’s responses paraphrased below.

As a starting point, how did you get into security?

I didn’t take a direct path to security. When I graduated college, I got into software development and testing working for a medium-sized product company called Remedy Corporation that is known for their helpdesk, change & asset management software.

It was during my master’s program that Sarbanes-Oxley (SOX) compliance became a hot topic. This got me interested in the whole IT audit, risk & security field. I started to focus on IT audit, risk & security and decided to pursue a Master’s in information security. After graduation, I ended up as an IT auditor auditing corporate IT systems, including, but not limited to, ERP, mainframe and web applications. What we quickly realized is that there are a lot of detailed technical controls that feed up into an auditor’s test plans. That got me really interested in risk management and security, and I ended up working in an IT risk management role that reported into the CISO at my next few gigs.

Where were you doing that?

I worked first at a company called TRW Automotive, which is a Fortune 200 company in Michigan. After that, I went to HSBC as an IT risk management lead. I did that for a couple of years, and then my first true security gig was at Freddie Mac. This was right before the housing crisis in 2006.

Did you move for each of these jobs?

Yes, I did. I did my Master’s at Carnegie Mellon in Pittsburgh, went to Michigan for a couple of years, went to Chicago for HSBC, and then to DC for Freddie Mac. I got promoted once while at Freddie Mac to a director role within Information Security. I left Freddie Mac in 2010 to join the World Bank as a contractor in their growing IT Risk Management practice.  My first executive leadership position in security was in 2013 at MassMutual, a Fortune 100 financial services firm.

How did you get that job, going from Freddie Mac as a director to MassMutual?

I think coming from core financial services, having worked in DC where there’s kind of a mecca for security thought leadership, participating in security meetups, being a member of OWASP, ISACA, etc. helped. With the increased emphasis on risk, compliance and security, I was lucky to be part of the increased investment and support from executive leadership. For example, Freddie Mac’s security team grew maybe twofold from 2006 to 2010.

An additional aspect that helped me was putting myself in situations where I could learn and grow as an Information Security professional. I left a cushy gig at Freddie Mac as a director to join the World Bank as a contractor. My wife thought I was crazy – but my reasoning was if you don’t continue to learn and grow in this dynamic field, you’ll get left behind.  The steep learning curve for me was learning the core technical side of security and at least being able to speak the same language as our engineering & operations teams.

When I was pitched the job at MassMutual, the first thing they wanted me to do as the VP of Information Security was build out a Security Operations Center (SOC). It was less about the title for me. It could have been Senior Director of Security at that point. I’d never had the opportunity to build something from scratch. Freddie Mac was established. It grew, but its core security functions were established before I got there. World Bank was established, but MassMutual needed to build a SOC. So I got to build something and work in a domain of information security that I hadn’t worked in before.


So why the move to Arrow?

While MassMutual was great, and I had the chance to run most of the security capabilities there, Arrow Electronics offered a global CSO role with additional responsibilities like identity & access management, investigations, forensics & eDiscovery. In my 18 months at Arrow I’ve been able to build a solid team. Part of it is Denver. Denver has a much deeper and broader pool of talent compared to Western Mass, which makes finding talent in Denver much easier.

The other piece is that Arrow truly wants to eat our own dog food. If we’re going to sell and distribute all these security products, we’re going to use them as well. We want to show the world, “Look how well that product works for Fortune 150.”

I knew Arrow is Colorado’s largest employer but I didn’t realize you are that large.

From an employee population perspective, Arrow is about 18,500 employees. What I didn’t realize was how global Arrow really is because of our broad coverage in distribution and value-added services. What makes my job interesting is two aspects:

  1. We have talented sales/solution engineers embedded in our business teams that can go toe to toe with our corporate security folks on product/solution capabilities. What is better than getting validation on our program strategy and roadmap from security product experts down the hallway?
  2. We have a number of small offices across the globe. How do we protect that 20 person office in country XYZ where unique data privacy laws may apply?

What are your responsibilities at Arrow?

My responsibilities include IT risk management (policies, standards, vendor, partner, application risk assessments), security training & awareness, security engineering & architecture, security operation center (SOC), investigations & physical security. We don’t have an internal application security practice yet. Currently, we outsource a lot of this work but are looking to build that capability internally next year.

Does your organizational structure align with those functions? How does your team look?

I have seven direct reports:

  • Director of security operations
  • Director of investigations & physical security
  • Director of IT risk management
  • Manager of security engineering and architecture
  • Manager of identity & access management
  • Manager of training and awareness
  • Manager of EMEA information security

How big is the security team overall?

29 people. We are distributed globally and are aligned with our business lines. For example, I have a security architect aligned with our global components business, one aligned with enterprise computing solutions etc.

Yeah, business unit IT. Some of your security team members are embedded into the business units.

Yes, which I think is good.

Considering the size of the organization, 29 appears a bit low. How do you keep up with the security needs of a Fortune 150 company?

The challenge is to not only keep up, but to be customer focused, think usability, and be on top of everything everywhere in a global company in 50+ countries. The truth is the only way that I’ve been able to succeed at Arrow is because we are embedding security knowledge into different functional IT teams, empowering them, training them, including them in the same conversations when we define requirements, develop solutions and implement capabilities. For example, our desktop engineering team is actually quite strong from a security capability perspective when they look at Windows 10’s offerings compared to one-off vendors. They’ve done a number of proof of concepts with end point security providers and have given us feedback on what they think is more usable, less intrusive for the user, more capable in terms of protecting against next generation threats. We’ve been lucky to have that partnership.

The future of security teams isn’t getting larger, it’s creating champions outside security

I believe the future of security is going to be where the security team doesn’t need to get a lot larger to be able to accomplish their objectives. Instead, the push will be to create security champions across corporate IT.

Does that mean you don’t plan to grow the team from 29?

We are taking a slow approach to maturity. We want to hire the right people, show the value, and then grow where there is a need. We will mature from our current state of providing security services 8 hours a day five days a week (8 by 5) to 12 by 5, to 18 by 6, and eventually 24 by 7. The key is that we will do it by providing increasing value to justify the cost.

So, what is your team focused on?

Right now, and this is an apt interview with the CISO of Ping Identity, the two major initiatives for my team are implementing global standards around identity & access management and building a global security operations center.

The way I look at it, the future of Arrow security is going to be a reduction in some of the repeatable manual tasks and getting better visibility into employee, data and system behavior. For that to happen, we need to make sure we are spending based on risk to the company. Reducing manual tasks and improving automation is top of mind for me so that the security team can spend time on discovery, analysis and response activities.

What are you most proud about in 2016 that you’ve accomplished?

Number one was the initial setup of a security operations center and realigning responsibilities. We had been a very reactive company, where every single alert from any system would have VPs, directors and staff jumping on it because of the fear around information security.

Number two was getting a handle on our global standards and minimizing the number of silos between divisions and locations.

Looking to the future. What are your 2017 goals?

2017 OBJECTIVES:

  1. ENABLING COLLABORATION SECURITY (Cloud & Mobility)
  2. ACCESS CONTROL OPTIMIZATION
  3. ENHANCING SECURITY OPERATIONS

First in 2017 is collaboration security: enabling users to work securely, whether that is better controls for protecting email or protecting documents in the cloud, and moving employees from their own favorite cloud solution to the approved corporate choice. Mobility is a big deal because we’re a global company with a lot of people who are working around the globe. They’re traveling. They’re meeting customers. Our laptops need to be managed as mobile devices, so we should start thinking about how we protect that holistically, in a global standard manner, across Arrow.

Do you have thoughts about the continuous drive to replace the old perimeter security paradigm with something new?

Yeah, I see that change coming. Your storage is going to be online, your collaboration is going to be online, so you should be able to walk into an office, choose any desk, pick up any laptop, get your work done, sign off, wipe the device clean and walk away.

It goes away from, “Can I work from home once a month, or once a week?” to “Can I work from any building, any cafeteria, anywhere in the world?” Some companies are moving faster. Some obviously are not.

(Author’s note: To explore this topic more, read Google’s Beyond Corp research [here and here] or my own post about Identity Defined Security)

One of my favorite questions for everyone I interview: What do you see other folks, your peers doing that they should do better? Generally speaking, where do we need to be going that we’re not there yet?

I think my peers in healthcare and finance firms are getting a lot of support from their boards and their leadership, just because of all the recent security events around healthcare records, compliance regulations, and finance obviously dealing with money. I think where my peers outside of those groups can probably do better is to sell the 3rd party risk related to vendors and partners. A number of us are getting more reliant on partners and vendors to do a lot of our core business operations. Getting your executive leadership and board to understand the impact to the company because of one incident in your ecosystem is important. Like what occurred very recently with DYN (the DNS provider). Making the dependencies clear to senior leadership is critical.

The other piece is, what I’ve learned coming out of financial services is we’ve got to really partner better with our auditors. A lot of good auditors understand the end-to-end business process you are trying to secure. I think once you demonstrate to your auditors that your team is focusing on securing the lifeblood of your company (the data, money, and other critical assets), they will trust your technical controls to fix a business deficiency.

(Author’s note: I blogged on this topic a couple years ago)

What advice do you have for folks who are new, who want to get into the security industry?

What I’ve realized in security, very different from traditional business roles, is that it doesn’t really matter where you went to school. What matters is your passion for the field and that you are able to learn on the fly. A lot of coursework is about events and theories that we discovered two, three years ago. It’s a little bit behind the curve. Networking, learning from your peers, and using all the resources available online to figure out what really drives you is the secret to success. A lot of people come to me and say, “I want to get into security like you did, through risk management and audit.” I don’t know if that’s a path for everyone. If someone is a computer science major, very strong in development, very strong in technical skills, the right path might be appsec. The right path might be a vulnerability analyst or a SOC analyst.

