- You have an undergraduate degree in integrated science and technology, and a master’s degree in engineering management. When you graduated and were looking for your first job, what did you envision you’d be doing?

Thanks for making me feel old – it’s a little challenging to remember that far back in my career. For my first job, I cast a wide net and applied for positions ranging from software development to systems integration. I honestly didn’t know what I would end up doing, but as I got exposed to more career options, I aspired to be an enterprise architect or chief engineer. I probably couldn’t verbalize it at the time, but I quickly determined that I am good at synthesizing a lot of detail, making decisions quickly, and being able to explain the situation and conclusion to both techies and the C-suite. Those skills are what eventually led to more of a sales and marketing focus while still being able to understand the details of technology. On top of that, I like to build things, so that’s probably how I ended up as an entrepreneur.
- Your first job out of college you were a systems engineer. A couple of years later, you transitioned into consulting, and then were hired as a senior security engineer. What additional training did you have to get after you were out of school in order to become a security engineer?

I’ve never had anything but on-the-job training (OJT), but I have been lucky to work for bosses who allowed me to take chances. Before transitioning into the security space, I had a lot of exposure to mainframes, Unix servers, networks, database systems, and software development. I believe strongly that you need to understand the details of an environment in order to secure it. Shifting from building solutions that monitored and managed networks to building solutions that monitored and managed network security was not a big leap. Also, the reality is there wasn’t a lot of security training available at that time. There were SANS conferences and the body of knowledge for the CISSP certification, but I, and probably most people at that time, transitioned into the security industry absent much, if any, formal training.
- How has the security landscape changed since then? Is the role of a security engineer now much different than it was back then?

The single biggest change has been the increase in attack surface. To explain, let’s use a building as the analogy for a company’s network. In the early 90s the building had no windows and only one door that everyone used to enter and exit. The building was fairly easy to secure. The security engineer was largely responsible for firewalls and remote access. The expansion of corporate websites and e-commerce in the late 90s was the equivalent of adding a ground-floor window to the building. A vandal walking down the street could crawl through the window and walk around the foyer. At this time, the security engineers needed to worry about intrusions to a limited scope of their network and the propagation of viruses and other malware. Advanced persistent threats existed, but most people were focused on fraud and vandalism. Fast forward to today and our building has a front door, back door, side doors, 25 windows, and, since we’ve run out of space inside, storage sheds all over the property. This is analogous to the near total dissolution of the corporate network perimeter, the explosion of unstructured content, and the adoption of Cloud and other shared storage and computing. The point is that businesses have catastrophically increased their attack surface. The role of the security engineer has expanded from keeping out the bad guys to also trying to detect the bad guys that are on the network, and keeping them from stealing anything of value. The challenge is that the attack surface grows faster than the security teams can address the threats of the expanded attack surface. Security engineers have evolved from generalists (cross-functional application, host, and network skills) to specialists (cryptography, web content filtering, data loss prevention, etc.).
- It looks like since then, your focus has turned toward data security, especially data encryption. Can you give some examples of why data encryption is a big deal? What does an IT manager need to understand about data encryption that he or she might not be aware of?

Data encryption is viewed as the ultimate security control in the event that all other layers of security have failed. The problem is that data-at-rest encryption doesn’t address sophisticated threats to data because data isn’t at rest. Data is dynamic and constantly being created, modified, and distributed. IT managers need to understand that the effectiveness of encryption is, in part, a function of where the encryption and decryption occur. The other component that makes encryption effective is the management of encryption keys. To determine which encryption technology best meets the business’s needs, IT managers need to understand the true motivation for encryption within their business. For example, encryption of data at rest is appropriate for physical loss or theft of mobile devices, but it’s not effective for securing against logical attacks to server-based information. For advanced threats to information, encryption is likely to be a feature that is integrated into an overall solution that includes multi-factor authentication, well-governed access controls, and activity monitoring. Relative to key management, the trust and ongoing cost of an encryption solution are based on the scalability and security of the encryption key management as well as the changes that the enterprise must adopt in order to “operationalize” the management of encrypted data. Few encryption solutions are able to deliver key management that is usable, scalable, and secure. I could do an entire interview focused just on the considerations for key management, but for this discussion, my single piece of advice is never build it yourself. Encryption key management is a highly specialized discipline.
- In 2011, you helped to found CipherPoint Software. There are a lot of security-related software companies out there. What’s unique about CipherPoint?

Great question and one that I think about each and every week! CipherPoint’s offerings are unique in that:

  - We focus on securing document-centric platforms and use cases. Almost 90% of all stored data are documents, spreadsheets, and other forms of unstructured information (as opposed to structured information, which is rows/columns in a database). It’s a major blind spot for businesses, and the vast majority will admit to having no visibility of where their sensitive files are stored and who has access to them.
  - Our solutions are capable of preventing the exposure of information to IT administrator accounts. These accounts have full access to every piece of data and every configuration setting on a server, so they are a favorite target for outside attackers.
  - Our technology works to secure information in both traditional data center environments and Cloud applications. Most vendors only provide solutions that can support one or the other deployment. CipherPoint’s approach is unique in that it can be applied to any application, anywhere.
- One of the services you help provide is transparent data encryption. Can you explain what TDE is, and why it’s important?

The key word in Transparent Data Encryption is “Transparent.” This implies that the encryption should not cause changes to the users’ experience and should not cause the business applications and processes to break. Historically, enterprises could only attain transparent encryption by applying it at the storage layer, but CipherPoint’s technology provides the ability to transparently encrypt at the application layer, which is exponentially more effective for securing information.
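The placement argument made in the two answers above (storage-layer encryption defends against physical loss of the media but hands plaintext to any account that can read the volume, including an administrator, while application-layer encryption decrypts only inside the application after an access-control check) can be shown with a small model. The code below is an added, constructed example; it is not CipherPoint’s software and is not from the interview. `Disk`, `StorageLayerEncryption`, `ApplicationLayerEncryption`, the per-path ACL, the sample document and the HMAC-SHA256 counter-mode keystream are all assumptions made for the illustration, and the keystream is unauthenticated and chosen only so the model runs with the standard library.

```python
"""Constructed model: who sees plaintext depends on where decryption happens."""
import hashlib
import hmac
import os

# Constructed sample document (not real data).
SECRET = b"Q3 acquisition target list - board eyes only"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream. Illustrative only:
    it is not authenticated and should not be used as a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message; output is nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class Disk:
    """Raw block storage. raw() models both an admin reading the file from the
    server and the physical loss or theft of the media."""
    def __init__(self):
        self.blocks = {}

    def write(self, path, data):
        self.blocks[path] = data

    def raw(self, path):
        return self.blocks[path]


class StorageLayerEncryption:
    """Volume-style encryption: the volume decrypts on every read, so any process
    with operating-system access to the path gets plaintext, whoever it is."""
    def __init__(self, disk, key):
        self.disk, self.key = disk, key

    def write(self, path, data):
        self.disk.write(path, encrypt(self.key, data))

    def read(self, path):
        return decrypt(self.key, self.disk.raw(path))


class ApplicationLayerEncryption:
    """The application holds the key (here an in-memory stand-in for a key fetched
    from an external key manager) and decrypts only after an access-control check."""
    def __init__(self, disk, key, acl):
        self.disk, self.key, self.acl = disk, key, acl  # acl: path -> set of user names

    def _check(self, user, path):
        if user not in self.acl.get(path, set()):
            raise PermissionError(f"{user} is not authorised for {path}")

    def save(self, user, path, data):
        self._check(user, path)
        self.disk.write(path, encrypt(self.key, data))

    def open(self, user, path):
        self._check(user, path)
        return decrypt(self.key, self.disk.raw(path))


def storage_layer_demo() -> dict:
    disk = Disk()
    volume = StorageLayerEncryption(disk, os.urandom(32))
    volume.write("/docs/targets.docx", SECRET)
    return {
        "user_reads": volume.read("/docs/targets.docx"),
        "admin_reads": volume.read("/docs/targets.docx"),  # admin is just another OS reader
        "stolen_disk": disk.raw("/docs/targets.docx"),      # physical theft: ciphertext only
    }


def app_layer_demo() -> dict:
    disk = Disk()
    app = ApplicationLayerEncryption(disk, os.urandom(32), {"/docs/targets.docx": {"cfo"}})
    app.save("cfo", "/docs/targets.docx", SECRET)
    try:
        admin_via_app = app.open("sysadmin", "/docs/targets.docx")
    except PermissionError:
        admin_via_app = "denied"
    return {
        "user_reads": app.open("cfo", "/docs/targets.docx"),
        "admin_via_app": admin_via_app,
        "admin_reads_disk": disk.raw("/docs/targets.docx"),  # full server access, still ciphertext
    }


if __name__ == "__main__":
    for name, result in (("storage layer", storage_layer_demo()), ("application layer", app_layer_demo())):
        print(name)
        for k, v in result.items():
            print(f"  {k}: {'PLAINTEXT' if v == SECRET else 'ciphertext / denied'}")
```

In the storage-layer case the administrator’s read returns the document because the volume cannot tell a legitimate application from an administrator’s shell; only the stolen-disk path stays opaque. In the application-layer case the same administrator gets ciphertext from the disk and a denial from the application. The model also makes the interview’s second point visible: the application-layer key is the one thing standing between that administrator and the data, so the design is only as strong as the key management behind `os.urandom(32)`, which in a real deployment belongs to a separate key manager rather than to the server being protected.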
- As your company continues to grow, what sort of individuals do you expect to hire? What sort of training should they have, and what sort of things do you look for in an individual that can’t necessarily be taught in a class? Are there any certifications which you feel are especially valuable?

Culture is highly important as you scale, and the first priority is to make sure that people fit with our culture. We value hard work, individual empowerment, and accountability. Our mottos that drive how we apply those attributes are “Customers First” and “Relief from Pain.” I first look at the qualities of an individual to determine if they are empathetic and inclined to put customers first. Next I look at his or her resume for indicators of a maniacal work ethic. People who have had to perform hard or unsavory jobs typically understand that a win is much more rewarding if you had to get uncomfortable to earn it. Those are the things you can’t learn in a classroom. Either your parents instilled those in you or you developed them out of necessity. I’m not a big believer in certifications, but I like the CISSP. If a candidate doesn’t have a four-year degree, then I think other certifications in their target career are a plus. More than 2 certifications and I question if the candidate is willing to be accountable for producing anything. Collecting certifications is probably more beneficial for people wanting to be consultants as opposed to those wanting to be a permanent member of an interdependent team at a single company. In terms of hard skills, we look for analytical thinking (statistical analysis) and directly or indirectly applicable industry experience. For example, someone who learned how to troubleshoot and repair electronics in the military may make an excellent software quality assurance engineer. Someone who was an enterprise architect may make an excellent product manager or product trainer.
- Given the dynamic changes in security and technology, what’s the #1 issue that you think most companies should be focused on that they aren’t adequately addressing?

The #1 issue is that companies have not evolved their security strategies fast enough from the building with a single door to the building with 25 windows. We’re still thinking about security as a progression that starts with trying to keep out the attackers. Companies need to reverse their strategy and work from the inside toward the outside – think about security as if they’ve already been compromised. Once companies accept that fact, they will be in a better position to stop data breaches.