Secret CSO: John Germain, Duck Creek Technologies, Inc

What do you feel is the most important aspect of your job? "For me it is building relationships. Cybersecurity is challenging because you need to partner and communicate with all parts and levels of an organisation."


Name: John Germain

Organisation: Duck Creek Technologies, Inc.

Job title: V.P. and CISO

Date started current role: August, 2017

Location: Chicago, IL

As Duck Creek’s chief information security officer (CISO), John Germain is accountable for the strategy, direction, and management of the company’s overall security program and capabilities, including those of Duck Creek’s OnDemand services. Germain brings more than 15 years of experience as an information security professional to Duck Creek, and more than 25 total in IT. He has a strong background building and managing IT security programs for large, global organisations and is a well-respected leader in the community, having been named both a Top 100 CISO and a Top 25 Breakaway CISO Leader.

What was your first job? My first full time job was working at a film processing company. I worked in the finishing department where we took the processed film and put it into different types of media containers. If anyone can remember, slide shows used to be these single image film prints that would be put into a plastic slide sleeve. Part of my job was to drop the slides into a round tray by hand. I was the original PowerPoint guy.

How did you get involved in cybersecurity? Long story. At this film processing company, I ended up moving into the accounting department working in Credit and Collections. I had gotten my Associates Degree in Accounting and was working towards my undergrad while working full time. This was before PCs and Windows, but we did have a Wang VS 80 to run the accounting department. I kind of figured out how to use and maintain it as well as write some reports. After some time, we joined the PC age and I ended up running the IT Department. From there I did some consulting and then landed at a large Fortune 500 company running their network. I ended up running the whole infrastructure at a time when Information Security was just starting to emerge as a function.

They tapped me to be the lead for the security department and because the company was also a top 5 defense contractor, I ended up getting DoD TS clearance, working more with the classified part of our business. I grew the security organisation, building out a security operations capability as well as architecture and compliance functions. As the company grew, mainly through acquisition, a seasoned CISO was brought in to run everything, and I was put in charge of Security Operations and GRC.

After a few years, the company split up into three separate companies, and I was asked to make sure the three companies all separated securely and helped make sure that each company had a security function in place as they became independent organisations. I was also asked to be the CISO for one of the companies after the divestiture was completed. A year into that role, the CIO asked me take on all of the IT Infrastructure as well and I was also tagged to run the IT integrations for large acquisitions.

After a number of years, I decided to move on, and landed where I am now, as V.P. and CISO of Duck Creek Technologies, a leading SaaS provider for the property and casualty insurance industry. And I could not be happier.

What was your education? Do you hold any certifications? What are they? I have an associate degree in Accounting and a BA in Technical Management. I have also held a CISSP for about 13 years. Along the way I have had numerous certifications in different networking and computer technologies as well as completing a number of executive training programs.

Explain your career path. Did you take any detours? If so, discuss. So oddly enough I came out of high school pursuing a degree in Architecture. Like building houses type architecture. That lasted about 2 days because I was terrible at it, so I went after a degree in Accounting. My wife was in the Navy, so she would travel back and forth to the base every day, and I was working full time and going to school. Once I caught the IT bug, it pretty much consumed me.

My strengths were in networking and firewalls as well as directory services. We were using Novell at the time. I had a knack for solving complex issues, mainly because I was always curious about how things worked. I was always tinkering and asking questions trying to figure things out. Always reading and researching as well. I learned the basics of Solaris one night because we needed to add an email anti-virus solution when the Melissa virus came out in 1999. And because I worked with firewalls so much, security just became a natural progression. I guess I saw it coming, and just tried to position and prepare myself as best I could to be ready for my time.

Was there anyone who has inspired or mentored you in your career? There is one person above others from a professional perspective that really got me started in my career. He taught me some of the basics of how to be successful, including the importance of values and treating everyone with respect. He also taught me a lot about how to be an effective communicator. He gave me opportunities to succeed and to fail, and believe me, I failed a lot. But most important, he taught me to stay true to my principles. That is one thing I have carried throughout my career and I have tried to pass on to others.

I think at times I may have missed out on opportunities because I would not compromise my principles, but in the end I feel like the things I have achieved are much more satisfying because I feel I have done it the right way. Along the way, there have been so many other people that have helped, inspired and motivated me. Especially my wife, who pushed me when I needed to be pushed and supported me during the difficult times. I am truly the person I am today because of her, my son and all the people who have supported me along the way.

What do you feel is the most important aspect of your job? For me it is building relationships. Cybersecurity is challenging because you need to partner and communicate with all parts and levels of an organisation. I spend quite a bit of time building those relationships so that I can gain their trust and respect. As any security expert will tell you, the people in the organisation are so important to the success of a security program.

