Alex Wood is a heavy hitter in the Colorado information security community. From working in massive enterprises (IBM, AT&T, and Kaiser Permanente) to building and running the information security program for a mid-size enterprise (QEP Resources), to leading the biggest security conference in the region (Rocky Mountain Information Security Conference) and the ISSA Denver chapter, Alex has done a lot for security in the region. As of August 2015 he was elected to the ISSA International Board of Directors and will represent Denver in the international security community. I asked Alex for some of his time to talk about his career path, the Colorado security community, and more.
My passion is to organize and energize the Colorado information security community as the mecca for information security. As I’ve worked in the community, I’ve been continually surprised at just how many fantastic individuals we have in the area and the wide variety of ways they contribute to the industry. So I set out to start meeting those people, and writing up those interviews for you, the loyal reader, to enjoy along with me. I am hopeful that one of these stories will inspire you to throw your own hat in the ring, and take a chance by trying something new. Click the links below to read previous interviews in the series.
- Dave Navetta – Information Security Lawyer
- Chris Petersen – Co-founder of Boulder-based LogRhythm
- Johan Hybinette – CISO for Hosting.com
- Jericho – Founder of Attrition.org
- Dan Wilson – Co-founder of Denver-based Accuvant
- Mike Kalac – CISO for Western Union
- Brian Krebs – Investigative Security Journalist
- Debbi Blyth – CISO for the state of Colorado
- Rob Eggebrecht – Founder of Intelisecure
My questions are in bold, with Alex’s responses paraphrased below.
**Alex, you’ve accomplished a lot in the Denver information security community. How did you get involved in the security community in the region?**
I’ve spent my whole professional career here in the Denver area, but the first two of the companies I worked for, IBM and AT&T, were extremely large. There are positive and negative aspects to working in a really large company: just about any skillset you need is in-house. You’ve got access to great people, but because of that, you don’t necessarily have motivation to meet other people in the local security community. I got to the point where I really wanted to connect with local security resources instead of someone in North Carolina or New York or Ireland or India, for that matter.
One of my IBM co-workers was involved in ISSA and suggested I attend a meeting, which I did. It was a pretty small group but it was great to meet some local people. Soon thereafter, I joined ISSA and started attending meetings more regularly. After attending a few meetings, I learned about the Rocky Mountain Information Security Conference and was excited to see that there was a conference like that in our backyard. Paul Herbka, the president of ISSA at the time, began recruiting volunteers to help plan the next RMISC soon after. I was interested in getting more involved. After a short discussion with Paul, he informed me that I was the first volunteer so I would be in charge of planning the next conference. As we began the initial preparations, the Communications Director of the chapter resigned so I volunteered to take that position as well, since I would already need to do communications for RMISC. I did my best to make those communications my own. I think that’s really how I started to get to know people. Whenever I’d introduce myself to people, they’d say “Oh yeah, you’re the guy I get all the emails from!” After a couple years of doing that, Paul informed the board that he was going to be stepping down and I was apparently the only sucker interested in taking over. That got me to where we are today.
Through the whole process, I’ve learned a whole heck of a lot. I’ve gotten to meet many, many people in the local security community. I’ve gotten introduced to other organizations outside of ISSA, such as ISACA, OWASP, PMI, and many others. I’ve had the opportunity to meet lots of other ISSA members from across the country and the world. Through recruitment of sponsors for RMISC, I’ve met just about every vendor under the sun. If my original goal was to meet people in the local security community, I definitely met that goal.
**In the 4 years you were the ISSA chapter president, membership increased from 138 to 350, a 254% increase. To what do you credit this growth?**
When I first joined the chapter, we had some spotty participation from the board. Everybody was doing their best but we were understaffed and the board members we had were very busy with other responsibilities. As a result, we weren’t very organized and would be trying to find speakers for chapter meetings a week or two before the meeting date. That meant that we weren’t getting much time to promote the meetings. It also meant that many of the speakers that we were getting weren’t of the highest quality. I learned that you need to get high quality speakers and give enough time to promote them to people that would want to come. Once you get people coming to the meetings, they get value out of attending and many will join the chapter. As the chapter got bigger, we started to have a bit of a snowball effect. The more people that came, the more people wanted to come.
Another key to the chapter growth was RMISC. Not only has RMISC gotten better and better, but we have been really lucky to keep the cost to members low while still making a small profit. We used those profits to help finance the chapter operations, including offering chapter meetings free to members, free full-day trainings, and our academic scholarship program. All of those factors have contributed to the growth and I’m really proud of where the chapter is today, as well as excited to see where it can go.
