In this blog article series, Mission Team Spotlight, we interview and chat with our knowledgeable team members about their careers, time at Mission, and trends in the industry.
This interview has been edited for length and clarity.
How did you come to join Mission?
I’ve lived in the security world for a long time. Previous to Mission, I worked at Bitdefender, a security company. I was looking around and talking to some folks. I noticed that a friend of mine that I've known for a long time had ended up at Mission. He and I worked at Rackspace for a long time together. He posted on LinkedIn that Mission was looking for folks, so I sent him a quick note. I trust him, and if he liked Mission, I knew I would. I said, I don't know if you have a spot for me, but if you do, let me know. I talked with Jonathan LaCour (Mission Chief Technology Officer & Sr. Vice President, Service Delivery). We went back and forth about what roles they needed, and it worked out.
For me, it’s the first time that I’ve sat in the CISO chair. I have spent the last ten years helping customers meet security and compliance objectives. This is the first time I've been responsible for doing them at the top end. I spent a long time at Rackspace doing managed services. I built multiple managed detection and response businesses, which are managed security services. I’m very familiar with this area, so it seemed like a good fit.
What got you into security and the industry in the first place?
My background is as a developer. My degree is in computer science, and I used to write code for a living. My devs don’t let me do that anymore [laughs], but I used to be an OK coder and ended up at a company in San Antonio called Denim Group. Coalfire has since bought them, but they were an application security company. I was doing custom development for them but also ended up getting into the security side of the business from the application point of view. From there, I kept doing it. I like the security side of things. I've always been the person who wants to understand the behind-the-scenes. That lends itself to kind of being the security guy. Understanding how things all function together allows you to do a small tweak in your brain and start to understand how you can bring those things down and use them in ways they weren’t intended to be used. I ended up liking security and architecture. Then I got into security product management, building security products for customers to meet objectives, and building security services. Most people in my generation who end up in security kind of fell into it rather than aimed for it in school or the like. These days, there are programs for people to take to start in that world.
You mentioned all the different things you did in the security world. Which of those components do you enjoy most about working in information security?
I built my MDRs with a good friend named Daniel Clayton. He’s an ops guy, and I’m more of the pie-in-the-sky, draw-on-the-whiteboard guy. He always used to joke that I got all the credit when things went great, and he got blamed when everything went badly, which worked out pretty well for me [laughs]. He and I worked together for a long time. Part of the reason we were able to do that is that our goal has always been to reduce risk to customers. That’s the part we like. That’s what we want. No one should have to worry about security stuff. In an ideal world, my job doesn’t exist. How do we take what’s out there and create a scenario where people can be innovative, build cool stuff, and deliver their best work? That’s the interesting part for me. Security has become this thing that's considered a dark art: you’ve got to be a security guy, and you’ve got to know this stuff, but it’s not really like that. Helping customers understand the difference between snake oil and not, and how to bring real value to customers to be successful in their business, is interesting to me. I also like building businesses and products, and security offered a way for me to do both of those things.
For a business looking to build their security operations, what would you say are some of the key things to keep in mind that would set them up for success?
I’ll give some examples of things where I’ve seen customers struggle. The first is thinking the tools will solve your problem. People, processes, and tools make up a security operations center. Tools are only 10% of addressing the problem. I'd always rather have a well-structured, well-resourced, well-experienced team with free and open source tooling over the best tooling that money can buy than not have the right people to run it. Sometimes, the vast majority of the budget and headspace security and business leaders have spent is on buying tools. You end up with a mismatch. You've got a lot of security tools that won't necessarily make you that much more secure.
I see people thinking that you can take an insecure business and just wrap some security around the outside of it, and poof, it’s magic. Many security vendors will try to sell you that story because fixing the gooey center is hard, right? That’s getting lots of other teams and departments on board and focusing on the boring basics like patch management, configuration management, policy, procedure, identity, and access management stuff that is not sexy. People don’t like doing that work, but that is the work that does the most value in securing your infrastructure instead of buying whatever whiz-bang tool you saw.
We see customers struggling when they hire security people, expecting that one person can fix everything. Sometimes hiring a single security role is 100% setting up this person to lead without authority. I would always rather spend my budget to make engineering or IT more mature because that drives business value. If I spend money on security tools, maybe I’ve solved the problem, but all we got was a risk reduction in those cases. We didn’t get any business value out of it.
One thing everyone struggles with is expertise. Security is a difficult, brutal area to hire and retain talent. Focusing on where you can outsource, where you don't want to, and where you can't is important.
