One of the security industry's pioneers recently celebrated a homecoming of sorts: Marc Maiffret last month returned to his post as chief technology officer (CTO) at privileged access management vendor BeyondTrust after a six-year hiatus from the limelight of the security industry.
Maiffret, whose vulnerability management startup eEye Digital Security was acquired by BeyondTrust in 2012, left BeyondTrust three years later to take a break, do some backpacking, and figure out his next move. He was soon also caring for both of his parents, who had been diagnosed with dementia.
After a brief stint as CISO at SpaceX, he has mostly kept a low profile in the industry, working as a security consultant embedded in the security operations teams at some large organizations in healthcare, finance, and space.
Maiffret had a rather abrupt start to his security career. In 1998 at the age of 17, he infamously got a literal wakeup call for his hacking activities when he awoke to find an FBI agent holding a gun to his head. He was never charged or arrested for anything, but agents confiscated his computer equipment. The then-teen hacker known as "Chameleon" in the Rhino9 hacker group says he and his hacking cohorts mostly just built tools and wrote papers about their work — activities that were fairly typical at the time for a generation of burgeoning white-hat hackers.
Just a few weeks after his encounter with the FBI, Maiffret teamed up with Firas Bushnaq to found eEye Digital Security, whose flagship product Retina Network Scanner was based on tools Maiffret had written in his teen hacker days. In 2001, Maiffret and fellow researchers at eEye discovered the first major Microsoft Windows worm, Code Red, which they named after the cherry-flavored Mountain Dew soft drink they pounded all night as they picked apart the game-changing worm.
His shift from security vendor to the enterprise perspective was — no pun intended — eye-opening. "The last few years have been both rewarding and a lot of learning," he says. "It's easy when you've been on the product side building security and technology ... to become a little detached from what customers are really facing and what their challenges really are."
Many of his enterprise clients were experiencing a common problem with their security postures: "What was impressed upon me was the lack of security [technology] tailored to a business and an organization," he says. "That impressed a lot upon me how like a vendor we can definitely do what we can with our solutions to be smarter in how we tailor them to the companies. ... It's more than one-size-fits-all."
Maiffret expects to be the "glue" between engineering and product management at BeyondTrust, he explains. One of his priorities will be ensuring the vendor's platform works well with other security technologies. Many security products just don't work well together today, he says.
"I think it's important for security companies to have empathy more than anything else, and to me that is earned through action. The last few years embedding with various security teams was that and more for me, and I'm excited to put that into what I do next at BeyondTrust," he says. "Maybe a bit less brash than I was when I started down this path 23 years ago, but still happy to fight for the things that matter and call 'bullshit' when needed."
In the meantime, Maiffret's already diving back into his roots: security research. "You can't take the nerd out of me," he says. "It's core to my being."