Secret CSO: Peter Albert, InfluxData

Is the security skills shortage affecting your organisation? “I find this skills shortage to be a myth.”


Name: Peter Albert

Organisation: InfluxData

Job title: CISO

Date started current role: 2019

Location: San Francisco

Peter Albert is the Chief Information Security Officer at InfluxData, where he is responsible for leading a diverse information security and IT risk strategy. With more than 30 years of security experience, Albert has previously held senior roles as Security Advisor at IOActive, Director at Guardian Analytics, VP of Engineering at iPass and VP of Ops at Qualys where he was responsible for overseeing the expansion of the company’s global SaaS infrastructure and worldwide security operation centres (SOCs).

What was your first job? My first tech job was a summer job at the age of 15, managing a database for a computer-based training start-up in Silicon Valley.

How did you get involved in cybersecurity? My grandfather was an NSA hacker back in the day as well as a mathematician at the University of Chicago. This was between WW2 and the Cold War so in addition to teaching math he was also secretly helping to develop the crypto capability for the NSA, cracking codes and developing technology to encrypt data. He actually gave a talk to the National Science Foundation back in 1941 called Some Mathematical Aspects of Cryptography that really helped to develop the field of cryptology and cryptanalysis (code cracking).

My father had a similar background as both a physicist and a programmer; he wrote code for the cyclotron at Fermilab which is a particle accelerator and developed computer science courses, amongst other things. And my big brother was a UC Berkeley Computer Science Grad. I guess you could say, surrounded by all this tech and growing up in Silicon Valley, in the Bay Area, it was pretty inevitable I would get into this industry.

I first got interested in cybersecurity as a kid when I was about 12 years old and started learning to program. My brother had an internship at Tymnet. He left his acoustic coupler (old modem) at home with connection details, and off I went; but really got into it as a profession about 25 years ago when the company I was working for had a data exfiltration compromise and we spent a year on the investigation and remediation work. This is also a time in my life when I started meditating.

What was your education? Do you hold any certifications? What are they? I have a degree in Computer Science from West Valley College and bags of certifications, including from SANS Institute, Cisco, Sun, Oracle and Microsoft, et al. That said, it’s been my experience that self-motivation and a drive to investigate on your own can be the best education. When I’ve hired people, and I’ve had the opportunity to interview and hire perhaps hundreds of engineers and technical roles over the years, aptitude and energy are the two most important characteristics. Education and experience may be useful metrics, but can the person learn new things easily and do they have that drive or spark of life which can be focused to do great things - aptitude and energy - are far more valuable.

Explain your career path. Did you take any detours? If so, discuss. I consider my career path to be more random than goal oriented. I basically followed the path that revealed itself before my eyes and had a lot of great experiences along the way. Growing up in Silicon Valley and having access to all of the education and companies in the region, it always seemed probable that I’d work in the tech industry. I started in tech as a teen, doing random things for small startups. At one point, I was working as a hardware technician for a company that made printers for banks. My next job after that was at a spinoff of Apple that was helping OEMs with peripherals and utilities for the first generation of Mac.

After this early start in tech, I needed a break, so in my 20s, I moved off grid to the Mojave Desert and learned about introspection and scorpions, and started working as a high voltage electrician for a few years, which included performing risk assessments and testing of power distribution lines. I then moved back to the Bay Area about 25 years ago and have been working in tech in different capacities ever since, but often either directly or indirectly involved with the security industry.

At first, I spent several years playing with PBXes (phone switches) at a telecommunications company; then went to an absolutely amazing company called General Magic which created technology that the world is only now catching up on. Next I spent a small lifetime (11 years) at a remote access company called iPass where we had a global authentication network and had to deal with a lot of Internet fraud from various parts of the world; this is actually where I met Evan Kaplan, the CEO of InfluxData, and I really liked working with him. He is an inspirational leader who enables people with tremendous opportunities. Then I went to Qualys, a cloud security company where I was focused on network vulnerability scanning. I also had a great time and learned a considerable amount about the security space working at a professional hacking company called IOActive for several years with some very talented people who can reverse engineer firmware, hack airplanes, and open ATMs with a ballpoint pen. Now I’m back working with Evan again at InfluxData.

Was there anyone who has inspired or mentored you in your career? Hundreds of people! My father for one, my brother Roy as well has helped me considerably in my tech career. And Ms. Rachlin, my 7th grade teacher who taught me how to code. In terms of industry luminaries, definitely the early Apple crew (especially the Woz and Bill Atkinson), and Dave Cutler from DEC who wrote the VMS kernel. Paul Dix, the CTO and co-founder of InfluxData, is an inspirational technical leader too. He has developed a strong engineering culture which is reflective of Paul — a strong technical ethic and committed to high standards. Paul walks the walk, he’s actually built a product, not just like a website but a core infrastructure component, the database. And he’s still at the company, actively involved in guiding the future. And that’s attracted a lot of very talented technical people to the company. Again, having lived and grown up in this region, I’ve had the opportunity to know and work with really smart people who have taught me many, many things over the years. Too many to name. One can never stop learning in such an environment.

