Name: Gerald Beuchelt
Organisation: LogMeIn
Job title: Chief Information Security Officer
Date started current role: May 2017
Location: Boston, MA
Gerald Beuchelt is the Chief Information Security Officer at LogMeIn. He is responsible for the company’s overall security, compliance, and technical privacy program. With more than 20 years of experience working in information security, he is a member of the Board of Directors and the IT Sector Chief for the Boston Chapter of Infragard. In his prior role, Beuchelt was the Chief Security Officer for Demandware, a Salesforce Company.
What was your first job? My first job was in a commercial hospital’s laundry room – unpacking the dirty laundry from ICU stations, operating rooms, and general hospitals.
How did you get involved in cybersecurity? I was slowly lured into the cybersecurity industry over time. At the beginning of my professional career, I was first focusing my efforts on reviewing UNIX and Linux interoperability with Windows NT 4.0, and later Windows 2000. At that time, one of the greatest challenges was the proprietary Kerberos extensions Microsoft put into Active Directory. Naturally, this challenged me to better understand the overall security architecture of operating systems and the various challenges associated with it. With the broader availability of SAML-enabled web services and the need to federate identities across multiple providers, I worked on various identity management issues, including the overall development of the OAuth and OpenID ecosystem.
I then proceeded further into cybersecurity when I started working on several government projects and took responsibility for securing a large acquisition project. While I loved the mission, the people, and the general subject, I was not too thrilled with the speed of execution in the government space. This factor, ultimately, led me to pursue a career working in the private sector as CISO.
What was your education? Do you hold any certifications? What are they? I studied in Germany, and I hold a “Diplom” (similar to a Master of Science) in Mathematical Physics from the University of Cologne. My degree still comes in handy when looking at the more modern computing innovations, such as encryption using quantum entanglement or general quantum computing. Overall, that particular subject does not have too much overlap with security, but the path of completing the program definitively trained me to analyse and solve very complex problems.
For certifications, I hold the (ISC)2 CISSP and ISSAP, the ISACA CISM and CDPSE, plus a few others.
Explain your career path. Did you take any detours? If so, discuss. I took a brief career detour from 1994 to 1997, and I dabbled in journalism. During that time, I worked as a freelance IT journalist and published several articles in major German computer magazines, including “DOS” (DMV) and “PC Professionell” (Ziff-Davis).
Was there anyone who has inspired or mentored you in your career? Many individuals have inspired me to work toward larger career goals; however, Eve Maler, CTO at ForgeRock, stands out, since she is known as one of the inventors of the Extensible Markup Language, better known as XML, and of the Security Assertion Markup Language (SAML).
Eve and I go a long way back, having worked together for several years when we were both at Sun Microsystems. She helped me understand the intricacies of the open standards community back in the day.
It’s safe to say that Eve was one of the most important driving forces in my work life, molding my career journey and my passion for cybersecurity.
What do you feel is the most important aspect of your job? In my role, I value excellent communication between team members, partners, customers, and other stakeholders. I firmly believe that security is more about the people than it is the processes or technology. Customers and employees – no matter the seniority level – should always come first to ensure proper security practices. The key to attaining this security hygiene level is enabling individuals with the right skills and the right mindset.
What metrics or KPIs do you use to measure security effectiveness? There are several technical and operational KPIs used to measure security effectiveness, such as time to resolution of an issue, vulnerabilities per solution patching cycle, and other technical metrics. Most of these are incredibly tactical or operational and allow security or IT teams to optimise their service catalog and delivery.
From a business perspective, however, it is critical to be aware of the strategic metrics that align with the organisation’s overall goals. For example, how efficient is your organisation at effectively adapting to events such as the recent lockdowns, and is your security program supporting the overall business objective? Some ways to measure this include looking into what kind of revenue the business is supporting through compliance-related efforts, where your pitfalls are, what risk management strategies you have in place, what the overall efficiency run-rate is, and how this could translate to a vulnerability.
I have found that it is only through keeping track of operational and business-oriented KPIs, that you get a well-rounded outlook of how effective your organisation’s security measures are.
Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We are always looking for individuals with a security mindset – a skill set that is as hard to define as it is to find. A security mindset goes beyond just possessing the specialised knowledge or technical skills needed to thrive in a security role. Instead, it involves having a keen eye for potential threats, the willingness to dig deep to find out where the gaps lie and the ability to think outside the box. These individuals are one step ahead of the adversaries by anticipating their actions – which is a key skill to possess in today’s cybersecurity landscape.
Security is a team sport, and it is critical to collaborate openly and thrive in diverse communities. While knowledge and skills are vital to staying ahead of our adversaries, we can only address security issues in a concerted manner.
