Secret CSO: Eric Adams, Kyriba

What is the worst current trend in cybersecurity? "The worst trend so far is relying on a ‘checklist’ to check the box on security controls and then assume the organisation is safe…"

Name: Eric Adams          

Organisation: Kyriba

Job title: Chief Information Security Officer (CISO)

Date started current role: April 2018      

Location: San Diego, CA

Eric Adams is the Chief Information Security Officer (CISO) / SVP of Kyriba. Adams joined Kyriba in 2018, with 20 years of security experience and specifically FedRAMP authorisation experience in Federal cloud at HP. He also worked at IBM as a Federal cloud security strategist with Watson AI applications and Blockchain. He is responsible for Kyriba security compliance certifications and also the overall security of the global SaaS-based treasury management application system and its related business functions.

What was your first job? Once I was old enough to do any type of work, I started my own lawn mowing business and had a paper route. I saved quite a bit of money for an 11-year-old and started buying computer systems to connect via modem. I began my research online, so I could learn how they worked.

How did you get involved in cybersecurity? I worked for a start-up internet service provider in the mid-90s - right when the internet was released for commercial use. A few years after college, I joined an internet service provider called Cyber Highway Internet Services. During my time there, I focused on everything from selling connectivity to installing networking equipment and registering domains. That was my first official foray into cybersecurity. 

I then went on to HP, starting as a Tech Consultant and working my way up to Security Architect and eventually Federal Cloud Program Manager, where I learned more about security and began networking printers in enterprises for some of HP’s largest clients. I started at Hewlett-Packard Enterprise in the 2000s, working in one of the largest data centres in the world. I managed a large-scale security data centre migration project covering six centers, three cities wide. 

What was your education? Do you hold any certifications? What are they? I am a Huntsman School of Business graduate from Utah State University. I hold a B.S. and MBA in Marketing and minor in Information Systems. I am certified in ITIL and have security certifications for CISSP and CSSLP.

Explain your career path. Did you take any detours? If so, discuss. I had a few different types of security-focused jobs at smaller companies before joining HP in 1996. During my 19 years at HP, I was faced with making a career decision: go down the path of business management or continue focusing on cybersecurity. I decided to manage customer-focused projects before getting into the deep technical tracks of security.

Was there anyone who has inspired or mentored you in your career? I was inspired by multiple people at HP and IBM. Many of my former colleagues are well-known in the industry and working at AWS, Apple and other top-profile technology companies. I recall one specific instance: I was trained for a particular technical job in Cupertino by an employee about to take early retirement. He reported directly to Bill Hewlett. He shared some of the most amazing stories about the founders of the company, how they cared for the quality of products and services, and most importantly, their employees and customers.

What do you feel is the most important aspect of your job? At Kyriba, it is my ultimate duty to oversee the secure operations of our cloud SaaS application and all of our related business functions. My main role today, as we try to manage the COVID-19 pandemic, is to ensure the security of data and access to data, as well as continually analysing internal risk for Kyriba.

What metrics or KPIs do you use to measure security effectiveness? My team and I constantly review reports from our systems in order to make adjustments to reduce risk. These reports include basic system security reports, account reports and vulnerability reports. Today, the reports I am most focused on are quarterly and annual reports so that we can measure whether a new capability is effective or if we need to address any gaps. Our main area of focus is to ensure we are always ahead of industry standards in the finance system categorisation for each domain in security, which is constantly being re-evaluated.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Over the last 20-plus years I have maintained a large network of security colleagues and connections in order to find the best personnel to fit security roles at Kyriba. However, shortage of skills in the industry is a problem. Finding and retaining talent, such as level-one security analysts, is very challenging.

Cybersecurity is constantly changing – how do you keep learning? I am always learning new security concepts in order to stay sharp, whether it be through webinars, learning sessions, or jumping in on a cutting-edge technology project on the job. It is important to devote time to learn at least one new security concept a month.

What conferences are on your must-attend list? I attend conferences to meet in person with the people that I’ve worked with in the past. I typically attend BlackHat and RSA; however, I enjoy the smaller conferences such as B-Sides and ShmooCon for a more personal experience.

What is the best current trend in cybersecurity? The worst? The best trend is the push for automation in cybersecurity; using automation in order to scale, paired with human roles to react based on procedures. The worst trend so far is relying on a ‘checklist’ to check the box on security controls and then assume the organisation is safe. These may not be considered current for mature organisations and not as credible or valid in today’s business world.

What's the best career advice you ever received? I was working on a large project with the U.S. government, and the advice I was given was, “Always make it their turn”, which means - do whatever you need to do to get your work done quickly and correctly and do not make the client or supervisor wait around. Anything submitted for review must be on top of your superior’s stack of paperwork to evaluate. I took this seriously and recall working 23 hours non-stop, but my project never stalled and was successful. I learned from then on that once you have someone’s attention that is very important, you better deliver and never wait around.

What advice would you give to aspiring security leaders? Learn from your mistakes, because you will make them; do not give up and be resilient. It is also very important to ask your trusted mentors for advice. Listen carefully; success comes through collaboration with others who want to succeed based on company goals.

What has been your greatest career achievement? My greatest and most fulfilling accomplishment was to provide static code analysis in a cloud Authority to Operate (ATO) system for the Federal government while at HP. This request came to me from the U.S. Army while I was with HP working onsite at Ft. Knox, Kentucky, training personnel on static code analysis for our Fortify on Demand product in 2012. The commander was very interested in using our commercial cloud version but could not because there was no ATO for our cloud system for military or government use. The next month the FedRAMP government cloud program started, and shortly after I picked up the paperwork and applied for authorisation. Two years later the system was authorised for DoD and DHS – this came after building a government-community cloud, completing the required documentation paperwork, and going through third-party audit and FedRAMP JAB review. The system is currently servicing several government agencies under MicroFocus, which HP sold this software division to in 2016.

Looking back with 20:20 hindsight, what would you have done differently? I cannot really say I would do anything differently, even though some paths were difficult. I would have never learned from experiences that were very valuable, even if they were not the most pleasant or had the best outcome at the time.

What is your favourite quote? “First they ignore you, then they laugh at you, then they fight you, then you win.” -- Nicholas Klein (original quote based)

I have experienced this in real life more than a few times. It teaches resilience and determination if you know something is right and to never give up.

What are you reading now? “How to Measure Anything in CyberSecurity” and “Empire of the Summer Moon”. Regarding the second book, if you think we live in difficult times now, try to imagine living in the American plains in the mid-1800s.

In my spare time, I like to… Spare time is a luxury, but when I have it, I like to golf, fish and spend time with my very sports-oriented family.

Most people don't know that I… have a fascination with tipis and American Indian culture. My goal is to build one soon.

Ask me to do anything but… cook anything other than meat on the grill. I can grill and barbeque with a decent amount of skill, but that is about where it ends.