1. Leveraging more than two decades of experience in the tech industry, you currently serve as NetIQ’s senior director of solution strategy. What exactly does this role entail?

Yes, that was the most recent position I held (for about 3 years) at NetIQ, which was ultimately acquired by Micro Focus, a UK-based software company, late last year. Today, I serve as Vice President, Product Marketing and Solutions Strategy – so a broader and deeper role that includes the NetIQ product portfolio in addition to others under the Micro Focus brand. This means I work closely with everyone from product management; those who set the direction for the engineering teams, through to the marketing organization and the sales teams globally. I mostly work to ensure that we are able to fully understand the challenges our customers face on a day-to-day basis. It’s also my duty to clearly communicate the company vision for our solutions to the market, our partners, and of course, our customers. It’s challenging and rewarding, which I suspect is something that can be said of pretty much any job in the InfoSec industry today.
2. You earned a combined Bachelor of Science degree in computer science and prehistoric archaeology. The computer science component is very much in line with what might be expected of an IT/IS professional, but the prehistoric archaeology component looks like an off-the-beaten-path choice. Why did you choose this focus, and does it help you do your job?

I can’t claim that my archeology skills necessarily have a direct translation to the work of technology and security, but I think it’s fair to say that anyone entering these fields will need to have a range of skills and experience. The problems we face are complex, and the solutions require all of us to be highly versatile in the way we think about the world, the experience we draw upon, as well as the way we plan and communicate. Technical skills are always going to be necessary, but to get ahead in this profession, those skills need to be paired with good communication, the ability to think laterally about problems, and a sound understanding of a broad range of topics. These days, philosophy, literature, history, even archeology, all have something to offer the technologist.
3. What hard and soft skills does someone in your position require in order to be successful in the IT/IS industry?

Speaking from personal experience, the key to success has always been in the ability to quickly assimilate technical information and then translate that into the actual real-world impact. Being able to see past the technology, to grasp the meaning and the relevance of features in a piece of software are absolutely essential. So, of course, is the ability to communicate, both internally within the business to senior managers and other departments, as well as externally to customers, industry analysts, and journalists. Ultimately, to be successful, one has to be able to take complex ideas and simplify them. The “simplify” piece is always quite difficult.
4. Although no two days are alike in the industry, can you provide a bit of a summary in terms of what sorts of things you could do on any given day?

I spend a good deal of my time planning and ensuring communication between people both internally and external to the organization. It’s terribly easy to become siloed, and as a result misalignments can occur between the direction the products are headed, the way we market solutions, and the needs of the salesforce, partners and customers. Just keeping everyone on the same page is pretty much a full-time job. That said, I also try to keep abreast of the news and technology developments, because in this industry things can change very quickly indeed.
5. What types of threats do your customers face today that maybe were not really on the radar when you became the senior director of solution strategy for NetIQ in 2012?

We’re seeing a couple fairly significant trends colliding to make customers’ lives a bit more difficult than they were even three years ago. The first is that employees and the business in general have much more power over the way IT is delivered than ever before. The days of the highly centralized IT strategy, administered by the CIO’s office, are pretty much gone. The second trend is that more and more activity is taking place driven by remote employees and partners who need to get access to data from mobile devices. These two problems mean that it’s very difficult for security teams to exert the level of control they might want – employees simply won’t tolerate overbearing security controls that get in the way of doing business. It’s a combination that attackers are only too aware of and thus exploit – often attacking by appearing to be an “insider” within the business to establish a foothold in order to steal data.
6. Are customers and prospective clients generally receptive when you recommend solutions that can safeguard them from the threats popping up on the landscape with increasing regularity?

I think customers understand that the problems they face are complex, and the solutions to address them have to be flexible and well integrated. As a result, we tend to work closely with customers to help them understand where their biggest risks are, and then help them align the right solutions to the problem. The days of vendors trying to sell the next security silver bullet are thankfully coming to a close. What customers need now are vendors and partners who work with them to solve problems today, but in a way that positions them for longer-term success, too. It means they have to demand more of us (their vendor), but in the end we all benefit.
7. What sorts of best practices should companies adopt in order to avoid or at least lessen the likelihood of being hurt by data protection or encryption problems?

When organizations have problems with data security, it’s usually the result of some fairly basic challenges that have been allowed to grow over time to the point where they cause real damage. We always recommend thinking clearly about who users really are, what information they actually need access to, and putting in place the controls, and monitoring, to ensure that unnecessary risks are eliminated. The single biggest failure we see is an inability to really manage who users (people or systems) are and what they can get access to. In the end, almost all major breaches revolve around some flavor of that basic challenge.
8. It sometimes appears as though businesses lean towards being reactive rather than proactive – only getting the solutions they need after they’ve been compromised by cybersecurity attacks. Would you agree or disagree with this statement? And why?

Much as I’d love to think that everyone is as focused on information security as much as we are, the reality is that businesses tend to see security as a cost, an overhead. To a degree it’s inevitable, since it’s hard to attach revenue to improved security practices. Unfortunately, the prime time that security questions tend to be asked by the boardroom is usually after a breach has occurred. However, I do see very promising signs that more and more organizations are taking a proactive approach to security. The visibility of some of last year’s major breaches is really putting security on the board agenda now, and in the long run, that will help companies be more successful in integrating security into ongoing business plans and strategies.
9. Are there emerging threats that, while not currently on the radar, could pose serious problems in the near future?

There are always emerging threats that will take us by surprise. As someone once said, the attacks only ever get better. And while it’s difficult to prepare for every eventuality, I would say companies that take InfoSec seriously, and get the basics right, tend to weather whatever the newest breed of attack is better than those that ignore the problem or simply don’t invest upfront. Obviously the cloud continues to open new areas of risk for businesses, although it should be noted that so few breaches hit the headlines as the result of a cloud service being compromised. I think that the biggest questions today revolve around the Internet of Things (IoT). We know the IoT will change the rules for information security because of the incredible complexity it will introduce, but as of today, we don’t know what that impact will be. The game is changing, but we just don’t yet know what the rules will be.
10. What advice would you give to college or university students interested in entering the IT/IS space?

First, I would definitely encourage anyone thinking of joining this space. There’s a real shortage of InfoSec professionals out there, and you’ll be in demand! The second thing I would tell them is to, above all, keep an open mind and stay flexible. Whatever the industry looks like today, I guarantee it will look very different five years from now. That’s the challenge; and that’s the opportunity. Technology can change almost everything, and in InfoSec, things change fast.