Secret CSO Series: Tom Conklin, Fivetran

What's the best career advice you ever received? “Your career will be shaped far more by the relationships you build than the work you get done.”


Name: Tom Conklin

Organisation: Fivetran

Job title: Chief Information Security Officer

Date started current role: April 2020

Location: San Francisco Bay Area

As Chief Information Security Officer at Fivetran, Tom Conklin is responsible for ensuring the security of the Fivetran SaaS platform and the company’s digital assets. Prior to Fivetran, Conklin built security programs at Druva, Vera Security and Zuora. He has extensive experience building and leading security programs at SaaS companies where protecting customer data is paramount. Conklin has in-depth experience architecting security programs to meet multiple compliance frameworks, including FedRAMP, PCI/DSS, SOC 2, ISO 27001, HIPAA, FIPS 140-2, SOX, GDPR and others. He has also led application security, incident response, vulnerability management, and product security functions throughout his career.

What was your first job? I was an auditor at a CPA firm.

How did you get involved in cybersecurity? I’m naturally curious and my entire life I’ve been good at breaking things and figuring out how they work. I just didn’t think cybersecurity was a career path until I started auditing companies. I like the intersection of technology and business from my experience with other SaaS companies and figured it’s the best path to build great teams and products.

What was your education? Do you hold any certifications? What are they? I have a Bachelor of Science in Business Administration with concentrations in Finance and Management of Information Systems.

Explain your career path. Did you take any detours? If so, discuss. When I graduated undergrad I had to decide between a manufacturing management job in San Diego and an auditing role in Silicon Valley. I’ve always wanted to work in tech so I opted for the auditing route. Looking back this was a great decision. It gave me exposure to the SaaS industry when it was just getting going. I had the opportunity to work with some amazing companies while they grew from 30 people to public companies. I knew I had to work for similar companies, so I left auditing for industry. Fivetran is now the fourth SaaS company I’m doing this journey with.

Was there anyone who has inspired or mentored you in your career? I learned a ton working for Pritesh Parekh (CSO) while I was working at Zuora. Most of how I’ve structured my security programs is modeled after the work we did together.

What do you feel is the most important aspect of your job? Communication. Being able to align teams on shared goals is by far the most important thing I can do.

What metrics or KPIs do you use to measure security effectiveness? Way too many to list here, but I think the most important metrics are those that show the rate of change over time and anomaly events. It’s not as important that I have 90% of something done - it’s what’s going on with the 10% that’s failing or out of normal. So looking at outliers is key.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Fivetran is lucky we’ve filled our security roles at the moment! It helps that we’re an exciting company, and we have a strong culture to enable security’s success. But from my experience at other companies and talking to peers, finding good leaders in security is really hard; and after that, AppSec roles are the toughest to fill.

Cybersecurity is constantly changing – how do you keep learning? I’m a member of some different security communities; listening to what others are doing and having conversations about current challenges is super helpful. I’m very fortunate in my role to be able to talk to lots of customers and partners which helps me learn about new trends. I take a lot of notes during these conversations and will Google topics after.

What conferences are on your must-attend list? None right now with COVID.

What is the best current trend in cybersecurity? The worst? The best trend is that with work from home now the norm, it’s forced companies to adopt zero-trust access models. We’re finally getting rid of this illusion of security that certain locations are secure now that everyone is working from home. The worst I’d say is not a new trend, but over the last few years we’ve made software and tools very easy to adopt. This - along with incentives for companies to move faster - has increased the risk of misconfigurations or shadow IT.

What's the best career advice you ever received? Your career will be shaped far more by the relationships you build than the work you get done.

What advice would you give to aspiring security leaders? Don’t hold your cards close - be open with others at your company about what is working and what needs improvement. When working on something new, solicit feedback as early as possible instead of waiting for something to be perfect. You’ll make faster progress iterating on your plan.

What has been your greatest career achievement? So far it’s the security program we’re building at Fivetran.

Looking back with 20:20 hindsight, what would you have done differently? Not much to be honest. One thing is I could have spent more time mentoring others. It’s a goal I have for this year.

What is your favourite quote? “Work hard, learn lots.” - my Dad

What are you reading now? Extreme Ownership.

In my spare time, I like to… Hike/backpack.

Most people don't know that I… Am left handed.

Ask me to do anything but… Eat licorice or anything licorice flavored.