Building a Winning Security Team From the Top Down

In wide-ranging Q&A at the consulting firm offices of Bishop Fox in San Francisco, Dropbox Head of Trust & Security Patrick Heim spoke with consultant Vincent Liu about some serious and not so serious issues facing the security industry today.

You can read highlights of the interview in this Dark Reading piece.

Origin Story

Vincent Liu: Let’s start with your background. What first interested you in computers?

Patrick Heim: I have to thank my father for being a technology innovator. I always had an amazing amount of hardware at home. Whether it was my first PC XT, Commodore 64, TI-99/4A, my father supported my bad habits, and that was phenomenal. If you combine having access to cool computing gear with the inevitable boredom of the Midwestern suburbs, I had plenty of time to experiment with hardware and software.

VL: What sparked your interest in security?

PH: I learned things like hex editing and hex in general because I wanted to cheat on certain computer games. Back in the pre-Internet days, everything was modems. You had these bulletin board systems scattered throughout the U.S., but the cool ones were on the West or East Coasts, which had hardcore long distance charges. Out of necessity, you had to figure out how to hack the phone company. This was my first taste of security/hacking. I never studied computer science; everything I know I taught myself. I didn’t think security was a viable career track. At Ernst & Young, I had my first technology auditor job. That introduced me to the idea of a security career. E&Y recognized my potential and that I had more knowledge than an average technology auditor.

"One of the tougher moments is letting go of what has made you successful. When you’ve been more technical, letting go of what you know is difficult."

Going Management or Staying Technical

VL: A frequent question that appears in security is, “Should I go into management/leadership or should I stay technical?” How did you make that choice?

PH: The tech stack’s complexity increased dramatically in the late ‘90s. For me to be technical — and competently technical in an area — I had to specialize. And I didn’t really want to. I wanted to focus on the bigger picture.

VL: What challenges did you face as you moved into a leadership role?

PH: One of the tougher moments is letting go of what has made you successful. When you’ve been more technical, letting go of what you know is difficult. Initially, it’s specifically letting that go. Over time, it’s removing yourself from the details because you have to trust your team to execute — and then hold them accountable.

For New(ish) Security Leaders

VL: There’s such a lack of leadership in security, and there’s no real training for it. What are your recommendations to new leaders?

PH: A solid technical foundation is important. It’s common to see people who are less technical being replaced with a newer generation of more technical security leaders. There’s also the issue of interacting with boards or higher-level executives. In those situations, claiming everything is fine is probably not playing your role. The expectation is that you will be self-critical, and you’re continuously seeking opportunities for improvement. You don’t want to be overly critical, and you want to celebrate your team’s wins. That’s important psychologically since security is a never-ending treadmill. Celebrate the wins, but look to the future. Consider how risks are evolving, what new threats are emerging, and how you will adapt to them.

VL: How would you characterize security leaders’ management and leadership styles?

PH: There are two camps of security leaders. One views the world of security in this structure, controls, reports, and predictability context. The other has an outcome, adversarial perspective. These leaders are more technical and see structure as a necessary supporting element. Neither camp is right or wrong — if anyone is too polarized, they risk missing something.

VL: As a leader, how do you react when one of your team members messes up?

PH: Part of that relates to culture. What’s the organization’s tone? My tone has always been that I’m not going to be punitive when people make mistakes. Nobody’s written the book on security. We’re conducting experiments and betting on risk prioritization. I can’t punish people for trying to do the right thing.

"If the individual has a coaching mentality, they may inspire others to up their game. If that individual is a very big personality, they may intimidate others or they may become frustrated."

Cupcakes and Culture

VL: How was it transitioning from a traditional company like Ernst & Young to a startup like Salesforce? What would you tell other security folks who are making that change?

PH: Choose carefully. Understand the market and the leadership, and the underlying technology. Beyond that, you need to trust the business’s leadership. If you’re the engine powering the boat, somebody has to be steering it in the right direction.

VL: As somebody at the top of his field, you have your choice of position. What led you to Dropbox, and what do you look for in leadership when you meet them?

PH: I’m interested in how leaders impact organizations. When I visited Dropbox and saw its culture and people, it became clear to me that something was very right about this company’s leadership. Having been inside of Dropbox, I now know why. From a cultural perspective, it’s focused on attracting the best of the best without compromising “cupcake,” a company value. Cupcake is basically being nice, good, and pleasant. When you make that a company value and combine it with amazingly smart and humble people, you have a great environment.

VL: Have you encountered any personality differences that are unique to security? For somebody who is starting to manage security professionals … are we weird?

PH: Yeah, we are weird. That weirdness factors in when we talk about the lack of adequate security professionals. To maintain a healthy team, sometimes you have pass on an opportunity to hire a particularly big personality because they could cause a disruption.

