Interviewing InfoSec entrepreneur Lance Miller
Lance Miller is a serial security entrepreneur. Perhaps you have had an idea and considered starting up a company to build your dream. Heck, maybe you’ve even started up a company to do it. Lance has built six successful companies around security consulting, managed security services, penetration testing and, most recently, security staffing. Along the way he managed to help create one of the premier security communities on the web. I sat down with Lance to discuss how he’s achieved his success, where he sees the Colorado security community going, and his advice for security practitioners.
My passion is to organize and energize the Colorado information security community as the mecca for information security. As I’ve worked in the community, I’ve been continually surprised at just how many fantastic individuals we have in the area and the wide variety of ways they contribute to the industry. So I set out to start meeting those people, and writing up those interviews for you to enjoy along with me. I am hopeful that one of these stories will inspire you to throw your own hat in the ring and take a chance by trying something new. Click the links below to read previous interviews in the series.
- Dave Navetta – Information Security Lawyer
- Chris Petersen – Co-founder of Boulder-based LogRhythm
- Johan Hybinette – CISO for Hosting.com
- Jericho – Founder Attrition.org
- Dan Wilson – Co-founder of Denver-based Accuvant
- Mike Kalac – CISO for Western Union
- Brian Krebs – Investigative Security Journalist
- Debbi Blyth – CISO for the state of Colorado
- Rob Eggebrecht – Founder of Intelisecure
- Alex Wood – ISSA International Board of Directors
- Andre Durand – CEO and Founder of Denver’s Ping Identity
My questions are in bold, with Lance’s responses paraphrased below.
**You didn’t always work in security. How did you go from running a vending machine company to a security guy?**
After selling the vending company, a good friend was VP of Sales at a managed services company in Research Triangle Park (RTP: The hot-spot for technology companies in North Carolina) and he brought me on board to help with business development. After being introduced to their lead security guy, I quickly realized the future was not in networking but securing the data. I began to read everything security related and get in the hip pocket of our security guru on engagements when possible. From that point on, it was all about InfoSec for me.
After the managed services company I worked for was acquired, the head of InfoSec and I decided to launch our own security consulting firm… and WireHead Security was born. We offered services like penetration testing, vulnerability assessments, code reviews, etc. We recognized that application security was where we wanted to focus. That interest led us to volunteer as the North Carolina OWASP Chapter leaders for a handful of years. I am very proud of the work we did at WireHead. We were known for some of the best deliverables in the industry.
**Tell me about InfoSec Island. How did you create and curate what became one of the premier web security communities?**
While our original goal with InfoSec Island was to lower our cost of sales with WireHead’s services, we quickly abandoned that model. Instead, we wanted the focus to be about excellent content and nothing more. With little vendor influence on the Island we were able to provide the community with an open platform to share their thoughts on happenings within the industry. We gave a large platform for new and emerging authors with some truly excellent articles (and a bit of really bad content as well). By far the best thing to come out of InfoSec Island was all the talented people I was able to meet.
**I know you no longer own or operate the site. What happened?**
InfoSec Island was sold to Security Week so that my business partner and I could focus our energies on a new venture: Trusted Metrics, a managed security services provider (MSSP). Looking back I wish we would have held onto the site as it doesn’t receive the love it once did.
**That leads us to the creation of Trusted Metrics. That was another big change in your career. What motivated you to make the move from consulting into an MSSP?**
We felt that we needed to do more for our clients than just test things. We wanted to offer additional value by not only finding vulnerabilities but by also constantly watching the network and helping remediate issues. We built a robust SIEM that we managed in our own SOC for clients. After one of our clients mentioned Trusted Metrics to a VC group, we quickly partnered up and began to take things to the next level. Not that long afterwards, my mother passed away which caused me to evaluate my life and how I was spending my time. After a lot of soul searching in the mountains of Colorado, I decided to go another direction and walked away from Trusted Metrics. Life is short, follow your heart. I did just that and launched The Cetan Group, a brand new InfoSec consulting firm.
**It was Trusted Metrics that brought you out to Colorado. Tell me about that transition. How does Colorado compare to the security community in Raleigh?**
I was very surprised to see what the Colorado security community was all about. Coming from RTP, I was thinking I would be coming to an inferior market. I was wrong big time. The Colorado InfoSec community is one of the best in the country. The more I see, the more I feel this way.
**In early 2015 you started a new company focused solely on finding and placing security talent at organizations (see write-up on Norse’s State of Security). What led you to do that?**
Security is all about the people…not shiny and blinky boxes. I felt that I could be a better steward of the industry by finding the right talent for the right opportunity than any vulnerability assessment or pen test I could ever provide.
**What’s your plan for the future? Where do you see Lance Miller in two years?**
I am a family guy #1. I am building The Cetan Group and Curity to do two things:
- Make a positive difference in the InfoSec community.
- Allow me to be the best dad/husband I can be.
**Having only been in Colorado for a couple of years, you have a great perspective to evaluate our market. What are the best things about security in Colorado? What are the worst?**
The best part of the Colorado security community is the number of talented active people. We seem to be more involved in taking the community to a higher ground than we did in North Carolina.
The worst part of the Colorado community is that some of the long-timers are a little cliquish and have the “get off my wave” mentality. Oh well…this exists all over.
**I love getting different perspectives on a couple of common questions, from everyone I interview. So please share your take. What are CISOs doing wrong? What can we do better?**
The only thing that really jumps out to me is that some CISOs are too trusting of big security vendors’ marketing machine. This seems to be subsiding more and more, however, after each breach there’s another wave of reactive buying.
In reality, there is no silver bullet. We need more CISOs who are business-minded first and InfoSec second. To me, this is the direction we need to be going, not only at the CISO level but even at the individual contributor level.
**What’s your advice for people who are looking to break into the security field? What should they do to land their dream job? Heck, better yet, what should their dream job be?**
I always suggest that people figure out what they love and go all out pursuing it. Find like-minded/hearted people and work with them. Dream jobs are not just about money or titles, they are about being happy. Culture is everything… find yours.
Thanks so much to Lance for taking the time to talk with me and share his thoughts on the Denver security scene, and his own path. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.