Cybersecurity collaboration, team building and working as CEO

[00:00:00] Chris Sienko: Today on Cyber Work, my guest is Wendy Thomas, CEO of Secureworks. Wendy's passion is encouraging collaboration on a mass scale across the cybersecurity industry. And in today's episode, we discuss some practical ways to make that happen. And we also discuss Secureworks’ extended detection and response platform pages. We also discuss important changes to hiring procedures and the money you could save by developing the talent you already have. That's all coming up today on Cyber Work.

[00:00:34] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, and offer tips for breaking in or moving up the ladder in the cybersecurity industry. As President and CEO, Wendy Thomas champions Secureworks’ drive to provide innovative best in class security solutions that sit at the heart of our customer security operations. She leverages over 25 years of experience in strategic and functional leadership roles, including Chief Financial Officer, Chief Product Officer and VP Strategy and M&A, and has worked across multiple technology-driven companies such as FirstData, Bell South and Internap Network Services Inc. Most recently, Wendy served as Secureworks as President of Customer Success, where she designed and implemented a customer-centric approach to security partnership. She is a graduate of the University of Virginia with a double major in economics and foreign affairs, and she holds an International MBA from the University of South Carolina, Darla Moore School of Business. Wendy was recently named the incoming CEO of Secureworks, which is a security platform informed by 20 plus years of threat intelligence and research. Wendy has taken time from her new role to tell us all about her cybersecurity journey, her work leading Secureworks’ strict strategy plans, and helping to take the group public in 2016, as well as the importance of cross-industry collaboration to address cybersecurity crime on a large scale.

Wendy, thanks very much for taking time to join me today. Welcome to Cyber Work.

[00:02:06] Wendy Thomas: Thank you very much. Glad to be here.

[00:02:08] CS: Alright, so we like to start out by getting the story of our guest’s cybersecurity journey in their own words. So your education and early career path were in the economics and finance sector. What was the allure of cybersecurity that moved you into this career space?

[00:02:23] WT: Well, I really have to start with what interested me in economics in the first place. And it was essentially the application of mathematics to predict human behavior as they make decisions within a system, an economy, an industry, a community, and to understand the leverage points that could potentially change the behavior within those systems. And to me, that type of systemic thinking applies very much to cybersecurity as well. And beyond that, it's sort of not your average industry when it comes to assessing and reducing systemic risk, driving different behaviors and outcomes by simply making your organization too costly to attack, because security is not your average industry. We're not talking about a set of competitors creating value by solving security pain points with products and services. You got an industry where all the players are facing a human adversary on the other side.

[00:03:18] CS: Yep. And so evolving threat imagine too, right?

[00:03:22] WT: Constantly, constantly. And one, we're all working sort of in a kind of siloed way to protect against. And so it really creates a unique dynamic in the industry both for customers and for providers like us. So because I am an economist, I originally read about the cybersecurity industry probably 15 years ago in an article in The Economist. And I had been working in the technology sector, but had never really thought about the cybersecurity of that.

And so long story short, not long after that, a friend introduced me to the then CFO of Secureworks. And a couple hours into that conversation I thought, “This is a great company, leading development in a new industry. And it's doing something that, frankly, could save the world.” And so, for me, I was hooked from that day on.

[00:04:16] CS: I love it. So in our introduction before the podcast, you noted that your dual roles in the business and technical side of Secureworks gives you a neat perspective on the industry. And just to sort of reiterate some of the things you've been saying here, your VP of Finance of Secureworks from 2008 to 2011, and then moved on some other organizations. And then came back to Secureworks in 2015, again, in financial planning and analytics, before moving to Chief Product Officer in 2018.

So the purpose of Cyber Work is not just to get sort of industry trends, but also to help people who are trying to move up the career ladder or get started in cybersecurity. So for those of us who aren't as familiar with the high rungs on the org chart, how big of a jump is it in terms of responsibilities, skillsets and experience to jump from finance to product officer? And then what was the role of chief product officer and how did your time and finance influence your vision for the company?

