Speaking at the live launch of Infosecurity Next Gen at Infosecurity North America, Akamai CSO Andy Ellis ran through his career and how he got to the position he is in now. He said that his time studying ‘theoretical computer science’ at MIT included part-time jobs at Disney and as a bartender, and even though these were not related to security: “after a long day you do appreciate a good bottle of wine!”
After graduation, he spent time in the US Air Force, where he was in the first operational information warfare unit. This was originally part of the intelligence unit – but they did not know what was going on, so the unit was created to put defenses in first on the Bright Star project. After this he joined Akamai, but he was quick to admit that there were some roadblocks along the way at various jobs. By the time he was in his second week he “was responsible for shutting down 75% of the network”, which affected customers in Asia, and was making decisions on product development. The moral was not to fail a lot, but about opportunity and success and failure, “and if you take an opportunity you will fail sometimes but what is important is getting back up.”
He said: “So when I think about what you’re supposed to do and succeed, the goals that I aim for are how I maximize the value I provide. So I rent energy, that is the only resource I use, but I am going to spend energy and my multipliers for energy are my skills, my effort and my effectiveness.”
Ellis admitted that he has had some failings in his professional career, but there are others who are good at those so when he spends energy he spends it “in a way that will be useful, as if you’re not good at something you waste your energy, and if you waste your energy it affects your multiplier.”
Talking about effort and the time to turn energy into work, Ellis said that you could spend 45 minutes writing a blog, or you could do it in three 15-minute sections, but it takes time to do that – so it is not a good way to spend energy.
On effectiveness, Ellis said that someone could build the ultimate firewall which is not used, write a blog that is not published or give a talk that is unattended, and that takes your effectiveness score down to zero. “The most important part of your career is the idea that 'I showed up today and if I had not showed up today, would the world have been worse off?' – and hopefully the answer is yes. But in anything I do, I ask how am I changing anything?”
He said that even if you make a small change that is effective, that is how you are judged in your career, and when someone considers whether to hire you, they will not judge you on just your skill or just your effort, but will weigh you on how effective your changes were.
“If you spent eight hours doing this thing and if you didn’t, no one would notice, well, that is eight hours you could be doing something else.”
Concluding, Ellis said that where a small amount of energy is applied, it will be recognized. To the audience and the next generation of cybersecurity professionals, Ellis advised: “Do not look at those of us who have already succeeded in our career and say ‘I want to follow that path’, that path is mostly closed. There were no cybersecurity professionals when I came through school, if they taught you security in college it was about cryptography and cryptographers make really poor security managers, and it takes a lot to re-purpose yourself from maths to the management world.
“Security fundamentally is about people management, it is about lateral people management – managing the people who don’t work for you and have been told that you are nothing but an impediment and all they have to do is survive a meeting with you, and you have to convince them to do something different from what they were planning on doing.”
Ellis called that the ‘grand challenge of infosec’, as it’s about making people realise that you’re their ally: if we don’t succeed, we don’t get paid.
In questions with Infosecurity, Ellis said that there are not enough people teaching cybersecurity from industry, but that is not a bad thing as “some of us have lessons to share but as we all came through in interesting and different ways, there’s not a right way to teach security.” He also said that there was too much focus on trying to create the perfect security professionals, when we need so many people in so many places that we shouldn’t be so rigid.
Speaking on succession plans, Ellis argued that we’re trying to create a person who says ‘this is the path’ and the path is nothing like it. In terms of how to build a career, Ellis said that there are ways to go, but there are people in security who do not want to be CSOs and this can be a stressful job, so don’t start by saying ‘I’ll choose the things that will get me to that’. To be an executive in cybersecurity you have to master the art of public speaking – if you don’t want that job, don’t go after those public speaking paths. The advice should be “what does this person want and how can we help them.”
In a concluding question, Infosecurity asked Ellis whether cybersecurity needed an equivalent to Rob Gronkowski – the New England Patriots tight end who Ellis described as “the most dominant player in the NFL.”
Ellis said: “One problem is we’re looking for that rockstar and if we had a singular talent that was better than anyone else, we would be good. The reality is very few of our problems would be solved, and as nice as Rob Gronkowski actually is, in my experience the more talented someone in the security field or the more technically gifted they are, the harder they are to work with.
“It takes a lot of work to soften those rough edges, especially when you are convinced that you are better than everyone around you. You may hire that person, but what would that do to the rest of your team? The reality is a $1m employee and a $60,000 a year employee have the same energy, there is still a limit to how much energy they can spend. In many cases you’re better off building that team who are growing and developing than finding that singular talent.”