CISO to CISO Webcast with Joel Fulton, Former CISO Splunk

Webcast and Podcast | Altitude Networks, June 3rd, 2020

We couldn't be more excited about this 4th episode of the CISO to CISO Webcast series! 

Michael Coates is joined by Joel Fulton, who has recently left his CISO position at Splunk to immerse himself in the life of the Silicon Valley startups. Joel is the Founder of a stealth mode startup and joins Michael to discuss how his journey in the field of security led him to this venture. They also touch on trends in security innovation, a perspective on how security was different or similar across the various companies they were part of, and some career tips for those interested in becoming a leader in Info Sec.

Read, Listen, and Subscribe to the Podcast

GMT20200603-200024_CISO-to-CISO (Audio Only) June 4_Fulton.m4a was automatically transcribed by Sonix with the latest audio-to-text algorithms. This transcript may contain errors.

Michael Coates:
Welcome, Internet. Welcome, everyone. Watching live, watching the recording. Great to have you here for another CISO to CISO. So my name is Michael Coates. I am the former CISO of Twitter. Hence the reason I'm part of the CISO duo here. I'm also the CEO and co-founder of Altitude Networks. Joel Fulton is here with us as well. Joel, great to have you here also.

Joel Fulton:
Thank you, Mike.

Michael Coates:
And this podcast is being brought to you from Altitude Networks very quickly. We are a cloud based DLP solution, so we are focused on data security in the cloud, focusing on platforms like G Drive, Box, Dropbox, etc. And if you've been in the enterprise using these platforms, you've probably seen how quickly you can share documents to the wrong people, make mistakes, get compromised, or maybe even be malicious. Your data is at risk. We have a cloud based, integrated platform to find those problems and help you solve them at scale. If that sounds interesting to us, check us out at altitudenetworks.com. We have a ten minute integration to give you a preview of your results. With that out of the way, why don't we get started? Joel, so awesome to have you here. You have been in a variety of amazing locations in security leadership roles. You've seen a lot of things. And on top of that, you're an all around good person, which you can't always say about people across the board. So I'm really excited about this.

Joel Fulton:
Thank you.

Michael Coates:
Can you tell us a little bit about your journey? How did you start in security? How did you move through the ranks? There's so many different ways people are in the security field. What was yours?

Joel Fulton:
Yeah. So let me start way back at the beginning when two people really love each other back. So when I was young, I was inspired by private eye detective fiction and I wanted to be a PI. Raymond Chandler novels, The Confidential and all that was just what I wanted to be. And I've always been a planner, and I know that very often planning takes supersedes execution of work. And I've learned that later in life. But as a child, I was a planner and so I had it all meticulously laid out. If I'm going to be a private eye, all the private eyes have friends that are cops because they help you with the system. And if I'm going to be a cop, it could be that I might have to shoot somebody so I should learn how to help them. I should be a paramedic. Best route to be a paramedic, I learned, was to be a fireman. So that was my life plan from the time I was probably eight, is fireman, paramedic, cop, P.I. and then I would finally be the fictional character that I'd long fantasized and admired. But that sense that security, solving problems, intellectually grappling with difficult issues when I first got into IT in tech, security wasn't a thing. The closest you got to it were in actions with the Rainbow Book series. And you remember probably NT 3.51, and its C2 compliant install. And that was the really kind of the first bit where we got to touch what is security, apart from Watchguard and SonicWall firewalls. As Gramm-Leach-Bliley and Sarbanes-Oxley, as these things started to have consequences on businesses, that security really became meaningful. And the problems, the puzzles, the cognitive challenges I thought I would encounter. I did, but I got a double scoop. I didn't realize that security is not about solving a technical intellectual problem. It's very often 50/50, a relationship problem. And so that's how I backed my way into the career that I've done for 20 years and have a great deal of passion about and love.

Michael Coates:
Yeah, I'm always amazed that the first look at the security field from the outside is that is a deeply technical problem, an area and there are certainly tons of technical, important elements, but the psychology of human behavior, the motivational aspects, organizational interactions that play such a huge role. And it's almost shocking to your point, like 50/50. It's amazing how much of a role it plays if you want to be a security leadership role.

Joel Fulton:
And be successful at it. I think I have observed at least let me use myself when I rely on technical skills, when I have overdone in the past, it puts distance between myself and people. Leave me alone. I'm working on this problem and I have observed in my own practice that when that is my chosen step, that distance I put between myself and others causes me to fail, no matter how beautifully I've architected, built engineer a solution. And that really opened my eyes that maybe I wasn't as smart as I thought I was, from my EQ, IQ standpoint. And there's other aspects where I had huge blind spots.

