We ‘Go Phish’ with Charles Poff, CISO, SailPoint, who tells us about life inside and outside the office.
What would you describe as your most memorable achievement in the cybersecurity industry?
My most memorable achievement in the cybersecurity industry is around building world-class security programmes from the ground up. It’s not as common as people may think, but most organisations I’ve worked in have tight budget restraints, employee skills gaps, security/organisation alignment issues and an overall lack of security focus from the board of directors.
When I am able to work for an organisation that takes security seriously, from the board of directors down through the organisation, and I am able to hire the right people and am well-funded, the sky is the limit. Once these ‘stars align’, building a high-performance security team and programme falls into place.
The long-term outcome is that we are: 1) setting the company up to be secure and highly proactive with holistic security insights, 2) setting the security team up for success in everything they do (which is a great career-building opportunity). I’ve had the opportunity to build a few of these high-performing security organisations. These are some of my more memorable achievements, along with the journey of how we got there.
What first made you think of a career in cybersecurity?
My IT and security career path started early in my childhood but didn’t take form until my third year in college. I was studying physics and working a lot with maths and computers. I was also part of local security clubs like the ‘2600 Meetings’. I started networking and watching the industry. At the time, the Microsoft Certifications were beginning to get popular and so were Microsoft products. So, I switched majors and moved into computer science. Technology, in general, has always been a passion of mine and switching majors seemed like the right thing to do.
What style of management philosophy do you employ with your current position?
My style of management should come as no surprise to most. I am passionate around finding the right people and capitalising on their natural gifts and/or passion. I am all about positive communication and building relationships. I see any security programme as a collective whole that requires everyone to help ensure the company is secure. I also think it’s important to hire different types of personalities but ensure there is a balance.
What do you think is the current hot cybersecurity talking point?
I think there are at least a few hot security topics, but the one that comes to mind is around cloud security. I see in the industry a lack of security skills around DevOps and CI/CD pipeline security. Most of the robust security insights have to be built instead of bought and companies are already running into scale issues with security in general.
This requires really smart security folks with a development mindset. What I’ve seen happen is security is left behind or put on the sidelines because these security programmes do not know how to run alongside the development, platform or cloud ops teams. In fast-moving companies, security has to be running as fast as, or faster than, the rest of the teams. If not, the security programme has credibility and integrity issues.
How do you deal with stress and unwind outside the office?
Great question. I love spending time with my family, motocrossing, fishing and just being outdoors. I am a huge nature buff and love experiencing that with my family. I think it is important to find a way to unwind. The security arena is very stressful and we are always dealing with some evil. Thus, watching scary movies is not my thing. I find ways to try and laugh (funny movies) and not take myself so seriously. It’s crucial to find that balance.
What do you currently identify as the major areas of investment in the cybersecurity industry?
I think the major areas of investment concerning cybersecurity are people. The right people. Companies are moving to the cloud, automating everything, and the traditional security engineer is obsolete. We have to change the security mindset to be more aligned with DevOps, i.e., DevSecOps.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions? (Middle East, Africa, Europe, Americas.)
I think there are opportunities for countries to communicate better around fraud, abuse, cybercrime, etc. I think we have some serious gaps with the way law enforcement and the private sector share information.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
I have seen my job change concerning the Board of Directors’ involvement in cybersecurity. These are good changes, where the board is getting more involved and is getting more educated on cybersecurity initiatives, products and best practices. I see and hear more and more companies getting serious at the board level with cybersecurity funding and overall security health. These are great changes in the industry, for when a company takes security seriously and it comes from the top down, the security posture of the company changes in such a good way.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
For anyone looking to obtain a C-level position, make sure you learn how to articulate risk and find ways to quantify it. It’s vital to know your audience when talking about risk and I strive to find creative ways to talk about risk every day.