Further, taking the initiative to not get pigeonholed is probably the second best advice I can give. The thing that I did was I put myself in situations where, even though I wasn’t technical, I became a valuable part of an appsec team. How did I do that? Appsec is not just all about scanning code. It’s also about researching and understanding the vulnerability and being able to speak intelligently to it, and project managing the remediation activities. It is important to not limit yourself just because you are not technical.

It’s not always about the 18-year-old taking a class in security. It’s also about the mechanical engineer who’s thinking about securing an IoT device. It’s also about the developer, infrastructure analyst or desktop support analyst who wants to learn about security. I think we can leverage a lot of people who are moving sideways versus just moving up. It’s a lot easier, and you get paid better as well.

I know you just moved to Denver a couple months ago, but you’ve been somewhat involved in the CISO community here in town for over a year. So far, what do you think about Denver?

I think Denver’s got a lot of resources and talent to become a security hub. There is a push by the local universities to build specific majors around security. I think that the community is supportive. What I like best about Denver is that I see a lot of humble leaders who realize that there’s a process to get to where they’ve gotten to, and they’ve never shied away from sharing information. I think we need to leverage that to become kind of, not just the Rocky Mountain security forum but maybe even the Midwestern security forum, to the West Coast security forum. I think there’s a lot of capability here we haven’t tapped into.

This has been fun. Anything else you want to say before we sign off? Do you have any catch phrases you want to make sure we include?

Empower your people to grow and be ready to take your job, or any job

I was listening to this leadership series on a podcast. A couple of things stuck with me. One was hire people smarter than you. Something I really like about Denver, going back again, I see leaders who are willing to hire people that will challenge them for their own jobs, pushing them to move on or move up or move away. That’s awesome!

The second thing is, when you hire those people, when they turn to you and say, “What should I do?” respond with, “Well, what do you think we should do?” Always turn the question back on them and empower and guide them, “It’s your decision. I support you.” When you have leaders reporting to you especially, that’s the single best thing you can do to give them confidence to take your job. Not just your job. Any job. Put their feet to the fire and say, “You make the decision. I’ll stand by you, but I want you to make the best decision based on the facts in front of you.”

Thanks so much to Sameer for taking the time to talk with me and share his story of becoming a CSO for a Fortune 150 company, and the Denver security scene. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.


Interviewing InfoSec entrepreneur Lance Miller

Lance Miller is a serial security entrepreneur. Perhaps you have had an idea and considered starting up a company to build your dream. Heck, maybe you’ve even started up a company to do it. Lance has built six successful companies around security consulting, managed security services, penetration testing and, most recently, security staffing. Along the way he managed to help create one of the premier security communities on the web. I sat down with Lance to discuss how he’s achieved his success, where he sees the Colorado security community going, and his advice for security practitioners.


My questions are in bold, with Lance’s responses paraphrased below.

You didn’t always work in security. How did you go from running a vending machine company to a security guy?

After selling the vending company, a good friend was VP of Sales at a managed services company in Research Triangle Park (RTP: the hot spot for technology companies in North Carolina) and he brought me on board to help with business development. After being introduced to their lead security guy, I quickly realized the future was not in networking but in securing the data. I began to read everything security related and to get in the hip pocket of our security guru on engagements when possible. From that point on, it was all about InfoSec for me.

Talk about WireHead Security. What did you focus on there?

After the managed services company I worked for was acquired, the head of InfoSec and I decided to launch our own security consulting firm… and WireHead Security was born. We offered services like penetration testing, vulnerability assessments, code reviews, etc. We recognized that application security was where we wanted to focus. That interest led us to volunteer as the North Carolina OWASP Chapter leaders for a handful of years. I am very proud of the work we did at WireHead. We were known for some of the best deliverables in the industry.

Tell me about InfoSec Island? How did you create and curate what became one of the premier web security communities?

While our original goal with InfoSec Island was to lower our cost of sales with WireHead’s services, we quickly abandoned that model. Instead, we wanted the focus to be about excellent content and nothing more. With little vendor influence on the Island we were able to provide the community with an open platform to share their thoughts on happenings within the industry. We gave a large platform for new and emerging authors with some truly excellent articles (and a bit of really bad content as well). By far the best thing to come out of InfoSec Island was all the talented people I was able to meet.

I know you no longer own or operate the site. What happened?

Infosec Island was sold to Security Week so that my business partner and I could focus our energies on a new venture: Trusted Metrics, a managed security services provider (MSSP). Looking back I wish we would have held onto the site as it doesn’t receive the love it once did.

That leads us to the creation of Trusted Metrics. That was another big change in your career. What motivated you to make the move from consulting into an MSSP?

We felt that we needed to do more for our clients than just test things. We wanted to offer additional value by not only finding vulnerabilities but by also constantly watching the network and helping remediate issues. We built a robust SIEM that we managed in our own SOC for clients. After one of our clients mentioned Trusted Metrics to a VC group, we quickly partnered up and began to take things to the next level. Not that long afterwards, my mother passed away which caused me to evaluate my life and how I was spending my time. After a lot of soul searching in the mountains of Colorado, I decided to go another direction and walked away from Trusted Metrics. Life is short, follow your heart. I did just that and launched The Cetan Group, a brand new InfoSec consulting firm.

It was Trusted Metrics that brought you out to Colorado. Tell me about that transition. How does Colorado compare to the security community in Raleigh?

I was very surprised to see what the Colorado security community was all about. Coming from RTP, I was thinking I would be coming to an inferior market. I was wrong big time. The Colorado InfoSec community is one of the best in the country. The more I see, the more I feel this way.

In early 2015 you started a new company focused solely on finding and placing security talent at organizations (see write-up on Norse’s State of Security). What led you to do that?

Security is all about the people…not shiny and blinky boxes. I felt that I could be a better steward of the industry by finding the right talent for the right opportunity than any vulnerability assessment or pen test I could ever provide.

What’s your plan for the future? Where do you see Lance Miller in two years?

I am a family guy #1. I am building The Cetan Group and Curity to do two things:

  1. Make a positive difference in the InfoSec community.
  2. Allow me to be the best dad/husband I can be.

Having only been in Colorado for a couple of years, you have a great perspective to evaluate our market. What are the best things about security in Colorado? What are the worst?

The best part of the Colorado security community is the number of talented active people. We seem to be more involved in taking the community to a higher ground than we did in North Carolina.

The worst part of the Colorado community is some of the long timers are a little cliquish and have the “get off my wave” mentality. Oh well…this exists all over.

I love getting different perspectives on a couple of common questions, from everyone I interview. So please share your take. What are CISOs doing wrong? What can we do better?

The only thing that really jumps out to me is that some CISOs are too trusting of big security vendors’ marketing machine. This seems to be subsiding more and more; however, after each breach there’s another wave of reactive buying.

In reality, there is no silver bullet. We need more CISOs who are business-minded first and InfoSec second. To me, this is the direction we need to be going, not only at the CISO level but even at the individual contributor level.

What’s your advice for people who are looking to break into the security field? What should they do to land their dream job? Heck, better yet, what should their dream job be?

I’d point people who want to gain entry into the InfoSec industry to read Lesley Carhart’s (@hacks4pancakes) “Starting an InfoSec Career.” Part 1-3. Part 4-5. Awesome insight.

I always suggest that people figure out what they love and go all out pursuing it. Find like-minded/hearted people and work with them. Dream jobs are not just about money or titles, they are about being happy. Culture is everything… find yours.

Thanks so much to Lance for taking the time to talk with me and share his thoughts on the Denver security scene, and his own path. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.


Sitting down with Andre Durand – Ping Identity Founder and CEO

What does it take to build a market-leading company in an industry that does not yet exist? According to Ping Identity founder Andre Durand, it takes vision, conviction and patience. Almost 14 years after it was initially started, Andre’s Denver-based security firm is now the leader in digital identity, with almost 400 employees and serving 50% of the Fortune 500. I sat down with Andre to ask how they have achieved their success and what he sees in the future for security.



For this interview I was fortunate to sit across from Andre at the Palms Restaurant in downtown Denver and talk one on one. Andre Durand is a wildly successful serial entrepreneur right here in the Denver area. He started his first company, Durand Communications, in 1993, and built the world’s first Windows client/server bulletin board. He sold the company to Webb Technology in 1998. In 2000, he started Jabber, Inc, which commercialized the Jabber instant messaging open source platform started by Jeremie Miller, and was sold to Cisco in 2008. In 2002, Andre founded Ping Identity.

My questions are in bold, with Andre’s responses paraphrased below.

You’ve obviously done a lot of interesting things in your career. Why Ping Identity?

I became interested in identity from the first day Microsoft introduced Passport (now Microsoft account). The entire notion that we could have a single identity for the entire Internet was mesmerizing.

In the 2001-2003 timeframe, the internet community woke up to the larger idea of identity and in classic fashion, decided we needed standards in order to scale identity use-cases across the Internet. Out of these early efforts, the concept of federated sign-on was born, a simple yet powerful notion that we wouldn’t need to have separate sign-ins to every website.

During this same time, October of 2001, I started to see that this was a massive need. Part of my nature is that I love to create solutions (and companies) to solve massive problems. I was sitting on a sail boat in the Caribbean when it struck me that this was an opportunity I should not let pass me by. I decided I should start a company to address this need.

What was step one?