Michael Coates:
And so you've seen security at some big and really prominent organizations. You had a security leadership role at Google, you were most recently the CISO at Splunk, and also some big players before that as well. How did security change across those different environments? What did you find as similarities? And I guess as you look at overall, how do you think about what the CISO role is? And is it the same in each place?

Michael Coates:
Yeah, those are interesting questions because I bet every member participating with us has a different spin and cut on it and they're all right. So let me introduce some variables that I can map across the roles, positions. And when one of those variables is time, if we go back to the cusp of 2000, security was very binary, is very panic driven. Are you Y2K compliant or not? And then we packed a bunch of variables into Y2K compliant. And now when I meet with startups, newer companies are looking at how do I assess risk? That level of sophistication has grown in our understanding of security. So that's one variable, time and maturation. The other is the vertical, the industry in which some of these were. So if I started at Boeing, Boeing was built around organized and their culture was hierarchical. I'm loath to call it military because they had IDS, integrated defense and BCS commercial. And they weren't all military, but it felt hierarchical. You had an enlisted and an officer class in the management scheme. And so security was very preventive. It was very restrictive. And if you couldn't accomplish your job because of security, that's OK. Was the ruling theme at the time. And I went from Boeing to Starbucks, and it was very much like leaving a base camp and going to a hippie commune where there were no rules and it was all about partnerships and there was no conflict that wasn't passive or many people thought it was kind.

Joel Fulton:
So I didn't disagree with you, I would say so. There's another way of looking at it and we come at it that way. And so coming from a very brusque, authoritarian Boeing to a very congenial but also far less disciplined Starbucks, their approach to security was very different. Boeing would see the world as there's bad guys, there's countries, actors who are after us and Starbucks, I can't imagine anybody, whatever. I mean, we're just good people. We do good things. And so from Symantec to Google to Splunk, that company culture dominates my ability to affect security the way I alone would have thought it would be appropriate. And that situation itself is necessary because the companies weren't there, obviously, and I know this is tripe, but the companies weren't there to be secure. They were there to accomplish a mission that security ought to support. So learning how to take things I believe were right and effective and subordinated them to the culture and leadership of the company so they could achieve their goals. That was the biggest change all along the path.

Michael Coates:
Yeah, I saw a similar dichotomy in the other culture. I mean, I spent a few years at Motorola, which very big, very different environment. Then years later, when I was leading security at Mozilla, I mean, I just sort of night, night and day and fascinating to see the differences. I think, as you mentioned it, where security can stop business and some of those companies and in others like, well, get on board, get along for the ride. You know, things happen either way. Yeah. Yeah. And did you see a difference from an enterprise based security role, like you said, like maybe Boeing or Google versus a security vendor security company like Splunk?

Joel Fulton:
Yeah, Splunk and Symantec, both vendors in the security space and I. Symantec is and was wholly a security vendor. Splunk larger, but security is bread and butter. And there you have the problem of the temptation of a facade and both the overreaction to it or the ignoring of it, you know, the old Western fronts or the what's called a Potemkin village, where in Czarist Russia, when the Czar would come through, they put up all the fancy fronts and the flowers and then after he would pass, thank God he's gone, they could tear down the stuff and everything to be OK back to normal. So there's part of that because you're a security vendor with an extremely rapid install of your product, solving data leakage in Google, Box, Dropbox and others of that. This podcast is brought to you by my friend. So you can't be a hypocrite, when you approach a company to sell this, you are arguing likely or persuading about the need for the service it quickly moves to. Well, now hold on, is your security commensurate or greater than mine. And that is that the integrity of that company at Symantec at this point to say our company, our customers, let me Splunk specifically because they did a wonderful job investing in this. The position there was our customers put their crown jewels into Splunk. It is crucial that we protect their data as well or better than they can, because if their support were exploited, they would also have removed their ability to identify that exploit. So we have to go beyond the customer's ability as much as we can in order to prevent that double occurrence. In, and it really, in my opinion, depended because I was under four CEOs at Symantec. It depended on the direction that CEO took. You would have a very strong sales leading CEO and then you'd have a very heavy engineering lead CEO. And it wasn't one was pro more or less security. It was how you communicated what the security strategy were and aligned it with what we're now his or her specific goals.

