
CISO to CISO Webcast with Keith McCartney, VP of Security & IT at DNAnexus

Webcast and Podcast | Altitude Networks, November 19th, 2020

We are excited to welcome Keith, VP of Security & IT at DNAnexus on our next episode of the CISO-to-CISO webcast (later posted also in podcast version). As an electrical engineer in spirit and an Information Technology executive by trade, Keith has established a record of success in improving security posture, prioritizing issue remediation, mitigating risks, and delivering innovative solutions to meet evolving business and industry needs. Throughout his career, Keith has experienced technology as an architect, a salesman, an implementer, a customer, and an end user, which makes for a great conversation with Michael: they will discuss what brought them to their roles today, and advice for others trying to become a CISO.

Keith-audio-trimmed.m4a was automatically transcribed by Sonix. This transcript may contain errors.

Michael Coates:
Welcome, everyone, to another edition of the CISO to CISO webcast, super excited to have everyone here today. My name is Michael Coates and this podcast webcast is being brought to you by Altitude Networks. We are tackling data security in cloud collaboration platforms like G Suite, Office 365. So if you've ever shared a document to the wrong person, had somebody off board and still have access to your data in the cloud, or wonder exactly how you protect all that information, check us out. That's our sweet spot. Super excited today to have Keith McCartney with us, the VP of Security and I.T. at DNAnexus. Keith, thanks so much for joining us.

Keith McCartney:
Thanks for having me.

Michael Coates:
So, so many exciting things to talk about here, you know, the life of somebody in security is never boring, that's for sure. Yeah. And really, really pumped here to hear some of your stories and what you're working on. So tell us a little bit about how you got to the role as a security leader. You know, what I found is everybody's path is different and you're heading up security and I.T. at a pretty exciting company. How did you end up there?

Keith McCartney:
Yeah, I love telling the story. I also love hearing the stories from others because, as you mentioned, it's always different for folks. I think recently we've had more educational programs and certification programs focus on security. But a decade ago or even more, there really wasn't an educational program. You couldn't go to school to get a master's in cybersecurity or focus on information security. So I entered the field in kind of a roundabout way. I was actually an electrical engineer at University of Florida. And I ended up doing some work for Siemens and for the local power company. And through that work I kind of took more of an IT consulting route and ended up at Accenture. When I got to Accenture straight out of school, I think there must have been some resume scanner that scanned my resume to figure out what group are you going to be in? And because of my work at the power company, I had done some business continuity and disaster recovery work. Hurricanes, obviously, are a very, very influential force in Florida. And so a lot of the reliability engineering work that I was doing was specifically to help us recover service faster for our customers. And so the resume scanning logic that they had at the time decided that that's a security function. So I ended up in the security group, didn't know a lot about it, but had a great group of folks who helped me learn, started on policy and risk assessments and got through to some technical system implementation, did some identity access management work. And the rest, I guess, is history, as you say.

Michael Coates:
Yeah, it sounds like if we're going to make an analogy or reference to a movie, it sounds like the sorting hat, the Harry Potter sorting hat resulted in you going into cybersecurity.

Keith McCartney:
That's a good analogy. I think a very good analogy, actually. Not thought of that one. The thing I like to focus on is what keeps me in cybersecurity as well. And as you mentioned, I'm leading up the IT team now at DNAnexus in addition to security. And these are two things that I think are interesting challenges that are becoming more and more closely linked to each other. It used to be that they were kind of opposing forces in some camps. But I really like the combination of having the responsibility for user enablement as well as responsibility for security and control. And I think probably in the last seven or eight years, folks on the security side have been realizing that this is critical: if we're not focused on user enablement, we're going to lose. Right. Because the users are going to go around the controls, they're innovative and they're going to find a solution. But being able to tie into IT and really realize, and have the team realize, that our success is the user's success. And as we design systems, it needs to work in a way that makes it easy for people to be secure, easy for people to be compliant, easy for people to be safe as well as do their work. Right. That's why they're there.

Michael Coates:
Yeah. Yeah, definitely. Yeah. I think that's going to be an interesting thing to unpack, this tie between security and IT. So I'm really excited about exploring that. And then another piece that is also often overlooked, I think because of the technical nature of our field, is that so much of what we need to do is actually not technical. It's about relationships. And it's almost shocking at first because I took a similar path to you in security, you know, going in and doing a broad spectrum of different things from policy review to technical controls reviews to actual hacking. And I gained an appreciation of all these different parts, the technology, the policy. But for me at least, what I noticed was the more you progressed in the field, the more the human part becomes the big driver. Now, you're probably seeing that even more so in a smaller company where that human interaction or bumping into each other is a big deal. Not that it doesn't change, but how are you managing that element of relationships and humans in the small org to get things done?

