Secret CSO: David Stapleton, CyberGRX

What roles or skills are you finding the most difficult to fill? “…the most difficult candidates to find are true generalists who have a broad range of experience and skills across multiple technology platforms. For a small business this is necessary as we cannot afford to hire a large team of specialists.”
Name: David Stapleton

Organisation: CyberGRX

Job title: Chief Information Security Officer (CISO)

Date started current role: November 2019

Location: Denver, CO

David Stapleton is a cybersecurity professional with more than a decade of experience in both the public and private sectors. Stapleton has led risk and compliance teams at the Food and Drug Administration (FDA) and the Indian Health Service (IHS) and contributed to the design and implementation of the Federal Risk and Authorization Management Program (FedRAMP). Stapleton is currently the CISO at CyberGRX, a third-party cyber risk management company located in Denver, Colorado.

What was your first job? My first job, and most important job, was helping to raise my four younger brothers. But my first paid position was as a clerk at a regional library in the Northern Virginia area. I’d volunteered there for some time and they offered me a part-time position. I’ve always been a voracious reader and spent a lot of time in the library anyway, so it seemed like a dream job.

How did you get involved in cybersecurity? I’d been working in accounting in the Washington DC area for several years and knew that it wasn’t a good fit for me. A friend of mine was hiring for an entry-level security analyst position and was willing to give me an opportunity to make the transition. I committed every waking moment those first six months or so to bringing myself up to speed on the basics and have been learning every day since.

What was your education? Do you hold any certifications? What are they? I graduated from Averett University in Virginia with a bachelor’s degree in Business Administration. My cybersecurity education came primarily from self-study, on the job training, and specific course work. I have held a Certified Information Systems Security Professional (CISSP) certification since 2012.

Explain your career path. Did you take any detours? If so, discuss. As mentioned above, I was heavily focused on business and traditional business roles (e.g. accounting). My opportunity to enter the cybersecurity sector opened my eyes to an industry that I’d been largely ignorant of until that point. Since then I’ve applied myself to learning and executing in this space, but never lost some of the skills and inclinations that I gained in college and my earlier professional positions. As a result, I became a sort of business-oriented security nut, which made me particularly well qualified for certain types of roles in cybersecurity, namely management roles. I moved fairly linearly from analyst, to team lead, to director, and now CISO across several public sector and private sector organisations.

Was there anyone who has inspired or mentored you in your career? Too many to count! I’m a big believer in the power of mentorship so I actively sought out opportunities, particularly any time I moved from one role to the next.

What do you feel is the most important aspect of your job? Communication, by a long shot. As a CISO, I may have a deep, technical understanding of a particular security risk, but if I cannot communicate those risks effectively, to various audiences, I am unlikely to be successful in my role.

What metrics or KPIs do you use to measure security effectiveness? Our security program is based on an understanding of our assets, their criticality, threats to those assets, and vulnerabilities associated with those threats. One metric is the frequency of our threat analysis, to ensure that we are always prioritising the right security safeguards. Another critical aspect of our security posture is the education and preparedness of our staff. So we track our ability to perform security awareness training on a regular basis and test the effectiveness of that training with initiatives like internal phishing campaigns.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We run a fairly lean team and have had the good fortune to be able to hire from within, so the shortage has not had a direct impact on us. In general, the most difficult candidates to find are true generalists who have a broad range of experience and skills across multiple technology platforms. For a small business this is necessary as we cannot afford to hire a large team of specialists.

Cybersecurity is constantly changing – how do you keep learning? My favourite way to learn is by interaction with colleagues. I learn something new almost every day from my own team. We are all curious problem solvers so as a unit we are gaining new understanding constantly. I also read several cybersecurity related articles a day in publications like The Hacker News, Threat Post, and from resources highlighted by my peers on platforms like LinkedIn and Twitter.

What conferences are on your must-attend list? Black Hat, DefCon, and RSA are the most prominent. However, I find that the networking that occurs between sessions is the most valuable part of those events. For that reason smaller events like the Rocky Mountain Information Security Conference (RMISC) can provide a more intimate setting for really getting to know other security professionals.

What is the best current trend in cybersecurity? The worst? This is a bit of a cheat answer, but I think innovation is the best current trend, and has been for some time. Our adversaries are innovating constantly and we have to match or beat their innovation with our own. This extends to all areas of cybersecurity: new ways to train employees, using myriad public data sources to create profiles of specific threats, leveraging ML to better identify zero-day attacks. The worst trend is unnecessary marketing spin and the use of buzzwords when selling new security products. I sincerely wish that marketers would speak to us using plain language rather than trying to jam every eye-catching phrase they can into a one-sentence product description.

What's the best career advice you ever received? “Understand and speak the language of business and you can write your own ticket.”

What advice would you give to aspiring security leaders? Recognise that security is a vast field and you have so many opportunities and directions to explore. Don’t feel pigeonholed into the focus area where your security career began. Despite the temptation, never lose sight of the ultimate goal of security, which should be to enable our businesses. It is far too easy to get into a “secure everything at all costs” mindset, which is antithetical to our true goals.

What has been your greatest career achievement? Facilitating the growth and success of other professionals. As a manager I feel one of my primary responsibilities is to ensure that my staff are not only doing what I need them to do, but also doing what they need to do to best progress their own career. I love to see a teammate set a personal achievement goal for themselves and then crush it. It is particularly rewarding if/when I can be a part of that success.

Looking back with 20:20 hindsight, what would you have done differently? I would have gotten involved in cybersecurity far sooner! This field changes quickly but almost always builds upon its previous iteration. Having some of the knowledge and experience that my more tenured colleagues possess would be quite powerful.

What is your favourite quote? “There is a pleasure in the pathless woods, / There is a rapture on the lonely shore, / There is society, where none intrudes, / By the deep sea, and music in its roar: / I love not man the less, but Nature more” - Lord Byron

What are you reading now? Centennial by James Michener. I feel like it is a quintessential book to read for any CO resident.

In my spare time, I like to… hike, backpack, rock climb, kayak, watch movies, read comic books.

Most people don't know that I… was home-schooled from the fifth grade through high school.

Ask me to do anything but… repetitive, mindless work.