Michael Coates:
Um, yeah, it definitely is. It's fascinating to see how that changes across environments and how there is no single universal job description for a CISO or even a universal reporting chain as everyone seeks. Like, what's the best way? Yeah. Seeing all sorts of varieties. Now in a different lens of security when you look at like what's being studied in universities for security and then where a lot of innovation is happening in the space. And I guess a third domain is like what are in headlines. Those are all very different areas. And, you know, one thing I've noticed is that the theory of what we should be thinking about in security seems to differ from operationally what we're doing and what people are talking about. You know, you see focuses at conferences. Black Hat has lots of great merits to it. But at the same time, I sometimes walk away from them going, I don't need my team to know how to blow up a toaster. So where am I thinking? So how do you think about the differences between practicality theory and all of these different things pulling at your time in the security space?

Joel Fulton:
That's so I. I want to be a curmudgeon and say I don't care about blowing up a toaster, but I love security and I'm not good at all aspects of security and the more folks I meet that are in. Well, as you said, academic research, practical applications, if you grabbed for other CISOs and put them here with us, the five of you would excel in domains where I'm ignorant. And I think that's fantastic. And part of it is because security is so young, codified cybersecurity is so young, it ought to be one of the oldest professions that we've got. It's been around and the principles have applied for a long time and been demonstrated to be valid or disabused. But we're kind of in an age right now where we're angry at history and we don't believe that they have anything to teach us. And so we're going to invent lots new. And so where we ignore history, we fail to learn things, but that let's go back to first principles and let's examine these things also does have some benefits to it. So what I love more than anything else, because I've seen its value is I love the basics, the fundamentals of security. I am not a big fan of flashy. It's great as a hobby. But in terms of what does it really take, what is proven out over time, the basics, time and time again. And it applies in other areas like Bruce Lee, who said he doesn't fear a man that knows ten thousand kicks, but the man who's practiced one ten thousand times like that is a theme.

Joel Fulton:
And we always misquote Franklin, Jack of all trades, master of none, what he said was, Jack of all trades, master of what. So get deep and know a fundamental and yeah. No, a smattering of the others. So I love the academic research because it smells like the future. And so where, where we might be innovating in a way that's focused on a particular problem by looking at some of the academic research, even like real simple, tip, scholar.google.com, on the left hand side, eliminate patents. Look, in the last two years, 2019 and recent, and look for your keywords and then look to see where they linked and you can follow those thoughts back and you can build out an academic understanding and you think, well, why is that interesting. What's really cool is when we're looking at machine learning and we're looking at natural language processing to reverse, identify and categorize data, that work's been done in other areas and we can cheat. We can skip forward by stealing some of those examples. So I love the theory and the academic side. But when it comes time to cut the fat and really get to engineering, it's good for me to have a partner that's more focused on the practical because I love that so much.

Michael Coates:
Yeah, I really found that as well. You know, at Twitter, what I ended up saying to people was boring is sexy. I don't need APT, I don't need quantum this, like I need identity to work everywhere. And while it's boring, it's boring because the concepts are like, oh, identity like I haven't heard about identity enough. Sure. But it's challenging to then do that across all the new architectures. How do you do that with cloud. How do you with micro services. Similarly access control like minimal access model. That's easy, but operation at scale it falls apart real quick. Like what do you do when people move from one world to another? How do you know if they need to drop those permissions? You can't just do your quarterly audit reviews. We tried those. Those are horrible. I imagine if it's rolling their eyes or should be. So they're really boring concepts that are fundamental. But figuring out how you do them at your enterprise scale, that's what I found is super sexy and not enough people work on it. Please keep making new ideas and new startups on this basis, please.

Joel Fulton:
Absolutely. If you could. We all want to win a lottery. That's human nature. We all want a magic pill that'll make us sexy, thin, strong and charming. But nobody really wants to brush their teeth, eat broccoli and do push ups every day, for a year, because the results are incremental. We want the instant change and I think that's a human weakness and that sure falls right into security.

Michael Coates:
Mm hmm. Mm hmm. So I want to jump back to something you talked about at the beginning, because we're thinking about how, you know, the mindset of the CEO is working and how they think about different things. You mentioned relationships. So we talked about a few technical things. I'd love to dive into that a little bit more. How do you build good relationships as a CISO? How do you avoid being captured as the No team? Or to your point, I think you've covered already, like appearing smarter and above other people because sure, we know more about our discipline than everyone knows more about their discipline. But how do you fight those challenges and build those positive relationships so you can be successful in an enterprise?

Joel Fulton:
Yeah, that's so there are some rules of thumb. There's some mottos. What if you thought of other people more highly than you thought of yourself? That's a little startling, and so what if in this interview I thought of you more highly than I thought of myself, you would you'd know it. You could tell I would respect you. I wouldn't cut you off or dismiss your ideas. I can, you are treating me as though you value me highly. You're asking me questions and you're not rolling your eyes when my answers go past three minutes. And that's a gift. Right. And so that gift starts to establish trust. And it's very counterintuitive in security where I think that I want to be John Wick and go kill all the bad guys and nail everything down and be this iconoclastic, hard driving like in real life, John Wick is really short. And in security, if people love you, they will go to the wall. They will be your intrusion detection sensors. They will be your first alerts. And people don't love you first, if they know you love them, if they know you respect them. And part of that is if they believe truly you're thinking of them more highly than you are yourself, then what they give you back is a relationship. Now, it's not magic and it's not manipulation.