Keith McCartney:
That's a great, great question. And to be honest with you, I love being in a small org. I think my first company was about a hundred and eighty five thousand people when I was there. The second was about one hundred and twenty thousand. And then I went to thirty six hundred, which in relative sizes is still a lot, went to about a four hundred person org and now I'm at about a one hundred and fifty person org. The thing that is different for me is at the one hundred and twenty thousand person org, you're really conscious of creating demand. Right. Because it can very quickly outstrip your capacity to service that demand. That concern goes away a little bit as you get to a smaller and smaller org, where you can actually have a one on one relationship with everybody in the company, which I love. You can develop a relationship and you can be involved in the majority, if not all, of the design decisions and the decisions related to technology. Whereas you've got to figure out other methods to scale at the large orgs. And you can do that through growing your team. You can do that through providing guidance. But I think it becomes much more, as you mentioned, relationship driven. And you get to focus a little bit more on kind of what people's business objectives are, what are they trying to achieve, and then how can you help them get to that point without being the department of NO that I think at the larger companies, folks are typically forced into just because of that scale problem.

Michael Coates:
Yeah, and you mentioned a really interesting point there of how to help them be successful. I didn't hear you say how to shove security down their throats. How have you found that it's worked out with shifting that mindset? If I can kind of make some leaps there of helping them be successful versus advancing your agenda per se?

Keith McCartney:
Yeah, I think the thing to realize is that there's steps forward and there's steps back. And those steps back can be because of an experience that that person has had in the past with your predecessor or a security person or a compliance person at another organization. And so I think empathy is a really important part to understand. Try to understand where somebody is coming from. The default assumption. I like to say I had a boss who taught me to assume positive intent, so we don't come into the meeting, come into the room, come into the project with the assumption that anybody is trying to do things in the wrong way or do things in a way that's going to create risks for the company. But they do have other constraints that we may not be aware of. And I think it's important to understand those and have a conversation with them and understand which of those are flexible, which of those can we work on and help them, and then which are the ones that are inflexible that we just have to deal with and maybe go down a risk acceptance path or risk mitigation path to make sure that the business can be successful without taking too long to get to market or without increasing our operational costs or our development costs beyond what we can support.

Michael Coates:
And, yeah, I think that other constraints element is really key because sometimes a security person, you'll wonder, like, why are they pushing back? Why won't they just do this and maybe they even want to do it. But the other constraint they have is priorities and time. Like if their boss, their chain or their OKRs or whatever are saying this thing has to be done by this date and you are not part of that thing. You can see how it's not you. It's not security. It's like the facts on the table.

Keith McCartney:
Yeah. And OKRs, I love the OKR point because at that point it goes in that bucket of inflexible constraints. Right. I think your opportunity to influence that is when those OKRs are being set. And so if you're not in the room during that conversation, and realistically, you won't be in the room all the time. But if you can set a vision for the organization, if you can socialize that with the right folks, at least your agenda and where you want the organization to go and where your leadership, where your CEO and your board are directing the organization on risk tolerance, that's going to be considered when we set these objectives at the org level. That makes it a lot easier. I think it's always difficult the first year or two when you come into a CISO role or a VP security role and those OKRs are already set. And so you've got to gradually change the pace of the organization over time. Yeah, that's a delicate skill set. And I think one of the metrics that we think about a lot in the security world, I think this is changing, but a couple of years ago, I used to look at the longevity of security leaders and it was about 18 months. And so if you're leaving the org after 18 months, you really haven't, and presuming your OKRs are set on an annual basis, you don't have a lot of time to influence that. So that's one of the things that we need to be thinking about, the long game as security professionals and as real business partners. Yeah, I fully agree.

Michael Coates:
So, you know, each of these webcasts, we like to move around the world because, I don't know about you, I'm tired of sitting on Zoom in my home office. So you are hitting a nerve. Yeah. You know, we got out the corporate jet. We're doing really well as a startup. Got the corporate jet out, we flew you, both of us, out here. Tell us a little bit about where we are in the world and why you picked this location.