I was on that boat because I was on a three month sabbatical from Jabber, October to December 2001. I decided to cut my sabbatical short and come back after six weeks. I used those six weeks to determine if I could raise the money needed to start this company the right way, or if I would go back to my job. I knew it would take a year or so to learn the identity space and create a viable solution. And I knew that I couldn’t do it alone since I am not a developer. So I decided that I needed to raise seed capital to get through the first couple years.

How did the fund raising go?

Because I had started and sold my first company already, I had great contacts. I was able to go back to those same investors and ask them to support Ping Identity. Since they had done well working with me previously, it was fast and easy. I secured the money within the six weeks I’d set aside, and was able to start Ping Identity in January 2002.

How did it go leaving Jabber?

They were incredibly good about it. They actually let me use an empty office in the 1899 Wynkoop building, in downtown Denver, to start the company. They were glad to have me around, and I was glad to have the space for the new venture.

Tell me about day one with your new company.

The strangest thing was setting up my new email account and by 11am not having a single email in the inbox. Of course, nobody knew the address, so there shouldn’t have been, but it was an odd feeling. That’s when it really hit me, “What did I just do?” What do you do Day One in a newly created company? I was the only employee, nobody even knew we existed.

So I decided we needed a logo. I created a logo, printed out a piece of paper with it, and “Ping Identity World Headquarters.” I taped it outside my office door and decided that was a good day’s work. I went home.

Tell me about Ping employee number two. You said you needed a developer for this to work, right?

To start Ping, I got back together with the cofounder of my first company, Bryan Field-Elliot. While we hadn’t worked together at Jabber, he was just the person for the job, ultra bright and really talented at taking big ideas and distilling them down into products that were meaningful.

You mentioned that you needed to spend time getting educated on identity. How did that process go?

Three months into the company, I was Googling for anything I could find on identity and really frustrated that the only thing I could find was a whitepaper only tangentially related to what we were targeting. The truth is, identity wasn’t a market, nor was Identity Management even a term. No one even knew they had an identity problem, much less wanted to fix it. I called my first investor that day and said, “Phil, we’ve got a problem. I think we just started a company in an industry that doesn’t exist. But don’t worry, I’ve reserved www.digitalidworld.com and if you invest $5k, I’ll do the same and you and I can start the industry conference to build awareness around the looming identity problem.” With that the first identity conference was born. Over the years, we grew that conference to about 900 people and sold it to IDG in 2007.

So you weren’t waiting for the industry to start to see this as a problem, you were actively out there changing the conversation to discuss identity?

Yeah, it was daunting. We had started a company in an industry that didn’t exist. We had to help create the industry to support our company. Our conviction was that the whole security industry paradigm was wrong. We had a solution we believed in, enough to build an entire company on. However, it’s not easy to convince the world of that overnight.

What’s the new perspective you were trying to drive through the industry?

Traditionally in security, we put our most valuable assets in one place, a green zone if you will, and then erected a perimeter around them. This perimeter was then responsible for safeguarding our network, our people, applications and our data. In this model, we put trusted things on the inside, and wall off the things that are unknown and presumed untrusted on the outside. Starting about 2008, that model really started to break down. Some applications left our perimeter and moved to the cloud with the adoption of software-as-a-service (SaaS). Today about 20% of applications are SaaS. Following this in 2010, users created the bring your own device (BYOD) issue by demanding that their smartphones connect to corporate resources while off the corporate network. The third wave, which we are now seeing, is that those remaining applications that are on the corporate network are getting moved to cloud infrastructure providers.

So the perimeter we worked so hard to create has become less relevant as the assets it was there to protect have moved. In this new reality, everything of value is simultaneously ‘outside’ the perimeter, and yet must be treated as an insider. What ensues is a shift from perimeter-centric thinking to identity-centric thinking, as secure access becomes the mandate for a digitally transformed enterprise.

The challenge we foresaw is in knowing which users have access to which resources. That is the essence of an identity access problem. We need a better notion of who the user is, what they can do, and what the implication of that access is.

How do we deal with that changing paradigm?

We need to rethink the model and answer different questions. How do we ensure users have intended access to resources across geographically and organizationally diverse lines? We need tools that allow us to provision that access centrally, while controlling those wildly different systems. That is a federation problem.

Of course, as we put more things behind the same single sign-on, there are positives and negatives. We’re funneling all traffic through one account, or one door, so we really need to make sure that door is exceptionally sturdy. Strong multi-factor authentication is more important than ever.

Reimagining identity in a distributed cloud infrastructure truly is a new architecture. We’re not building a monolithic technology stack that presumes my users and apps are in the same domain.

Let’s backtrack to the beginning of the company. You told me about creating your logo on Day One and bringing in your developer. How did you get customer number one?

During that first year as a company, we were getting involved in the online identity community, engaging in discussions around creating open standards, and getting to know the players. Our first customer was American Express, who we signed in the summer of 2003.

The 18 months we spent in between starting the company and making our first sale were spent learning, developing the industry, developing relationships with those few people who highly valued digital identity, and figuring out how to solve this problem. In fact, we met the CISO for American Express during that time. He had been involved in the standards effort, he recognized that we were doing valuable things by implementing the standard, and asked us to embed the standard toolkit into one of their websites.

You made your first sale in 2003, was that the start of a huge run of sales?

No, not right away. We didn’t start to see strong adoption until we created our first federation product, which was in the 2004-2005 timeframe. And even the first version of that wasn’t quite market viable. We were missing some protocols, and we were missing the integration kits needed to make the experience turnkey into applications using SAML.

But it was in the 2004 timeframe that we identified what the pattern was that would start to make a difference in the industry. It just took time to implement the vision.

Did the market also see that same vision?

The key for market adoption was businesses starting to move to SaaS. It wasn’t until the industry really began adoption of SaaS products that they began to feel the pain of having so many systems to provision with so many different configurations and security profiles. As companies looked to solve that problem we became a welcome solution. Adoption was pretty meager initially, in the 2004-2005 timeframe. It really began to pick up in 2008.

When did you transition from working to generate demand in the market to responding to the demand that already exists?

It’s been a mix over the years. In the early years we spent most of our time trying to create demand, doing webinars, training, and our user conference. But in the last couple of years it’s flipped and we’re now trying to keep up with the demand. The analogy I use is that at the beginning we were pushing that heavy boulder up a hill, trying to reach the top. Yes, it is hard work pushing that boulder, but you can stop and take a break to catch your breath when you want. Once we reached the peak and the boulder started rolling on its own, we’ve been rushing to catch up. While it’s less work in some ways, it’s more difficult in others. We can’t take a break or the market will get away from us.

How did you make it through those lean years as a small startup? Weren’t the expectations from investors crushing?

Our conviction of the vision is what led us through the metaphorical desert. We always had conviction that there’s another side, and that we’re going to get there. There was never a question in my mind whether we’d make it; it was always simply a question of when.

I still have the business plan I had created in 2003, which is now covered in dried Sriracha from a spill at the bottom of a drawer. That plan is still 80% accurate. Some of the words have changed, and the order of some events may have switched, but what we’ve seen play out in the past decade is fundamentally the same as that original business plan.

We were very fortunate to have investors and board members who bought into that vision and shared the same conviction. Jeremy Allaire, creator of ColdFusion and a great visionary, was a board member for us. He was the lead with General Catalyst Partners to make our A-round venture capital investment. He could see what was coming down the road, and help articulate it. He was a powerful force in maintaining the investor conviction during the years where identity was becoming a conversation point, but was still years from exploding.

From a leadership perspective, how did you steer the company from a two-man start-up looking to create a new industry into the market leader in the digital identity field?

The problem Ping Identity is working to solve is a big one. It’s not one where we can create an appliance or service and declare mission accomplished. As a result, we have had an entrepreneurial rhythm where we acquire capital to build out our vision, prove the plan, and go back to the market for additional capital to expand the vision. We have done this every couple of years. Each step along the way we are better summarizing the market opportunity, lowering the technical risk, and better convincing investors to go the next leg of the venture with us.

Going hand in hand with that has been the endless pursuit of talent, in every fashion. Leadership talent, engineering and development talent, marketing talent. Everything. When I summarize my role at the organization, it is to bring the investment side and talent side into the same room, and infect them both with the same vision. Then doing it over and over at larger and larger scale. Better able to execute the plan against the market opportunity at every step.

So, why Colorado? Why have you made this the home for Ping?

I moved here in 1998 and met my wife. Later I started my second company, Jabber, right downtown. Over the years, I have fallen in love with Colorado. Colorado really embodies a challenge that I take seriously. How can we win the right way? How do we perform and deliver stellar results without sacrificing attitude and culture?

The challenge I have created for myself is to figure out how to win in balance; how to achieve financial results without compromising the things that matter. I believe Denver is the ideal place to do this. The people here understand the importance of balance and value it.

Is your intention to keep the company here in Denver?

We are a very distributed company, with offices throughout the world. However, my intention is to keep the headquarters here in Denver and continue adding talent wherever it makes the most sense. Our model has been to hire the best people and be flexible on the location.

You’ve been working with CISOs as customers for the past decade. What advice can you give us as a group? How can we get better?

I am not in a position to give advice, as I know that’s an incredibly difficult job. But I do have my own biased perspective on where security should go.

I believe that identity is the lynchpin of security in the future. If we define security as giving the right access to the right people, irrespective of what device they’re on, then having an identity architecture that can get us there is fundamental.

