Former Twitter CISO shares his advice for IT security hiring and cybersecurity

Michael Coates, CEO and co-founder of Altitude Networks and the former CISO at Twitter, shares best practices for building strong security teams and for starting a career in cybersecurity. Read more: https://zd.net/2MqgssE

As a company, building a strong security team can be a challenge. On the flip side, if you’re looking to enter the field of cybersecurity, it can be challenging to know where to start. I had a chance to discuss both these issues with someone who’s been there, Michael Coates, Co-founder & CEO at Altitude Networks.

Coates got his start in IT security through red team exercises. He would use social engineering, physical pen testing, and a variety of hacks to break into the network and applications of corporate clients and financial institutions. It “was really exciting to learn how it was actually being done week over week,” Coates said, “and then sitting down and with the CIO, the CTO and explaining these are the actual things we found.” From there, Coates spent time at the Open Web Application Security Project (OWASP) and served on the board. He eventually moved to Mozilla and served as Director of Security Assurance, and then Twitter, where he was CISO. The following is an edited transcript of the interview.

Building a career in IT security, from red teams to CISO

Bill: How did you get started in the field of IT security?

Michael Coates: Yeah, the security field has been a wild space, and I’ve been very fortunate to be in it for now over 15 years or so. And I got into it originally, I think as many people did in the security field, out of curiosity, I was a tinkerer, I wanted to learn how computers worked, how software worked, how different things happened. And as I found that there were careers in the field of security, I was really drawn to them. And the beginning of my career in security, it was actually in red teams, which was really exciting because week over week, I would be called out to a bank or a company with the goal of breaking into the company through social engineering; through physical pen testing; through hacking into the network and applications.

And it was really exciting to learn how it was actually being done week over week, and then sitting down and with the CIO, the CTO and explaining these are the actual things we found. And you would get pushback, which was always interesting, “No, that’s not possible.” But doing it and having that be the first thing like, “Oh, let me show you. I just actually did it,” that was a really interesting way to cut my teeth in the field of security.

Over the years, I progressed into a variety of roles, focusing on application security for a number of years, having a great stint in OWASP. Also being on the OWASP board, and eventually moving to the West Coast where I started security programs at Mozilla and eventually was head of security there, protecting hundreds of millions of users with the Firefox browser, along with an amazing team. That was quite a challenge.

Then eventually found my way over to Twitter. CISO of Twitter was equally exciting. On one hand, people say, “well what would you really need to protect at Twitter? You know, people use Twitter to say they’re having a ham sandwich for lunch,” true, but on the other hand it’s also a global platform fundamentally for free speech. And you can think of some organizations and regimes that are not in line with that reality. So we actually had quite a number of challenges across the spectrum and that was a very interesting role to see what it’s like doing security in a real time system where you know, two second delay on a response to something is two seconds too slow. We need to really do things in tens of milliseconds or faster.

But now I’m at Altitude Networks. I made the big jump after being at Twitter for a number of years, to start a company, largely going after a space that we know we needed a solution to ourselves there. And it was ubiquitous across other companies, which is, how do you protect data in this new paradigm shift to Cloud, specifically Cloud collaboration like Google G Suite, Box, Dropbox, et cetera. And briefly, it’s very easy in those platforms to collaborate and share documents with other people when you want to. It’s also equally easy to make mistakes and share them with the wrong people or be malicious or get compromised. And so we’re really trying to thread that needle to enable people to use those platforms while having security over data built into the experience.

Focus on IT security empowerment, not just the perimeter

Bill: What are some of the security challenges that today’s CISOs face as technology evolves?
