No More Security Snake Oil: Q&A with Mark Weatherford

We are excited today to welcome Mark Weatherford as our new SVP and Chief Cybersecurity Strategist. Mark is bringing more than 20 years of security operations leadership and executive-level policy experience from the Department of Homeland Security, the State of California AND Colorado (where he served as the first CISO in both states), and the list goes on… We sat down with Mark to find out what lessons he is bringing in data center and cloud security to vArmour from his prestigious career positions - and, more importantly, where he will be using his first few days of PTO.

Thanks for spending the time today, Mark. With your 20+ years of experience in cybersecurity across industries, can you start by talking about some of the unique security challenges faced by federal government and agencies?

I think there are three major challenges, and, while we face them in the private sector too, they can be especially challenging in the government: 1) Budgeting, 2) Procurement, and 3) Hiring. First, budget cycles in the government are often 24 months out, which makes it almost impossible to truly understand what you want to buy because technology changes so quickly in this time. Second, on the procurement side of things, there are the same kinds of challenges as budgeting because Moore's Law continues to apply to technology and oftentimes, the technology you budgeted and began the procurement process for two years ago is obsolete when you finally get it. And finally, while it’s recognized that the government can’t truly compete for cybersecurity talent when it comes to salaries and compensation, the hiring process is often too long for the most qualified and talented people to wait around for a job. Positions requiring a security clearance compound the problem because it can easily add several months to the hiring process. This is changing in agencies like DHS, but, unfortunately, not quickly enough.

These are some massive challenges to take on… which you did as the first CISO in not one, but two states! Very impressive. Can you share some of the first steps you took in this brand new role, to set a strong foundation and establish this new role in your organization?

I used to say that if a civics exam were a requirement to be hired, Governor Owens in Colorado would have never even talked to me because I knew very little about how government operates. That was truly a “trial by fire” experience, but luckily, I had a number of agency CISOs who wanted systematic change and gave me a lot of support.

State governments are unique organizations, and while similar to the federal government organizationally and structurally, quite different culturally. Government organizations are made up of a number of different agencies, departments, boards, commissions, councils, etc. and they each run differently, with different priorities, budgets, cultures, and vastly different security requirements.

I had two primary goals when I started as the CISO for Colorado: 1) figure out what data center and cloud assets we had across a distributed state government, so we could prioritize and protect our most critical workloads and 2) build a culture of cooperation and support between the different internal organizations. These were incredibly difficult challenges because of the differences I mentioned earlier, and there wasn’t a history of working together. Fortunately, I was able to create venues that brought agency CISOs and Security Officers together in order to provide opportunities for collaboration and sharing of both technology and manpower resources.

When I became CISO for the State of California, it was a bit easier than Colorado because the Department of Technology Services was a bit more mature and the security organization had already begun developing the state security policy framework. The security culture, however, was fractured across state agencies, so I spent a lot of time getting people to play nicely together. When it worked, it was magic and we made exponential leaps in organizational readiness. I had a small, but incredibly loyal and dedicated team in our Office of Information Security, and we were able to engineer what I think were important structural changes in government.

That is some incredible progress - did you take any lessons from the military into your future roles as a cybersecurity leader, like the CISO in these states?

I know it’s a cliché, but people are still our most important asset. The fundamentals of leadership are universal and enduring - it doesn’t matter what business you are in. If you are compassionate and take care of people, they will walk through fire for you and do things that simply can’t be accomplished without organizational loyalty and trust. And if you have an inspiring mission like we do at vArmour, it’s easy to create a sense of urgency that motivates each of us to rise to new challenges every day. It becomes our own personal mission and because no one wants to let the team down, the entire company gets better and stronger every day.

The “shoulder to shoulder” mentality is certainly something we live by at vArmour. Beyond that, how is vArmour uniquely positioned to provide organizations, including the government, the solutions they need for today’s cybersecurity challenges?

There are a lot of technologies today that claim to provide eternal and enduring cloud security with a keystroke, a mouse-click and the wink of an eye. Some of them are revolutionary and game-changing, some of them are warmed-over and re-engineered products from the 90’s, and some of them are the worst kind of snake oil.

vArmour is in the revolutionary and game-changing category, and is taking the difficult road of building something where the upside for our customers is titanic security economies of scale. Virtualization has changed the world and cloud is now providing economic opportunities to public and private organizations that we didn’t even dream of a decade ago. vArmour is building the security architecture that will assure people that migrating to the cloud is the safe, sensible, and logical thing to do. Being part of a company that is changing the security landscape in serious and tangible ways is pretty unique and why I wanted to be part of the vArmour team.

We are excited to have you! To end on a fun note, you spent a lot of time traveling both during your time in the military and post-Navy - what was your favorite place you visited? Why?

That’s a tough one. There are so many incredible places around the world and I’ve only scratched the surface. I love traveling the back-roads of Spain and experiencing the culture that, in some respects, hasn’t changed in centuries. I also lived in Iceland for three years, and while it sounds crazy, it was awesome. Cold - yes. Windy - yes. Long winters - yes. But there’s actually a lot to do culturally and I made some great friends there. It’s also a great jumping off spot for visiting Europe. For warm weather vacation spots, I love Costa Rica and Cabo. But, even though I’ve traveled a lot internationally, nothing beats a quiet morning fly-fishing on the Arkansas River in Colorado.

Learn more about vArmour's game-changing security architecture by downloading our whitepaper: Cloud-Scale Security with Distributed Systems.