Keith McCartney:
Yeah, so we're in Switzerland, we're in the Canton of Valais in Zermatt, actually. So Zermatt is a town in the valley. We're both looking at different angles of a very picturesque, noble peak called the Matterhorn. We're looking at it from the Swiss side. We have some other pictures from the Italian side and it kind of just blends into the ridge. So it's funny that you think of this, kind of as a perception in a way that applies to security as well. As you look at the Matterhorn from the Swiss side, you have this picturesque peak that kind of reminds you of Toblerone chocolate. You look at it from the Italian side and it's just another bump in the ridge. And I think security is an interesting parallel to that: the beauty is in the eye of the beholder around here. But this is a place that I had an opportunity to live in. I lived in Switzerland for about five years as part of one of my assignments and just loved it. But the winters are pretty rough there, particularly since I was in Zurich. You don't get many sunny days in the winter; it's a lot of overcast days. It's in the valley, there's a pretty big lake, so it stays cool. And, you know, if you want to see sunshine, you've got to go up above the cloud layer, up to the mountains, the three thousand, four thousand meters. And Zermatt was one of those places that we love to go. We love the culture, love the food, love the skiing and love the sunshine.

Michael Coates:
Oh, well, a parallel or an analogy with the background, location, security. I think you take the cake, you've set the bar higher for all of you who go there. All right. All right.

Michael Coates:
So something you said a little bit earlier that I want to come back to was all about this notion of collaboration with the desire to make people productive, make things work, and, if I could infer, also making it secure. You have a pretty unique, or maybe not unique, a changing setup with security and I.T. both reporting to you, and I have seen that happening at more companies. How is that working out for you? Were you apprehensive initially? Has it played out well?

Keith McCartney:
Yeah, I don't know that apprehension was the right word. I was excited about it. I was excited about the opportunity. I think as security professionals, anyone who's been in the field for a long time, I'm sure, has a story to tell you about DevOps and a story to tell you about IT. And most of those stories, unfortunately, are, at least in my experience, have been positive. I, fortunately, have had, I think I've been lucky, I've had some really good relationships with IT. I think part of that's been the focus that I've put on that relationship. But also I want to thank the partners that I've had in previous roles. But there's some natural conflict there because we're incented in different ways. Right. So security is incented to manage the risk and control the risk and make sure that the bad things don't happen. And IT is generally incented on making sure the systems are online and available and make it cheap. Don't kill us with the cost of the systems for the value that we get out of them. And so security can tend to add cost, can tend to add complexity, which impacts uptime and availability, and recently tends to introduce a lot of change, which also can impact cost and availability and uptime. So those objectives don't necessarily align, but it's important to focus on the relationship. I think we're starting to see these two functions roll up under the same executive more often. And realistically, in the scenarios where you've had a CISO report to a CIO in the past, they were also rolling up to the same exact executive. It was just that the primary background of that executive was as an I.T. operator.

Keith McCartney:
Now that I've got both of them in line, I'm starting to reduce the distinction and difference between security and IT. I think giving the security professionals on the team the objective of enablement and the consideration of user experience as well as change communications. Right. If we're doing a security change, the security folks write that. It is not the IT folks that are writing that change notice. As well as giving the I.T. operators the responsibility to make sure that any changes they're making, any new systems that they're introducing are secure, I think is really making us more efficient. It's making us more streamlined. And we don't have these kind of multiple steps on the deployment to say, hey, did so-and-so sign off on this, or is so-and-so handling the communications to the users on this? It's really integrated. And I think that gives our people development opportunities, right, they are becoming more skilled at end to end deployment, and it also allows them to work across boundaries that we had instituted in the past. But I don't know if there was really a reason for it other than just the differing objectives that the organization had given to us. So all in all I think it's a great change. I think we're going to see more of it, but it's not without challenges. It introduces some of the same prioritization challenges now within the organization, within the team, that security has always faced. We will always face the cost challenges. We always face the considerations of users, although we may not have been held as accountable for those considerations as our I.T. counterparts were.

Michael Coates:
Mm hmm. Yeah, and I love that it brings together these two push and pull forces. It has to be secure, it has to be usable. I wonder how an organization would think about this with that concern over what if the leader just buries one, like what if you just buried the security because it's usable. Who's your counterbalance to that, or what is the counterbalance in the business, as I think about that?