[00:05:12] WT: It is a question I am often asked, because it seems unusual. But if you think about leading finance or financial planning, especially for any company, it requires you to have a full purview of all the functions within an organization. Think of it as how do all the gears touch? Or actually where are they not touching, and they should? And so what you can do in that kind of a role is understand all the points of leverage in a business and put that in the context of an external market opportunity.

And so as you noted, we went public about five, maybe six years ago now. And at that time, I shifted gears from finance to take on Strategy and M&A. And there was a lot going on in the industry in 2016. And we as a leadership team thought, “This is a time to step back, assess the changes ahead in just the technology landscape,” right? The emergence of public cloud. And everything we were charged with securing was changing. And we also stepped back and, in all honesty, thought to ourselves, “This industry is not winning the fight.” The cybersecurity fight is actually losing ground as a collective industry.

And so with 20 years in the space, the good, the bad, all the learnings, we invested a good bit of time and set a for a vision for a very new and different approach to solving the biggest challenges of security with the ultimate objective, is we to turn the tide against the adversary, right? And so for us, that meant we had to completely reimagine and transform our technology, products and services to fulfill that vision. And as we laid out that strategy, the CEO turned to me and said, “Congratulations, you're going to move from a strategy vision role to go-make-it-happen execution role as the Chief Product Officer. And so that's how that came to be.

[00:07:13] CS: Okay. So for listeners who might be coveting the type of work that you do, can you tell us about your average day? Like what was your job role like as chief product officer? And what does your average day look like now is as CEO? Have your jobs responsibilities carried over at all? Or are they completely different? And what are some things that you have to or get to leave behind now that you're at the top of the food chain. Is that what you say?

[00:07:39] WT: Someone said to me the other day, “Seems like you no longer have a boss.” But I assured them that now I have many, many bosses.

[00:07:48] CS: You have a big, big boss called Secureworks. Yeah.

[00:07:52] WT: Yes. And that's pretty much why my early day starts with some yoga and a very strong cup of coffee. But the shift in roles is different in some ways, which I'll share, and not different in others. In one way, I spent a lot of time with customers. That's ultimately the way a company successfully secures customers, is to just spend time and understand the transformation their business is going through, the journey that they're on, and how they maintain security throughout that type of digital transformation. Or maybe it's a merger of two companies, whatever that is. And so that amount of time spent on customers continues.

What I would say is one of the biggest shifts to the CEO role is just a step function lift and making sure that I'm enabling, galvanizing and empowering the team, right? Giving them the right resources, putting them in the right areas, creating a very empowered operating framework, a culture where people can make good decisions in real time, because that lets them take better care of our customers.

I'd say the two areas that are different for me is a lot more time with investors, so one with those new bosses. And from a personal perspective, I am very passionate about the need to build better collaboration across the security community. And I do see this role as an opportunity, a pulpit, if you will, to start to build the kind of cross industry, frankly, cross-public private sector partnerships that could really help us solve some shared challenges in the security space.

[00:09:41] CS: Okay. So yeah, let's jump over to that. Now, the proposed topic for today and, obviously, you're passionate about it, you suggested it as today's topic, is the importance of collaboration within the cybersecurity ecosystem to defeat cybercrime at scale. Can you tell me about your ideas for encouraging collaboration on a large scale? What would this entail strategically and as of course of action?

[00:10:06] WT: Sure. I was just speaking about this topic yesterday. Secureworks had its sixth annual threat intelligence Summit. And this is open to anyone. You don't have to be a customer. And it is designed by our security experts and researchers for those in the industry as a way to create transparency to knowledge share to, frankly, make us all stronger together.

And what we do is create an opportunity for us to accelerate the fight, if you will. If you think about the cyber criminals and threat actors, they actually work together. It may be a very mercenary marketplace type of approach, but they have revenue share models, and they share software and intellectual property. And so we need to be able to do that at a much faster, more effective pace than they are.