One step beneath that high level vision, I believe that our mobile phone is the ultimate authentication token. It’s got biometrics, it’s always connected, and it has behavioral information to tell us who the possessor really is. Second is the question, what are we authenticating to? Is it just to a specific service? Or are we authenticating to a federated environment where our identity can be passed around to all the services we need internally, in the cloud, or wherever we need it? And finally is the concept of access security, or access control. Traditionally we have viewed access control as a pretty manual process, with periodic check-ins to make sure things still look okay. But if we’re performing monthly or quarterly reviews of access, how do we catch a bad actor red-handed? We need an automated, intelligent way to ensure that people have the right privileges.

We are in a moment where CISOs should be paying attention. We are just on the cusp of seeing the means to accomplish that type of architecture emerge. I believe that within 12 months we will be able to accommodate most of that model. CISOs should be considering now how they will leverage this new model in their environment, and be prepared to adopt.

What’s your advice for individuals considering getting involved in a career in security?

Right now is the biggest period of intellectual property theft in the history of the world. And we have a massive talent gap among the defenders. So we need more people, and we need great people. My experience is that the security industry has drawn the best and the brightest talent. I’ve seen a certain personality type consistently: those who have strong instincts to protect. That is not to say that you couldn’t learn to practice security without it, but I do believe there’s an inherent level of interest you should have to do this naturally.

Final question: What should people do to get ready to be hired for the next great job at Ping Identity?

I have become a believer in hiring for attitude and aptitude, not for skills. That doesn’t mean that skills and experience don’t matter, but I would rather find someone who is a hard worker and a fast learner. The company already has so much institutional knowledge that we can bring people up to speed quickly as long as the person has a solid technical background and is willing and able to learn.

Thanks so much to Andre for taking the time to talk with me and share his thoughts on building Ping Identity, the future of the security industry, and the Denver security scene. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.

An Interview with Alex Wood – ISSA International Director

Alex Wood is a heavy hitter in the Colorado information security community. From working in massive enterprises (IBM, AT&T, and Kaiser Permanente) to building and running the information security program for a mid-size enterprise (QEP Resources), to leading the biggest security conference in the region (Rocky Mountain Information Security Conference) and the ISSA Denver chapter, Alex has done a lot for security in the region. As of August 2015 he was elected to the ISSA International Board of Directors and will represent Denver in the international security community. I asked Alex for some of his time to talk about his career path, the Colorado security community, and more.


My questions are in bold, with Alex’s responses paraphrased below.

Alex, you’ve accomplished a lot in the Denver information security community. How did you get involved in the security community in the region?

I’ve spent my whole professional career here in the Denver area but the first two of the companies I worked for, IBM and AT&T, were extremely large. There are positive and negative aspects to working in a really large company: just about any skillset you need is in-house. You’ve got access to great people but because of that, you don’t necessarily have motivation to meet other people in the local security community. I got to the point where I really wanted to connect with local security resources instead of someone in North Carolina or New York or Ireland or India, for that matter.

One of my IBM co-workers was involved in ISSA and suggested I attend a meeting, which I did. It was a pretty small group but it was great to meet some local people. Soon thereafter, I joined ISSA and started attending meetings more regularly. After attending a few meetings, I learned about the Rocky Mountain Information Security Conference and was excited to see that there was a conference like that in our backyard. Paul Herbka, the president of ISSA at the time, began recruiting volunteers to help plan the next RMISC soon after. I was interested in getting more involved. After a short discussion with Paul, he informed me that I was the first volunteer so I would be in charge of planning the next conference. As we began the initial preparations, the Communications Director of the chapter resigned so I volunteered to take that position as well, since I would already need to do communications for RMISC. I did my best to make those communications my own. I think that’s really how I started to get to know people. Whenever I’d introduce myself to people, they’d say “Oh yeah, you’re the guy I get all the emails from!” After a couple years of doing that, Paul informed the board that he was going to be stepping down and I was apparently the only sucker interested in taking over. That got me to where we are today.

Through the whole process, I’ve learned a whole heck of a lot. I’ve gotten to meet many, many people in the local security community. I’ve gotten introduced to other organizations outside of ISSA, such as ISACA, OWASP, PMI, and many others. I’ve had the opportunity to meet lots of other ISSA members from across the country and the world. Through recruitment of sponsors for RMISC, I’ve met just about every vendor under the sun. If my original goal was to meet people in the local security community, I definitely met that goal.

In the 4 years you were the ISSA chapter president, membership increased from 138 to 350, a 254% increase. To what do you credit this growth?

When I first joined the chapter, we had some spotty participation from the board. Everybody was doing their best but we were understaffed and the board members we had were very busy with other responsibilities. As a result, we weren’t very organized and would be trying to find speakers for chapter meetings a week or two before the meeting date. That meant that we weren’t getting much time to promote the meetings. It also meant that many of the speakers that we were getting weren’t of the highest quality. I learned that you need to get high quality speakers and give enough time to promote them to people that would want to come. Once you get people coming to the meetings, they get value out of attending and many will join the chapter. As the chapter got bigger, we started to have a bit of a snowball effect. The more people that came, the more people wanted to come.

Another key to the chapter growth was RMISC. Not only has RMISC gotten better and better, but we have been really lucky to keep the cost to members low while still making a small profit. We used those profits to help finance the chapter operations, including offering chapter meetings free to members, free full-day trainings, and our academic scholarship program. All of those factors have contributed to the growth and I’m really proud of where the chapter is today, as well as excited to see where it can go.

Now that you’re sitting in the coveted ‘past president’ position for ISSA Denver, what do you see as the opportunities for the chapter to grow further?

Well, we’ve made great strides but there’s still a lot of room to improve. In 2015 we started having monthly chapter meetings in Boulder (as well as in our traditional Denver Tech Center location), which is a great step forward. The Boulder area was really underserved from an ISSA perspective. I think that there is still room for another monthly meeting in the downtown Denver area. It may seem like Denver, Boulder, and the Tech Center are close but it isn’t always easy to get away from the office for a 60 or 90 minute lunch meeting when you have to add 30 to 60 minutes of driving time. Back to my earlier comment, if we provide high quality content and in this case, in more locations, we will get more people to join the chapter.

Another area that we could grow is in mentorship. We have such great members in all different phases of their careers and in many types of positions. Using the experiences of our members to mentor other members, or students for that matter, can really add value to the membership. There has been some advancement in this area at the International level and we have the opportunity to bring some of that to our local members.

The final area is volunteerism in general. Our board participation has grown but with the growth of membership overall, we have the opportunity to get many more volunteers to help with our programs. We have always solicited volunteers but there is definitely an opportunity to formalize their participation. With increased volunteering, there is the opportunity to create more programs and value for the membership, which will in turn grow the membership base.

While you didn’t start the RMISC, you were a big part of growing the conference. From 2010 when you took over, to 2015, we saw a 72% increase in attendance. What’s the next hurdle for the conference? Where should we take it?

That’s a hard one because I think that we are really at a crossroads with RMISC. We have grown attendance every year for the past 6 years but I think we are nearing the top end of attendance for a Denver area conference. So there are some options. There is no reason the conference has to grow. We are a strong size, we continue to provide excellent content at a great value, and we can continue to be successful doing that.

There is also the opportunity to grow into a regional conference. I think that is a much harder road but it could be one that pays great dividends. There are markets that we can appeal to in Utah, Kansas, Nebraska, New Mexico, and other nearby states that could increase our size. It would take some heavy marketing and we would have to continue to bring in big name speakers like Brian Krebs in order to attract those regional attendees.

We also have opportunities to increase value through changes in format. When I first got involved with RMISC, it was a one day conference. We expanded that to one and a half days with a half-day training to start the conference. We have since expanded to the current format with several full-day trainings for different focus areas. There is definitely an opportunity to expand the pre-conference trainings even more. There are many trainers that would be willing to give trainings of 2 to 5 days. The biggest challenge is to ensure that whatever we do, we still provide great training at a great price.

Even though I’ve stepped down from the RMISC conference chair duties, I know that we’ve got a great team in place for the future and that it will continue to get better no matter what direction is chosen.


Since stepping down from the ISSA Denver board, you have been elected as an international director for ISSA. What are your goals for the ISSA International board?

That’s a great question and I’m not sure I have a definitive answer yet. The platform that I built my campaign around was threefold.

  • Increased educational offerings driven by International and delivered by chapters,
  • An expanded mentorship program for members and chapter leaders, and
  • To enable greater awareness and transparency of ISSA International activities for members.

That said, I really feel like I need to get a couple board meetings under my belt to determine if those are truly the areas of the greatest need. However, I am confident that the third bullet is something that I want to work toward. Getting elected to the International board but not really knowing the issues that need to be addressed shows that there needs to be more awareness. We are a chapter-based organization and most of the activities happen on the local level. Having more inter-chapter and International awareness will only help to make the organization stronger. Whatever I end up focusing on, I intend to bring the same passion that I’ve brought to the Denver Chapter.

Let’s talk about your personal career. What took you from the massive enterprise field with IBM, into a smaller company?

I loved my time at IBM. It was where I got my first job in security. I worked in the Managed Security Services group there before IBM bought ISS. It was such a great experience because we had a great team of people. The group was pretty small and full of really bright people, many of whom are still doing great things in the Denver security community. I ended up working in that group for most of my 10 years at IBM. One benefit and drawback of working there was that I worked at home for much of the time. To many people that probably sounds like a dream, and I did love it for a long time, but it got to the point where I was missing the physical connection with the people with whom I worked. For the most part, there weren’t happy hours or water cooler talk, which you take for granted when you work in an office. It is also hard in such a large organization to feel like you are making an impact. I really wanted to be somewhere that I could see the results of what I was doing make a positive impact on the company as a whole.