What do you feel is the most important aspect of your job? For me, this is about continuing to find ways to embed security in a more effective way across and within an organisation, rather than building a giant security organisation and bolting it on the side. This includes actively participating with cross-functional teams and projects, constant communication, collaboration and training of both the general employee base and also the technical staff on security best practices, such as secure coding and threat modelling. And eliminating the unhealthy and unnecessary tension that can sometimes be created between siloed security teams and the rest of the org, by having security become part of the org.

What metrics or KPIs do you use to measure security effectiveness? At a very high level, the end user experience is the measure of success for the business. It all comes down to this single metric — did the user have a good experience or not? If we get compromised for example, that’s not a good user experience. Ultimately though, security metrics really boil down to issues found, and issues fixed. An issue can be an organisational risk such as a missing review process for new vendors, or it can be a vulnerability in a piece of code in the product base; these can be very high on the organisational, ontological stack and also very low in the complex technical weeds. We need to figure out where all these issues measure up, what really matters, and what to fix and in which order.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I find this skills shortage to be a myth. There’s certainly a gap, there’s always a gap. Working in security is basically living in the gap. But security shouldn’t be a separate thing, and you don’t have to fall on your sword just because you don’t have a big security org. Security should be baked into every aspect of the stack and I think this is what’s missing at some organisations. That means you have to roll up your sleeves and participate with the rest of the company. Then, the entire company becomes the security team.

Another thing that is missing, which isn’t necessarily a skill, is a mindset for security and risk. One of my previous bosses referred to this as “enabling the evil bit.” Most developers or people who write code and create applications tend to be good people and are focused on building cool and useful things. It might not even enter their minds that other people are thinking about how they can destroy or subvert things. We don’t want everyone freaked out all the time but it’s important to have the mindset and awareness of threats being a possibility so that precautions can be incorporated at every level.

Cybersecurity is constantly changing – how do you keep learning? I don’t really think it’s changed that much fundamentally. Most break-ins happen the same way - stolen credentials, social engineering, or common vulnerabilities in unpatched software that get exploited, etc. What has changed is our level of vulnerability due to societal changes - the attack surface is everywhere now. We have drones that deliver pizza and robot helicopter taxis. Companies have 100 clouds in their supply chain. Everyone has multiple devices and subscriptions to services, networks and cloud connections, and each one of these is a target. But human nature hasn’t changed - there will always be bad actors who get in the way of business, and consequently, life. It’s the scope of the attack surface that has changed. I heard Elon the other day talking about installing chips in people’s heads to deal with certain medical conditions and just thought, “do I really need to expose my brain’s API with a wireless connection?”

What conferences are on your must-attend list? I really like CanSecWest, a conference that takes place in Vancouver every year and focuses on applied digital security; and hardwear.io which is a platform for the hardware and security community. And if you are ever in SF for RSA and need to escape the blinky lights per square inch contest, walk across the street to B-Sides conf and meet some real people.

What is the best current trend in cybersecurity? The worst? Incidentally, the word “security” comes from the Latin “securus” — se- ‘without’ + cura ‘care’. The word literally means “without care or concern”, but when it comes to security in tech, you have to care about everything. All the trends. All the threats. All the blinky lights.

Contrast that with meditation, where the goal is to control thoughts in the mind, and eliminate cares and concerns altogether. Hacking the mind is a greater challenge than hacking technology.

The best current trend... what comes to mind is bug bounty. The popularisation and rewarding of independent security researchers who find vulnerabilities in your company or product. That’s a really cool thing, that what used to be illegal is now being seen for the value it brings to companies and people. Maybe not just the concept of bug bounty, but the endorsement of ethical hacking techniques in general as a control in the service delivery lifecycle; but bug bounty is a good example of that.

Another current trend is the use of time series data in the security nomenclature. We’re talking about the ability to detect security events in a timely fashion across a very broad attack surface. SIEMs have grappled with this issue for years, but they are based on older methods of data collection, storage and correlation. This is where InfluxDB and other TSDB implementations have an interesting role to play in the future of security monitoring as natively storing events in a time series format from multiple assets would take a lot of manual work out of forensics and incident management workflows. That’s another reason I was interested in coming to work at InfluxData, where we can build our own security tools on top of our own platform. More to come on that.

The worst? Security used to be more fun. Now it’s become a big business, and organisationally it’s become a separate entity from the rest of a company or project, rather than doing what we were already doing - just a little more thoughtfully.

What's the best career advice you ever received? Being a little bit stressed is ok. And that if someone opens the door for you, walk through it. Don’t wait to be carried.

What advice would you give to aspiring security leaders? Be patient. And learn to meditate. Get your code reviewed. Hire people who are smarter than you are.