But one of the things are guest speaker at the summit talked about, he’s Tony Sager, he's the Chief evangelist of the Center for Internet Security. And he talked about people always often think of this as threat intelligence sharing. And he said, “That's overrated,” right? Unless you put equal emphasis on translation into actual action, or the defensive machinery needed to execute that action, but sharing is just intellectually interesting, right? I think that the ability to facilitate a few things on what is the platform for collaboration? Do you feel secure using a social media application as a security professional to share information? How do you find each other?

And so one of the three strategic priorities of Secureworks is to build that security community, and that means facilitating it in a secure way, helping people find each other in like fields of security or industries. And I think that is the beginning of the pillars of starting to make connections that we can all use to be better, faster, stronger together.

[00:12:09] CS: So what are some of the roadblocks that you see at the moment for collaboration? Is this an infrastructure issue? Is it a lack of willpower? Is it that people want to sort of preserve their silo? Is it all of those things? Is it something else?

[00:12:24] WT: Well, the reality is, first and foremost, we are all in a business of providing cybersecurity. And there is a certain amount of secret sauce there. So we have to tackle what I would call misaligned economic incentives first, right? So how do you protect intellectual property across security companies who have the most access to data and insights other than maybe some governments and create an opportunity for them to do that in anonymize ways that protect their customers, but create the ability to respond at scale and speed to events that are happening?

I think the second big one is that we've got to tackle the sort of risk of legal liability over regulation, exposure and expense, because the bad guys are operating in free havens, right? They’re completely prosecution. They're not regulated. And so we need to find the right balance of making sure we all fulfill our fiduciary duty to have good security, but that we don't bog ourselves down in the fight with taking that too far.

And then the last one, to me, is what I mentioned about just the practicality of facilitating that collaboration. I was on the phone this morning with a CIO based in the UK. And that was exactly what she was talking about. She loves to participate in a community from a former company, but they were talking about how do they get something bigger that is secure and that they know that everybody that's there is okay to share information with. So I think we just have an opportunity to do fundamental things in those three areas to speed the fight.

[00:14:08] CS: Yeah. So what are some practical strategies that you think people should be implementing to encourage collaboration and sharing within cybersecurity? I mean, do you think that the siloed business practices are a matter – Well, I guess we just mentioned about the trade secrets thing. But like how is specifically Secureworks sort of reaching out and how would you like to see other security companies respond in measure in terms of – Because, I mean, it sounds like it's almost like a sound the alarm kind of situation and also that you're sort of like creating this kind of like situation room where everyone can kind of see on the map where everything's happening and stuff like that. So like, what is your end point, I guess? What do you see as like the best possible scenario for all of this? And where do you see that getting started?

[00:14:56] WT: I do see us able to uniquely facilitate that given our depth of contacts, not just in my industry and with customers, but across cross borders with different nonprofits and some government agencies. And I think there's a few sort of foundational elements that have to be in place. The collaboration and sharing starts also with a much more open attitude towards the victims of cyber attacks, right? We're very quick to criticize the victim at the source, when sometimes it might be in their supply chain or other things. And if they're having to fend that off, it really starts to shut down the fostering of sort of sharing and cross-cultural lessons learned sharing, right? And that lessons learned goes beyond just sort of sharing that malicious hash or domain that may be useful. But it's more about sharing with each other the trends in control framework failures, right? And so it's actionable for managing the risk of your organization in a very practical way.

And I do think from a government perspective, that broader approach is really important. Cybercrimes are very underreported, probably to an extreme degree, and it is very difficult for governments or different law enforcement agencies to prioritize things, prevent things if they don't have visibility. And so I think it is all about driving the ability to share intelligence and information in a way that is very practical and outcome-focused, and to take a look at that overall cyber ecosystem and see where we can feed defense programs, create private sharing in the industry that does not sort of take away their secret sauce and share that in a way that's very practical for the public.

[00:16:57] CS: Do you see any indications that is happening now? Or is this still you kind of yelling from the mountains and not seeing a lot of response?