Keith McCartney:
Yeah, that's a good point. I always think of it as, well, at some point you're going to have a problem. Right. But that's not the type of counterbalance we want to see in our organizations, because that means that something has gone wrong. So I think there's that piece out there that we want to be accountable for. But I think there are some new relationships that start to evolve between compliance and audit teams, which have always held both those sides accountable. Legal teams, who are a key part of how we communicate that risk to the board and to our investors. And then ultimately, there's the executive team of the company and the board, which are setting the strategy, which security needs to be a consideration on right now. IT and the cost side and the user enablement is something that they're interested in. But it's also very frequently regarded as table stakes. The systems just have to work. People just have to be efficient. If there's pain, we're going to focus on that and address it. But I think more and more so we're seeing the security conversation rise to the board level, to be a frequent feature at the board reporting. And honestly, the board members are becoming more educated and know to ask these questions, and they are starting to get more experience and more insight at evaluating our responses to their questions in this area.

Michael Coates:
And I like the notion that parts of IT are considered table stakes. But as you move technology platforms, like if you make a move to cloud or to work from home, that's going to impact IT dramatically. But of course, security as well. So having those two work hand-in-hand is great. And even for, this is the top issue, guys, we've got to get this element solved and we've got to solve it in a way that works and is secure.

Keith McCartney:
Absolutely.

Michael Coates:
Very cool. Now, one of the challenges in the security world, or the leadership of security, is, to your point, if the average tenure is 18 months, that's a challenge. And some of the reasons that that period is so small is burnout. It's something that we are aware of. And I think that gets back to some elements of your mental space on how you think about this. There's so many things that could go wrong. There's so many things you could be doing. So when you look at all those things, how do you think about when you are done, or how do you know if you've done enough, or how do you wrap your head around thinking about that at all?

Keith McCartney:
Yeah, yeah. I think part of it, just part of being successful in this space, is realizing that you're never done. And I equate that to, you know, a lot of engineering and scientific endeavors where we're looking at, and even the concept that's pretty prevalent right now in our SaaS infrastructure is continuous integration, continuous deployment, a proxy for continuous improvement. And so we don't think of it as like there's kind of an end of the road where we just stop and we're good. And I think that supposes that we're not up against a dynamic adversary. I think the reason that we need to do these things is because there's other folks that would like to profit or would like to gain advantage if we were not to do them right, to use our resources, to use our investment, to use our knowledge, use our intellectual property, to abuse our relationships with our customers for gain that is outside of that agreement or outside of the structure that we've created for our service and to service our customers. So I think that's the important thing to remember: you're never really done. But I think an important thing to deal with it is to set in the milestones of like, what are we going to achieve this quarter? What are we going to achieve this year? What do we need to be thinking about? What do we need to be planning for in the next two years, three years? I think the five year plans become really difficult because there's so many unknowns and the rate of change in the space is so quick. You can build a five year plan, but it might be a humorous effort, looking back on it.

Keith McCartney:
But it also underscores the importance of continually evaluating what we need to be focused on. So even with your one year plan or a two year plan, when you get to that point, it's unlikely that you're going to be doing exactly what you thought you would be doing a year ago. If you are, you're pretty fortunate. You're pretty lucky. But having some type of feedback mechanism, having some type of evaluation of like, what are the threats my organization is seeing? What are the threats that other folks in the space are seeing, that our partners are seeing, that our customers are seeing? And so having that open dialogue with those partners, with those customers and even sometimes our competitors, I think that always makes our business a little bit nervous. But in our space, we're all on the same team. All right. We're trying to achieve the same objective, and breaches of even a competitor I don't think are necessarily to our advantage. That just increases the incentive for our space to be targeted. But, yeah, I just talked a lot there. But I think that to sum it up, I think you've really got to, like, prioritization is critical. And interim goal setting is absolutely critical. And I like the OKR approach where you kind of define what do I want to change about the organization versus this: like, OK, we deliver this project, we're good. But really, like, what do we want to change and how are we going to measure that change is a good way to think about it.

Michael Coates:
Yeah, and you touched on that measurement piece, which is really interesting in security, and there are extensive discussions on security metrics. And in many ways, at the base layers, you could track all sorts of metrics on patch level, passwords, the complexity. You can track all sorts of things, but some of it leaves something to be desired. And I like what you're saying about tying metrics to, like, OKRs, and actually understanding, well, what are you fundamentally changing for the company to move forward? I think that's the area. We have lots more work to be done in security, and certainly a great place to do some deep thinking about.

