Secret CSO: Caleb Merriman, Deltek

What metrics or KPIs do you use to measure security effectiveness? "To best answer this central question, I focus on understanding open vulnerabilities in our systems and tracking time to remediation."


Name: Caleb Merriman, Deltek

Organisation: Deltek

Job title: Chief Information Security Officer

Date started current role: January 2020

Location: Birmingham, Alabama

As Deltek's Information Security Officer (CISO), Caleb Merriman is responsible for leading Deltek's global information security team in support of providing the best software and solutions for project-focused businesses around the world. Merriman is an accomplished security professional with an extensive background in the software industry. He joined Deltek from Guidewire Software, where he managed the company's enterprise security program. In addition to his security experience, Merriman has spent over 20 years as a pilot in the Air Force and Air Force Reserve, achieving the rank of Lieutenant Colonel.

What was your first job? In college, I was a campus security guard – and even worked in a funeral home! After I graduated with a degree in engineering, I worked at the Southern Technology Application Center, while I was waiting for my start date to begin pilot training for the United States Air Force.

How did you get involved in cybersecurity? After my time on active duty in the Air Force, I worked for a medical device company and was immersed in technology in a highly regulated industry in the early days of HIPAA. My job responsibilities at the time – which included manufacturing and network engineering - exposed me to regulatory and compliance security concerns. Given my background, once there was a demand to focus on compliance, it was the logical next step for me to dive into information security at that organisation. My first task in that new role was building a security program for this medical device company to help them secure their data, and have been involved in security programs ever since.

What was your education? Do you hold any certifications? What are they? I graduated from the University of Florida with a degree in Engineering Sciences and received a Master’s degree in Computer Information Systems from the University of Phoenix. I hold a myriad of security and compliance certifications, but the one I find most useful is my Certified Information Systems Security Professional certification.

Explain your career path. Did you take any detours? If so, discuss. Over the past twenty years, I have gone down a few different pathways, but I wouldn't exactly call them detours. My main focus has always been leading information security programs, and I’ve had the opportunity to do that across a variety of industries, including medical devices, banking, retail and now software. Each of these industries has its own challenges and specificities, which has allowed me to continue to grow without straying from my core passion of information security.

Was there anyone who has inspired or mentored you in your career? I’ve been blessed with a number of different mentors throughout my career. From commanders and supervisors in the Air Force to church pastors and professional career coaches. My mentors taught me the value of maintaining humility, building an effective team, admitting mistakes and assuming good intent in other people. The lessons that stood out to me the most from these mentors were less about the technical aspects of the job and more about how to build teams and work well with others while always striving to improve - those are the critical lessons that have shaped my career.

What do you feel is the most important aspect of your job? The primary mission of my job is to protect the data, operations and reputation of Deltek. However, the most important aspect of my job is leadership. I’ve taken a great interest in helping others grow in their careers and while working in security is a difficult job, it is also a team sport.

What metrics or KPIs do you use to measure security effectiveness? Over the years, I’ve used a number of different metrics to help manage security programs that I’ve led, but the most impactful to me are the ones that answer the question, “How secure are we?” There are many different activity metrics that can help from a staffing and planning standpoint, but I’ve found what senior leadership and our customers care about the most is making sure that we are secure. To best answer this central question, I focus on understanding open vulnerabilities in our systems and tracking time to remediation. Our risk profile is directly tied to these two issues, and the longer vulnerabilities remain unidentified or unaddressed, the more likely they are to be exploited.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? As long as I’ve been in the industry, there’s been a security skills shortage. Luckily, Deltek’s recruiting team has been in build mode this year despite the pandemic, and we expect to continue to grow our team for the foreseeable future. Having worked in the industry for over 20 years, I have a clear understanding of what to look for in a candidate and what is expected of security talent in the marketplace. That being said, there is the reality that there are more security jobs today than there are people to fill them. This continues to be a challenge across the board. Over the years, I’ve learned it works best to wait and find solid talent rather than quickly backfill a position in such a critical industry.

Cybersecurity is constantly changing – how do you keep learning? Learning has to be a part of your job. If you haven’t worked in information security in the last few years, you may as well have not worked in information security at all. The field moves so rapidly that the knowledge and systems I relied on 20 years ago are now obsolete. You have to be one step ahead of new threats and regulations, and CISOs need to be thinking about the security program of tomorrow, not today. Staying abreast of the direction we are headed and the skills needed to face these new challenges is top of mind for all leaders in the field. Fortunately, there are great organisations, vendors and security conferences that can help you keep your finger on the pulse.

What conferences are on your must-attend list? As a long-time CISO, I find the conferences that deliver the most value are the ones that take an interactive approach instead of a top-down lecture format, providing real-time interaction with other security leaders and allowing attendees to share real-time feedback with peers. I used to lead the Information Security Round Tables (ISRT) for Blue Cross Blue Shield, which I still feel is the most valuable conference I have attended due to the large number of industry attendees who were facing the same challenges and problems and yet not competing with each other.

What is the best current trend in cybersecurity? The worst? The best trend is the move toward greater awareness of cybersecurity and the heightened investment in cybersecurity in general. The “worst” trend in cybersecurity is the growing ease with which cyber criminals are able to exploit individuals and organisations and the difficulties in protecting those entities from harm. It’s still too difficult to catch and punish cyber criminals. At one point, I had the opportunity to work with the FBI and secret service to put a cybercriminal behind bars, which was a highlight of my career!

What's the best career advice you ever received? Do your best in the job you’re currently in and eventually opportunities will come your way - and don’t be afraid to seize them when they do.

What advice would you give to aspiring security leaders? If you don't have the passion for security, it's probably not the place for you. The job itself is very rewarding as long as you don’t lose your sense of humour or willingness to learn. Information security is serious business, but it is also a team sport, so working well with others is essential for success. Since this field evolves quickly, continuous learning is paramount.

What has been your greatest career achievement? For me, the greatest achievements have been building strong teams and what we’ve been able to achieve together. It's never really about the tools and technologies or even the business processes that make the difference, it’s the people.

Looking back with 20/20 hindsight, what would you have done differently? It’s hard for me to say that I don't have any regrets; there are always tactical things you wish you would have done differently, but those mistakes have helped me learn and become better at what I do. I’m blessed to have an incredible and rewarding career in this field, and I enjoy sharing my own lessons learned with my teams to help them grow.

What is your favourite quote? “Never tell people how to do things, tell them what to do and they will surprise you with their ingenuity.” - General Patton

What are you reading now? I have to admit that I seldom read for entertainment, but I do stay up-to-date with new writings on security trends and topics of personal interest.

In my spare time, I like to… I watch a lot of college football, spend time with my four children and granddaughter, work on home improvement projects and enjoy a glass of wine.

Most people don't know that I… I was a C130 pilot in the Air Force for 22 years.

Ask me to do anything but… Cheer for the Georgia Bulldogs.