[00:17:08] WT: Fortunately, I am not the only one yelling from the mountains. And I would describe kind of two things going on. One, for good or for bad, after the SolarWinds situation last year. The level of public knowledge of that this can actually impact our daily lives. And we might want to do something about this. And the thoughtful approach of different governments to exploring what is the right partnership here and willingness to invest and think about it even to engage in cross-border diplomacy around recouping names, and prosecution, and those kinds of things. So I think that's opening up. So that's good.

The second one is that as I talked to – We have a lot of higher education customers. So as I talk to the CISOs of those broad university systems, and even the CISOs of states, they’re in the US, they're also very interested in figuring out how to build cybersecurity talent, collaborate with the industry not just for creating internships and solving the talent gap problem, but just creating broader cyber literacy more generally. I think if you take those two tacks a much more knowledgeable, and active, and caring citizenry, and government who's taking a much more proactive, thoughtful approach to helping, that's a great combination.

[00:18:34] CS: Great. So I want to move from the macro to the micro a little bit and talk about your product here. In a recent article for SDxCentral, you noted that your vision for Secureworks is XDR domination. can you explain the workings of – And I apologize. I didn't think to look this up before. Taegis? Taegis?

[00:18:52] WT: Taegis.

[00:18:52] CS: Taegis. Okay. Can you explain the word –

[00:18:54] WT: Technology shield is what that’s meant.

[00:18:55] CS: Oh, okay, okay. Could you tell me what set Taegis apart as an XDR in the benefits of consolidating standalone security tools into a managed XDR platform?

[00:19:06] WT: Absolutely. So we at Secureworks sort of looked at XDR before XDR was a thing, as I talked about, when we were saying, “We've got to take a completely different approach to solving the technology security gaps.” And in the process of doing that we came up with really three fundamental tenants that we thought were important elements or fundamental elements of making sure that you had an effective security program. And where that came out to be was we said that what we wanted to do was to first build that true XDR solution with that vision from day one, and to make sure that we could look across an entire environment holistically. Two, that we would take our knowledge of the threat actor behavior and to detect the true activity, truly malicious activity going on. Not to spread noise of, “Hey, something might be going on,” but to distill it down into these are the things you have to focus on.

And then third, you have to have speed in response. If something gets through, you absolutely have to have the ability to automate containment actions faster than humans speed early in the kill chain. And so one of the most important things about XDR is that it facilitates that automated response to prevent the damaging breaches that can come with the passage of time.

[00:20:38] CS: Do you think that speaking to something you just mentioned here, do you think that a process of sort of eliminating the noise of incident response in terms of there might be something going on, but we don't know. Here's a bunch of random activity or whatever. Do you think that that's going to also be necessary in terms of cross-collaboration, that if we're all going to be sharing data, that it needs to be sort of like cleaner data? Is there any thought around that?

[00:21:06] WT: It absolutely has to be cleaner data. And one of the things that's important to us is having been in this space for 20 years running services across point products, we became very familiar with their capabilities, and importantly, the kind of telemetry and alerts that came from those. And so having a framework by which we can normalize, one, the data coming in so that others can then quickly search for that same type of activity in their environment. And two, normalizing the threat actor, not tactics, techniques and procedures, right? That's why MITRE ATT&CK is so useful for all of us to be able to map our coverage to a framework. It doesn't have to be that one. But we find that very useful for being able to speak the same language across the industry.

So as you think about the data, the tactics, techniques and procedures, the threat actors themselves in terms of who do they target and what are their motivations, because motivation is incredibly important, that that is a powerful way for us to start to collaborate in the same language across the industry and even the public sector.

[00:22:13] CS: Okay. Now, also in the SDxCentral piece, you noted that your strategy for addressing the skill shortage in cybersecurity is “turning managed service providers or MSPs into managed security service providers, MSSPs.” Can you talk more about this? In what ways does this shift help to fill or consolidate open security roles?

[00:22:32] WT: Absolutely. So one of the views that we had in that off sites so many years ago as we were laying out the XDR vision was that there had been this growing and, continues to this day, gap in cybersecurity talent. And we thought, “Well, who better to teach people how to run a very efficient and effective managed security services program than someone who had been doing it for 20 years in this space?”

