At this year’s RSA Conference, I got to spend a little time with longtime friend and industry expert, Richard Stiennon, from IT-Harvest. We talked about why I switched to the “dark side” of security by joining a vendor company and how my previous experiences as a CISO are helping our company. You can see the full interview here and read on below for the highlights.
So, Mark, you’ve joined a vendor of all things… tell me, what induced you to make the move and what you’re excited about at vArmour?
Well honestly, a lot of my CISO colleagues wondered if I went off the deep end by joining a vendor, especially a new data center and cloud security company like vArmour! To tell you the truth though, as I looked at new career opportunities and where security technology is headed… I thought that vArmour was right in the sweet spot of virtualization and cloud where I wanted to be. More importantly, it’s right where I think the future of business technology is headed, so it’s been a very exciting few months.
As you know, I’ve always been a big organization guy, Raytheon, state governments, DHS, and NERC, so being at a small, innovative technology company like vArmour is easily the coolest thing I’ve ever done. We are incredibly nimble and have the ability to react very quickly to change so every day is different - and challenging! I can’t emphasize enough how important that is when it comes to developing a technology product like ours in such a fast-moving industry like cybersecurity.
Now that you’re on the other side of the table from CISOs/CSOs... what are you seeing from your previous experience that helps you at vArmour?
I love working with our marketing and sales teams on how to talk to CISOs and security leaders. I’ve heard thousands of vendor pitches in my day and know what I hate, what I love, and what’s most effective. The most important thing for me as a CISO is to be able to trust someone as a vendor, and if you ever lie to me… I’ll make your sales life very difficult! I want to work with vendors that are empathetic to me as a CISO and have an interest in being a long-term partner.
A vendor who just wants to sell me something then walk out the door is not going to get much attention and I’m not going to be real interested in working with them. And guess what, most people can sniff out those vendors pretty quickly. So I’m sharing what I call, “Experience From The Other Side of the Table” lessons with our team and reminding them that when you get an hour of a CISO’s time, treat it like the important and valuable thing that it is.
Great advice - how is vArmour using these lessons?
What we’ve learned from our aggregate experience, both on the technology side and on the presentation side, is that we’ve got to make the product easy to use. Complexity is still the enemy of security and most security professionals already have far too much technology, so we are developing our product so a CISO can actually think about replacing more than one thing by using vArmour.
Here’s a funny story. Way back in 2009 when I was CISO for the state of California, I gave a presentation to a large group of the security leadership in state government. I remember talking about how I thought this cloud thing was going to be a big deal and how we as security professionals should be paying attention to it. After the talk, I was actually chastised by a couple of my CISO colleagues who basically said, “My agency’s sensitive data will go into the cloud in one way - over my dead body.” Fast forward seven years and I feel vindicated.
We know that organizations have lots of legacy technologies available in their security toolkit. The problem is that much of it was developed before virtualization was mainstream and the cloud requires a new way of looking at security because the old vertical stack of perimeter security products simply isn’t good enough. Anyone trying to secure a data center and virtual assets with a firewall and IPS at the perimeter is assuming far too much risk and begging for trouble. This is where vArmour can help by applying highly granular micro-segmentation to individual workloads inside data centers and the cloud.