Operations
10/20/2015
10:30 AM
Vincent Liu
Vincent Liu
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Building A Winning Security Team From The Top Down

Dropbox security chief Patrick Heim dishes about the need for strong industry leaders, the 'unique' cybersecurity personality and why successful organizations need 'cupcake.'

In a wide-ranging Q&A at the consulting firm offices of Bishop Fox in San Francisco, Dropbox Head of Trust & Security Patrick Heim spoke with consultant Vincent Liu about some serious and not-so-serious issues facing the security industry today. We excerpt highlights below. You can read the full text here.

First in a series of interviews with cybersecurity experts by cybersecurity experts.

Vincent Liu: There’s such a lack of leadership in security, and there’s no real training for it. What are your recommendations to new leaders?

Patrick Heim: A solid technical foundation is important. It’s common to see people who are less technical being replaced with a newer generation of more technical security leaders. There’s also the issue of interacting with boards or higher-level executives. In those situations, claiming everything is fine is probably not playing your role. The expectation is that you will be self-critical, and you’re continuously seeking opportunities for improvement. You don’t want to be overly critical, and you want to celebrate your team’s wins. That’s important psychologically since security is a never-ending treadmill. Celebrate the wins, but look to the future. Consider how risks are evolving, what new threats are emerging, and how you will adapt to them.

VL: As somebody at the top of his field, you have your choice of position. What led you to Dropbox, and what do you look for in leadership when you meet them?

PH: I’m interested in how leaders impact organizations. When I visited Dropbox and saw its culture and people, it became clear to me that something was very right about this company’s leadership. Having been inside of Dropbox, I now know why. From a cultural perspective, it’s focused on attracting the best of the best without compromising “cupcake,” a company value*.

VL:  Have you encountered any personality differences that are unique to security? For somebody who is starting to manage security professionals … are we weird?

PH: Yeah, we are weird. That weirdness factors in when we talk about the lack of adequate security professionals. To maintain a healthy team, sometimes you have to pass on an opportunity to hire a particularly big personality because they could cause a disruption.

VL:  When would you hire a big personality?

PH: It depends on the company. There are individuals with big personalities who excel at what they do. Harnessing that energy in a security product company is incredibly powerful. Taking that energy and putting it into a mature security organization in a decent-sized company may be difficult.You can hire those people, but you need to say, “What value am I going to get from them before they move on to their next challenge?” They are probably going to become restless and not want to work in a large company for an extended period. Then, consider how this person will impact the team. If the individual has a coaching mentality, they may inspire others to up their game. If that individual is a very big personality, they may intimidate others or they may become frustrated.

VL: What recruiting lessons have you learned about building a team?

PH: I’ve made hires that were too experimental and backfired as a result. I’ve also learned — and this is more of a leadership skill — you have to quickly get all over any tension and resolve it. Visibly confront it because that way, the team sees that you have their backs. If problems are building up, you must address them. A good security leader will guide his or her managers so they understand that angering people is an unsustainable strategy. Look for win-win solutions, things that make everybody happy, and keep the business moving.

VL: How did you build out your security team at Dropbox?

PH: We structured the security organization into two parts. One is Security Engineering, and the other is Trust and Security. We wanted to group individuals with similar skillsets together. The Security Engineering team consists of developers and highly technical skillsets. This involves more operational elements as well as the engineering side. The other part of the organization, Trust and Security, is compliance, risk management, working on more business-driven strategies, coordinating the entire program, and assessing its performance.

VL: You’re considered a de facto expert in cloud security. Why is it so valuable?

PH: Everyone is a target. An environment’s agility is the difference between success and failure. When you have an amazingly gifted team of security engineers, agility is sometimes measured in hours. Cloud is game-changing because of its agility. The provider can rapidly intervene, change, evolve, do whatever necessary to protect the customer’s data. Security is higher-stakes for cloud companies. If you’re not a great custodian of data, if you’re not compliant, if you’re not securing their information, your customers will leave. 

Dropbox Head of Trust & Security Patrick Heim
Dropbox Head of Trust & Security Patrick Heim

PERSONALITY BYTES

First exposure to computers: Dad supported “bad habits” with an “amazing amount of hardware:” PC XT, Commodore 64, TI-99/4A

First taste of security: Bulletin boards on the West and East Coasts with “hardcore” long distance charges. “Out of necessity, you had to figure out how to hack the phone company.”

On security leadership: There are two camps. One values structure, controls, reports, and predictability context. The other has an outcome, adversarial perspective. Neither is right or wrong.

*Why organizations need "cupcake": Cupcake is basically being nice, good, and pleasant. When you make that a company value and combine it with amazingly smart and humble people, you have a great environment.

Bio: Patrick joined Dropbox in January 2015 with over 20 years of information security and technology experience. Previously, he served as chief trust officer at Salesforce.com and also held chief information security officer positions at Kaiser Permanente and McKesson Corp. Patrick advises security startups and serves on the board of directors at Cylance.

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/20/2015 | 9:00:11 PM
Involvement
Another important consideration is to ensure that the security team is actively involved with the recruiting/hiring process (and, by extension, the HR department less so), because the former will have a better idea of what they are looking for/what they need as opposed to filling out a checklist for HR involving x years of experience with whatever.
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
A Call for Greater Regulation of Digital Currencies
Kelly Sheridan, Associate Editor, Dark Reading,  11/21/2017
New OWASP Top 10 List Includes Three New Web Vulns
Jai Vijayan, Freelance writer,  11/21/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.