Thus, the problem then becomes finding the right security genius who can play in a large team and influence stakeholders to make tough choices and investments without always having formal mandates.
Cybersecurity is constantly changing – how do you keep learning? One of the best ways I learn is by working with peers in my respective community – locally and globally. I regularly read current news and listen to podcasts, which helps to contextualise current trends and events. I also follow several key thought leaders across various industries on social media platforms such as LinkedIn or Twitter. I often find myself re-sharing their insights and getting involved in their conversations, which is a fantastic way to learn about different perspectives.
If you are lucky enough to work with global colleagues, you should embrace the opportunity to learn from them. I often find this to be the best way to gain an international outlook on security trends, which is incredibly helpful in building my knowledge base.
What conferences are on your must-attend list? This is an interesting question in this day and age. Large-scale events such as the Gartner Symposium, DEFCON and RSA Conference have always remained favorites for tech executives and enthusiasts.
While these conferences are, without a doubt, an exceptional platform for best practice sharing and knowledge exchanging, over the years, I have found that the bigger the conference is, the harder it can be to get quality face-to-face time with fellow attendees. As we continue to navigate a remote workforce, it will be interesting to see when these events will be available in person again – until then, the associated virtual conferences are a good – but not perfect – alternative.
My advice to fellow tech enthusiasts is to expand and include smaller events on their must-attend list. Smaller conferences offer opportunities to meet like-minded people and share knowledge. Our current remote work environment provides accessibility to attend these events as location no longer plays a factor.
What is the best current trend in cybersecurity? The worst? More and more businesses realise the critical importance of keeping themselves safe and improving their cyber-readiness. In turn, they are migrating from a static security program to a more dynamic risk-based assessment and employing threat-centric approaches to their cybersecurity practices. This development has motivated several improvements, such as increased acceptance for zero-trust networking models, which paints a better picture of its security posture and potential risks.
One concern is the potential threat associated with deep machine-learning and emerging AI. As automation advances, so do the methods bad actors have up their sleeves. Ongoing coverage of cyber threats and data hacks should remind us that there is a heightened need to combat threats with similarly advanced solutions. Ultimately, it is a matter of who innovates faster and is quicker at leveraging machine-learning technologies and AI.
What's the best career advice you ever received? “Always follow your passion.” As cliché as that sounds, this advice still rings true for me and has guided me through several career decisions.
No matter your career path, I’ve found that the key to success lies in how much effort you’re willing to contribute outside of the job. Your career should mean more to you than just five days a week and a 9 am to 5 pm routine. If you feel passionate about what you do, you will find that you feel more motivated to educate yourself on your own time and build your skillset outside of the office.
What advice would you give to aspiring security leaders? My number one advice to anyone in the security industry is to focus on people, processes and technology – in that order. Many security leaders these days are armed with an abundance of technical knowledge and skills and still they lack critical understanding of the factors that can make or break a good organisation.
Focusing on people requires security leaders to develop a high degree of empathy so that they can fully understand the concerns and needs. This empathy allows them to collaborate not only with R & D or Product Management but also with Legal, Finance, HR, and Sales. All these functions play equally critical roles in influencing the success of any good business. Security leaders must understand that to succeed, these functions must work harmoniously towards the same business goal.
Unlike technical skills, these soft skills are not ones that can be easily picked up through classes. These are the kind of skills that you hone carefully over the years as you move through your career journey. Aspiring security leaders must focus on building up their skillset to make an impact in the security community.
What has been your greatest career achievement? Mentoring individuals on their own career paths has been a highlight of my own career journey. Sharing my insights, knowledge, and experience – both good and bad – with others has always given me joy. I take great pride in knowing that I have had a part to play, however small it may be, in helping others create successful experiences for themselves.
Looking back with 20:20 hindsight, what would you have done differently? Looking back on my career, I can honestly say I wouldn’t change a thing! All the experience that I have had helped contribute to who I am today.
What is your favourite quote? “We should therefore claim, in the name of tolerance, the right not to tolerate the intolerant.” - Karl Raimund Popper, The Open Society and Its Enemies.
What are you reading now? As always, I continually educate myself on all things security and intelligence, but outside of my field, I am finding The Dubious Morality of Modern Administrative Law quite fascinating right now.
In my spare time, I like to… spend as much time with my family as I can. We enjoy the outdoors, so hiking, biking, fishing, and other outdoor sports are on the menu.
Most people don't know that I… took about 20 years of piano lessons, making for half-way decent amateur recitals of Liszt’s Hungarian Dances and some easy Rachmaninoff pieces. Unfortunately, those days have long passed.
Ask me to do anything but… eat bell peppers – I cannot pass on it hard enough.