Zane Lackey: 'Technology Is the Easy Bit'
Security Pro File: The DevOps evangelist and investor shares his expertise with the next generation of startups. If you're lucky, maybe he'll even share his Lagavulin.
It was only a few years ago, around 2016 or 2017, that Zane Lackey had a conversation that encapsulated the central challenge of his career. Then a Signal Sciences cofounder, he was meeting with the CISO and the CIO of a Fortune 500 client (he won't say which).
He met with the CISO first. Lackey suggested a cloud migration, but the man refused to budge. "I'm not allowing any of that," Lackey remembers him saying. "It's all insecure."
Lackey's second meeting of the day was with the CIO, who informed him that cloud migration was "our No. 1 priority." Lackey must have given the man a strange look because he laughed. "I see you've been talking to the CISO," the CIO said. "We just don't invite him to meetings anymore."
Lackey, a former CISO and a general partner at Andreessen Horowitz (a16z) since March, is one of the foremost champions of DevOps, the integration of a company's software development and operations teams. "The teams have different priorities," he tells Dark Reading, "but they form a Venn diagram. Solutions have to help everybody, in security and everything else."
The greatest obstacle to the kind of architectures Lackey lives for has nothing to do with code or obsolete firewalls. It is the culture of siloed security and operations teams that ignore each other's processes or, like the Fortune 500 executives that day, actively subvert each other.
In his words, "Technology is the easy bit. Culture is the hard bit."
The Early Years
The ancient feuds and impenetrable silos of digital business teams must be a particular headache to someone like Lackey, who never outgrew his boyhood joy in attacking tech problems. Lackey grew up in Murphys, Calif., a tiny village without much in the way of mental stimulation. Lackey discovered PCs in his early teens and began saving money for a new hard drive to learn Linux. It was hard, lonely work, and he loved it. It took him months to figure out the PPP settings to connect to his local ISP. But once he was on, it took only five minutes for someone to hack him and shut him down.
"It was a moment that changed my life," he says, "in an extraordinarily positive way."
Security infrastructure became Lackey's obsession. He began spending nights playing virtual capture-the-flag games with his friends, devouring Red Hat, Windows, and every systems manual he could find. The passion for infrastructure and for offensive and defensive security took Lackey to UC Davis, that improbable cradle of geniuses, where he worked as an intern in the computer security lab (a rarity in the early 2000s, even at big universities).
At one point he had to develop a honeypot, so he built an entire fake departmental website to lure in attackers. A group of South American teenagers took the bait and installed their own Counter-Strike server. He describes the event today as if it were a rugby match: all give and take, high pressure and clever footwork.
His first job out of Davis came from a 2005 Craigslist ad: A Bay Area startup called iSEC Partners was looking for its first employee. Lackey started immediately, working as a general consultant under the direction of Alex Stamos. His work involved a lot of application, wireless, and network penetration testing and assessment.
Then in 2010 the NCC Group bought iSEC Partners, and Lackey went to New York to start an East Coast branch. It was there, around 2011, that Lackey began exploring the tools and tactics that would come to be known as DevOps. Companies were growing faster than their linear waterfall deployments could handle. Cloud storage and bespoke, integrated toolchains had only just made the leap from concept to code.
But Lackey was on the case, especially after Etsy took on the 26-year-old, briefly as a consultant and then as CISO. It wasn't exactly a gamble on the company's part, at least as Lackey tells it; his credentials spoke for themselves. Etsy gave Lackey his first real taste of the colossal volume of modern, international security upkeep. At iSEC, Lackey was pentesting companies that deployed software once every 18 months. At Etsy, he was expected to secure software being deployed 30 times per day.
"This was security," he says, "but for a different world." (Etsy was ahead of the pack — at the time, Google and Facebook were deploying once a week.)
That different world brought its own new tools, not only at Etsy but at its West Coast counterpart, Netflix, where another iSEC veteran, Jason Chan, was now CISO. Like Chan, Lackey saw that reliance on thousands of discrete Web application firewalls (WAFs) could never keep pace with the modern volume of threats. The cloud transition was part of the solution, as was a more nuanced zero-trust strategy than was common, then or now.
But what companies like Etsy needed was a new architecture altogether, one in which each application fits into a companywide, vertically integrated security system like teeth in a zipper, all accessible through one "single pane of glass" console. The console would have to be fully visible across teams, never "someone else's job" (inside or outside the company), and, most importantly, scalable. That's where DevOps came in.
Businesses grow at different speeds; the point of DevOps is to keep their security operations moving at exactly the speed they need. Lackey says that scale is the foremost problem facing every security team, and that "if you have to be a security expert to use a security tool, [the tool] doesn't scale."
Changing Up His Game
In 2014, Lackey left Etsy with two of his colleagues to form Signal Sciences, a venture-backed Web application and API security startup. Signal Sciences blew up (in a good way): At the peak of Lackey's tenure as board member and CSO, the company had 150 employees and $28 million in annual recurring revenue, and Forbes and Gartner piled on accolades.
Lackey then found himself on the other side of the table, advising the Fortune 500 companies and, increasingly, investing in new firms. "I enjoy adapting," he says, with the same relish that comes through in his tales of early 2000s hacking games.
"Security was one of the largest speed bumps to early DevOps adoption," Lackey says. As CISO at Etsy, an early DevOps adopter, he learned how to institute DevOps through firsthand experience. He co-authored a book on the topic, called Building a Modern Security Program, and found he enjoyed sharing the lessons he learned with other enterprises going through the shift.
Investing seems to unite Lackey's two professional passions: the steady march of DevOps as a discipline and the love of frustrating, high-stakes, high-risk play. It's also a union of technical and leadership skills, which seems to come naturally to Lackey. Last year he explained on the Cloud Security Podcast that as all roles merge, founders have to keep their goals in mind or risk failing. "You're building a company," he told them, "not a tech project," remarkable advice from an infrastructure specialist.
Fastly bought Signal Sciences in 2020. Lackey consulted independently for two years before accepting the partner role at a16z. He likes the work, particularly his interactions with founders — "I enjoy being their first call," he says — and says the new solutions he's seeing are extraordinary. He won't say what those solutions are, for confidentiality's sake; presumably they include updated zero-trust protocols for the 2020s. But he's happy to see the discipline he helped shape, DevOps, take on a life of its own.
"This is a generational change in software development and delivery," he says. "I'm excited for the future."
PERSONALITY BYTES
What professional achievement are you most proud of? "It's not an achievement, but I'm very proud of all the teams I've been able to be a part of, and the work we've done."
What one technology or solution has made the greatest impact on your work? "Again, it's not a technology, but I'd say velocity — the increase in velocity. The shift from the waterfall-approach era to the DevOps era has been about rapid movement, rapid iteration. I mean, think of how long it took to found a company in the '90s, compared to the early 2000s, compared to now."
What's one thing your colleagues would never guess about you? "I was born in a fishing village in Alaska. Talk about low tech! My parents went to Alaska in the '70s to work as commercial fishermen. After they had me, they moved to Murphys."
Any hobbies? "Travel — I've been to every continent except Antarctica, but that's next. I ski and snowboard."
Finally, we understand you're a scotch drinker. Islay, Speyside, Highland? "I love all whiskeys: bourbon, scotch, Japanese. I tend to like peatier scotches, though — your basic Lagavulin 16, for example. One glass is usually enough."