IBM and AT&T have a long history with each other and periodically swap functions between them. So as I was contemplating what I wanted to do with my career, a funny thing happened. It turned out that the group I was in at IBM was transferred to AT&T. One day I worked for IBM and the next I worked for AT&T. I was doing the same job with the same responsibilities but getting paid by a different company. I decided to give AT&T a shot for a few years which allowed me to work for a few different groups within the company, but at the end of the day, I still had the same issues. Almost nobody I worked with was even in Colorado so I still longed for some of the “normal” parts of working in an office.

When I finally decided to move on, I knew I wanted to be at a smaller company that was based in Colorado. I also knew that I wanted to be in a position where I could be a leader in the security program so that I could see the impact on the company. I felt like I had a pretty diverse skill set and wanted to be able to lead while still getting my hands dirty in the day-to-day technical stuff from time to time. So I started looking around for different opportunities. There were several places that I had interviews but didn’t get the job. I was a little disheartened, but looking back I think I learned a lot through the process. I hadn’t effectively communicated what I could bring to the table during the interview. In the end, I learned better how to articulate the value I can bring to an organization as a security and risk leader. And I landed a position at QEP which was perfect for me.

There was no security program when I started so it was a challenge and an adventure building one, but I learned a lot through the process. I got to wear all the hats: security engineer, CISO, compliance officer, assessor, and more. I also got what I was really looking for: building relationships with real live people that I worked with and the ability to make a difference for the company. The time I spent at QEP was great and I wouldn’t change a thing, except maybe getting a couple more people on my staff. But who doesn’t want that?

And after successfully implementing a security program with QEP, what led you to make the move back into a large organization?

Well, there was still a lot of work to do maturing the program at QEP when I left and I wasn’t looking to leave. The opportunity to move really just happened. I knew some people at KP and I had heard good things about the company. There was a lot of growth in the security/risk management/compliance space and it seemed like they were very serious about building the program. Healthcare is an exciting industry right now for security, and around technology in general, so that made it appealing. The size of the company was something that I definitely had to take into account, but with the way the security organization was positioned, it seemed like there would definitely be ways to make an impact. In the 11 months that I’ve been there, I’ve seen that to be true. I think that I made the right choice in moving.

In addition to all that, I’ve been a member there for almost my whole adult life so I know the service we provide from a consumer perspective. When I went to QEP, I ended up on a traditional health plan and I was lost. The integrated model that we have is something that I really enjoy and it is one of the reasons that we provide such a great product to all our members. When you believe in your product, it makes working at a company much more rewarding.

Where do you see yourself in a few years? What’s next?

Well, I’ve been through a whole lot of change in the past year or so. I’ve given up the ISSA Denver Chapter and RMISC reins. I’ve started a new job. I’ve been elected to the ISSA International Board. It really has been a whirlwind of activity. I think it might be good to settle in with what I’ve got for a bit. I don’t know what the future will bring, but I’m looking forward to it and hope to keep contributing to the community we’ve built here in Denver.

Alright… into the last couple questions. First, what advice do you have for CISOs out there now? What are we doing wrong, and what can we do better?

Assess and plan. It is really easy to get caught up in the tactical parts of our job. An incident is going on now. A project needs to be completed. That stuff all has to be dealt with, but if you aren’t taking the time to assess where your whole program is today, then you have no idea what you need to work on. Completing that assessment and comparing it against where you want to be (or where management, regulators, or others think you should be) shows you the gaps you need to fill. Then you have to start getting into the hard stuff. How are you going to fill those gaps? Which gaps are you going to address first? And of course, how much is that going to cost in people, time, and dollars. Once you’ve got that plan, you can focus more on the tactical aspects of getting it done. Don’t rush that planning though. Make sure you’ve got the plan fully backed before you start to implement it. You also have to make sure that it isn’t just your plan but that it matches what the rest of your organization is doing and that your management agrees with it.

For those people interested in getting involved in the security field, what is your advice? How should they get their foot in the door to come take your job some day?

The key to succeeding in our field is to understand how systems, processes and technologies work. This is essential for you to be able to think about how someone could misuse or abuse the way the systems and processes are intended. From there, you will figure out the best ways (controls) to limit that misuse. Understanding how things work is the most important. To be good at that, you need to have the desire to build and play. Most of the best security folks either started somewhere else in IT or were curious enough to build their own systems to play with. System administrators, network engineers, systems analysts, and other similar job types require you to understand deeply how something works and provide a good base of skills. I see some people trying to jump into security without having that basic knowledge first. You’re skipping a step. Understand IT systems first.

Another key is to work with the community. There are so many people in Denver with great knowledge and most of them are willing to share. If there is someone that is in a job you want to be in, ask them to be a mentor. If there is someone who has more knowledge than you in an area, ask them if they can help you develop your skills.

There’s a great opportunity for all of us to use the knowledge we already have to improve the state of security in Colorado. If you have knowledge on a subject, come present it at an ISSA meeting. Or OWASP or CSA or ISACA, depending on the subject. Let’s all help each other get better.

Thanks so much to Alex for taking the time to talk with me and share his thoughts on the Denver security scene, and his own career success. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.

An Interview with InteliSecure Founder – Rob Eggebrecht

Talking Security with InteliSecure Founder Rob Eggebrecht

Here’s the recipe: Take one good idea – add some hard work and a good partner – bake for a couple of years and you get… one profitable and thriving enterprise. At least, that’s a central part of the American dream, right? Rob Eggebrecht’s story of starting InteliSecure (formerly BEW Global) in his basement and growing it into one of Colorado’s most successful security firms is both familiar and unique. In this profile we’ll learn how Rob used the tried-and-true model to build up a business in a nascent field, watch it come within a hair’s breadth of folding completely, and end up with a unique piece of the Colorado security landscape.




This discussion took place back at one of my favorite local places: Hapa sushi. This time Hapa at Landmark. If you like good sushi but haven’t tried it out yet, you’re missing out. I recommend the tempura lobster and dragon rolls.

My questions are in bold, with Rob’s responses paraphrased below.

Rob, let’s start at the beginning. How did you get into the security business?

Telecom. In 1999 I was working for Level 3 in London as a Director of Metro Private Line, Ethernet and Dark Fiber. The demands of security were starting to get heavier at the time, and I recognized that it was a field that was going to continue to grow. Some of my former colleagues from the old Qwest (before US West) were starting up Virtela, where they were going to do managed MPLS networks. I asked if they were planning to do any security with it, and they said they were planning to do managed firewalls. I thought that was a good place to be, so I joined the team.

I moved back from London and took over the position of international business development for Virtela. I was there for some time when a recruiter contacted me for a new company called Gemplex, which was looking to do the same thing as Virtela. They brought me out to Denmark as their Senior Director of Global Business Development.

At Gemplex we built out a big MPLS network and managed firewall infrastructure, and were ready to ramp up, right when the telecom crash came. One evening in 2002, at 2:00 in the morning I got a call letting me know we had been acquired and that I was being laid off. The layoff came with a decent package and gave me a chance to think about what I wanted to do next.

How did the layoff impact you?

I really didn’t like the feeling. It was nice that they had taken care of me, but what I really wanted was to be working and building something.

I was 32 at the time and I had heard that if you want to start a company on your own, you need to do it before you are 35 or else you just won’t have the stomach for the uncertainty. So I realized this was my best chance to build a company. In December 2002, I started building BEW Global, now InteliSecure, in my basement.

At the same time that I started working on InteliSecure, I also took a position with Qwest. However, I knew it was a short-term arrangement as I built up my company.

What did InteliSecure look like at that point?

Initially it started as a reseller for Virtela’s managed firewall and VPN services. I had built up quite a list of contacts throughout my career, and I used those relationships to start selling as an agent of Virtela.

Six months later, June of 2003, I had enough success to quit my job at Qwest and dedicate myself to InteliSecure full time.

How long did you go it alone?

Not long. In July of 2003 I recruited Chuck Bloomquist to partner with me. Chuck was CTO at Kit Carson Rural Electric at the time, in Taos New Mexico. He had found a nice job down there and was working in a low stress position down there. I called him and made this very compelling pitch… “Hey, how about you make 80% of what you’re earning now, invest your own money into this company, and get after it with me.” Unsurprisingly, he wasn’t convinced.

So I drove to Taos to convince him in person that we could build something special together, and to come join the team. Fortunately, he came aboard, and we had a team. From the beginning, same as now, I played the Business Development role while Chuck was the technical guy.

Initially he stayed down in Taos, and did some remote support for me. But in January 2003 he moved up to Denver and joined me full time. We basically played the traditional role of sales and sales engineer, knocking down deals for Virtela’s services.

How and when did that change?

What’s cool about the model we had was that it came with some recurring revenue. As we sold those deals for Virtela, we didn’t just get paid when we closed the deal, but also each month as the customer continued to pay. So we started to build up a run rate to cover our salaries.

InteliSecure has been known as the DLP experts, how did you get there?

We ran into a fantastic new technology. Chuck and I found out that we had a mutual acquaintance, Tom Donahue. Tom had created the first DLP system, Vericept. They were headquartered right here in Denver. Chuck set their technology up in the lab and started using and testing it. He was convinced, and then convinced me, that we could do something really cool with DLP.

We started bringing this solution out to our banking customers, and they couldn’t get enough of it. They loved DLP and were excited about it. We sold 40-50 Vericept deals in 2003 and 2004. But then we started running into Vontu’s DLP solution all over the place, and they were kicking our ass. So we got an introduction to Vontu, Chuck baked them both off, and decided he liked them both. And we made the decision that we’d start supporting and reselling both of them.

