In a wide-ranging Q&A at the consulting firm offices of Bishop Fox in San Francisco, Dropbox Head of Trust & Security Patrick Heim spoke with consultant Vincent Liu about some serious and not-so-serious issues facing the security industry today. We excerpt highlights below. You can read the full text here.
First in a series of interviews with cybersecurity experts by cybersecurity experts.
Vincent Liu: There’s such a lack of leadership in security, and there’s no real training for it. What are your recommendations to new leaders?
Patrick Heim: A solid technical foundation is important. It’s common to see people who are less technical being replaced with a newer generation of more technical security leaders. There’s also the issue of interacting with boards or higher-level executives. In those situations, claiming everything is fine is probably not playing your role. The expectation is that you will be self-critical, and you’re continuously seeking opportunities for improvement. You don’t want to be overly critical, and you want to celebrate your team’s wins. That’s important psychologically since security is a never-ending treadmill. Celebrate the wins, but look to the future. Consider how risks are evolving, what new threats are emerging, and how you will adapt to them.
VL: As somebody at the top of his field, you have your choice of position. What led you to Dropbox, and what do you look for in leadership when you meet them?
PH: I’m interested in how leaders impact organizations. When I visited Dropbox and saw its culture and people, it became clear to me that something was very right about this company’s leadership. Having been inside of Dropbox, I now know why. From a cultural perspective, it’s focused on attracting the best of the best without compromising “cupcake,” a company value*.
VL: Have you encountered any personality differences that are unique to security? For somebody who is starting to manage security professionals … are we weird?
PH: Yeah, we are weird. That weirdness factors in when we talk about the lack of adequate security professionals. To maintain a healthy team, sometimes you have to pass on an opportunity to hire a particularly big personality because they could cause a disruption.
VL: When would you hire a big personality?
PH: It depends on the company. There are individuals with big personalities who excel at what they do. Harnessing that energy in a security product company is incredibly powerful. Taking that energy and putting it into a mature security organization in a decent-sized company may be difficult.You can hire those people, but you need to say, “What value am I going to get from them before they move on to their next challenge?” They are probably going to become restless and not want to work in a large company for an extended period. Then, consider how this person will impact the team. If the individual has a coaching mentality, they may inspire others to up their game. If that individual is a very big personality, they may intimidate others or they may become frustrated.
VL: What recruiting lessons have you learned about building a team?
PH: I’ve made hires that were too experimental and backfired as a result. I’ve also learned — and this is more of a leadership skill — you have to quickly get all over any tension and resolve it. Visibly confront it because that way, the team sees that you have their backs. If problems are building up, you must address them. A good security leader will guide his or her managers so they understand that angering people is an unsustainable strategy. Look for win-win solutions, things that make everybody happy, and keep the business moving.
VL: How did you build out your security team at Dropbox?
PH: We structured the security organization into two parts. One is Security Engineering, and the other is Trust and Security. We wanted to group individuals with similar skillsets together. The Security Engineering team consists of developers and highly technical skillsets. This involves more operational elements as well as the engineering side. The other part of the organization, Trust and Security, is compliance, risk management, working on more business-driven strategies, coordinating the entire program, and assessing its performance.
VL: You’re considered a de facto expert in cloud security. Why is it so valuable?
PH: Everyone is a target. An environment’s agility is the difference between success and failure. When you have an amazingly gifted team of security engineers, agility is sometimes measured in hours. Cloud is game-changing because of its agility. The provider can rapidly intervene, change, evolve, do whatever necessary to protect the customer’s data. Security is higher-stakes for cloud companies. If you’re not a great custodian of data, if you’re not compliant, if you’re not securing their information, your customers will leave.
First exposure to computers: Dad supported “bad habits” with an “amazing amount of hardware:” PC XT, Commodore 64, TI-99/4A
First taste of security: Bulletin boards on the West and East Coasts with “hardcore” long distance charges. “Out of necessity, you had to figure out how to hack the phone company.”
On security leadership: There are two camps. One values structure, controls, reports, and predictability context. The other has an outcome, adversarial perspective. Neither is right or wrong.
*Why organizations need "cupcake": Cupcake is basically being nice, good, and pleasant. When you make that a company value and combine it with amazingly smart and humble people, you have a great environment.
Bio: Patrick joined Dropbox in January 2015 with over 20 years of information security and technology experience. Previously, he served as chief trust officer at Salesforce.com and also held chief information security officer positions at Kaiser Permanente and McKesson Corp. Patrick advises security startups and serves on the board of directors at Cylance.