Go Phish: Joe Brown, CSO at Boomi

Go Phish: Joe Brown, CSO at Boomi

What would you describe as your most memorable achievement in the cybersecurity industry?

Looking back on my 20 years in cybersecurity, I’ve met a lot of great people and had some truly memorable moments but if I had to choose one particular achievement, I would say it was building out the web application penetration testing program for a major pharmaceutical company.

I was asked by the internal audit team to test the security of 10 internal web applications. The results weren’t great and it led to an opportunity for me to build out a program from scratch. I built a team and process capable of testing over 1,000 internal and external facing web applications each year, including reporting and metrics. It was a huge undertaking but very rewarding and the program is still being used to this day, 10 years later.

What first made you think of a career in cybersecurity?

Surprisingly, I have an undergraduate degree in economics. However, about 20 years ago I was assigned to implement an online banking solution for a major insurance company. When I was building out the web servers and learning how to disable unused ports and services alongside all of the usual system hardening activities, I became interested in learning why this was necessary and why it was so important. From there, I started reading more about information security and I was fascinated. Soon after, I took a position performing penetration testing and the rest is history.

What style of management philosophy do you employ with your current position?

People who work in analytical careers like cybersecurity are generally less comfortable with ambiguity and are more logical, very black-and-white thinkers. We value data and we value facts and transparency. I encourage my staff to be authentic, transparent and accountable for their actions and behaviours. They know that they can expect the same from me. I also believe that it is acceptable to fail, we all make mistakes and we need to learn to move on. I had a great leader who was extremely direct and transparent but what I especially liked was that he would expect everyone to jump in, help out and correct mistakes. We are all one team and together we get the job done.

What do you think is the current hot cybersecurity talking point?

A huge talking point right now is privacy, especially considering the recent laws and regulations such as GDPR and CCPA. GDPR is already responsible for about US$126 million in fines so far and it is barely two years old. Inevitably, more states in the US will likely follow California’s lead with the creation of their own laws. While privacy isn’t necessarily security, security professionals are going to be asked to build the controls that keep consumer data safe, so organisations should be carefully considering how their privacy and security teams can band together to tackle this challenge.

Boomi is a Dell Technologies business and as such, has full access to Dell Technologies’ suite of professionals within its cybersecurity, legal and privacy infrastructure. I meet regularly with privacy, legal and cybersecurity experts from Dell. If I need to bounce an idea off someone or speak with a cryptography subject matter expert which is a difficult skill set to possess, they are just a phone call away.

How do you deal with stress and unwind outside the office?

I won’t lie and say the job is not stressful – it is! The average CSO lasts for around two years at a company. There is always that pressure of wondering if you are going to see your company’s name in the news for all the wrong reasons.

I would say my family, my wife and my children, play a large role in keeping me grounded. In my spare time, I enjoy reading, travelling and listening to music. I love football, despite living in the US, I mean ‘real’ football, not American Football. I watch the Premier League every weekend. I have also recently started fly fishing. It is a very peaceful activity although I can’t say I’m particularly good at it.

If you could go back and change one career decision what would it be?

I don’t have many regrets career-wise. Early on, I was a security consultant and was able to travel to Europe. I spent time with so many different organisations with so many great people that while it was challenging travelling so much, it was a great experience. I would recommend consulting to anyone starting out. I would also say don’t be afraid to take risks. It can be scary but it is incredibly rewarding when you get it right. Think about what you want your next role to look like and start to prepare for it. Whether that means getting a certification, or learning a new skill because ultimately, as the saying goes, luck is what happens when preparation meets opportunity, so you need to be prepared for when opportunity knocks.

What do you currently identify as the major areas of investment in the cybersecurity industry?

It should be investing in people because cybersecurity is a combination of people, processes and technologies. The cybersecurity industry moves incredibly fast. We expect our employees to keep up, but historically we have not spent the money to enhance their skills. This can be a recipe for disaster. In a few years, your employees will lack the skills needed to do their job, or just become disengaged and leave the organisation altogether. Unemployment for cybersecurity professionals is extremely low, so it’s important to spend the time and invest in your people so that they stay.

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?

The laws are of course one aspect, but when you look at the different regions, it also comes down to different threat factors. There will always be opportunistic threats, regardless of region. These are the threats that any business or person is going to face, from phishing attacks to credential theft. We all face these types of threats every day. The more sinister are the targeted threats, threats that can take advantage of a geopolitical climate across different regions. For example, Russian meddling in the US Presidential Election or the Stuxnet malware attack on the Iranian nuclear program. Security professionals need to understand the region they are operating in and then build defences that counter threats within, accordingly.

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

For the past 12 months, I have been working on the processes and procedures within my company. When I started, I was putting out a lot of fires and working very tactical risk-reduction initiatives. Now we are ready to think more strategically. I am looking at how I can grow and develop the programme while evaluating metrics and KPIs to measure and continually improve the programme.

What advice would you offer somebody aspiring to obtain a C-level position in the security industry?

It is really all about two things: business and risk. Everything that you do as a cybersecurity professional should either be about enabling the business or reducing risk. When executives know that you are there to help them grow the business and not stifle their innovation, you will be seen as a trusted adviser rather than an obstacle. Long gone are the days when a cybersecurity professional can simply say no. You now need to be considerate to the wider company goals and structure your own security measures within this.

Browse our latest issue

Intelligent CISO

View Magazine Archive