Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/20/2015
10:30 AM
Vincent Liu
Vincent Liu
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Building A Winning Security Team From The Top Down

Dropbox security chief Patrick Heim dishes about the need for strong industry leaders, the 'unique' cybersecurity personality and why successful organizations need 'cupcake.'

In a wide-ranging Q&A at the consulting firm offices of Bishop Fox in San Francisco, Dropbox Head of Trust & Security Patrick Heim spoke with consultant Vincent Liu about some serious and not-so-serious issues facing the security industry today. We excerpt highlights below. You can read the full text here.

First in a series of interviews with cybersecurity experts by cybersecurity experts.

Vincent Liu: There’s such a lack of leadership in security, and there’s no real training for it. What are your recommendations to new leaders?

Patrick Heim: A solid technical foundation is important. It’s common to see people who are less technical being replaced with a newer generation of more technical security leaders. There’s also the issue of interacting with boards or higher-level executives. In those situations, claiming everything is fine is probably not playing your role. The expectation is that you will be self-critical, and you’re continuously seeking opportunities for improvement. You don’t want to be overly critical, and you want to celebrate your team’s wins. That’s important psychologically since security is a never-ending treadmill. Celebrate the wins, but look to the future. Consider how risks are evolving, what new threats are emerging, and how you will adapt to them.

VL: As somebody at the top of his field, you have your choice of position. What led you to Dropbox, and what do you look for in leadership when you meet them?

PH: I’m interested in how leaders impact organizations. When I visited Dropbox and saw its culture and people, it became clear to me that something was very right about this company’s leadership. Having been inside of Dropbox, I now know why. From a cultural perspective, it’s focused on attracting the best of the best without compromising “cupcake,” a company value*.

VL:  Have you encountered any personality differences that are unique to security? For somebody who is starting to manage security professionals … are we weird?

PH: Yeah, we are weird. That weirdness factors in when we talk about the lack of adequate security professionals. To maintain a healthy team, sometimes you have to pass on an opportunity to hire a particularly big personality because they could cause a disruption.

VL:  When would you hire a big personality?

PH: It depends on the company. There are individuals with big personalities who excel at what they do. Harnessing that energy in a security product company is incredibly powerful. Taking that energy and putting it into a mature security organization in a decent-sized company may be difficult.You can hire those people, but you need to say, “What value am I going to get from them before they move on to their next challenge?” They are probably going to become restless and not want to work in a large company for an extended period. Then, consider how this person will impact the team. If the individual has a coaching mentality, they may inspire others to up their game. If that individual is a very big personality, they may intimidate others or they may become frustrated.

VL: What recruiting lessons have you learned about building a team?

PH: I’ve made hires that were too experimental and backfired as a result. I’ve also learned — and this is more of a leadership skill — you have to quickly get all over any tension and resolve it. Visibly confront it because that way, the team sees that you have their backs. If problems are building up, you must address them. A good security leader will guide his or her managers so they understand that angering people is an unsustainable strategy. Look for win-win solutions, things that make everybody happy, and keep the business moving.

VL: How did you build out your security team at Dropbox?

PH: We structured the security organization into two parts. One is Security Engineering, and the other is Trust and Security. We wanted to group individuals with similar skillsets together. The Security Engineering team consists of developers and highly technical skillsets. This involves more operational elements as well as the engineering side. The other part of the organization, Trust and Security, is compliance, risk management, working on more business-driven strategies, coordinating the entire program, and assessing its performance.

VL: You’re considered a de facto expert in cloud security. Why is it so valuable?

PH: Everyone is a target. An environment’s agility is the difference between success and failure. When you have an amazingly gifted team of security engineers, agility is sometimes measured in hours. Cloud is game-changing because of its agility. The provider can rapidly intervene, change, evolve, do whatever necessary to protect the customer’s data. Security is higher-stakes for cloud companies. If you’re not a great custodian of data, if you’re not compliant, if you’re not securing their information, your customers will leave. 

PERSONALITY BYTES

First exposure to computers: Dad supported “bad habits” with an “amazing amount of hardware:” PC XT, Commodore 64, TI-99/4A

First taste of security: Bulletin boards on the West and East Coasts with “hardcore” long distance charges. “Out of necessity, you had to figure out how to hack the phone company.”

On security leadership: There are two camps. One values structure, controls, reports, and predictability context. The other has an outcome, adversarial perspective. Neither is right or wrong.

*Why organizations need "cupcake": Cupcake is basically being nice, good, and pleasant. When you make that a company value and combine it with amazingly smart and humble people, you have a great environment.

Bio: Patrick joined Dropbox in January 2015 with over 20 years of information security and technology experience. Previously, he served as chief trust officer at Salesforce.com and also held chief information security officer positions at Kaiser Permanente and McKesson Corp. Patrick advises security startups and serves on the board of directors at Cylance.

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...
View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/20/2015 | 9:00:11 PM
Involvement
Another important consideration is to ensure that the security team is actively involved with the recruiting/hiring process (and, by extension, the HR department less so), because the former will have a better idea of what they are looking for/what they need as opposed to filling out a checklist for HR involving x years of experience with whatever.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.