So the concept was – So our first strategic pillar, as you talked about domination, is to be the XDR platform of choice. But the second one is to extend the reach of that platform globally, because the more data and insights you have, the more effective that platform is for everyone to enable those service providers globally. So we built, we launched earlier this year our MSSP program that has training and certification for different personas of security professionals, which anyone can access. It is public. You'll see people posting on LinkedIn as they get certified. It's really to help those partners move into security as an integral part of their managed service, managed services to customers and add security integrated on top of that, but to do it at scale, at good margins, and in a way that they trust is going to be very effective for their customers, because security is about trust. And that is just not something that you don't want to do absolutely well.

[00:24:08] CS: Right. Now, I want to move to another topic. It's been noted that you are a part of the less than 5% of cybersecurity companies that are led by women. And you've talked in the past interviews about increasing cyber literacy and supporting increased STEM programs, and also noted that, “We absolutely need to look like the markets that we serve,” which I completely agree with, and we talk about all the time on the show. So my question, first question, I guess, is how do we sort of build the bench for female cybersecurity professionals in the industry? And by that, I mean, that it's one thing to bring in more female professionals just starting their career, and that's great, and that's awesome, but it also seems like diversifying the upper levels of management and C-suites seems like a taller order, as noted, with the stat both high percentage of cyber companies being female-led. So do you have any strategies or thoughts both for female cyber professionals and for organizations who want not only to hire more female professionals, but promote them in the upper levels of the company?

[00:25:08] WT: Absolutely. This one is pretty important to me. When you think about sort of the funnel of talent, and this is not a silver bullet, this is something that has to happen over time. And as you look at that, where does the funnel shrink? And you see it first shrink kind of in that middle school age. And so I actually started a program more than a decade ago, teen girls in technology, to address that very thing.

And one of the most effective ways that kept those girls engaged in something they were already interested in, but instead of pulling out because it started to become unacceptable kind of culturally, socially, was to give them mentorship. To show them what a day in the life looks like, like you asked that question. And to say, “Hey, this is a great career. And there are people who look like you doing this. And you can bring others along with you in this type of save the world cybersecurity career.”

So I think that that is the same kind of thing that happens when the funnel starts to shrink later, right? Think about childbearing age. The funnel starts to shrink, and the demands of taking care of parents or children can fall disproportionately sometimes on females. And so as a company, then you want to think about not only that same support and mentorship, but understanding unique circumstances. And for Secureworks, it doesn't cost anything to be flexible. If you are focused on outcomes, instead of traditional education backgrounds, or career paths, or FaceTime in the office, if what you care about is the impact and the outcome, all of a sudden, you'll find a huge body of talent available to you. And if you simply reach out enough to say, “I want you. And I am going to help work with you to accommodate real life,” you start to not have that funnel shrink at key times in the career path of a professional. So I think there's a whole lot more that can be done. We've completely revamped our recruiting and interviewing.

[00:27:23] CS: That was going to be my next question. Yep. Go ahead.

[00:27:25] WT: Yeah, okay. I just shared with our board this week, we increased our diversity 10% since starting that program in June of last year. Removed sources of potential bias in the resume filtering process. We set a goal for the team to have at least one diverse candidate for every interview slate. Our talent acquisition team and our hiring managers took that up with verve. And we changed our job postings.

So again, if you learned computer science online, but you know your stuff and can pass our coding challenge or our security test, we're going to look at you. And I think that opening things up to just be able to see the talent that is actually out there actually created the opportunity for us to get on a much better path.

[00:28:20] CS: Yeah, that's great to hear. And I like hearing – We talk about all the time about the importance of – I mean, obviously, my job is to sell people on certification training. But at the same time, things like high-level certs and high-level degrees can be such a gatekeeper, especially if it doesn't necessarily isn't required in the position. I mean, it sounds like you have a pretty intensive screening process in terms of finding out like a person's experience and what they do outside of what they've studied for and things like that. And you think that's fairly important actually.