We would engage potential customers, perform an evaluation of their needs, and make a recommendation about which solution was the best fit for their technical and business requirements and financial constraints. We made our first hire, Hillary Laird, who is still with the company today. Next thing you know, it’s 2006 and we’re a two million dollar a year DLP value added reseller (VAR).

What was next?

We started getting into web and email gateways, because they integrated so closely with DLP. We became Vontu’s go-to service provider. Heading into 2008 we were up to 12-14 employees at a $3-4m revenue clip. Then the economy took a nose dive.

How did that impact you guys?

It was the start of a dark time for us. At the time we were acting as a VAR. There was no residual income, meaning every month we started at zero and tried to make enough sales of DLP, web and email gateways to fund operations. Bottom line, we were running out of cash and the future looked grim.

What did that mean for you guys? How do you dig out from that kind of a hole?

In Florida, while the rest of the family was playing in the pool over spring break, my dad, Lew Eggebrecht, one of the creators of the IBM PC and a mentor for me, sat down and dug into the business with me. The next step was to come up with a plan for our company to go from 20% services and 80% VAR, to an 80% services and 20% VAR model within 5 years. He told me that it was up to me and Chuck to come up with that plan, and then pitch the concept to him, and if he was impressed, he would help us dig out of the hole.

I was thinking, “Great, he’s going to write us a check.” But no, he guided us to call each one of our vendors and tell them we were going to stretch. His advice was phenomenal. He said if we keep selling their products, they will help us get out of this hole.

How did Chuck take this news?

Shortly after, Chuck and I flew to Pittsburgh to close a large deal. The conversations during this trip were the hardest we ever had. I’ll never forget this moment. We were sitting in the Intercontinental Omni in downtown Pittsburgh. The question on the table was, “Are we staying together? Do we really want to do this?” Both of us are getting older and wondering if it really makes sense to start back from zero with this company. All our money was tied up in InteliSecure, and we both had some attractive employment opportunities with big companies with no risk and a reliable paycheck.

It was Chuck who said, “I think we can do this managed DLP thing.” He had a bank that was ready to pay us $3000/month to manage it for them, and we knew we could grow from there. We agreed to get after it, and do it. This was in June of 2009 and started the next chapter for us.

Sounds like that was a step on the road to becoming primarily a services company.

Unfortunately that chapter started by laying just about everyone off. We kept just me and Hillary on the sales team, and Chuck and Chris Benz on the technical team.

By the end of 2009 we hired two more people. We started building out a security operations center (SOC) and signing up new DLP customers. In 2010 we had 6 new managed DLP customers sign up for good revenue, making maybe 20-25k a month.

In the fall of 2010 we had a massive financial services company come to one of our DLP webinars. Hillary set up an on-site meeting with them to talk about a DLP project they were kicking off. I figured we’d get there and meet with one or two people. Instead, we walked into a room with 20-30 folks from their side. They were excited about what we were offering for managed services, but I was skeptical that a company of our size could land this big client. But it went well, and before we even got on our return flight to Denver they called us and asked us to come back out for another on-site meeting.

They were in?

They wanted us to do all of their DLP implementation. 9 months later we closed a deal for $400,000 of implementation services. Then they asked us for a quote for managed services for their on-going DLP program. Our contact with the client warned us that they have been known to crush little companies and suggested we consider an appropriate price. We came back with a second quote and again, the customer said with the size of the user base, he wanted us to make sure we were really sure we could support it for the long term and we might want to increase our price!

Incredible.

In the end they signed what would be the biggest deal to date with InteliSecure, for approximately $1M annualized revenue. Not only that, they let us start billing them while they did the implementation. So we were able to build the team and get ready before we actually started working their incidents. We had six full months to get the team in place and trained before we handled the first alert from their system. It’s almost like getting venture capital, allowing us to grow and build in advance of the rush.

What a fantastic opportunity to build up the company the way you want it.

Yeah, it really allowed us to mature and grow so much more quickly than we could have otherwise. One part of that was due to this large customer’s requirements for us as a vendor. They handed us a third party requirements document that we couldn’t possibly comply with initially. But I reviewed the document, and told them that we would be compliant and ISO 27001 certified within 12 months.

Yeah! I remember seeing your marketing and webinars around that time, walking us through your certification process.

Prior to this I had already received the ISO 27001 Lead Auditor certification. This exercise gave us the chance to internalize the requirements, and to firm up our place in the market as an expert on ISO. Throughout 2011 we grew and matured.

So we were billing a significant run rate of managed DLP. Then we get a call from an international manufacturing company. Apparently they had run into our big client at a conference, and been referred to us. Next thing you know, we land another significant managed DLP deal.

In 2012 we got ISO certified and moved from Castle Rock into the Denver Tech Center. The new location gave us a lot more room, and more access to talent. We brought in Gary Schilsner, previously CFO for Virtela, to our leadership team as CFO.

It sounds like you guys had arrived.

2012-2014 we were growing like gangbusters. At the same time, Chuck and I were getting burned out. The company was undercapitalized and we were putting in long hours constantly. We needed help.

Gary suggested we go out and get capital. It worked out well; in the summer of 2013 we started getting calls from venture capital firms looking to invest in us. We were in a hot industry and we had eclipsed the magic $10m revenue mark. The phone was ringing regularly.

We went through about 5 months of due diligence with one of the investors, and hammered out an agreement to sell the company to them. When we got to the closing table, as a result of that one deal slipping into the following quarter the venture capitalists reduced their offer and the deal did not happen.

That must have been exhausting, to go through all that and end up with no deal.

I was so tired. This was the middle of March 2014, just last year. I couldn’t imagine going through another 5 months of diligence with another firm. It was at this point, in 2014, that Frontier Capital got involved. I really didn’t even want to talk to another VC firm, but Gary, our CFO, had been talking to them already and convinced me to take their call.

Initially I could tell this firm was attractive to work with. Their website had pictures of a rafting trip they did. They had already invested in companies similar to ours, and they really understood our industry.

So, was it the start of another round of due diligence?

Yes. First, we agreed to give them all the due diligence the previous firms had already done. Second, they would get one week to do their on-site diligence. Third, they needed to close the whole deal within 75 days. Frontier called back and agreed to those terms.


Sometime shortly after that you guys changed your name from BEW Global to InteliSecure. What happened there?

We had always called the managed service part InteliSecure. We all liked that name and the allusion to “Intelligent Security.” We had been talking about this for a while. The investors agreed, so in October 2014 we formally changed the name.

So, what is next for InteliSecure?

We will become a $100m company in the next three years. We’ve built up a stellar team. It starts at the top with our executives, and goes down through all layers. We have a great mix of experienced pros from outside the company and home-grown talent.

What’s your biggest challenge?

Finding and retaining talent in this market. Security people are at 0% unemployment and there’s strong competition for talent. We work to address that by creating an exceptional work environment, where people get to do highly innovative work in a great environment with extremely attractive compensation and benefits packages.

What advice do you have for people looking to get into the information security industry?

You need to be an expert on the business side of things to be effective. Understand the context in which you work, not just the systems you’re running. The cool thing about that is, if you end up getting bored with security someday you still have value to your company as a business process expert. You can help the business in a lot of different ways. If you just focus on being an expert in technology you will likely never have the chance to move away from those.


What advice do you have for CISOs?

Basically the same advice. Learn your P&L (profit and loss). Understand what makes your business’ payroll every two weeks. How can you expect to be a C-level without understanding your company’s revenue, its structural operating costs, what contributes most to revenue, how that drops down to EBITDA, and what generates cash? If you don’t have that kind of insight you can never walk into the CEO’s office and show how your security program will protect the company’s most critical assets and capabilities.

Thanks so much to Rob for making room in his schedule to grab lunch, and opening up about his Colorado success story. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.

An Interview with Colorado’s CISO – Debbi Blyth


Have you ever wondered how someone can go from a job as a mainframe administrator to CISO for the state of Colorado? In this profile I sat down with Debbi Blyth and learned how her career took her along that very path. I learned about Debbi’s background, her plan for Colorado, her advice for new entrants to the security industry, and her advice for current CISOs. If you find yourself hungry for more details about Debbi’s plan for Colorado security, attend the June meeting of ISSA Denver – Debbi and coworker Trace Ridpath will be presenting details on their Secure Colorado program.



Not only do I need to thank Debbi for taking the time to sit down with me, but also for her lunch recommendation. This discussion took place at Park Burger near DU on Pearl Street. The ahi tuna burger was great, and the blue cheese chips were even better.

My questions are in bold, with Debbi’s responses paraphrased below.

What’s your background? How did you get into the security field?

In the early ’90s I worked for a company called Galileo International (later TravelPort), supporting their mainframe systems. Initially, my goal there was to be an MVS systems programmer. My boss approached me at one point and asked me to help with Unix administration and automation. In that role I had the opportunity to look at network and system events and figure out how to automate responses to them.

At that time the firewalls were managed by the networking team. They continually had problems with firewall management. At some point they recognized that the devices were really Unix under the hood, and handed off the firewall systems to me. As soon as I was given responsibility for the firewalls, I dove into learning the technology. I stopped by SoftPro Books (edit note: SoftPro’s closing left a big hole in the Tech Center!) and bought all of the firewall books they had. As I started reading the books I realized how big an undertaking and responsibility I had in front of me.


I hear you made an interesting friend at work during this time.

Indeed I did! I met my husband at work. He was working on the Unix team. There was a little inside joke at work that ended up with him getting the nickname “hacker,” because a vendor of ours didn’t like the configuration changes he made to their product. So, I changed his username to “hacker.”

