Secret CSO: Jefferson Horne, Ordr

Most people don't know that… “I’ve been a licensed Private Investigator since I was 17.”


Name: Jefferson Horne

Organisation: Ordr

Job title: CSO

Date started current role: March 2020

Location: Denver, Co

Jeff Horne is currently the CSO at Ordr where he is responsible for security direction both within Ordr products and internal security. Prior to Order, he was the VP of Information Security for Optiv where he was responsible for all Security Operations, Governance Risk and Compliance, Endpoint, Internal Incident Response, Physical Security, and Employee Security Awareness groups. Before Optiv, Horne was the Senior Director of Information Security for SpaceX where he was responsible for the overall security strategy of SpaceX. Horne is well known for his insight in interviews for numerous news channels and publications, speaking roles at various security conferences, as well as authoring several vulnerability disclosures and patents.

What was your first job? My first official job was for Office Depot when I was 15. My job was to upgrade computers (mostly installing new hard drives and ram). At that time, I was also building and repairing computers for people in my city and advertising my services in the local grocery store. My first non-official job was when I was 8 when my best friend and I started a strangely successful ghostbusting business that we advertised via flyers we distributed. My proton pack was a bunch of old noisy radio parts in a Who Framed Roger Rabbit backpack connected to a microphone with lights in it.

How did you get involved in cybersecurity? Ever since I can remember I was taking things apart to see how they work. In my house broken TV’s, phones, radios, would always have to pass by me before they were thrown out so that I could take them apart and see if I could fix them or salvage some interesting bits. My mom and dad saved up and bought the family a computer when I was 13. It was a 486 66/DX2 that I was constantly fixing and playing games on. Like most 13 year olds with a computer I loved video games, but I then started learning how to alter bytes within the games to give me more gold or points, or just to make the games do weird things. I wanted to learn more about this but there wasn’t really many books or magazines that were available, so I started dialling into BBS’s and connecting to IRC to talk to other people about video games. After a few years I got really interested in programming and was regularly “hacking” games.

When I was 16 my parents had given me the 486 computer to keep in my room where I “upgraded” it to run a somewhat stable version of Slackware linux that I could write and compile code on. 16 was a big year for me because at the height of my infatuation with hacking games Phrack magazine released Aleph One’s Smashing The Stack For Fun And Profit and changed my life forever because I knew then what I wanted to do for the rest of my life.

What was your education? Do you hold any certifications? What are they? I graduated from McIntosh High School in Peachtree City Georgia in 1999 and went to Georgia State University for a year before dropping out. I don’t hold any certifications, but I was A+ certified when I was 15 for my Office Depot job. When I say this, I feel that I need to explain 2 things.

I think certifications are great and feel that it’s a great way for most people to further educate themselves. Not getting a college degree is still a regret of mine. Unfortunately, in 1999 there weren’t any cybersecurity degrees, and most programming courses were website based given this was during the dotcom boom. Fortunately, I was hired as a programmer out of high school by Internet Security Systems in Atlanta Ga, and was working there and going to college. In 2000 I needed to make a decision to either take a promotion from install programmer to vulnerability analyst for the Internet Security Systems X-Force team or stay in school. I dropped out of college, I still regret it, and constantly think about getting a degree in philosophy.

Explain your career path. Did you take any detours? If so, discuss. During high school I had made some connections on IRC with people at Internet Security Systems in Atlanta Ga. ISS hired me when I graduated high school to write installers for Database Scanner and Internet Scanner on Windows. I then started writing installers for the Solaris version of RealSecure and then was promoted to do IDS evasion research and vulnerability discovery inside ISS’s X-Force team. I most worked on testing decode signatures for RealSecure and was also modifying previously written exploits to make them work on updated OS/Application versions. My first vulnerability discovery job was when ISS tasked me with researching these expensive new Polycom videoconferencing units they had purchased in 2002. With some help from my friends, I was able to find 5 remote vulnerabilities in the Polycom camera systems and write 10 proof of concept exploits that allowed me to remotely access, gain full control, and receive video/audio from any connected Polycom camera unit. During this time I was given the opportunity to work with the United States Government under a clearance contract around breach and vulnerability discovery.

After working on vulnerability analysis for a year I transitioned to reverse engineering both malware and anti-virus engines in order to work on a behavioural based anti-virus engine based on API execution analysis. I was then hired by Webroot software and I moved from Atlanta Georgia to Boulder Colorado to create detection and removal techniques for their SpySweeper product. At this point I was running a team of reverse engineers and developers that were both tearing apart complicated malware, writing unpackers for common binary obfuscators, and creating some decent detection and removal techniques.  

After Webroot I was hired by Accuvant to create and run their Malware and Incident Response/Threat Management practice within their Labs organisation. For about 6 months I was the only person on the team and would be regularly shipped out to reverse engineer malware that had infected large networks and create and distribute remediation code. After a few successful engagements I was able to assemble an awesome team of reverse engineers, incident responders, whom were also my friends. I was completely confident in my teams’ skills and my job changed from being a technical reverse engineer to being an interim CISO for clients and helping those organisations understand the problem, what my team was doing to fix it, and walk them through a breach.