VL: When would you hire a big personality?

PH: It depends on the company. There are individuals with big personalities who excel at what they do. Harnessing that energy in a security product company is incredibly powerful. Taking that energy and putting it into a mature security organization in a decent-sized company may be difficult. You can hire those people, but you need to say, “What value am I going to get from them before they move on to their next challenge?” They are probably going to become restless and not want to work in a large company for an extended period. Then, consider how this person will impact the team. If the individual has a coaching mentality, they may inspire others to up their game. If that individual is a very big personality, they may intimidate others or they may become frustrated.

"A good security leader will guide his or her managers so they understand that angering people is an unsustainable strategy."

Building a Team

VL: You’ve led teams at industry leaders in nearly every industry you’ve been in and now, Dropbox. How have you built your security teams?

PH: At cloud companies like Dropbox, the best and the brightest are beating down our door. This parlays into my belief about cloud being a powerful risk-management solution. We have an amazing concentration of talent. For the people that I work with, some of what I look for is very Dropbox-y, like that human cupcake element. I think - do I like this person? Do I trust them? Employees can be a source of drama, which is distracting. Bite the bullet, extend the recruiting cycle, and dig deeply into who you want to hire — and hire the right people.

VL: You’re willing to wait for the right person because there are a lot of folks who, as you mentioned earlier, take what they can get. Do you draw a hard line there?

PH: Yes, more so at Dropbox because our culture is so connected to recruiting the right people. We don’t compromise on the talent that we bring into the company. There are some traits I always gauge for when interviewing. Many of the challenges in information security are abstract, so having people who are creative problem-solvers is important. A collaborative mindset is critical as well. When I interview a leader, I look for how they have enabled their teams. When they tell their stories, I want to hear what they’ve done to drive the success of their teams and companies. I gauge for humility in the interview process, too. The tech stack is evolving all the time; specialization is essential. I check to see if people are realistic about that reality.

VL: What recruiting lessons have you learned?

PH: I’ve made hires that were too experimental and backfired as a result. I’ve also learned — and this is more of a leadership skill — you have to quickly get all over any tension and resolve it. Visibly confront it because that way, the team sees that you have their backs. If problems are building up, you must address them. A good security leader will guide his or her managers so they understand that angering people is an unsustainable strategy. Look for win-win solutions, things that make everybody happy, and keep the business moving.

Dropbox: Life Inside the Cloud

VL: At Salesforce, you were always experimenting. Do you feel that is organization-specific?

PH: Cloud and technology companies in general have cultures that support experimentation. Combine that with the talent these companies attract, and you can do fantastic things. Traditional companies may struggle finding the money to staff these experiments. If you don’t have A-team players on your team, it’s difficult to do that.

VL: How did you build out your security team at Dropbox?

PH: We structured the security organization into two parts. One is Security Engineering, and the other is Trust and Security. We wanted to group individuals with similar skillsets together. The Security Engineering team consists of developers and highly technical skillsets. This involves more operational elements as well as the engineering side. The other part of the organization, Trust and Security, is compliance, risk management, working on more business-driven strategies, coordinating the entire program, and assessing its performance.

VL: Can you talk more about Dropbox from a security standpoint?

PH: We’re focusing on Dropbox for Business, which has been around for approximately two years and has grown to over 100,000 businesses using it. We’re also one of the first cloud computing companies to earn the ISO 27018 certification. In the last quarter, Dropbox delivered around 75 new features and many are security-related. We just launched the ability for view-only link sharing as well. There are an increasing number of capabilities that make it a more manageable and more secure product.

VL: You’re considered a de facto expert in cloud security. Why is it so valuable?

PH: Everyone is a target. An environment’s agility is the difference between success and failure. When you have an amazingly gifted team of security engineers, agility is sometimes measured in hours. Cloud is game-changing because of its agility. The provider can rapidly intervene, change, evolve, do whatever necessary to protect the customer’s data. Security is higher-stakes for cloud companies. If you’re not a great custodian of data, if you’re not compliant, if you’re not securing their information, your customers will leave.

VL: What are the major concerns of your customers at Dropbox?

PH: Customers sometimes look at risk from a strictly technical perspective. They undervalue it; they don’t consider the human element. We educate customers to view risk comprehensively and balance it against the business benefit. You have to balance security with business. Since the Dropbox for Business product is still young, we have to demonstrate to users that it is, quite frankly, a secure place for data.

VL: What about balancing security and convenience, and driving through security initiatives? What happens when management, execs, the board says, “No, that’s too much.” How do you know when to stop?

PH: You don’t want it to reach the board level and have them determine that for you. As a security leader, you need to determine what is appropriate for the company and make those recommendations.

VL: Thanks, Patrick. This has been great.

PH: Sure thing. It’s always a pleasure chatting with you.