Secret CSO: Chad Thunberg, Yubico

What metrics or KPIs do you use to measure security effectiveness? "One of the more powerful but simple metrics is the rate of adoption for our security infrastructure."


Name: Chad Thunberg

Organisation: Yubico

Job title: CISO

Date started current role: July 2019

Location: Bellevue, WA

Yubico’s Chief Information Security Officer (CISO), Chad Thunberg, is responsible for the company’s security, risk management, and compliance programs. Prior to Yubico, he was Leviathan’s Chief Operating Officer and was responsible for managing the professional services organisation, maintaining Leviathan’s reputation for industry-leading research, and ensuring the professional services organisation maintained a high standard of quality. Thunberg has more than 20 years of experience solving complex security scenarios across the Fortune 100 and start-ups.

What was your first job? I had my first job at the age of 12. Since both of my parents worked and daycare was rather expensive, I started working during summer vacation. My first job was making sandwiches and salads at a small deli where my mom was a supervisor.

How did you get involved in cybersecurity? I was lucky to grow up with a computer in the house – a 386. I was always curious and started learning about bulletin boards and also enjoyed playing video games. Later in life, this curiosity led to learning about information security which was further fueled by friendships I developed with individuals around the world. I spent a lot of time on IRC learning. What started as a hobby eventually became a career.

What was your education? Do you hold any certifications? What are they? Originally, I was pursuing a B.S. in Chemical Engineering but my interest started to fade as my passion for computers increased. I chose to leave school until I was more confident in what I wanted to pursue. I never went back to college but did earn a CISSP (Certified Information Systems Security Professional) early in my career.

Explain your career path. Did you take any detours? If so, discuss. My professional career started at Microsoft through a temp agency after I left college. I started in a call centre supporting Windows 98 during its launch and I quickly transferred to the Windows Update support group. Since I was the only temporary employee, I was given the graveyard shift. On a normal 10-hour shift, we would only receive 2-3 support requests via email, so I had a lot of down time to say the least, which I used to teach myself to program. I also did some pro bono system administration work for my ISP in exchange for free internet access and a shell server. Between that experience, my temp job, and one heck of a reference (thanks Jeff!), I ended up working as a Network Administrator for a company that made multiplexers and cameras for CCTV systems. During my first week in the new role, the previous administrator hacked into the company and caused a lot of damage – the situation forced me to learn how to quickly rebuild the infrastructure and get the company up and running again.

Eventually, I joined Leviathan Security Group and moved into a Chief Operating Officer position, which was a role I never expected to find myself in. I intended to focus on the technical side of security when I originally joined as a consultant. However, the company experienced a few challenges early on and I found myself stepping into an executive role. I went from reading code to evaluating profits and losses and negotiating legal agreements. I enjoyed the challenge and gained valuable business knowledge that provided valuable insight into the business of security.

Was there anyone who has inspired or mentored you in your career? I had many mentors and friends in my corner that I could discuss career moves with. In fact, I wouldn’t be in this position if it wasn’t for all of the people I met along the way. I am bound to leave someone out if I try and name them all, but they know who they are and hopefully how much I appreciate them.

What do you feel is the most important aspect of your job? Learning to listen and learn. We can occasionally get tunnel vision in our pursuit to reduce risk or respond to threats but much of our job as security professionals is about influencing individuals and teams to change their behaviour, often without a direct incentive. A great start to that is learning about them and their challenges. It’s a win for everybody when you can find a solution that is better for everyone.

What metrics or KPIs do you use to measure security effectiveness? One of the more powerful but simple metrics is the rate of adoption for our security infrastructure. The time to research, evaluate, and implement new practices and technology is wasted if they are not used. This metric can not only identify areas of higher risk in the environment but also identify friction during onboarding or use. The effectiveness of a security program starts with adoption and that's also a great place to start with metrics.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? High-quality security professionals have been in high demand for a long time. Yubico’s mission and reputation have given us an advantage, so we’ve been fortunate enough to attract highly qualified employees. However, hiring individuals with a great deal of depth in a given area is always difficult and we’re often competing with much larger organisations.

