Secret CSO: Justin Calmus, OneLogin

Name: Justin Calmus

Organisation: OneLogin

Job title: Chief Security Officer

Date started current role: April 2018

Location: San Francisco, California

Justin Calmus is the chief security officer of OneLogin responsible for architecting and leading risk management, security, and compliance efforts. Calmus is an information security leader, researcher, and hacker-turned chief security officer who previously served as the chief information officer and the chief security officer at Zenefits. Before that, Calmus held various leadership positions at HackerOne, the leading bug bounty program, Salesforce, and LinkedIn. A hacker himself, Calmus regularly participates in bug bounty programs and drives initiatives to foster the global hacker community.

What was your first job? My first big corporate job was at Salesforce as an engineer. It’s where I first started building a team of mentors, and where I first saw how a very successful product turns into a very successful large company.

How did you get involved in cybersecurity? I grew up in Salinas. It was a tough community at the time and I stayed inside a lot, working at my computer. Hacking games were my initial passion – that’s what sparked me to develop my skills and explore the wider world of ethical hacking.

What was your education? Do you hold any certifications? What are they?

Explain your career path. Did you take any detours? If so, discuss. In the beginning of my career, I decided not to go into security. I was trying to avoid it because I was so incredibly passionate about it. I didn’t want a career path to interfere with my personal love for security. I thought that if I did it as a corporate job I would end up not liking it. Turns out I was wrong. At LinkedIn, I took my first opportunity to get heavily involved in security. It was an amazing experience and it made me realise that if you love what you do, it doesn’t feel like work.

Was there anyone who has inspired or mentored you in your career? There are a lot of people that I consider mentors. I see my career as a wheel. To have a strong wheel, you need strong spokes. In my analogy, those spokes are mentors – some in security and some not. It’s important to have variety.

If I did not have someone like Cory Scott at LinkedIn, it would probably have been more difficult for me to understand security from a corporate perspective.

In today’s world, I think it’s about your peers and ensuring that as a community we continue to help each other. I can access mentors over Slack or meet up with them for coffee. There are definitely many people I’d consider mentors in my life and I would encourage anyone to find mentors for themselves.

What do you feel is the most important aspect of your job? The most important aspect of my job is understanding the current and future threat landscape. Security is ever evolving, and it is nearly impossible to keep up with all of the technology trends.

What metrics or KPIs do you use to measure security effectiveness? Oh KPIs… everyone’s favourite subject. I have a few that I believe make a big impact. RDR – or Rate of Defect Recurrence – is one that should be more obvious to people. It asks how often you continue to see the same failures within your organisations, and whether that failure rate is going down. Essentially, are you effective at reducing the risk for your organisations or are you not? Another good one is the Remediation Window – how quickly are you actually resolving issues.

Is the security skills shortage affecting your organisation? Absolutely - our organisation and the entire security world. We're still 20 years out from having enough security talent in the field. We’re still trying to build that skillset among current computer science students.

Cybersecurity is constantly changing – how do you keep learning? You just make the time to keep learning. I’m quite lucky to absolutely love what I do. If you love what you do, and with the threat landscape constantly changing, there continues to be new things to learn and love. For me, it really comes down to after-hours reading. You can't spend all your time during the day reading about what's going on, rather you need to dedicate time when you’re less busy to dive into the latest of what’s happening in the field.

What conferences are on your must-attend list? DefCon, which has a little bit of everything including educational material about the current and evolving landscape. It is a conference where hackers are supporting hackers.

WarCon, a conference in Warsaw where they discuss exclusive material on vulnerabilities in the current and evolving landscape. It’s hard to get in but definitely worth it.

THOTCON, a conference with a hacker mindset that also caters to CISOs.

What is the best current trend in cybersecurity? The worst? Best cyber security trend: Identity and access management, of course. I honestly think if you don’t have an identity and access management strategy in your organisations you are doing something wrong. In the old days you’d manually de-provision people from applications without really understanding the threats that exist. Things can now get out of control quickly.

The worst: “AI security” as a buzzword. When you dig into most of what is talked about as having AI security it is not really AI - it’s just data analytics. The future holds great promise, but we’re not there yet.

What's the best career advice you ever received? Embrace failures, because failures always happen. As long as you learn, you will continue to evolve as a human.

What advice would you give to aspiring security leaders? Get involved in the community, which is encouraging and will educate you. Reach out to a local BSides or DEF CON chapter. Reach out to online resources like Reddit. Utilise as many free resources as you can. Get involved in the community and you will be successful moving up the ladder and learning more about security in general. After all, knowledge is power.

My core belief is to “always strive to be a teacher and not a judge.”

What has been your greatest career achievement? My current role at OneLogin. I’ve been really excited in just my first few months about how committed everyone here is, and with my experience in the security community, I feel this is my biggest and best opportunity to make a big impact alongside like-minded people.

Looking back with 20:20 hindsight, what would you have done differently? As I mentioned earlier, I would have gotten involved in security earlier from a career perspective. I was very worried that I would be killing my passion, but I couldn’t have been more wrong.

What is your favourite quote? “Always strive to be a teacher and not a judge.”

What are you reading now?

In my spare time, I like to… I absolutely love hacking. This line of work doesn’t feel like ‘work’ to me. I still participate in bug bounties and security research in my free time.

Most people don't know that I… I’ve done a lot of volunteer work with the SPCA, training abused and otherwise at-risk dogs to help them get adopted.

Ask me to do anything but… High-flying trapeze. I’ve done it before and I won’t do it again.