Keith McCartney:
Yeah, there's a lot of material that's been written on this. I think there's a lot of ideas right now around how do we measure security and what are effective measures of security. The old joke is like, does it really matter how many packets your firewall dropped? Like, that's not a good measure of security. But really tying it back to business objectives and how we're controlling and managing the risk that our space, the technological risk, presents to those business objectives.

Michael Coates:
And to your point about, you know, speaking to the board, if you've built that strategy that you're sharing with the board, you're right. Telling them how many packets your firewall dropped isn't going to, like, how does this help the strategy? And so suddenly, if you step back and don't think about security, like, well, what are we trying to achieve? How do we measure achieving that goal? Well, boom. Now you have some metrics that people might actually care about. Exactly. Now, very interesting. So you know, of everything you've seen through your journey, we know that there are plenty more people we need in the security field. I mean, on one hand, you could argue there's a security shortage. On the other hand, I'll argue people are bad at hiring. But those two things are both probably true. But so we need more people in security. What do you say to the people that want to transition from a security IC and they want to be a leader? They want to run a team. They want to run security for a company. They want to be in your shoes one day. What advice do you give them? Things to avoid, things to make sure to do?

Keith McCartney:
Yeah. Yeah, I like the two items that you called out, like a shortage of talent and people are bad at hiring. Pretty bad scenario that plays out. I think the other thing that I'd throw out there, as kind of a question, is maybe we're not great at developing our people either. And so when I think about that transition, my own personal transition from being a security IC to a security manager and security leader, you've got to make sure that you've identified who are the people going to help you on that journey? Right. Who are the people that you can use as mentors? They don't necessarily even need to be security people; it's helpful if a couple of them do have a background in risk and security and have dealt with some of the same challenges that you're dealing with. But don't be afraid to pick up a business person as a mentor as well, someone who's dealt with operations, someone who's dealt with business development or strategy. I think that's going to be really helpful for you to stay relevant and to understand the challenges that the business faces and how you can help. The other thing that I would say is that third leg that we talked about, that maybe we're not so good at, is make sure that you're developing the people who are going to fill those IC roles that you're going to need on your team, not just your replacement, but also other people that you're going to add to your team and build up, build the pipeline to make sure that those folks are getting what they need, that they're in a position to help you and to help your business.

Keith McCartney:
And I think there's always going to be folks that are growing faster than you can build a need for their skill set. And I think it's important as a community that we recognize that and recognize that it's not a bad thing if people leave our organizations to go someplace else for a better opportunity. We always obviously love to retain the talent, but I think more importantly for our people and for our industry is recognizing that talent does move. That's not necessarily a bad thing and that we all grow stronger as that talent base expands and becomes more diverse.

Michael Coates:
To draw together some of the things you said. If you stay at your role longer than 18 months and you develop a reputation for growing security leaders that end up going on to other amazing things, you're going to have a pipeline of amazing people that are with you at all times. That's the reputation. Yes. Well, very cool. Keith, this is amazing. I think I could sit here and talk for another hour with you until we grab a hot cocoa and hit the slopes here. Yeah, but really appreciate the time you've taken. Any final thoughts that we might have missed, that you want to make sure to throw out there to anyone else?

Keith McCartney:
Yeah, I think we talked about it a little bit. But just to recap the importance of relationships, you cannot be successful in this role on your own. You cannot be successful in this role in kind of an authoritarian or dictatorial position. You can try, people have tried that. It doesn't work. Right. It might work in the short term, but in the end, your users find another way. And so the relationships and building trust, not just with your customers, but also with your users, to have that reputation as being there to help them, being there to enable them, not being there to trick or trap or stop them, but being there to really make sure that they can get their work done and that they're thinking about security, but you also have their back. I think that's really important and that leads to success both in the security space and the IT space, in my experience.

Michael Coates:
I love it. I like the fact that if you're a good person, you try and put people's success and the business first, that, hey, things might work out, that's the way to go. I like that. Well, very good. Thanks, everyone, for joining us today. And again, thank you so much for your time, Keith. For those of you watching, I hope you enjoyed the webcast. Maybe you're listening to the audio and taking a much needed walk around the block. Don't forget to subscribe to get notified of new events and also subscribe to the podcast to make sure you don't miss any of these wonderful discussions. But again, Keith, thanks so much for joining us. Really appreciate it.

Keith McCartney:
Thank you.