Cybersecurity is constantly changing – how do you keep learning? Information security is just that, protecting information. At its core, information security doesn’t really change. What changes is how information security principles are prioritised for a given architecture, the effectiveness of controls to mitigate a specific threat, or what specific words need to be used to prove that a control exists and is effective. Once understood, I find that I don’t need to learn a new security concept but instead need to learn how to apply our core principles to a new or changing problem. I’ve noticed that a diverse team with many different focus areas is a necessity to ensure the company is keeping up with the ever-evolving landscape. My goal is to ensure that I have enough awareness of the changes to ask intelligent questions and to provide guidance where needed. I rely on podcasts, articles, and peers to help me stay current.

What conferences are on your must-attend list? I don’t think we’ll be returning to large conference-sized gatherings in the near future, so I’ve been experimenting with putting together roundtables to learn and network with other individuals. I set a topic and reach out to potential presenters. The approach is semi-formal, but the small setting allows everyone to relax, which often leads to a dynamic and meaningful conversation. I am not yet sold on attending large virtual conferences again.

If or when we return to larger in-person conferences, my recommendation would depend on where someone is in their career. The value of conferences is in maintaining existing relationships and creating new ones. Small(er) conferences like B-Sides, CanSecWest, ToorCon, ShmooCon and HushCon are great for finding a local community. Larger conferences like BlackHat and Defcon are great for connecting with the broader community.

The amount of hands-on training that is available from industry-leading experts is one of the major pros of attending these conferences. Much of this training is either integrated into the conference or coincides with, or precedes, the conference dates. Larger conferences can be quite expensive and also take a large percentage from the trainers themselves. Here’s a pro tip if budget is a concern: it’s always worth reaching out to the workshop lead and seeing if they offer private or independent training. You may find them to be less expensive, and perhaps you will learn more in a setting with fewer distractions. I look forward to seeing how well the virtual training goes.

What is the best current trend in cybersecurity? The worst? The best trend right now is the exact reason why I joined Yubico: the industry is on the cusp of actually replacing passwords and legacy multi-factor authentication methods (e.g. OTP) with modern open authentication standards, like FIDO2 and WebAuthn. These standards will enable widespread adoption of phishing-resistant and usable security, and hopefully we will be on the path to eradicating an entire class of issues that have long been associated with passwords.

Information security has become a big business. The worst trend is technology that is marketed toward end-users that provides a false sense of security, and in many cases, increases their risk. Examples can include VPN services and mobile antivirus. Both can provide value in their specific use cases, but their marketing claims are often misleading.

What’s the best career advice you ever received? Be proud of what you do. It’s such a simple statement that translates into so much, and it will help guide decisions that may be morally or ethically difficult. It will foster trust and confidence as you can be transparent about the path you took and the decisions you made. And perhaps most importantly, it will help you maintain your health and happiness.

What advice would you give to aspiring security leaders? Leadership in information security is mostly about working with people to influence change. Learn how to communicate with a diverse set of roles, remember that incremental change is more palatable, and ensure what you are advocating for fits well with the business.

What has been your greatest career achievement? I am proud of many things in my career and many are additive. If I think about the moment that started it all, it would be when I chose to follow my passion. It may sound odd to say now, but in 1998, when I chose to pursue Information Technology and Security, the industry was relatively small with only a few information security firms. Back then, I was taking a chance. I thought to myself that if it didn’t work out, at least I was young and would have plenty of time to recover. I remember the day I landed my first job and how excited and proud I was. It certainly was a risk that paid off.

Looking back with 20:20 hindsight, what would you have done differently? I don’t spend a lot of time looking backwards beyond understanding how I could have done something better. I’ve made mistakes, but there have been valuable lessons learned that have helped mould me into the person I am today, and gratefully, I am happy with who and where I am.

What is your favourite quote? "Our virtues and our failures are inseparable, like force and matter. When they separate, man is no more." - Nikola Tesla. I believe that I’ve achieved much through failure.

What are you reading now? Former President Barack Obama's book, A Promised Land. He is a phenomenal writer and the book doesn’t disappoint.

In my spare time, I like to… I like to spend time outdoors in the Pacific Northwest. I’ve recently introduced my three kids to hiking and I am looking forward to spending more time on the trail with them.

Most people don't know that I… play Dungeons and Dragons (D&D) every Tuesday with friends I’ve had since elementary school.

Ask me to do anything but… Sing karaoke.