I've always been a strong proponent of being a capabilities-based organization. Look at your business needs and the threats to your organization in the security landscape. Use those to develop a categorized list that determines the threats you see to your business. This approach is how you can get a customized view of your security needs and then, based on that, answer the question, “what capabilities does my security operation need to address those threats?”
Then and only then do you go out and look at tools that have those capabilities. If you first talk to security tools salespeople, they're paid very well to convince you that you need their tooling. Whatever story they tell will be a great story, but it might not be your story. Understanding what your risks are is useful in the saying, I need a tool that can do these specific things to meet my security threats. You then go out to the market and look for those capabilities. It’s much more focused.
What challenges or trends do you see emerging in the information security space over the next five to ten years?
I think the general trend of continuing to have challenges in staffing will be true everywhere and certainly will be in cybersecurity. I also hope that the types of folks that decide to get involved in cyber become more diverse than they are today. Cyber is still a white male profession. The number one goal of a cyber person is not to be the best technical person in the world but to interface with the rest of the business and build rapport with those folks to achieve objectives. You need a diverse group of people in cybersecurity roles to achieve that. I hope that diversification continues, but it is, unfortunately, happening at a slower rate in cyber than in areas like the different engineering disciplines and bioscience. We’ve got some work to do in the community there.
We've also seen a continued acceleration of technology changes driven by rapidly evolving business needs in the last five to ten years. I don’t think that’s going to change. I hope that we will see a continued focus on the fundamentals of improving the maturity of businesses rather than this focus on trying to buy some security lipstick and put it on the pig.
We'll continue to see an increase in outsourcing 24/7 monitoring functions. It is so expensive to build your SOC. I’ve built two of them with lots of help from smarter people than me, and they are brutally expensive, eye-wateringly expensive things to run, and most organizations shouldn't be spending that kind of money.
How are we at Mission differentiating ourselves in the AWS cloud environment security landscape?
We’re AWS-specific at Mission. AWS is all we do. There are certainly use cases for multi-cloud usage, and many companies will find success with them. Still, it is challenging to build a reliable operation that uses different technology platforms. They are very complicated, and they change at a high rate of speed. Most companies shouldn't be looking at multi-cloud unless they have a good reason.
If you're in the AWS camp, that’s Mission. That’s all we do. We live and breathe AWS. That means we can get a depth of expertise that is more difficult for other folks to get. From a security perspective, what that means is I’m very interested in Mission being the operations team that understands security.
I've seen a gap where customers buy a costly security tool or service. They are paying a lot of money. That will result in some alert coming to you as a boss or business owner. Then you have to do something with that alert. We’ve found that many companies don't know what to do in that situation. They'll get an alert, but they may not have a security staff, or the security staff may not know what to do. They may not be experts in the platform enough to know what to do there.
Mission understands security. We can get very detailed technical security information from our security partners, then help customers understand how we can use the AWS platform to solve those issues and keep them from happening in the first place. Our goal is to help customers be successful in using AWS. Part of that is securing the workload. Part of that is making the workload compliant for those customers who need to go through audits.
That’s an area where we can accelerate customers because developing the expertise to secure an AWS environment and make it compliant is a lot of effort. It’s an area where customers can work with a provider like Mission to focus on what their business does. They didn’t start their business to do SOC 2 compliance. Those are areas where we can help customers.
What do you enjoy most about working at Mission?
The number one thing that I like about Mission is that everybody thinks about ‘how do we do what's right for the customer?’ We’re looking to get you more runway if you're a startup. If you’re a big company, we’re looking at how to get you more margin.
I also love that we’re a fully remote company. We're figuring out how that works because nobody's got it down yet, but being fully remote allows us to hire diverse talent from wherever we want. We’re not limited to whoever happens to live in one area. It allows us to be global. It will enable us to get very different perceptions and opinions in the business, which can help us understand and empathize with customers and drive better results.
I like that we are open to experimenting with things to try and make them better. Sometimes it doesn’t work, sometimes it does, and we’ll continue experimenting. I love that that is one of the critical things our CEO thinks about. It’s less about did we make the number this quarter, although I’m sure he cares about that. Still, he’s also asking whether we are building a business that can last and function, where people are happy to work. At the end of the day, we hire top-level talent and rent them out to customers. We're not in business if we can’t attract and retain top talent. Figuring that out and being top of mind for the CEO is always something I like to see because that is our business. Figuring out how we help employees be flexible or help people be engaged, how we build relationships across the organizations where we don’t necessarily see each other very often.
We’re also still small enough to get direct feedback from everybody. We still get everybody on a call every week. I like that we can admit that when we’re doing something wrong. They say we tried to make it work, and it didn’t work. I think it’s great that we’re willing to iterate and learn and get people engaged to feel like they can make real change in the business because they can.