Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/20/2015
10:30 AM
Vincent Liu
Vincent Liu
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Building A Winning Security Team From The Top Down

Dropbox security chief Patrick Heim dishes about the need for strong industry leaders, the 'unique' cybersecurity personality and why successful organizations need 'cupcake.'

In a wide-ranging Q&A at the consulting firm offices of Bishop Fox in San Francisco, Dropbox Head of Trust & Security Patrick Heim spoke with consultant Vincent Liu about some serious and not-so-serious issues facing the security industry today. We excerpt highlights below. You can read the full text here.

First in a series of interviews with cybersecurity experts by cybersecurity experts.

Vincent Liu: There’s such a lack of leadership in security, and there’s no real training for it. What are your recommendations to new leaders?

Patrick Heim: A solid technical foundation is important. It’s common to see people who are less technical being replaced with a newer generation of more technical security leaders. There’s also the issue of interacting with boards or higher-level executives. In those situations, claiming everything is fine is probably not playing your role. The expectation is that you will be self-critical, and you’re continuously seeking opportunities for improvement. You don’t want to be overly critical, and you want to celebrate your team’s wins. That’s important psychologically since security is a never-ending treadmill. Celebrate the wins, but look to the future. Consider how risks are evolving, what new threats are emerging, and how you will adapt to them.

VL: As somebody at the top of his field, you have your choice of position. What led you to Dropbox, and what do you look for in leadership when you meet them?

PH: I’m interested in how leaders impact organizations. When I visited Dropbox and saw its culture and people, it became clear to me that something was very right about this company’s leadership. Having been inside of Dropbox, I now know why. From a cultural perspective, it’s focused on attracting the best of the best without compromising “cupcake,” a company value*.

VL:  Have you encountered any personality differences that are unique to security? For somebody who is starting to manage security professionals … are we weird?

PH: Yeah, we are weird. That weirdness factors in when we talk about the lack of adequate security professionals. To maintain a healthy team, sometimes you have to pass on an opportunity to hire a particularly big personality because they could cause a disruption.

VL:  When would you hire a big personality?

PH: It depends on the company. There are individuals with big personalities who excel at what they do. Harnessing that energy in a security product company is incredibly powerful. Taking that energy and putting it into a mature security organization in a decent-sized company may be difficult.You can hire those people, but you need to say, “What value am I going to get from them before they move on to their next challenge?” They are probably going to become restless and not want to work in a large company for an extended period. Then, consider how this person will impact the team. If the individual has a coaching mentality, they may inspire others to up their game. If that individual is a very big personality, they may intimidate others or they may become frustrated.

VL: What recruiting lessons have you learned about building a team?

PH: I’ve made hires that were too experimental and backfired as a result. I’ve also learned — and this is more of a leadership skill — you have to quickly get all over any tension and resolve it. Visibly confront it because that way, the team sees that you have their backs. If problems are building up, you must address them. A good security leader will guide his or her managers so they understand that angering people is an unsustainable strategy. Look for win-win solutions, things that make everybody happy, and keep the business moving.

VL: How did you build out your security team at Dropbox?

PH: We structured the security organization into two parts. One is Security Engineering, and the other is Trust and Security. We wanted to group individuals with similar skillsets together. The Security Engineering team consists of developers and highly technical skillsets. This involves more operational elements as well as the engineering side. The other part of the organization, Trust and Security, is compliance, risk management, working on more business-driven strategies, coordinating the entire program, and assessing its performance.

VL: You’re considered a de facto expert in cloud security. Why is it so valuable?

PH: Everyone is a target. An environment’s agility is the difference between success and failure. When you have an amazingly gifted team of security engineers, agility is sometimes measured in hours. Cloud is game-changing because of its agility. The provider can rapidly intervene, change, evolve, do whatever necessary to protect the customer’s data. Security is higher-stakes for cloud companies. If you’re not a great custodian of data, if you’re not compliant, if you’re not securing their information, your customers will leave. 

PERSONALITY BYTES

First exposure to computers: Dad supported “bad habits” with an “amazing amount of hardware:” PC XT, Commodore 64, TI-99/4A

First taste of security: Bulletin boards on the West and East Coasts with “hardcore” long distance charges. “Out of necessity, you had to figure out how to hack the phone company.”

On security leadership: There are two camps. One values structure, controls, reports, and predictability context. The other has an outcome, adversarial perspective. Neither is right or wrong.

*Why organizations need "cupcake": Cupcake is basically being nice, good, and pleasant. When you make that a company value and combine it with amazingly smart and humble people, you have a great environment.

Bio: Patrick joined Dropbox in January 2015 with over 20 years of information security and technology experience. Previously, he served as chief trust officer at Salesforce.com and also held chief information security officer positions at Kaiser Permanente and McKesson Corp. Patrick advises security startups and serves on the board of directors at Cylance.

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...
View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/20/2015 | 9:00:11 PM
Involvement
Another important consideration is to ensure that the security team is actively involved with the recruiting/hiring process (and, by extension, the HR department less so), because the former will have a better idea of what they are looking for/what they need as opposed to filling out a checklist for HR involving x years of experience with whatever.
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...