Joel Fulton:
It doesn't work every time. And that really isn't why you do it. But when people know that you care, people work because they want instead of because they have to or you might catch them. And that to me, others have done that to me. And I watched myself responding, reacting to them. And I thought, now, wait a second, what are they doing? Why am I feeling this way and asking those questions and learning from them, that was their approach taught me. That's one excellent approach, for me anyway, in dealing with other people. And I've had pushback. I've had very good friend who worked for me. She said to me, when we have our one on ones, I'd like to hear more criticisms from you. Like, I hear a lot of things that are encouraging, but I'd like to be like 50/50 criticism and encourage. And we're close enough, and I know that doesn't apply to every situation, but I told her like I'm not your Sensei. Like my job isn't to fix other areas of your life. Let's stick to work. And this is if I have a criticism, I don't wait for a one on one. So it requires. So it's not automatic, right? It's not manipulation or routine. It's a relationship built on that.

Michael Coates:
Yeah. And I think to tie back to something you said also at the beginning, where the companies are really looking for success and security needs to be a part of the company's success. When you're building those relationships and put the first priority clearly as well, how do we make the business succeed? That really can disarm people. Because I know there's lots of security interactions that people have had historically that have colored their lens towards a new CISO or 2 individual there.

Joel Fulton:
And some of those were mine. So.

Michael Coates:
Yeah, yeah. Oh, yeah. I think we can all think back to plenty of those times ago in retrospect and what I've learned since that was probably not the best way to do that. So, yeah, I mean, one of the more important things I've seen with those relationship building situations is to establish that you're not in that former camp. And some of those experiences, just the person may have had were aware. But that's not what we want to do. And by setting up like, all right, well, how can I make you successful? That's really helped people, because when you get to it, they don't want to do things that are super risky. They don't want to lose people's data. They also just don't want you running into last minute with some weird technical jargon saying you can't ship your product out of nowhere. Yeah, that shared understanding really works well to me.

Joel Fulton:
That is so good.

Michael Coates:
So for those of you listening, we have one more question coming. If you have questions you'd like to throw into the mix, feel free to put them into the chat and we'll incorporate those the time allow. Sometimes you don't get many questions because we have I got so many wonderful questions and so many ideas that what else could you possibly ask? But maybe you'll surprise us. That's not a question either. So we've talked about a lot of good ideas here, a lot of interesting aspects. Many of the people that are watching these live recordings or the recordings later are thinking about moving into the security world either from the beginning or maybe thinking about one day being in a CISO role. So those are two very different points in a career. But what are your recommendations? How should someone think about getting into the field of security? And for those in it, how do you rise to be a CISO one day? If that's your goal?

Joel Fulton:
Great, great. So absolutely get into security. It is the best career out there that I can think of. It is rewarding. It is challenging. It also provides it will fit your personality. So security is not a monolith. Security is intrusion detection. It's working. The third shift in the SOC, which honestly third shift is often so much better than, even grocery shopping when no one's in the store, like start there is amazing. The whole governance, risk and compliance. Sarbanes-Oxley, PCI, HIPAA. If you approach that and desire, you can be amazing at it instead of. Oh, this is another paperwork processing. In security, architecture and code security and review. There's an aspect of security that will fit your proclivities and your personality. You just add the I know I really want to solve a hard problem and help people. Those two things together, I think. And there's something in security as help you. So how I got into it when I was first looking at security is I went and imposed myself on lots of people in security. I called VARs, I called large companies and asked to talk to the head of security there, which is very often back then the director of IT, who was responsible. And I asked for 30 minutes.

Joel Fulton:
And in that 30 minutes I came with a list of questions and I said, What do you love? What do you hate? What would you have done differently? What's the average day like? What would you switch your job for? Would you tell somebody to get in? And I just had a bunch of obviously rapid fire questions. And it not only built out an understanding from all of their perspectives of what security was back then, but it also made me friends because they said, hey, if you ever do this, keep it. And we did. If you want to be a CISO, my strong encouragement is. So I believe if you have a why, you can solve any what and any how, and very often we try to solve a what. What are you going to do today? What is your business going to accomplish? And so then we build out these house, but we skip the why very often. Like if you think back to Shakespeare and in Hamlet, when Polonius is sending off Laertes, he's like brain dumping this last minute parental advice, wear cheap clothing and don't make fast friends without trying them. And he's like and he's giving them all of these whats. If Polonius had given Laertes a why, I want you to be an honorable man.

