Go Phish: Zach Powers, CISO at Benchling

What would you describe as your most memorable achievement in the cybersecurity industry?

In security, people are often enamoured by our ‘war stories’, but when asked what my greatest achievements are, I refer to people. I have had a lot of young engineers join my teams, eager to learn and innovate, then grow through coaching, mentoring and experience to become CISOs, start-up founders, engineering executives, etc. Watching them grow and succeed in their careers, having played a hand in developing their talents, are my greatest achievements.

What first made you think of a career in cybersecurity?

There are two things that motivated and influenced every job I’ve taken: a feel-good reason for joining an organisation, that it would have a positive impact on society; and an ‘economies of scale’ impact, bringing real change to larger populations.

The first taste I had was when I worked across a network of 12 Native American tribes with the broad remit of helping their communities and reservations to overcome their digital divide. Some of these tribes didn’t have access to a basic Internet connection because they didn’t have the infrastructure. My work as CIO for these tribes was focused on setting up the technology infrastructure and services and also in promoting digital literacy — training youth to be equipped to join the tech workforce.

Next, as a security executive at Salesforce, I was attracted to what cloud computing might do for humanity by democratising cloud services. Most companies could not maintain or afford secure and scalable infrastructure. Salesforce would use cloud computing to help companies achieve something with technology that they couldn’t do on their own, as well as a global scale and level of security not fathomable by most companies in the world. Providing security for the cloud, this was an economy of scale value proposition that I was completely energised by.  

What style of management philosophy do you employ with your current position?

Traditional security practices tend to isolate security and make it solely tech-focused or solely compliance-focused – my management style differs from this. I build security teams that are also people-centric.

Those that work on my teams get professional development training so they can influence and engage with non-technical audiences to influence them to be more secure. You can have the smartest security engineers in the world, but if they can’t influence a business to make more secure decisions, then secure outcomes aren’t going to be accomplished.

What do you think is the current hot cybersecurity talking point?

That depends on which community we’re talking to. For example, in Europe the hot talking point is that modern companies who are adopting cloud and enterprise SaaS are effectively taking advantage of security economies of scale that modern software provides.

At the same time, one of the worst talking points I am hearing in Europe is about distrust in cloud technology, which is unfortunately a more common sentiment in biotech. A lot of biotechs are still adhering to a security strategy from the late 1990s, using on-premises technology and essentially using firewalls as the first and only line of defence. Often, maintaining an on-prem strategy exposes you to more risk because 100% of the security responsibility and resourcing is on you. Most companies that distrust cloud computing are actually less secure than the cloud providers they distrust.

How do you deal with stress and unwind outside the office?

I read a lot of books. When I’m reading with my daughter, I’m not thinking about work.

I’ve also developed a winemaking hobby. Some security executives and I make award-winning pinot noir.

If you could go back and change one career decision, what would it be?

Each step I took in my career has helped shape who I am today, so I wouldn’t have changed anything on that front. What I would’ve done differently is understand faster – that you really can use security, technical knowledge and leadership to make significantly positive change.

What do you currently identify as the major areas of investment in the cybersecurity industry?

Overcoming the skills gap for cybersecurity engineers should be priority number one. Security engineering roles are hard to fill – as a security engineer, you need to create new solutions, understand security problems and create solutions for them. You’re not buying off-the-shelf software as often, as there is no off-the-shelf software that can solve all the problems.

At Benchling, as an example, every security employee we have is an engineer. In almost any industry, security engineers are really sought after. In biotech, most companies have security analysts. That provides value. But there’s a delta between what they’re doing and what a security engineer is capable of.

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?

In Europe and in the biotech industry, we see a hesitancy to shift from on-prem to the cloud. Part of this is due to a reluctance to invest in and change the workforce, skills and technologies needed to make the transition. Part of this is also due to a myth-making narrative questioning the security of the cloud.

Beyond taking a data-driven approach to making security decisions, the most important lens I can offer to change attitudes around the security of cloud computing is that of economies-of-scale. Companies that adopt cloud and enterprise SaaS take advantage of economies-of-scale on security that modern software companies provide. Enterprise SaaS companies have a responsibility for security and they have security capabilities and teams beyond what most companies can afford.

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

This is my first role that’s focused on security and IT for biotech. As such, I’ve needed to really understand the biotech customer’s dilemma, including how they think about use cases and workflows in research and development, how IT enables research and development, their pain points and their needs.

Biotech organisations generate revenue based on intellectual property, and if compromised, a great deal of revenue stands to be lost. These organisations are also highly regulated due to the potential human impact of their products, and complying with regulations can make or break the organisation’s ability to compete. Both of these factors mean that for a cloud-based platform like Benchling, maintaining industry-leading security, privacy and compliance standards for biotech customers is paramount.

What advice would you offer somebody aspiring to obtain a C-level position in the security industry?

Your goal is to reduce security risk across the board. One of the best ways to do that is to truly, deeply embed security throughout your organisation. You need to not only understand your company’s business, but also to have a seat at the table in making that business successful.
