Secret CSO: Rick Holland, Digital Shadows

What is the best current trend in cybersecurity? "For the best trend, I’m pleased to see the increasing discussion on diversity in our workplace."


Name: Rick Holland

Organisation: Digital Shadows

Job title: CISO, VP Strategy

Date started current role: January 2016

Location: Dallas, Texas

Rick has more than 15 years’ experience working in information security. He is currently the Chief Information Security Officer at Digital Shadows. Before joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy. Holland also served as an intelligence analyst in the US Army. He is currently the co-chair of the SANS Cyber Threat Intelligence Summit and holds a B.S. in business administration from the University of Texas, Dallas.

What was your first job? My first “real” job was military intelligence in the U.S. Army. I had some great experiences in the Army, in particular, living in Kuwait and the United Kingdom.

How did you get involved in cybersecurity? My first job out of the Army was doing technical support for dial-up modems. Yes, I knew U.S. Robotics very well. I parlayed that job into helpdesk and then desktop support at a home builder. In 2002, the Enron scandal resulted in the establishment of the Sarbanes-Oxley Act, and my company needed someone in IT to work with Deloitte on our SOX compliance. I didn’t know what SOX was, but it sounded much better than reimaging Windows XP machines, so I volunteered. Many people in our community loathe compliance and regulations. I’m ever grateful to Senator Sarbanes and Representative Oxley for regulating the financial reporting at publicly traded companies. Without their legislation, my career path would likely have looked vastly different.

What was your education? Do you hold any certifications? What are they? I didn’t take the traditional route to my college education; it took me more than a decade to finally complete my bachelor’s degree. After spending four and a half years working in a high-tech field in the Army, I wasn’t interested in becoming a full-time student. I wanted to continue to work in technology, so I was a VERY part-time student for many years. I ultimately earned my B.S. in Business Administration from the University of Texas at Dallas. I maintain my CISSP and two SANS certifications: GIAC Cyber Threat Intelligence (GCTI) and GIAC Certified Incident Handler (GCIH).

Explain your career path. Did you take any detours? If so, discuss. My career began in the U.S. Army and then progressed to technical support and desktop support. Thanks to SOX, I made my way into IT Compliance which then got me interested in cybersecurity. At that time in my career, I wanted to complete my bachelor’s degree, so I went to work at the University of Texas at Dallas defending the school’s networks. Being right on campus accelerated my ability to complete my degree. I then spent time as a Sales Engineer at Accuvant (before the Optiv days) which helped me become an industry analyst at Forrester Research. Digital Shadows was a client of mine at Forrester, and I saw a need for companies to get visibility into their external exposure, so I made my move to the dark side. The dark side is also known as “vendor land.” Many have joked with me that industry analyst firms like Forrester are the true dark side. Search your feelings, you will know it to be true.

Was there anyone who has inspired or mentored you in your career? John Kindervag, who is currently the Field CTO at Palo Alto Networks, has played a significant role in mentoring me throughout my career (in addition to mentoring my electrical skills at home). Your readers will know John as the creator of the “Zero Trust” model, which is now ubiquitous in our space. Years before either of us were at Forrester Research, John was a solutions architect selling to me at Centex Homes. We kept in touch over the years, and John suggested that I apply for an open role at Forrester to work alongside him. After the most challenging hiring process I’ve ever been through, I somehow got the job. John took me under his wing, nurtured me, and taught me how to be an industry analyst. I’m forever grateful to the father of Zero Trust.

What do you feel is the most important aspect of your job? Recruiting and retaining employees is the most critical aspect of my job. Unfortunately, we get way too wrapped up in technology and project lists and don't focus enough on our teams. Helping my team to progress their careers at Digital Shadows and beyond is a top goal for me. Trying to establish a culture that provides flexibility and pragmatic prioritisation of our ever-growing project lists is essential to me.

What metrics or KPIs do you use to measure security effectiveness? Anti-virus hits, vulnerability scans, just kidding. You have asked a great question, and I don’t feel 100% comfortable with what we have in place; we are maturing our reporting like everyone else. We use operational metrics around incident volume, mean time to detection, and mean time to restore. We also look for business-related metrics. How much revenue generation was our security team involved in for the security questionnaires that come in from our customers and prospects? How many clients have used the tools that our security team has built to enhance their operations?

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We haven't encountered the staffing shortages that so many other organisations are experiencing. At Digital Shadows, we are fortunate to have a long list of qualified candidates for our security and compliance roles. We certainly do have skills that we want to develop further within our team. Skills development ties back to staff retention as well. We want to invest in and level up the team's skills so that it benefits both the individual and the organisation. Some skills that I prioritise in new candidates and training are all things DevSecOps, coding/development, and compliance/privacy.

Cybersecurity is constantly changing – how do you keep learning? I have to make time for continuing education. It is critical to set aside time on the calendar for development and protect that time as well. Unfortunately, it is very easy for operational items to take priority over personal growth. I also like to learn from my fellow CISOs, in particular, those that work in the technology space. They have similar challenges and struggles and victories to share.

What conferences are on your must-attend list? The SANS Cyber Threat Intelligence Summit is on my must-attend list, but I help run that event, so there is an obvious bias there. I’m a fan of the Security BSides events; they are far less corporate than some of the others out there. I’m also very interested in conferences like Amazon re:Invent and the new Amazon re:Inforce.

What is the best current trend in cybersecurity? The worst? For the best trend, I’m pleased to see the increasing discussion on diversity in our workplace. I recognise that talk is cheap, and we need more action. Two years ago, at the SANS Cyber Threat Intel Summit that I co-chair, I noted that the speakers all looked like me. I was delighted that for this year’s summit we significantly increased the diversity of the speakers. We still have more work to do, but we did make a difference this year. For me, the worst trend in cybersecurity is the negativity that dominates social media. Complaints about this, complaints about that, we have industrialised complaining about our space.

What's the best career advice you ever received? When I first started my career as a security practitioner, I was the epitome of the “department of no.” I took pleasure in blocking users’ access to websites. I took pleasure in locking down their machines so much that a root canal would be a preferable option. My first Chief Information Officer, Tim Hough, taught me that wasn’t the correct approach and that we didn’t do security for the sake of security.

What advice would you give to aspiring security leaders? Network, network, and then network some more. Networking has served me well throughout my career, and it continues to do so today.

What has been your greatest career achievement? I’m not very good at answering these sorts of questions. I don’t have a humble brag queued up here either. For me, I like to measure my success by the team’s success. I consider my team members’ promotions and internal accolades to be great achievements for me.

Looking back with 20:20 hindsight, what would you have done differently? Does making sure that all network changes are thoroughly vetted before implementation count? Asking for a friend.

What is your favourite quote? "If it bleeds, we can kill it" from the 1987 film Predator. Predator is about overcoming impossible odds against an outmatched adversary. Whenever I'm in an overwhelming situation, I ask myself "What would Dutch do?" I then adapt and overcome. I'm so fond of this quote that in 2013 I presented an entire cyber threat intelligence talk on it.

What are you reading now? I'm reading Tiamat's Wrath, which is part of The Expanse series. I highly recommend The Expanse for any science fiction fans out there.

In my spare time, I like to… Sleep, and then sleep some more. When I'm not sleeping, I like to spend time with my family, travel, and cook.

Most people don't know that I… Despite my affinity for smoking meats, I eat a plant-based diet most of the time. I've had some work-related stress challenges, and I've been making a conscious effort to be healthier. I also do yoga 2-3 times a week.

Ask me to do anything but… sit in a middle seat on an international flight.