Joel Fulton:
And this is what it looks like. Then later he's going to answer all those questions for himself. So do that. If you want to be a CISO, why do you want to be a CISO? And I can tell you the privilege that I got out of it is I believed I could test the hypothesis that we could connect business and security and we could stop treating people like commodities, that we could stop treating people like their trade outs, and that if we built security based on trusting people and caring for them, we could see a return on benefit that others couldn't as they were automating, which never really happened. And then several other CISOs that you and I both know when I asked them, why did you become a CISO? So fewer and fewer say, I don't know, it just happened. More and more say because this was my goal. And so that would be my number one advice to someone who desires to be a CISO. Why get a good why? And if you don't have one intrinsically, talk to other CISOs and create your why and see if it's true, then go for it.

Michael Coates:
That's great. That's great. We do have a couple of questions from the audience. So one of them is what was your big Aha moment about the CISO role within your career?

Joel Fulton:
Oh yeah. The big all I had was the CISO role is so new that we're neither accepted nor rejected from the executive team. So other executives are very welcoming as people, but not really sure as stereotypically or to fit you in that executive team. Likewise, you, I, haven't had the experience and the education they have had to know how to fit into that executive team. And so the biggest Aha for me was I'm not just here to lead a team which I learned and knew how to do, but I'm here to represent my team well to the executive staff and I don't know how to do that. That was my biggest Aha. I thought that would be easy. Years spent presenting to a board. Presenting is not a relationship. And so that was the biggest Aha. The necessity of building relationships, how to build them and how to get reciprocal relationships from the executive team.

Michael Coates:
Yeah, very well said. And then our second and final question here, would in a decision maker role for security, what will pique your interest for one tech supplier over another? Or I guess put another way, when you're looking at purchasing technical solutions, what type of things do you think about to evaluate those decisions?

Joel Fulton:
That's a good question. And weirdly, I have a more recent reason for the same answer. I would have told you if you'd asked me this 10 years ago, the people. The people I'm in contact with, the people that run the company, their integrity, their transparency, their honesty, that matters because tech's going to fall apart. PowerPoint never match the demo, which never matches the install. And I need to know that if I say yes, I've got a human. You know, we used to vulgarly call this one throat to choke, don't want to choke a throat. I want to have the game, so that if I suffer, you suffer and you're motivated to get me out of it. With the advent, and we've now spent a year with the Silicon Valley CISO Investment Group. As we've met startups that has been validated from the outside. And that is when you invest in a company, it's apparently very well known to VCs but wasn't very well known to a group of CISOs. You invest in a team, grit, persistence, agility, intelligence, because their products are going to pivot, features are going to fail, and that team is what's going to be resilient or not. The product won't. And so that later on validated when I'm looking for a technology solution, really, I'm looking for an honest broker, someone that will sit down. So anti stories, a vendor that wants to argue or pick a fight is not going to work because they think the product matters more. And if they can persuade the precision of the product, we'd be all in. And what they miss is it's the relationship. Your products will change all the time. It's the relationship that matters most to me and to us. So. There's my answer to technology selection as people selection. I think that's great.

Michael Coates:
I think that's great. Well, very good. I guess Joel before we part, any last thoughts you want to share about any topic out there?

Joel Fulton:
Well, one of the largest problems that are out there right now is exfiltration of documents, data and email through particularly Gmail, Box and Dropbox. And I understand the Altitude Networks has a 10 minute to install solution that will demo for you, how they can identify where those files are going and whether they're inappropriately shared. Do I get the shirt?

Michael Coates:
I didn't promise of anything for that line, but I love it. I love it. That's great. Perhaps the bigger picture, as you mentioned before, those relationships, relationships matter. You get things like that thrown in there without I even know it. I think this is awesome.

Joel Fulton:
Thank you Michael, I really am grateful for your generosity doing this. This is terrific.

Michael Coates:
Well, thank you for your time. There's so many things going on in your world as well. And taking a moment away to jet over here to Paris for a coffee. A group of people that are sitting quietly letting us do our recording. Really appreciate it. And thank you everyone who joined us live. Thank you. For those of you who are watching the recording when that comes out and keep an eye on the Altitude Networks announcements, both for future CISO to CISO webcasts and also information about our solution for the data security in the cloud. With that, we'll wrap it up. Thank you, everyone, so much.

Joel Fulton:
Thank you very much.