**Now that you’re sitting in the coveted ‘past president’ position for ISSA Denver, what do you see as the opportunities for the chapter to grow further?**
Well, we’ve made great strides but there’s still a lot of room to improve. In 2015 we started having monthly chapter meetings in Boulder (as well as in our traditional Denver Tech Center location), which is a great step forward. The Boulder area was really underserved from an ISSA perspective. I think that there is still room for another monthly meeting in the downtown Denver area. It may seem like Denver, Boulder, and the Tech Center are close but it isn’t always easy to get away from the office for a 60 or 90 minute lunch meeting when you have to add 30 to 60 minutes of driving time. Back to my earlier comment, if we provide high quality content and in this case, in more locations, we will get more people to join the chapter.
Another area that we could grow is in mentorship. We have such great members in all different phases of their careers and in many types of positions. Using the experiences of our members to mentor other members, or students for that matter, can really add value to the membership. There has been some advancement in this area at the International level and we have the opportunity to bring some of that to our local members.
The final area is volunteerism in general. Our board participation has grown, but with the growth of membership overall, we have the opportunity to get many more volunteers to help with our programs. We have always solicited volunteers, but there is definitely an opportunity to formalize their participation. With increased volunteering, there is the opportunity to create more programs and value for the membership, which will in turn grow the membership base.
**While you didn’t start the RMISC, you were a big part of growing the conference. From 2010 when you took over, to 2015, we saw a 72% increase in attendance. What’s the next hurdle for the conference? Where should we take it?**
That’s a hard one because I think that we are really at a crossroads with RMISC. We have grown attendance every year for the past 6 years but I think we are nearing the top end of attendance for a Denver area conference. So there are some options. There is no reason the conference has to grow. We are a strong size, we continue to provide excellent content at a great value, and we can continue to be successful doing that.
There is also the opportunity to grow into a regional conference. I think that is a much harder road but it could be one that pays great dividends. There are markets that we can appeal to in Utah, Kansas, Nebraska, New Mexico, and other nearby states that could increase our size. It would take some heavy marketing and we would have to continue to bring in big name speakers like Brian Krebs in order to attract those regional attendees.
We also have opportunities to increase value through changes in format. When I first got involved with RMISC, it was a one day conference. We expanded that to one and a half days with a half-day training to start the conference. We have since expanded to the current format with several full-day trainings for different focus areas. There is definitely an opportunity to expand the pre-conference trainings even more. There are many trainers that would be willing to give trainings of 2 to 5 days. The biggest challenge is to ensure that whatever we do, we still provide great training at a great price.
Even though I’ve stepped down from the RMISC conference chair duties, I know that we’ve got a great team in place for the future and that it will continue to get better no matter what direction is chosen.
**Since stepping down from the ISSA Denver board, you have been elected as an international director for ISSA. What are your goals for the ISSA International board?**
That’s a great question and I’m not sure I have a definitive answer yet. The platform that I built my campaign around was threefold.
- Increased educational offerings driven by International and delivered by chapters,
- An expanded mentorship program for members and chapter leaders, and
- To enable greater awareness and transparency of ISSA International activities for members.
That said, I really feel like I need to get a couple board meetings under my belt to determine if those are truly the areas of the greatest need. However, I am confident that the third bullet is something that I want to work toward. Getting elected to the International board but not really knowing the issues that need to be addressed shows that there needs to be more awareness. We are a chapter-based organization and most of the activities happen on the local level. Having more inter-chapter and International awareness will only help to make the organization stronger. Whatever I end up focusing on, I intend to bring the same passion that I’ve brought to the Denver Chapter.
**Let’s talk about your personal career. What took you from the massive enterprise field with IBM, into a smaller company?**
I loved my time at IBM. It was where I got my first job in security. I worked in the Managed Security Services group there before IBM bought ISS. It was such a great experience because we had a great team of people. The group was pretty small and full of really bright people, many of whom are still doing great things in the Denver security community. I ended up working in that group for most of my 10 years at IBM. One benefit and drawback of working there was that I worked at home for much of the time. To many people that probably sounds like a dream, and I did love it for a long time, but it got to the point where I was missing the physical connection with the people with whom I worked. For the most part, there weren’t happy hours or water cooler talk, which you take for granted when you work in an office. It is also hard in such a large organization to feel like you are making an impact. I really wanted to be somewhere that I could see the results of what I was doing make a positive impact on the company as a whole.
IBM and AT&T have a long history with each other and periodically swap functions between them. So as I was contemplating what I wanted to do with my career, a funny thing happened. It turned out that the group I was in at IBM was transferred to AT&T. One day I worked for IBM and the next I worked for AT&T. I was doing the same job with the same responsibilities but getting paid by a different company. I decided to give AT&T a shot for a few years which allowed me to work for a few different groups within the company, but at the end of the day, I still had the same issues. Almost nobody I worked with was even in Colorado so I still longed for some of the “normal” parts of working in an office.
