Secret CSO: Brandon Hoffman, Netenrich

What metrics or KPIs do you use to measure security effectiveness? “There is a wide variety of metrics that people can use for security but the challenge is that there is no universal metric.”


Name: Brandon Hoffman

Organisation: Netenrich

Job title: Chief Information Security Officer

Date started current role: July 2020

Location: Chicago, IL

Brandon Hoffman is an admired CTO and security executive well-known for driving sales growth and IT transformation. He is responsible for Netenrich’s technical sales and security strategy for both the company and its customers. Most recently, he oversaw solution architecture for Intel 471’s dark web threat intelligence business. As former CTO at Lumeta Corporation and RedSeal Networks, Hoffman led technical and field development in network security, vulnerability and risk. He’s also held key practitioner roles focused in security architecture, penetration testing, networking and data centre operations.

What was your first job? My first professional job was working at a radio company in Chicago. This was a technical role and was related to IT but also covered areas like remote broadcast and other RF technology. It was a great place to dive into a vast array of technical challenges which help prepare me for a future in cyber security.

How did you get involved in cybersecurity? After several years of working on different types of IT challenges, at the time, security was sort of the final frontier. Having done traditional IT like desktop and office work, data center, storage, networking and wireless, it felt like security tied everything together. At the time security was becoming a full-time discipline in its own right and it felt like a challenging and interesting space.

What was your education? Do you hold any certifications? What are they? I hold a Bachelor's degree from University of Illinois. A few years later, I decided to pursue my Master’s degree from Northwestern University. Both degrees are technical although the Master’s had some coursework in business. I used to have some certifications related to technology that, dare I say, may no longer be operating.

Explain your career path. Did you take any detours? If so, discuss. My career path was a bit of an interesting twisting road, but perhaps that’s not all that different from others. I started my career in radio broadcast and IT. Spent some time as a consultant focusing on security and wireless technology. So consulting was a bit of a detour but really helped form some of the foundations in my approach through wide exposure. After that I spent a lot of time on the vendor side building products, working with sales teams and mapping the output from products to actual value for customers. These roles helped me more deeply understand the challenges that need attention.

Was there anyone who has inspired or mentored you in your career? I wouldn't say I had any official mentoring but there were several key people. Mostly these people gave me a shot at something I thought I could do well but had no pedigree to prove it. These folks really helped shape my career by taking a chance on me. I would like to think they were happy with the outcome and I now try to pay it forward whenever the chance arises.

What do you feel is the most important aspect of your job? I think the most important aspect of my job is understanding people and connecting with them. In the end, it is all about the people. Without people nothing gets done and in order to execute on anything successfully there needs to be shared intent and vision.

What metrics or KPIs do you use to measure security effectiveness? There is a wide variety of metrics that people can use for security but the challenge is that there is no universal metric. Metrics around detection, response, spend, activity are all fine on their own. But these metrics need to be honed for each individual organisation.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Truthfully the skills shortage is found across the board. Some of the hardest roles to fill include SOC analysts, threat intelligence analysts, and threat hunters. These roles include some specialised skills that are in high demand. I do think the industry has a hard time accepting people that do not have several years of experience but it is something we collectively need to get over. There are a lot of smart talented people coming into the industry and we need to give them a shot. We were all given a shot at some point and we need to pay it forward – for us and more importantly for them.

Cybersecurity is constantly changing – how do you keep learning? It is always a struggle to keep up but staying ‘in the know’ is critical. Conferences and virtual events are great places to learn but there are also a ton of free resources out there to learn about new and trending tech. I also find interacting with the vendors of technology provides insight into the market trends and to learn about the newest tools and services available.

What conferences are on your must-attend list? Blackhat and RSA are old standbys. I also enjoy the locally organised conferences. B-sides and others provide a more casual technology focused agenda that keeps security close to its roots.

What is the best current trend in cybersecurity? The worst? The best trend I see now in cybersecurity is the focus on motivation and intent from an adversary perspective. This really forces organisations to be critical about risk assessment and creates a scenario where classifying assets and data is not optional. The worst trend is, and always will be, ignoring foundational security processes for advanced or popular new technology. You cannot build a house without a foundation and the same goes with cybersecurity.

What's the best career advice you ever received? The best advice I received was to remain true to yourself and stay focused on the things you are passionate about. Also to cultivate relationships with the people you work with. Without the people nothing will be accomplished and having a work-social balance can ease business discussions at all levels.

What advice would you give to aspiring security leaders? I would say to focus on the parts of security where your interest is the highest. For most people, I feel, they will be happier and productive working on something intellectually stimulating. Climbing the ladder of course is a focus for a lot of people but the higher you go the less you are able to work on what you love.

What has been your greatest career achievement? I would say my greatest career achievement was the two patents I hold from a product design at a company I was previously a part of.

Looking back with 20:20 hindsight, what would you have done differently? Actually, I am quite comfortable with the choices I’ve made in my career. I think the only thing I would change is to be more honest with myself about what I really enjoyed working on and to stay on that track. While I had great experiences diversifying the roles I held, there's a chance that staying in some of the tracks I loved would have provided more job satisfaction.

What is your favourite quote?“If you’re offered a seat on a rocket ship, don’t ask what seat. Just get on.” -Eric Schmidt, Google CEO 2001.

What are you reading now? Zone to Win: Organizing to Compete in an Age of Disruption, Geoffrey A. Moore.

In my spare time, I like to… travel, cook, be active, read fiction.

Most people don't know that I… am a triathlete.

Ask me to do anything but… I really don't like putting together compliance binders, hahaha!