Secret CSO: Seth Cutler, NetApp

What's the best career advice you ever received?” Look in the mirror. This is the person responsible for your failures and successes.”


Name: Seth Cutler

Organisation: NetApp

Job title: VP & CISO

Date started current role: June 2020

Location: Raleigh, NC

Seth Cutler has worked in technology for 30 years, leading technical, security and risk teams for global operations and a series of large enterprises. Cutler joined NetApp in June 2020 from his most recent position as the VP and Chief Security Officer at Allscripts Healthcare where he successfully implemented the first company-wide security strategy. In this role, he led the overall security and risk program including application security, incident response, Security Operations Center (SOC), Identity & Access Management (IAM), compliance/audit, training, business continuity and mergers and acquisition integration. 

What was your first job? When I was an early teen, I taught martial arts to kids in an after-school program and sold golf balls (in egg crates) that I found to golfers. My first job in tech was at an IBM/CSFB start-up as a software developer/tester.

How did you get involved in cybersecurity? I worked at a Microsoft/Softbank start-up building Digital Rights Management (DRM) software. I continued the security journey at a Healthcare IT firm building an Application Security program and then a full-scale Privacy and Security strategy for on-prem and in the cloud. I have been at NetApp since June this year and look forward to continuing the security journey at the leading Cloud Data Fabric, Storage and Management company.

What was your education? Do you hold any certifications? What are they? I have a Bachelor of Science in Business Administration from the State University of NY at Albany, concentrating in Finance and MIS and have been through the Executive Management Program at Duke University and the Accelerated Leadership Program at UNC Chapel Hill. As for certifications, I hold CISM (ISACA); HCISPP (ISC2); CCRP (DRII); and CIPP/US (IAPP).

Explain your career path. Did you take any detours? If so, discuss. I spent the last 30 years in technology in various roles and companies. No major detours but rather expansions. I started in the application development, quality and then DevOps side of the house and then, as the security and regulatory landscape changed, built a logical path to include privacy and security into the Software Development Life Cycle (SDLC).

My focus shifted to include additional aspects of privacy and security including SOC, IR, GRC, Physical, Supplier Management, M&A, DR/BCP, Training/Awareness and working with Legal on regulatory, contractual or other matters from a security perspective. I now enjoy the intersection of business and technology risk decisions.

Was there anyone who has inspired or mentored you in your career? When I first began my career in the early 90’s, I worked for a gentleman who spent 35 years at IBM. Many times, he was the adult in the room at this new start-up and had an incredible blend of technical, business and people skills. I was very fortunate to have him be my first mentor AND manager. He held everyone 100% accountable, pushed us to learn, allowed us to make decisions and mistakes, and gave credit where appropriate. I still remember he was the only manager to walk the floor to personally hand out the biweekly pay check envelopes (pre-direct deposit days) and say “thank you.” I like to consider the good, bad, ugly from leadership, peers, and staff and apply as appropriate to my professional toolbox.

What do you feel is the most important aspect of your job? A thorough understanding of the security and business needs of the company - and treating people with respect.

What metrics or KPIs do you use to measure security effectiveness? I prefer to utilise risk-based metrics and overlay maturity models. Additionally, we have a key set of metrics that we derive and monitor from these.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, the demand is greater than the supply and we have a long tail to hire. Skills that we are always looking for include: Threat, Vulnerability, and IR analysts as well Application Security Developers and DevOps folks.

Cybersecurity is constantly changing – how do you keep learning? I subscribe to a plethora of industry reports, daily vulnerabilities, threats, and intelligence that I spend 1-2 hours every day reviewing (my day starts at 5AM). I am a lifelong learner and really believe that with this constantly shifting landscape and industry you must stay current. I learn a lot from speaking to peers and leaders throughout the company, especially folks on the team that highly specialise in one privacy or security area. We have regular deep dives on timely topics and I’m always learning from our team.

What conferences are on your must-attend list? While it’s been a while, ISC2, ISACA, and Daniel Solove put on some great conferences. I also enjoyed local and regional Security and Technology meetings from InfraGard and ISACA as they are a bit more intimate. I also just presented and attended (remotely) the NetApp INSIGHT conference – it was very well done.

What is the best current trend in cybersecurity? The worst? The best trend I see is the removal of the password. The worst, not getting rid of the password fast enough. The most interesting is Quantum computing.

What's the best career advice you ever received? Look in the mirror. This is the person responsible for your failures and successes.

What advice would you give to aspiring security leaders? Perfect is the enemy of good. The terrain is shifting more than any other industry and you need to move the security agenda forward quickly. Find the right balance of tactical and strategic as both are critical to success. You also need to learn to provide a concise and actionable message to others in the business at all levels.

What has been your greatest career achievement? Building and working with great diverse teams and partnering with other functional areas to move security higher in their priority stack.

Looking back with 20:20 hindsight, what would you have done differently? There is lots of room for things to have been done differently. However, I try to look forward, learn from my many mistakes, and ensure they do not happen again. Continuous improvement is key.

What is your favourite quote? “In business, only the paranoid survive, so understand and confront the facts as they stand today, no matter how brutally painful, and focus on solutions. “ - Andy Grove, Intel.

What are you reading now? The Art of Invisibility by Kevin Mitnick and The New Girl by Daniel Silva.

In my spare time, I like to… Read, spend time with my family, hike, tennis, ski...

Most people don't know that I… Was a competitive martial artist (Kumite, Kobudo, Kata). My daughter now competes at the international level and is way better than me.

Ask me to do anything but… Sit on the beach – I need to keep moving and I do not like sand.