I need to know that if I say that something needs to be changed or some action needs to be taken to mitigate an immediate risk, that it will be done without hesitation. And I need to know that people respect what I say and that it has meaning to them. That comes with building trust at all levels of the organisation. And my goal is to make sure that everyone I talk to knows that they are important, no matter where they are in the organisation, because they all are.

What metrics or KPIs do you use to measure security effectiveness? I tend to go with metrics that do one of two things. The first is a call to action, meaning I am showing you this information because we need to improve in this area and this is the data showing where we are, where we need to be, and how much is needed in terms of resources to get us there. I am a huge believer in governance, meaning we have a strong set of policies and standards to run the business. I try to measure our compliance to those policies and standards as a way to show where we have drifted from where we want to be. Think of risk heatmaps and control metrics. The second type of metric is to show the effectiveness of our investments in the security program. I want leadership to know that the program is successful. This can be done through audit type metrics and by measuring the maturity of the program over time against standards and even against peers.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? It has not had a tremendous impact, but it is a concern for me. I have been fortunate to have built up a few connections over the years, and I think I have a decent reputation for being a good person to work with. And I think going back to what I said earlier, I treat everyone like they are important. To me, each person who works in my organisation is an individual and I try to treat them that way. And when I interview people, I am more interested in their fit as a person, both from their perspective and mine. I also look past what is written in a resume, and I look for some key traits that I like to see. Curiosity, eagerness, a little bit of an attitude but the ability to work easily with others. Those are all important to me. I feel like there are so many people with strong technical skills, but it is these other aspects that I feel can make for a good employee.

My goal, for anyone that works with me, is to guide their career as was done for me, and if they want to become a CISO as a career goal, then I will do what I can to make that happen.

Cybersecurity is constantly changing – how do you keep learning? I am way too much into the technology than I should be. I basically touch everything we use to secure our company. I guess I have never lost my own sense of curiosity and I am still tinkering with everything. I was given a nickname by someone a number of years back. Dim Mak. The Death Touch. If there was a way to break something, I would find it, most often on the first try. I can’t tell you how many times someone on my staff would come to me with so much pride about something they had developed, and I would find a bug in it in about 5 minutes. I have never lost that need to understand how everything works.

Security is a huge challenge because the variables are so massive. And often times you don’t even know what you are looking for. I am also involved in the security community and try to stay abreast of what is going on in the cybersecurity space by reading, talking to my peers and continuing to learn about the tools, processes and tactics used to fight off cyber-attacks.

What conferences are on your must-attend list? I tend to stick with Gartner conferences. Their annual Security & Risk Management Summit is usually pretty good. There is an annual Evanta Summit that I have been on the member board for a number of years. I will make every effort to attend that. The pandemic has made face-to-face meetings and conferences impossible, which is disappointing, but there are a number of groups trying to make the best of it. I recently joined the Cybersecurity Consortium, which is run by some of the most impressive security professionals that I have had the pleasure of meeting.

What is the best current trend in cybersecurity? The worst? I see more attention being paid towards awareness training, which is needed in my opinion. People are still a heavily targeted asset and the hardest to protect. We all just have a trusting nature and want to help, and attackers know how to take advantage of that. Things like zero trust, user behavior analytics, and artificial intelligence are all good ways to deal with managing the people risk, but in the end, people are the ones faced with what I call security moments several times a day every day. And we want people making the right decisions when they face those moments. That takes awareness.

The one area that still has not been addressed very well is the concept of building for security. Technology is growing and evolving so rapidly, but we face the same challenges as we always have in security in trying to catch up as an afterthought. IoT technology is a prime example. The goal is cheaper and faster for this technology and often times security is sacrificed. The results of this can be pretty dangerous.

What's the best career advice you ever received? The best career advice I ever got was from my wife. She told me I was smart enough and good enough to accomplish anything I wanted to, and I should not be afraid to go out and do it. She talked me into quitting a job that I had stalled in and taking a huge risk by making a career change when I was about 30.

What advice would you give to aspiring security leaders? It’s important to know as much as you can about what your company does and how it operates. One of the harder parts about security is how much you must know so that you can have full context into the threats you are facing and what risks need to be prioritised. I often say a security professional must have knowledge an inch deep, but a mile wide. You have to know about legal concepts, regulatory impacts, human resources, finance, what your business does and how they do it. And you must of course know security as a subject matter expert for the company. And again, building relationships and being able to communicate at all levels is crucial.