After Accuvant I was hired to be Senior Director of Information Security at SpaceX and I moved out to Los Angeles. This was a dream job for me, and I was lucky to be there when I was. I was able to work closely with both the engineering and launch teams, and Elon Musk is a talented programmer and extremely interested and knowledgeable about security and so it was great being able to work closely with him on security issues. I was there for the first landing of the Falcon 9 rocket, the start of the Falcon Heavy and Starship projects, and the award of several launch contracts that made SpaceX a United States based launch provider. SpaceX had a lot of unique issues that I had never experienced before, and I loved every minute I was there. During my time there I was exposed to a lot of policy work because SpaceX is considered to be a weapons manufacturer in the eyes of the United States Government due to the fact that its primary product is a payload carrying orbital rocket booster. I was knee deep in International Traffic in Arms Regulations (ITAR) and NASA specific security compliance standards and policies during my time there. NASA has had teams of technical writers documenting literally everything they’ve done for the past 63 years. The NASA instructional standard to solder two wires together and connect wires through a simple wiring harness is 101 pages long. I forgot how long the NASA standard was for secure transmission of astronaut bio-monitor data was but I do remember being worried about it breaking the glass top conference table when the NASA engineers had printed it out for me to review.

After SpaceX I decided to move back to Colorado where I was hired as the CISO of Optiv and ran their internal cybersecurity teams. Optiv was interesting because it’s a security company that advises and sells security products to other companies so again, I was knee deep in Third Party Risk Management (TPRM) for thousands of large organisations. I luckily had a very talented Governance Risk and Compliance team. I got to work on implementing and managing advanced cyber security controls across multiple countries. What I loved most about my time at Optiv was that I had access to all of the latest and greatest security tools, and that I got to trial and review them and subsequently advise companies on how to implement and use them.

After Optiv I joined a start-up called Boldend as their CIO/CISO. Boldend is very interesting as it works exclusively with a few US Defense Contractors and the United States Intelligence Community. I unfortunately cannot talk about anything I did at Boldend which knowingly makes it sound more mysterious and interesting, but it was actually pretty normal stuff.

After Boldend I was hired by Ordr to be their Chief Security Officer. Being a start up my role is of course multifaceted and includes; product security features, internal CISO responsibilities, compliance, customer advisement, and a bit of public speaking. Ordr is a great company with very talented people solving a foundational asset discovery management problem made more difficult by new and old devices suddenly becoming connected computers on the network.

Was there anyone who has inspired or mentored you in your career? When I was about 15 I had saved up enough money mowing lawns to buy a used Toshiba T3100 20lb “laptop” from a local computer repair store with an orange monochrome screen and more importantly a 2400 baud modem. I had purchased this “laptop” so that I could chat with people on BBS’s and IRC in the privacy of my room late at night and not on the family computer. I quickly found that this computer had several password protected archives on the 10MB hard drive from the previous owner. I wanted to delete them to recover some space, but I decided that before deleting them I’d find the owner to see if they needed these files. I went back to the computer repair store that I purchased the computer from, but they had no record of the previous owner. I used a brute force password cracker to discover the password and read the documents and discovered that the previous owner was a Cobol programmer named Banks Glover that lived close by. I found his phone number and called him and asked if he wanted his files back and he said yes. At the time Banks was about 50 and arrived at my house, my dad answered the door, and when Banks asked for me my dad was surprised. We invited Banks in for lunch where I gave Banks his files back, told him how I found his password, and talked about computers.

My dad had just started his own private investigation business and ended up becoming quick friends with Banks and hiring him to run the computer database search portion of the private investigation practice. During this time Banks taught me a lot about DOS, and programming languages beyond Basic. I was fortunate to have Banks as a mentor as I really didn’t know any other programmers beyond the people I would talk to on IRC/BBS’s.

What do you feel is the most important aspect of your job? The ability to communicate somewhat complicated problems and solutions to people that don’t spend every conscious moment of their life in cybersecurity. I feel that some cybersecurity people come off as incredibly arrogant and I try and sometimes fail to make sure I can articulate a problem or solution correctly to an audience.

What metrics or KPIs do you use to measure security effectiveness? I usually focus on the basics; finding and managing all devices connected to my company’s network, time to patch, monitoring for hacking attempts against my internet facing machines, measuring how long it takes for my team to discover an incident based on the first indicator of an attempted hack, and of course time to resolve and incident.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I think security skills shortage is probably affecting every organisation, but I think it is more that businesses lack funding and understanding of the security problem and their overall risk, more so than a lack of an individual’s skills. Securing modern systems require incredibly deep technical knowledge of very diverse systems, architectures, and operating platforms, and most businesses incorrectly feel that a single individual could contain all of these required skills instead of properly funding a team. This problem is very apparent in the cybersecurity job listings of most companies as they are desperately trying to find the one person in the world with in-depth knowledge and vast experience in securing the systems, they just deployed a year ago instead of properly funding the team required to do that task.

1 2 Page 1
Page 1 of 2