On October 29th, we held the inaugural Sqreen Summit, a virtual event on the future of application security, the latest from Sqreen, CISO priorities in 2021, and the changing role of the security engineer.
In this post, I wanted to share some highlights and takeaways from the latter breakout session: The Changing Role of the Security Engineer. It’s well worth a watch, and you can do so on-demand here.
In this fireside chat with Sqreen’s VP of People, Alison Eastaway, Jacolon Walker, former CISO and security engineer at OpenDoor, Collective Health, and Palantir, shared his career journey through security, the impact that the changing world of security has had on his role as a security engineer, the key traits and approaches for success in security, and advice for anyone looking to break into or move up in the field. It was a lively discussion with some great pieces of advice, so we wanted to highlight them here.
1: Security is changing, and advancing in security means exploring and changing as well
Security is a changing space. 15 years ago, it was very network and infrastructure-centric, and over the years, the focus has shifted to other areas, with applications in particular taking a more prominent role recently. Today, everything is much more SaaS-based, which changes the dynamics from non-scalable hardware deployments to much quicker cloud deployments.
The security point of view has changed tremendously because everyone is in the cloud these days.
As you think 3-5 years from now, there are a lot of alerts and fatigue that you have to consolidate and make useful for that security engineer or that executive. So the future will deal with not just taking care of organizations that have technical issues with migrating to the cloud, but showing them where their main issues are. You buy these tools, but you need to make sure you’re giving the right signals to your team.
- Jacolon Walker
Establishing a career in security means moving and shifting with the times as well. Getting involved with different layers and points of view lets you see a bigger piece of the pie, and strengthens your ability to be effective in meeting the particular security needs of your company. Broadening your scope means interacting with and understanding the needs and risks of other teams. This makes communication much more important.
We’re also going to see more trends towards communicating to your partners and peers where their risks and issues are. Because at the end of the day, they own the risk, you don’t own the risk.
- Jacolon Walker
2: Advancing up the ladder in security becomes more about people than about technology
When it comes to advancing in security and moving up the ladder towards being a CISO, the key skills and value-add really come from being able to connect with and understand key stakeholders in other teams, rather than solely becoming a deeper expert in the technology itself.
Empathy and compassion for what people in other teams are trying to accomplish become two of the most important traits to develop as a CISO. Connecting with developers, product leaders, and business leaders is a crucial skill for a CISO, and is the biggest thing that will make you more effective as a security leader.
As a CISO, showing teams where their key issues are is crucial. You need to not only build the security program in depth, but also develop strong communication with the key teams. The business owns the risk, not you as a security person, so they need to know about it.
I’ve done a lot of exploit development. I’ve done a lot of reverse engineering. I love all those technical challenges, but the biggest thing for me was when I became a CISO and had to start breaking down walls with other teams and business units. That to me was more eye-opening and more useful than anything.
Being a security engineer or analyst, you’re so in the weeds. And that’s great, but if you want to move forward in your career, you gotta be able to break down those communication barriers and build those relationships.
- Jacolon Walker
3: Understanding the business and other teams is key to building a good security program
When it comes to building a strong security program, the most important thing you can do is tie it into the business and break down the walls between the security team and other teams. You have to understand the pieces that go into building your security at all layers, which is nearly impossible to do if you don’t understand the needs and goals of other teams.
At the top, there’s the overall business strategy that you need to align to as well. Every other team is doing this too, so you need to spend time with them to understand how they’re doing this — what their pain points and problems are. From there, you can develop a common language and set of goals so your security program is seen as an enabler rather than a blocker. If you use the business strategy as your template and touchpoint, you have a framework for talking to all the other teams and building a strong program.
When I joined Collective Health… I asked every single executive leader, ‘what keeps you up at night?’ And they thought I was coming from a security standpoint, but I said no, I don’t want to know anything about security, I want to know what keeps you up at night. Is it reputation damage, is it financial issues, is it protecting healthcare records? And it’s informative, because it tells you everything you need to know when it comes to building your security program.
- Jacolon Walker
4: The most important trait in security is diversity
Security is all about solving hard problems. The drive to solve problems attracts a lot of people to the security space. But solving problems effectively in security requires considering lots of approaches and viewpoints. There’s a misconception that security is insular, isolated, and cliquish. In reality, without many different perspectives, security is less effective.
A lack of diverse thinking in security is dangerous. If everyone thinks the same, then as a security team, you get isolated and lose the developer’s point of view. And without that, how are you going to help make your relationships better with peers outside of security?
You need people from different areas of security, other business functions, and different backgrounds to get involved. Having a liberal arts background, for example, can be really helpful in a security team. With different points of view involved, as a team you’ll be able to build a more effective and thorough security program.
A friend of mine is a poet and a writer. When I was developing an exploit for a web application, I was having so many issues. She gave me a quote from a known poet in her field. I was like ‘okay, I get it. Leave no stone unturned and take a step back.’ I took a step back and took her poem and read it. In the middle of the night, I had an epiphany that helped me solve my exploit.
Without her, I wouldn’t have been able to solve it. Having her help there reminded me that it’s the different traits and diversity that help you think more creatively and expansively outside of your own scope.
- Jacolon Walker
5: There are many ways to get involved in security
Security can seem intimidating, but security people are often very open to having new people get involved. If you’re a developer or in some other function, get involved with your security team. Take on little projects and let them know that you’re interested. Most security teams are under-resourced, so if you can become their champion, that’s valuable for them and for you.
If you’re already in security, and want to progress, try focusing on building up your coding capabilities. Being able to commit code opens up new areas of security and a deeper understanding of your developers and their work. It can also earn you respect among your developer counterparts.
There’s a ton of security info out there too. There are so many good books out there, so if you’re a self-driven learner, read some books and learn! Building relationships is also super helpful. Get involved with Slack and Discord communities, many of which are very open to new people and new learners.
Get involved with Slack communities and Discord communities. There are a lot of them out there that are willing to help you out. Without those communities, it can be a struggle. I come from an IRC background, so in the late ’90s, that’s what I was on all the time. They taught me a lot through those channels. Put yourself out there in those channels and you’ll be surprised. There are a lot of people out there willing to mentor you.
- Jacolon Walker
Watch the session on-demand
Jacolon shared a lot more insights and advice throughout the chat. If you’re interested in starting or advancing your career as a security person, there’s a lot to take away from the session. Watch the full session here.