One day I got a frantic call from a user calling to tell me that there was a hacker in our system. He had seen the hacker account logged into the system. I played it very straight on the phone. I leaned across the cube wall and asked “hacker” (later, my husband) to log off the firewall, then got back on the phone and said, “Is the hacker gone now? I think I eliminated the threat.” While we were very serious about security, we worked hard to also keep it fun!

So at this point, you were still not officially reporting into the security organization?

No, in fact the security director at the time used to call me up and tear into me for stepping into his team’s area. I was doing a lot of security work, trying to implement the firewall rules appropriately. There was some contention between our areas.

At the same time, the firewalls were taking up all of my time, and that was really where my interest lay. I was so focused on getting those tuned appropriately that I wasn’t appropriately focused on my normal Unix administration and automation. After running the firewalls for 2-3 years, I reached out to the security director and proposed that I move over to his team. He accepted my proposal and created a position for me in security.

So, did you bring the firewall administration over with you?

No, the day-to-day administration stayed in the infrastructure area. Security was responsible for the policy and oversight for the firewalls. My new role was much broader in nature. I was so excited to learn. I took as many classes and trainings as I could. Initially I spent a lot of time learning network security – routing and switching, and how to secure that area.

Eventually I shifted my focus to application security, specifically software development lifecycle security. Back in the mid-’90s our business wasn’t reliant on the internet. But by the early 2000s it was a key component of our business. I recognized that our developers were creating all of these web applications that were essential to our business model. I believed that this was where we were most vulnerable. So I worked with the development team to start doing some OWASP Top 10 testing, and secure coding training.

How did you learn about application security to help run this effort?

A few ways. I started attending the monthly OWASP meetings. I read application security books. I also worked with a local company RedShell. They were doing some consulting for us, and they provided a lot of guidance on application security. I wasn’t an expert on it by any stretch, but I knew enough to ask questions like, “how are you handling authentication?” and “how are you sanitizing input?”

Pushing into appsec is always a challenge for a security department that’s traditionally focused on infrastructure. How did that go for you?

There was definitely some resistance. At about that time, in 2005, our director left. I hadn’t expected it, but my bosses promoted me to the security manager. I became a reluctant manager. I had really planned to stay completely technical. I loved the learning and the hands-on work. But, it wasn’t really an option – I was just told I was the new manager of information security. I was the only female on the team at the time… and I honestly believe they picked me for the manager role because I LOOKED the most organized!

In my last months at Travelport, I was reporting to the VP of Network Infrastructure. He kept telling me to leave the developers alone, and stay focused within the network. He thought of me as being a network security manager… the firewall people.

The reporting structure can really make a difference, can’t it?

Yes, when you report into a strictly infrastructure area, it is no surprise that you’re considered to be an infrastructure security department.

What came next for you?

I worked at Galileo/Travelport for almost 20 years. In 2009 I got a call from a recruiter for TeleTech. I listened to their pitch, and it sounded like a fantastic opportunity. I came on as their director of security and compliance and got to run the program. It was at that point that I decided that I really was on the management track and I should embrace it completely.

At TeleTech I reported directly to the CIO, initially as Director of Security, eventually as Executive Director. I worked for them for just over 5 years.

How was TeleTech?

I enjoyed working for TeleTech, it was a great opportunity. I got to build up the program and learned so much about running a program and developing a strategy in a large organization. I really didn’t have a desire to leave, but when the state came knocking, I had to answer.


How did you end up with Colorado?

When I read the job description for the Colorado CISO position I was floored; it seemed to be describing me exactly, and what I would love to do. Additionally, I love the idea of getting to serve the citizens of Colorado.

Tell me about Secure Colorado, and what you’re doing to implement your program throughout the state.

I came into my position a year into the Secure Colorado program, which is funded and scheduled to run 2014-2016. The program has four big tenets.

  1. Safeguard and protect state data and assets. To support this initiative, we adopted the 20 Critical Security Controls (formerly the SANS Top 20).
  2. Conduct research and partner with higher education institutions and other entities to take advantage of and contribute to security research. Utilize cutting edge technology.
  3. Create strategic partnerships with other state and local public agencies and divisions, including law enforcement and other organizations. Share intelligence and best practices. We meet monthly with these external groups to share information.
  4. Compliance, especially with federal requirements. Historically, some agencies have been better at compliance than others. We have rolled out a strategic and consistent approach to tracking and managing risk.

These principles provide high-level guidance, and my job is to ensure the program continues rolling along effectively, make course-corrections as we go, and ensure that our program is staying on track.

In year 1 we worked on getting the first five Critical Controls rolled out. I wouldn’t suggest that we are done, but we’ve got an initial iteration completed.

Can you provide an example of course-correction?

Sure. For example, the last couple of years have made it clear that anyone can be breached. As a result, as we continue to refine our program, we will incorporate a larger focus on incident response than the program had originally. We want to make sure our organization is ready to handle that inevitable breach.  It’s not really a course correction – the program direction and goals are still valid and relevant.  However, at this time, we are selectively highlighting a few areas in which we will deepen our level of maturity.

Can you provide some specific examples of controls you’ve rolled out, and the impact of them?

We implemented the McAfee suite. It provides network and end-point security, such as malware, application whitelisting and hard-drive encryption. Getting this standardized approach has provided great benefit to us. We aren’t completely done with the deployment, but we’ve already seen a 75% decrease in malware instances.

What comes next in the deployment?

We will continue to mature those first five critical security controls while we work on getting the next batch of controls deployed. For example, we currently have rogue system detection on the network to alert us when a device plugs into the network. Currently, a person has to manually go figure out what is going on with the rogue device. The next step in maturity would be to automate that response.

Secure Colorado is a 3-year plan, but we know that even if we do our job perfectly, the job still won’t be done. We will have more work to mature and refine the controls. When the Secure Colorado program was created, the previous CISO assembled a committee of private and public sector security, privacy, and business professionals to vet our plan and give feedback on how to improve it. I am reassembling that group (along with some new members) to review the status and discuss how it should change in the future. I hope to do this update process on an annual basis.

Secure Colorado is a public document, and you all can view it here.

Do you have plans for what comes next for Debbi Blyth after CISO of Colorado?

I feel like I have reached the pinnacle of my career. I am working with a fantastic group of people who I enjoy daily, and I’m making a real difference for the people of the state. I have no plans for something different in the future. My boss (the CIO) is appointed by the governor, so there’s no guarantee what will happen when we have a new governor, but I am thrilled to stay where I am for the foreseeable future.

One of my favorite questions… for someone who is just looking to get into security, what do you recommend as their first steps?

I strongly recommend that they start technical. Firewall administration, networking, application security or another technical discipline will give them the background they need to be successful in the industry. They should be taking security classes and pursuing security certifications. At whatever level they can. Maybe start with Security+ until you have the work experience to get the advanced certifications.

The main key is that you just need to spend time with security to learn it. Go talk to the security department at your current company and ask to help them. Get experience helping with projects, or just helping out. It’s a great way to find out what you like about it, and whether it will be a good fit for you. Many times the way I have hired into my team is pulling in the people who have been my allies in other departments.

What advice do you have for CISOs and other folks who run a security program?

Security is all about relationships. Build relationships with those who are running the business, doing mergers and acquisitions, marketing, with product testers. These relationships are the biggest component to being effective in your role. A lot of decisions are being made on a regular basis, and if you don’t have the right relationships you won’t know about the decisions until they’re already made.

Debbi, you just put it perfectly. Our success is all about the relationships.

The CISOs who get fired are the ones who nobody can get along with, or who are considered “the department of ‘no’.” Saying no doesn’t make us more secure, it just means we will be left out of the conversation.

Thanks so much to Debbi Blyth for making room in her schedule to grab lunch, and opening up about her Colorado success story. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do. Please join us June 10th and hear Debbi’s plan for security.

An Interview with Security Journalist – Brian Krebs


Have you ever wondered what it’s like to break the news of a massive data breach? Be the target of the Russian mafia? Brian Krebs, from Krebs on Security, is the most recognizable name in the information security news arena. I am very excited that Brian has committed to performing the opening keynote for the 2015 Rocky Mountain Information Security Conference (RMISC). As we look forward to Brian coming to town in May, I eagerly requested the chance to interview him as a part of my Colorado security interviews series.

My questions are bolded. Brian’s answers are paraphrased below.


Before we dive into where you are today, let’s discuss where you started. How did you get into journalism originally? And how did you end up getting to write for the Washington Post?

My association with The Washington Post actually started when I was 9 years old, when I helped with and later acquired a rather lengthy paper route from my siblings, delivering The Post to a network of more than 200 homes in my neighborhood.

As a teenager, I was quite active on my high school newspaper. At one point, the educator who oversaw the paper intimated she wanted to make me editor of the publication, but I think I was frankly too interested in girls, spending time outdoors and other things to take that seriously.

In 1995, a year after graduating with a liberal arts degree from George Mason University, I was in a dead-end job that I absolutely abhorred, and a good friend of mine who’d just gotten a job stocking supplies in The Washington Post newsroom said he thought he could probably get me a job in the Post’s circulation department. I was excited about the prospect of working in or near a major metropolitan newsroom and possibly revisiting my brief stint as a reporter, but I wasn’t wild about the idea of answering phones all day. My friend told me he’d started in the Post’s Circulation Department answering phones, and that if I graduated at the top of my class (they divided up customer service reps into teams there) in customer service, I could probably land a job sorting mail in the newsroom as a copy aide. That was enough for me, and after six months I’d graduated top of my class and applied for a job as a copy aide, which I got. Since I could type more than 100 words per minute, they had me split my time between delivering mail and faxes in the newsroom and taking dictation from reporters in the field. After doing that for about 16 months, I got a job as an editorial aide on the Editorial page, responding to letters to the editor and occasionally helping with the layout of that section.

