Secret CSO: Eddie Garcia, Cloudera

"It can seem daunting to keep up with everything, all the new cybersecurity software and the internet of threats, but it really comes down to dedicating time to keep up with what’s going on in the world of security."

Name: Eddie Garcia

Company:  Cloudera

Job title: Chief Information Security Officer

Time in current role: 1 year as CISO

Location: Austin, Texas, USA

Education: I have a B.S. in computer science from Tecnológico de Monterrey. I’m also a certified CISO and hold four security-related patents.


Eddie Garcia, Chief Information Security Officer (CISO) at Cloudera, has worn many hats over the course of his career. He served as vice president of InfoSec and Engineering at Gazzang, was the chief architect of zNcrypt encryption products, holds four issued and provisional patents for data security, and is Hadoop Security book co-author on Data Security. He has established a strong platform as an expert in information security, building software and leading highly energized security and engineering teams. Today, as Cloudera’s CISO, Garcia helps the company and its customers reduce security and compliance risks associated with sensitive data sets stored in big data environments. He focuses on information security and privacy programs, cybersecurity and threat analytics using Apache Spot, machine learning, and more.

What was your first job? I started off as a software engineer, writing code, and that evolved into security software.

How did you get involved in cybersecurity? I helped build a startup that focused on the protection and encryption of big data and that company was acquired by Cloudera. Once at Cloudera, I went from protecting consumer data to protecting the data and infrastructure of Cloudera and its customers.

Explain your career path. Did you take any detours? If so, discuss. I did a few potential startups, mostly night and weekend things, and it took a few before building out one that ultimately was acquired by Cloudera. Still, there’s that entrepreneurial part of me and it’s led me to many different opportunities. The highlight of all this work has been the acquisition by Cloudera. Four years ago when I joined, Cloudera was a pretty small company and it’s been a blast building up the company to the IPO last April.

Was there anyone who has inspired or mentored you in your career? My earliest mentors continue to mentor me to this day. It’s also not a coincidence that the best mentors I’ve had had their own mentors. Amr Awadallah, Cloudera’s CTO, has been a wonderful mentor. He really helped me grow after Cloudera acquired my company -- he’s just a phenomenal person.

What do you feel is the most important aspect of your job? Reducing risk for our customers and Cloudera by securing data. That can come in many forms -- from ISO to GDPR to detecting threats and vulnerabilities. More recently there’s been a large focus on using machine learning to address cybersecurity threats and eliminate them.

What metrics or KPIs do you use to measure security effectiveness? We set goals and then measure our progress in attaining those goals; we run various projects and programs to measure security effectiveness.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? We at Cloudera have not been impacted by the security skills shortage. Organizations in general need to be aware they’ll have to train a candidate on specific skills, for example, finding a resource that can configure a firewall and write code and be able to recite the ISO 27001 security controls will be hard, you are better off training on a missing skill. Data science is a difficult area to find people, particularly with machine learning expertise for cybersecurity. There’s a bigger shortage, in my view, in data science than in cybersecurity right now.

Cybersecurity is constantly changing – how do you keep learning? It can seem daunting to keep up with everything, all the new cybersecurity software and the internet of threats, but it really comes down to dedicating time to keep up with what’s going on in the world of security. Set aside a few hours a week.

What is the best current trend in cybersecurity? The worst? The best: machine learning, anomaly detection and predictive analytics. These all will have a great, positive impact on the community. The worst: blockchain and cryptocurrency. They’re overhyped and setting unrealistic expectations they can solve the world’s biggest challenges.

What's the best career advice you ever received? Don’t be afraid to take risks. Risks are how we learn and grow.

What advice would you give to aspiring security leaders? Security comes in many different flavors, so pick one that you’re passionate about. Don’t look at salary ranges or titles; those will fall into place on their own.

What has been your greatest career achievement? To see my contributions help organizations securely process data for good, helping to advance neonatal care, combat sex trafficking and develop new precision medicine. That’s the most satisfying part of my job, contributing my little part to making these possible.

Looking back with 20:20 hindsight, what would you have done differently? If I were to sum it up, I’d say starting to take risks sooner. Earlier in my career I stuck with what was comfortable and was too risk averse. It wasn’t until I started taking risks that I got the rewards.

What conferences are on your must-attend list? It’s interesting because my must-attend conferences have changed over time. It used to be RSA and Black Hat but now I look for more specific events such as CISO or privacy summits -- ones that are more specific to a particular topic, I get the most value from the smaller events..

What is your favorite quote? “In a gentle way, you can shake the world.” --Mahatma Gandhi.

What are you reading now? 99 GDPR articles.

In my spare time, I like to… That’s an easy one -- spend time with my family, as much as possible.

Most people don't know that I… Ride motorcycles. I have a Moto Guzzi and a Harley that I love.

Ask me to do anything but… Fix someone else’s source code.