When I finally decided to move on, I knew I wanted to be at a smaller company that was based in Colorado. I also knew that I wanted to be in a position where I could be a leader in the security program so that I could see the impact on the company. I felt like I had a pretty diverse skill set and wanted to be able to lead while still getting my hands dirty in the day-to-day technical stuff from time to time. So I started looking around for different opportunities. There were several places that I had interviews but didn’t get the job. I was a little disheartened, but looking back I think I learned a lot through the process. I hadn’t effectively communicated what I could bring to the table during the interview. In the end, I learned better how to articulate the value I can bring to an organization as a security and risk leader. And I landed a position at QEP which was perfect for me.
There was no security program when I started so it was a challenge and an adventure building one, but I learned a lot through the process. I got to wear all the hats: security engineer, CISO, compliance officer, assessor, and more. I also got what I was really looking for: building relationships with real live people that I worked with and the ability to make a difference for the company. The time I spent at QEP was great and I wouldn’t change a thing, except maybe getting a couple more people on my staff. But who doesn’t want that?
**And after successfully implementing a security program with QEP, what led you to make the move back into a large organization?**
Well, there was still a lot of work to do maturing the program at QEP when I left and I wasn’t looking to leave. The opportunity to move really just happened. I knew some people at KP and I had heard good things about the company. There was a lot of growth in the security/risk management/compliance space and it seemed like they were very serious about building the program. Healthcare is an exciting industry right now for security, and around technology in general, so that made it appealing. The size of the company was something that I definitely had to take into account, but with the way the security organization was positioned, it seemed like there would definitely be ways to make an impact. In the 11 months that I’ve been there, I’ve seen that to be true. I think that I made the right choice in moving.
In addition to all that, I’ve been a member there for almost my whole adult life so I know the service we provide from a consumer perspective. When I went to QEP, I ended up on a traditional health plan and I was lost. The integrated model that we have is something that I really enjoy and it is one of the reasons that we provide such a great product to all our members. When you believe in your product, it makes working at a company much more rewarding.
**Where do you see yourself in a few years? What’s next?**
Well, I’ve been through a whole lot of change in the past year or so. I’ve given up the ISSA Denver Chapter and RMISC reins. I’ve started a new job. I’ve been elected to the ISSA International Board. It really has been a whirlwind of activity. I think it might be good to settle in with what I’ve got for a bit. I don’t know what the future will bring, but I’m looking forward to it and hope to keep contributing to the community we’ve built here in Denver.
**Alright… into the last couple questions. First, what advice do you have for CISOs out there now? What are we doing wrong, and what can we do better?**
Assess and plan. It is really easy to get caught up in the tactical parts of our job. An incident is going on now. A project needs to be completed. That stuff all has to be dealt with, but if you aren’t taking the time to assess where your whole program is today, then you have no idea what you need to work on. Completing that assessment and comparing it against where you want to be (or where management, regulators, or others think you should be) shows you the gaps you need to fill. Then you have to start getting into the hard stuff. How are you going to fill those gaps? Which gaps are you going to address first? And of course, how much is that going to cost in people, time, and dollars? Once you’ve got that plan, you can focus more on the tactical aspects of getting it done. Don’t rush that planning, though. Make sure you’ve got the plan fully backed before you start to implement it. You also have to make sure that it isn’t just your plan, but that it matches what the rest of your organization is doing and that your management agrees with it.
**For those people interested in getting involved in the security field, what is your advice? How should they get their foot in the door to come take your job some day?**
The key to succeeding in our field is to understand how systems, processes, and technologies work. This is essential for you to be able to think about how someone could misuse or abuse the way the systems and processes are intended to work. From there, you will figure out the best ways (controls) to limit that misuse. Understanding how things work is the most important. To be good at that, you need to have the desire to build and play. Most of the best security folks either started somewhere else in IT or were curious enough to build their own systems to play with. System administrators, network engineers, systems analysts, and other similar job types require you to understand deeply how something works and provide a good base of skills. I see some people trying to jump into security without having that basic knowledge first. You’re skipping a step. Understand IT systems first.
Another key is to work with the community. There are so many people in Denver with great knowledge and most of them are willing to share. If there is someone that is in a job you want to be in, ask them to be a mentor. If there is someone who has more knowledge than you in an area, ask them if they can help you develop your skills.
There’s a great opportunity for all of us to use the knowledge we already have to improve the state of security in Colorado. If you have knowledge on a subject, come present it at an ISSA meeting. Or OWASP or CSA or ISACA, depending on the subject. Let’s all help each other get better.
Thanks so much to Alex for taking the time to talk with me and share his thoughts on the Denver security scene and his own career success. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.