I had a variety of editorial aide positions at The Post until 1999, when I accepted a job as a full-time writer for a Post-owned tech newswire called Newsbytes. When The Post sold that off in 2002-2003, the three of us Newsbytes reporters in the Washington DC Bureau were mercifully folded into washingtonpost.com. There I wrote about tech policy, and increasingly about security. In 2001, my home network had been completely compromised by a computer worm, and I sought to learn all I could about security at that point. By 2004, when the Blaster Worm caught the world off-guard and caused Microsoft’s famous Gates memo on rearchitecting the company around security, I was surprised that security was not a full-time beat at The Post. In 2005, I was given, I think, the second blog at the site then, Security Fix. I ran that blog until 2009, when washingtonpost.com was merged with the Dead Tree Edition of the paper and they eliminated my job.

I’ve heard you tout the advantages of being an independent investigative journalist. For those of us outside the world of journalism, what’s the difference, and why does the difference matter?

Much of journalism is following the reporting of other journalists, and grinding out new copy that advances the story in incremental or dramatic ways. This is as it should be, since there is always more to the story, and each piece that runs is merely a rough draft of history, as they say.

One of the things I enjoy about being independent is that I don’t have to follow the story du jour or chase other reporters’ scoops; more often than not, I am making a decision about what *not* to cover. Instead, I can invest the time and energy into developing stories that nobody else has, with a vantage point that is hopefully unique.

The caveat here is that this sort of journalism is very expensive — both in terms of the time commitment involved and the resources. The great risk inherent in all investigative journalism is that you spend weeks or months chasing a lead or hunch and wind up with little that is useful from a story perspective, beyond perhaps having developed some new sources for a future piece. But because cybersecurity — and more specifically cybercrime — is such a rich and deep field and so intertwined with nearly every aspect of modern life, it is usually not difficult to find timely, compelling and unique stories to tell if you know where and how to look.

At what point did you become interested in information security? Was that before or after you left the Post?

I detail this in the “About the Author” section of KrebsOnSecurity.com, but I got pretty massively hacked, and decided I didn’t want that to happen again. Along the way of learning how not to be a victim again, I was fortunate enough to be introduced to a ton of razor-sharp people who lived and breathed this subject, and were passionate enough about it to share their knowledge. It’s an obsession that took hold of me then and hasn’t yet released its grip.

You’ve become pretty well known for getting your hands dirty; finding your way into the hacker community, and listening to their conversation. Tell me about the learning curve, how high is the barrier to entry?

Depends on how far down the rabbit hole you want to go. There is a tremendous amount the average person could learn just by spending time on (not even interacting with) many popular cybercrime forums – some of which, by the way, aren’t terribly difficult to get into. But going deeper requires a willingness to acquire at least a passing knowledge of another language such as Russian or Mandarin, I think. Even with these language skills mastered, it takes time to get acclimated to the lingo, norms and rules of the underground, and it’s easy to incur an infraction that gets one banned from a community after much hard work getting into it.

That said, most of my work on the forums is done just by listening and lurking. Very rarely do I interact with people on or in these communities. Much can be learned just by observing. Unfortunately, some communities routinely ban users who do not participate in some material way, or at least contribute to the discussion in a way that furthers the interests and goals of the more active participants.

You are known for breaking the story about breaches. Many of the high-profile breaches were reported by you first. How do you know about it first?

Depends on the breach. Some of the bigger ones are not easy to hide. It’s a bit like pushing a giant boulder off a cliff into a still pond and then trying to rebuke the ripples. When a major cybercrime event happens, it usually manifests itself in quite noticeable ways in the underground. In the case of the Target breach, for example, one fraud shop began moving batches of millions of fresh, new stolen credit and debit cards onto the market every other day. This is not a normal occurrence, and it’s difficult to hide that kind of breach. That’s because the fraudsters know the goods they have to sell don’t age well, and that they need to move this product as quickly as possible. So, in those cases, they don’t try to hide it; they just get more creative and aggressive about selling it.

The epicenters of other breaches are far more difficult to determine from the data that ends up for sale in the underground. Breaches involving Social Security numbers, medical and healthcare records, for example, are notoriously difficult to trace back to the compromised entity — simply by virtue of the fact that so many organizations hold or handle this information about us. Also, these records are not like credit cards — few of us are going to cancel our SSN and get a new one in response to a breach. Consequently, the data has a far longer shelf life, and the fraudsters who sell it often are content to let it sit on the shelves until someone comes asking for it. Even so, often there are telltale indicators in the data itself that provide clues to its origin. Often, the trick is posing as an interested and qualified buyer, and convincing the seller to part ways with a sample of the information he has for sale in order to do the analysis needed to tell who got hacked.

You’ve become pretty ubiquitous in the security executive circles. How do you feel knowing that many CISOs joke about “getting a call from Krebs” when they discuss getting breached?

I suppose it’s kind of a back-handed compliment, in that I’m the guy nobody wants to talk to. But in reality, they’re far more likely to get a call from law enforcement, which seems to be doing a lot more of these notifications every day. Unfortunately, very often when I make the call, the victim company has already been notified by law enforcement. Almost invariably, this means that the victim organization’s data (and that of their customers) not only went missing, but that it is actively being sold, traded or shared on the underground markets.

You have certainly changed the way security is reported and discussed. What are your plans moving forward? How do you plan to innovate and improve on what you’re already doing?

This is a question that is probably best left unanswered in-depth, for a variety of reasons (at least for my part). But I will continue to strive to create original content that is useful, timely and as easy for my mom to understand as it is compelling to a seasoned security pro. That is a never-ending challenge, and it’s a balance I strive for in all my stories.

Ultimately, I’d like to be more successful in corrupting more of my mainstream media colleagues into going out on their own and delving into this subject deeply. I would never shrink from more competition on that front, and to the contrary strongly believe that there would be even more exciting opportunities for collaboration between and among some of my very skilled and passionate journalist colleagues.

Do you have any advice for current CISOs? What are we doing wrong, and what can we do better?

Most failures in security can be traced back to a failure to explain — in *very* simple and succinct terms — how security contributes to the bottom line of the organization. No executive or board wants to hear about what can’t be done or reasons why the business should be in any way restricted from achieving its goals.

The job of the CISO is part diplomat, part technocrat, part salesman, and part scapegoat. Not all CISOs are cut out to wear and juggle these various hats, and that’s an all-too-common unfortunate reality. Ultimately, it is the job of these shape-shifters to devise ever more crafty ways to educate the board and senior leadership about the criticality of security in helping the organization achieve its overall goals, while hopefully avoiding major catastrophes along the way.

In journalism and in the practice of law this is the practical equivalent of “leading the witness” or “lobbing softballs,” but in reality it’s about the reverse: It’s about presenting scenarios that force decision makers to ask certain questions. More specifically, it comes down to helping leaders get to the point where they’re compelled to ask intelligent questions about how the goals of the security folk fit into the overall goals of the organization. And there’s the rub: Often, higher-ups don’t ask because either they don’t want to know the answer, or (more frequently, I think) they’re afraid that their ignorance of the subject will show in the way they ask the questions in the first place. Finding subtle yet persistent ways to help them acquire the knowledge and appreciation of the subject matter so that they feel comfortable asking those questions is the hard part.

Fundamentally, that leading process is about deftly explaining how the organization can learn and profit from the mistakes of competitors. I’m a huge fan of the “Despair” de-motivational franchise, which seeks to lampoon the can-do, motivational slogans often championed by executives and other high-powered people. My favorite is the one with the picture of the half-out-of-water shipwreck which carries the punchline: “TAGLINE: IT COULD BE THAT THE PURPOSE OF YOUR LIFE IS TO SERVE AS A WARNING TO OTHERS.”

The greatest compliment that CISOs and CSOs often give me is that I help them scare their bosses into taking their jobs seriously, and I think to a certain degree — indeed, if from nothing more than a keen sense of self-preservation — this comes naturally to CISOs/CSOs. But unless one also has a plan to propose in the event of such teachable moments — a way to shamelessly capitalize on the brief attention to the subject that such events offer — then these are wasted lessons and opportunities indeed.

What would you say to someone looking to get into security? Is it a good career path? What disciplines would you specifically recommend (or recommend against)?

That probably depends on what one wishes to do with one’s skills. On the bright side, specializing in security is a bit like taking up a career in healthcare: the prospect of unemployment for anyone with a strong mastery and specialization in either of these fields anytime soon is fairly close to nil. So we’ve got that going for us…which is nice.

From the perspective of a CISO or CSO position, it’s probably at once the best and the worst career anyone can contemplate, for all the right and wrong reasons. I know a fair number of these executives at different companies pretty well, and I can tell you they are some of the most passionate, hands-on, articulate and frustrated people I know. They have to be: If they’re not — or they’re not allowed to be — they’re busily looking for a new job pretty soon.

The more you know about cybersecurity and cybercrime, the harder it is to see things in black and white. On the other hand, the greater and broader your knowledge, the easier it is to explain the criticality of this subject to those who perhaps aren’t as nuanced in the topic — whether they be readers or executives. For better or worse, these are the tensions that tear at anyone steeped in — and responsible for educating others on — cybersecurity.

Thanks so much to Brian for his time. If you haven’t already signed up for RMISC, please come join us and see Brian speak in the evening on Tuesday, May 12th; it should be great. For more of the Colorado security interview series, click the links below.