[00:28:55] WT: We also have a program internally where you can sort of – There's very relatively modest blocks of increasing your knowledge set internally and having a promotion path internally by reaching certain bodies of knowledge or areas of expertise. Not everybody has to start out as an incredible threat hunting security expert. There's absolutely a path to come in early stage and just expand your knowledge. And when you're surrounded by security experts at a company like this, your learning path is even more accelerated. So we really like the concept of bringing people in and developing them with what we think good looks like. And honestly, when they go out into the world and work for our customers, that's actually a great thing for us too.

[00:29:47] CS: And it sounds like that means that you – It sort of requires that your company budget requires a modicum of training and developing time and space, because I think a lot of the gatekeepers thing that happened seems to be because we just want you to hit the ground running. We want you to have all the skills that you'll ever need for this job. And I think it needs to be sort of reiterated in flaming letters on the side of the mountain that like you really need to develop your bench, your team. And I don't know that every company wants that. I think they just want superstars, and they want them to just go for it. We're already five weeks behind on this project. So just get them in there, and plug them in, and plug and play, and burn them out, and move them on.

[00:30:37] WT: Well, if you do the math though, the expensive that is actually less than turnover and recruiting. It really is.

[00:30:44] CS: Sure. I believe it. Yeah.

[00:30:44] WT: This is an easy business case to make.

[00:30:47] CS: Yeah. So as we wrap up today, I want to ask you what you're most excited to get started with on as the new CEO of Secureworks? What are your big initiatives for the rest of the year and in the 2022 that you're looking forward to jumping into?

[00:31:02] WT: We are absolutely focused on continuing to build innovative technology and to continue giving customers the benefit of our knowledge of the fight, right? We stay in that fight with our customers every single day. We do thousands of incident responses and adversarial tests every year. And we use that to just make our technology smarter for everyone who uses it.

And the second one for me is just to keep building this bench of security service providers so that we can close the gap and share our knowhow via the platform and the community and start to actually turn the tide in this fight. That is the ultimate measure of our success, is that we all feel that tide start to turn. And I would be very proud to say that that was my life's work.

[00:31:55] CS: So to wrap up there, do you have any advice for people who are entering the cybersecurity space who might be stuck in a helpdesk role, stuck in a job they don't like feeling like they don't know where to go next, or they feel overwhelmed by the choices? In terms of like what you think is going to be interesting and exciting in the years to come for people who are feeling mired down right now, do you have any advice for them?

[00:32:22] WT: Absolutely. I mean, I would encourage you to go to our website and take a look at some of those certifications. We actually ask all of our employees to go through the foundational courses. Even if you're an accountant sending out bills or that kind of thing, we think it's important that all of us, again, have some level of cyber security understanding in our day to day lives. And if you think about looking out at online learning opportunities more generally to just start to get into the security space, I would most encourage you to reach out to someone in the space to just talk about a day in the life of different kinds of roles and how they sort of moved into more expert type roles. If you have the technical chops to serve on that help desk and an empathy for the customers who call you on that help desk, you can absolutely build a great career in cybersecurity and send you to Secureworks.com.

[00:33:21] CS: Nice. Oh, there we go. If our listeners want to know more about Wendy Thomas or Secureworks, where can they go online? Sounds like secureworks.com is the answer.

[00:33:29] WT: Absolutely.

[00:33:29] CS: Alright. Wendy, thank you so much for speaking with me today. It was really enjoyable.

[00:33:33] WT: Great to be here. Thank you so much.

[00:33:36] CS: And as always, thank you to everyone who is listening to our podcast at home, listening at work, or listening at work from home. New episodes of the Cyber Work podcast are available every Monday at 1pm Central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. I'm excited to announce that our InfoSec Skills platform will be releasing a new challenge every month with three hands-on labs to put your cyber skills to the test. Each month you'll build new skills ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we're giving away more than $1,000 of prizes each month. Go to infosecinstitute.com/challenge and get started right now. Thank you once again to Wendy Thomas and Secureworks. And thank you all so much for listening and watching. We'll speak to you next week.