Secret CSO: George Gerchow, Sumo Logic

Name: George Gerchow

Organisation: Sumo Logic

Job title: Chief Security Officer

Date started current role: March 2015

Location: California

George Gerchow brings 18 years of information technology and systems management expertise to the application of IT processes and disciplines. His expertise impacts the security, compliance, and operational status of complex, heterogeneous, virtual and cloud computing environments. Gerchow is a highly-regarded speaker and panelist on topics including virtualization, ITSM/ITIL, configuration management, cloud secure architecture design, operational security, and compliance. He holds CISSP, ITIL, Cisco, and Microsoft Certifications, and is also the co-author of CIS Quick Start Cloud Infrastructure Benchmark v1.0.0.

What was your first job? My first job was as a tour guide at the Air Force Academy when I was 16 years old.

How did you get involved in cybersecurity? I initially started out as a network engineer which was prior to there being dedicated roles for security at the time, so I was often pulled in to help automate patching of servers and other security functions.

What was your education? Do you hold any certifications? What are they? I achieved a Bachelors in Computer Networking.

I used to hold a CISSP, MSCE, CCN and ITSM but have since let those certifications lapse. They definitely have their value, but perhaps more so earlier on in your career and to demonstrate niche areas of interest.

Explain your career path. Did you take any detours? If so, discuss.  The road to CISO or CSO is always so unique for each individual. I started out as a network engineer for a company called Logicon (later acquired by Northrup Gruman) where we designed pilot training software for a plane called the T2 Texan. My responsibility was to build, secure and support the infrastructure for the software in addition to some lightweight COBOL coding.

After the company was acquired, I joined one of the largest credit unions in the United States as a technical architect where I was responsible for modernising their systems and moving their data centers. A lot of my focus in this role was security related including; patching, maintaining firewalls, creating policies and procedures around change management, access control and other critical items required by a financial institution.

From there I moved to my first software-based role for an amazing security company called “Configuresoft”. This role in particular was life changing as I held so many different roles, including; Federal SE, WW SE Manager, Product Manager for Security, and later TAM in Europe where I mainly focused on the UK, Germany, Copenhagen and Spain. As the company prepared to be acquired by EMC, I then moved into a business development role to train our new owners around how to use and sell our software. After the acquisition, I briefly held the title of CTO before we were acquired again by VMware. I then moved between the two companies in various security related roles where I co-founded the Center for Policy and Compliance.

I then followed our CEO Ramin Sayar to Sumo Logic as I wanted to work for a cloud-native based company around six years ago, now the rest is history.

Was there anyone who has inspired or mentored you in your career? I’ve been fortunate to have quite a few throughout my career including Bill Riley, the CEO at Logicon, Randy Streu who was the Vice President of Product at ConfigureSoft, Boaz Chalamish (GM at VMware) and most recently Bruno Kurtic and Ramin Sayer at Sumo Logic. These folks were key to my growth where they provided an open door, open heart and tough love when I needed it.

What do you feel is the most important aspect of your job? Managing and supporting people is definitely the most important aspect of my job. I try to make sure my team and those around me have a good work life balance as I know how it can affect people’s mental health. I take responsibility for helping everyone balance both the rigor of working for a software company as well as taking care of themselves and their families.

What metrics or KPIs do you use to measure security effectiveness? That’s a great question, and I believe that transparency is everything. Personally, we set strategic yearly goals that align to our company strategy and then take the tactical tasks that are required to meet those goals and measure them quarterly. The detailed progress is shared with EStaff on a weekly basis and highlights exactly where we are at with meeting our objectives.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Thankfully, this doesn’t affect our business because we’re rarely looking to hire traditional security professionals. We like to hire developers and DevOps professionals, or even those with prior military experience, and this has served us really well thus far.

I think most security leaders look in the wrong places. I care less about direct, relevant experience and instead look for those with talent, ambition and the right work ethic - they can learn everything else. 

Cybersecurity is constantly changing – how do you keep learning? Lots of listening and reading across industry news publications, social media, IANS executive updates and talking to developers helps me stay up to date.

What conferences are on your must-attend list? Of course, I’m biased and would suggest Sumo Logic’s own Illuminate user conference, but also AWS ReInforce, RSA, Black Hat and BSides.

What is the best current trend in cybersecurity? The information sharing among the community is the best trend I can see right now. We are getting to an era where we share information about vulnerabilities or potential threats amongst security leaders and even our competitors. This kind of transparency presents a wonderful opportunity to help us keep pace with bad actors.

The worst? Those organisations who are still operating with an old school ‘ivory tower’ mentality of saying no, siloed information and relying on a culture of fear. Sadly this still exists and just serves to create instances where employees are afraid to report mistakes or potential issues due to fear of repercussions.

What's the best career advice you ever received? Do the tasks that nobody else wants to do. Listen as much as possible, and never stop learning.  

What advice would you give to aspiring security leaders? Focus on three things:

1. Learn the business of the company you work for inside and out
2. Try to foster a technical breadth of knowledge
3. Learn how to evangelise your strategy and align it closely to the business objectives

What has been your greatest career achievement? What I’ve achieved here at Sumo Logic - I built and serve a world-class security and compliance team. We created a SOC from the ground up leveraging a modern security architecture and a compliance and audit team that focuses on industry regulations (PCI, FedRAMP, SOX, ISO, SOC2, CSA Star). It was tough in the beginning. Then we went through an IPO during the pandemic which had its own challenges, but it has been rewarding at the same time. 

Looking back with 20:20 hindsight, what would you have done differently?  I wish I had been more open minded towards different kinds of talent early in my career as a manager. I was initially looking for people who could replicate my own skill set but I instead should have been more creative to find different kinds of talent that could bring a new perspective or approach.