Secret CSO: Gil Vega, Veeam

Is the security skills shortage affecting your organisation? “There’s an ongoing ‘war on talent’ in security. Everyone is trying to hire the same people…”


Name: Gil Vega

Organisation: Veeam

Job title: Chief Information Security Officer

Date started current role: February 2020

Location: Chicago, IL

As Chief Information Security Officer (CISO) at Veeam, Gil Vega establishes and executes Veeam’s vision and strategy to ensure its information assets and solutions are adequately protected, while driving strategies to help customers protect their critical data across multiple environments and ensure regulatory compliance. With more than 20 years’ experience, Vega is widely respected as an expert in cyber security operations, digital security and technology risk management in highly regulated environments. During his career, Vega has held various cybersecurity leadership posts within the U.S. Department of Defense, Intelligence Community and in financial services.

What was your first job? I pushed shopping carts at A&P grocery store in New Jersey when I was 14.

How did you get involved in cybersecurity? A career in security was not even on my radar when I started out. I always wanted to be a police officer, and on that journey, I joined the United States Army. After I left the Army and spent nine years as a police officer, I decided it was time for a change and to pursue an education and eventual career in cybersecurity.  

What was your education? Do you hold any certifications? What are they? I hold undergraduate and graduate degrees in Information Systems & Information Assurance from Strayer University in Washington, DC, and Norwich University in Northfield, VT.

Explain your career path. Did you take any detours? If so, discuss. I had an unconventional path to cybersecurity. After high school, I enlisted in the United States Army and served in the Gulf War. After leaving the Army, I pursued my childhood dream to become a police officer, and spent nine years on the force in the DC area. It was towards the end of those nine years that I started thinking about where I wanted to go next, and decided to pursue my degree in IT. This is what jump-started my cybersecurity career in the government sector. I held roles with the Library of Congress, and I made my way through various agencies like the Department of Defense, the Department of Energy and Immigration & Customs Enforcement. About seven years ago I made the jump into the private sector, which led me to becoming Veeam’s first Chief Information Security Officer.

Was there anyone who has inspired or mentored you in your career? Luke McCormack, who was my boss at the Department of Homeland Security. He’s retired now, but was the CIO at U.S. Immigration and Customs Enforcement, the CIO of DHS and at the Department of Justice. Half the time he was kicking my ass, but I learned more from this guy than anyone else in my career.

What do you feel is the most important aspect of your job? It’s driving cultural change in the organisation to make cybersecurity a part of our foundation. I’m looking to reinforce the critical nature of security in our overall business success, and I believe building these emerging capabilities will bring us to the desired level of cybersecurity maturity.

What metrics or KPIs do you use to measure security effectiveness? Often, I find these metrics relate back to IT management and don’t specifically focus on the fundamentals of cybersecurity, which can be a deterrent to your overall security success. A company is most successful when it focuses on educational awareness: ensuring its people know how they are being targeted by cyberthreats, preparing them for these inevitable attacks, and, most importantly, knowing how they can be mitigated in the first place. Risk-based vulnerability management programs and maturity models help security teams to understand what and where your IT assets are, how you respond to make critical fixes and patches, and how to set the stage to prevent these threats at the onset.

I like to enforce KPIs within two main metrics, “mean time to discover” and “mean time to respond.” The “discover” phase looks at how long it takes incident response to discover an anomaly or a breach, and helps you understand post-mortem what your dwell time was and how quickly the team was able to identify it. Actions that focus on operational cybersecurity, counter hacking, and incident response will make the difference between the living and the dead in the event of a breach. The “respond” phase is, of course, how quickly a team was able to counter the measures engaged. If you’ve taken these two metrics into account, you’re on your way to providing actionable response items and setting up success metrics that can be easily communicated across business functions (and perhaps most importantly, your board of directors).
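The two KPIs described above are straightforward to compute once a post-mortem has pinned down three timestamps per incident: the attacker’s earliest known activity, the moment the SOC opened an incident, and the moment containment was confirmed. The following is an added example, not code from Veeam or from the interviewee; the incident records in it are constructed, hypothetical data, and the field names (first_activity, detected, contained) are this example’s own convention. Time to discover is detection minus first activity (the dwell time); time to respond is containment minus detection. An incident that is still open contributes to dwell time but not to response time, and reversed timestamps are rejected rather than silently producing a negative duration.

```python
"""Mean time to discover (MTTD) and mean time to respond (MTTR) from
incident post-mortem timestamps.

Added example with constructed (hypothetical) incident data.
"""
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional

# Constructed sample incidents (not real data). ``contained`` is None while
# an incident is still being worked, so it has a dwell time but no response
# time yet.
INCIDENTS: List[Dict[str, Optional[str]]] = [
    {"id": "INC-001", "first_activity": "2021-03-01T02:10:00",
     "detected": "2021-03-01T09:40:00", "contained": "2021-03-01T11:10:00"},
    {"id": "INC-002", "first_activity": "2021-02-20T18:00:00",
     "detected": "2021-03-05T18:00:00", "contained": "2021-03-07T06:00:00"},
    {"id": "INC-003", "first_activity": "2021-03-10T08:00:00",
     "detected": "2021-03-10T08:30:00", "contained": None},
    {"id": "INC-004", "first_activity": "2021-03-12T22:00:00",
     "detected": "2021-03-13T04:00:00", "contained": "2021-03-13T06:30:00"},
]


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp, passing None through for open incidents."""
    return datetime.fromisoformat(value) if value else None


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def dwell_hours(incident: Dict[str, Optional[str]]) -> float:
    """Time to discover: earliest attacker activity -> SOC detection."""
    first, detected = _ts(incident["first_activity"]), _ts(incident["detected"])
    if detected < first:
        # A detection timestamp before the first attacker activity means the
        # post-mortem timeline is wrong; refuse rather than report a negative dwell.
        raise ValueError(f"{incident['id']}: detected before first activity")
    return _hours(detected - first)


def response_hours(incident: Dict[str, Optional[str]]) -> Optional[float]:
    """Time to respond: detection -> confirmed containment; None if still open."""
    detected, contained = _ts(incident["detected"]), _ts(incident["contained"])
    if contained is None:
        return None
    if contained < detected:
        raise ValueError(f"{incident['id']}: contained before detected")
    return _hours(contained - detected)


def kpi_summary(incidents: List[Dict[str, Optional[str]]] = INCIDENTS) -> Dict[str, float]:
    """Return MTTD/MTTR in hours plus medians and the open-incident count."""
    dwell = [dwell_hours(i) for i in incidents]
    resp = [r for r in (response_hours(i) for i in incidents) if r is not None]
    return {
        "incidents": len(incidents),
        "open_incidents": len(incidents) - len(resp),
        "mttd_hours": mean(dwell),
        "median_ttd_hours": median(dwell),
        "mttr_hours": mean(resp) if resp else float("nan"),
        "median_ttr_hours": median(resp) if resp else float("nan"),
    }


if __name__ == "__main__":
    for key, value in kpi_summary().items():
        print(f"{key:>18}: {value:.2f}" if isinstance(value, float) else f"{key:>18}: {value}")
```

The summary reports the median alongside each mean on purpose: in the sample data one incident with a 13-day dwell time pulls the mean time to discover to about 81 hours while the median stays under 7, and that gap is exactly the kind of thing a board slide should show rather than hide.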

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? There’s an ongoing “war on talent” in security. Everyone is trying to hire the same people, and the most critical roles that security teams need, like operational cyber logging, monitoring, and response teams, are the most difficult to fill with experienced people. I sincerely feel that starting young and promoting long-term careers in cybersecurity is one way to try and close this skills gap. I always try to advocate for strong internship programs at each of my companies, to grow this young talent from within and allow them real opportunities to contribute to the work and learn on the frontlines. There’s also something to be said for being a strong recruiter and being able to poach talent from other organisations, but I’ve found where you get the most return and the most talented group of folks is with internal growth opportunities.

Cybersecurity is constantly changing – how do you keep learning? I read constantly and stay close to my security practitioners, who are always teaching me new things.

What conferences are on your must-attend list? VeeamON 2021.

What is the best current trend in cybersecurity? The worst? The best trend, I think, remains a focus on the fundamentals. So many companies don’t have the focus on the foundational elements because they are dazzled by the trends before they are ready for that advanced stage of security. Basic things like understanding the qualities and capabilities of your cloud service providers and what they offer for security are overlooked or given a mass assumption that you’re completely protected. This is especially evident after a company has its own security breach or threat: you truly need to start from scratch and make fundamental changes before you’re ready to advance and progress your security posture.

I would consider the “worst” trends to be those that fall into the bucket of “sexy” security trends like security in AI and machine learning, automation, things like that. We’re making some true progress and innovation in this area, much of it to do with the pandemic putting remote environment capabilities into overdrive, but I also think it’s true that without a mastery of the fundamentals, it’s harder to grow into the more advanced technologies.

What's the best career advice you ever received? I got my start in the military, where there’s a big focus on command and control over the chain of command. In the world of tech and cybersecurity, it disrupts our ability to respond. It was my mentor Luke McCormack who told me to “forget that bull sh*t before I got into trouble,” and he was right! You should trust that you’re surrounded by a great team with smart people, and to be successful you must find a way to find paths of communication and escalation with the bosses. And on the flip side, you’ll be surprised what you may learn from your entry level employees.

What advice would you give to aspiring security leaders? I pass along that same advice from Luke to young professionals I meet. Letting go of this notion of the chain of command will allow young professionals to become more collaborative, and your teams will be better for it. Do not shy away from raising your hand, offering your skillsets and collaborating for the greater advancement of your team.

What has been your greatest career achievement? My promotion into the Senior Executive Service in 2011, after serving as the Associate CIO for the Department of Energy. Not to take away from any of my current work in the private sector, but I loved my time in government, serving my country with a job that made me feel like I could take on the world.

Looking back with 20/20 hindsight, what would you have done differently? Looking back, I’m not sure if I would have pursued my time as a cop. Ever since I was a kid I dreamed of being a policeman – I wanted to be the guy who showed up when you called 9-1-1. I pursued the job for nine years after I got out of the military, but looking back today I’m not sure it was what I truly wanted to be doing. Even though I love serving my country and being a part of emergency response, the line of work I’ve found today in cybersecurity and government IT is where I’m meant to be.

What is your favourite quote? From the movie Deadpool: “I’m about to do to you what Limp Bizkit did to music in the late ’90s.”

What are you reading now? Empire of the Summer Moon by S.C. Gwynne.

In my spare time, I like to… Be a hockey dad to my 15-year-old.

Most people don't know that I… Love to cook.

Ask me to do anything but… The dishes.