Secret CSO: Debby Briggs, NETSCOUT

What do you feel is the most important aspect of your job? “… the role of security is much like a set of brakes on a car, providing safety even at high speeds, mitigating risk without obstructing all forward motion, unless necessary!”


Name: Debby Briggs

Organisation: NETSCOUT

Job title: CSO

Date started current role: Started at NETSCOUT June 2004 become CSO in 2008

Location: Westford, MA, USA

Debby Briggs has more than 25 years of experience in cybersecurity and has been with NETSCOUT for the last 17 years. Prior to joining NETSCOUT, Briggs held various network administrator and IT infrastructure roles with leading companies, including RSA, Healthsource and GTE. She holds an MBA from Southern New Hampshire University, a CISSP, and a BS in computer science. Debby is also a patent owner for technology using trust profiles for network breach detection.

What was your first job? I started my career as a service desk professional at GTE Government Systems where I was responsible for supporting PCs and teaching DOS!  Does anyone even know what this is anymore?  This led to managing technology initiatives supporting email, server and network infrastructure.

How did you get involved in cybersecurity? I transitioned into cybersecurity while at RSA Security in the late 1990s. I was hired to deploy their frame relay network worldwide.  I was brought into security after RSA experienced a malicious DNS redirect, and my team ended up being responsible for administering the firewalls after the incident. 

What was your education? Do you hold any certifications? What are they? I hold an MBA from Southern New Hampshire University, a CISSP, and a BS in computer science from the Massachusetts College of Liberal Arts.  If I ever go back to school for a PhD, I would like to get a doctorate in organisational design. I am fascinated by people and how they interact together.

Explain your career path. Did you take any detours? If so, discuss. My career path has been about finding the right opportunities and being willing to take risks.  When LAN Manager and Microsoft’s first version of email was coming to GTE, I volunteered to get it implemented, and haven’t stopped raising my hand for new projects and opportunities since!  There haven’t been any detours for me. I had a plan and found the opportunities to get me there; taking jobs that gave me opportunities and choosing great managers and mentors to guide me.

Was there anyone who has inspired or mentored you in your career? Everyone has a mentor or someone that inspired them. My first manager, Peg McCarthy at GTE, demonstrated how women in a male-dominated field could be successful. She inspired me to persevere in my own career and was instrumental in the development of my own leadership style. She inspired me to never let gender play a role in work assignments. 

What do you feel is the most important aspect of your job? The most important aspect of my job is being a business enabler. Using an automobile analogy, I like to think of cybersecurity as the brakes on a car, and the guardrails on the roads.  I view cybersecurity as the “brakes that allow the enterprise to go fast.” In other words, the role of security is much like a set of brakes on a car, providing safety even at high speeds, mitigating risk without obstructing all forward motion, unless necessary!  And, much like a guardrail, security is also there when needed to provide guidance and ensure safety.

I’m also passionate about protecting the 2,600+ employees that work for NETSCOUT, and leveraging their talents in turn to protect NETSCOUT. Often employees serve as the best “human firewalls” security teams can employ! I view it as my responsibility to be an awareness coach for our people, while taking the time understand and secure business processes that help us advance our business around the world. As a security leader, I have the unique opportunity to provide feedback on how companies can leverage the network packets data that we all have, harness it to be used within for cybersecurity.  We all know the statistics on dwell time for malware and that dwell time and nefarious traffic is see at the network level.  The industry is always talking about how many security tools that we have, and that some or just shelfware, instead of having to add a new tool, security teams can repurpose the tools and data that their networking brethren are already using.  

Outside of my “day job,” I take my job as a role model to young girls very seriously. I use my talents to give back to the area communities where I live and work.  Getting young girls interested in STEM, and, if I am lucky, interested in cybersecurity careers, is one of the most important aspects of my job in the “external” world. Our industry is desperately aware of the cybersecurity employee shortage. My contributions to the community are just one small way I can actively work to improve the number of talented people we get into the field.

What metrics or KPIs do you use to measure security effectiveness? The most meaningful KPI to me is the number of teams asking for your advice. Over the years, I have found that if people aren’t asking, they’re working around you. If a company’s CSO and cybersecurity organisation becomes the department of “no,” you’re less likely to be invited to participate in open dialogue that would help protect the very business you’re trying to enable. It’s important as CSO that you collaborate with teams, earn their trust and respect. For a true KPI, I recommend having an SLA for fixing vulnerabilities, which includes reporting to management of those addressed within and outside of those agreements, giving a clear picture of where the risk windows remain open.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Thanks to Boston traffic, the security skills shortage outside the city is not as bad. Because of NETSCOUT’s Route 495 location, great work environment and number of universities in Massachusetts, we have great access to top young talent. The talent hardest to find is for roles that require years of experience in a cybersecurity specifically, with insight as to how security is a critical element of enabling the business. All cybersecurity leaders should start looking inside for talent in different departments.

Cybersecurity is constantly changing – how do you keep learning? I am a life-long leaner. I read the news every day about current happenings in the cybersecurity community and follow key influencers on Twitter to keep up with the industry dialogue. I havefound peer to peer learning is critical. I’ve also considered taking cybersecurity classes on-line as a means to compare notes between classroom teaching and real-world application. 

What conferences are on your must-attend list? Personally, I prefer smaller conferences that allow me to network with peers, with only a small number of security vendors such as Secureworld Boston. Cybersecurity professionals should join their Infragard local chapter, this provides you the opportunity to meet some of your local FBI agents.

What is the best current trend in cybersecurity? The worst? Zero Trust is the best and worst trend in cybersecurity. Every security vendor claims to have the answer for zero trust. Zero trust is not one thing. That is the worst part. True Zero Trust will allow networking and security teams to work smarter, not harder. The most Zero trust tools will take the rich data sets that we already have, and augment them in ways that speed interpretation, providing better analytics to IT and faster implementation, providing more accurate prevention or better incident response.

What's the best career advice you ever received? Don’t ever put something in email that you would not want on the front page of the newspaper! 

What advice would you give to aspiring security leaders? You reap what you sow.  If you are a respectful, challenging, and inspiring leader, your team will be the same. Look for talent in unusual places. I have found that drive, willingness to learn and motivation trump any debate over a particular degree. My second piece of advice is to get top-down support for your security initiatives and buy-in for security as a business enabler.

What has been your greatest career achievement? I am most proud of being awarded a patent with Anil Singhal, CEO of NETSCOUT as a co-inventor for using trust profiles for network breach detection.

Looking back with 20:20 hindsight, what would you have done differently? Back in the late 1990’s when network-based email was taking off, I should have invented SPAM filtering and email analytics!

What is your favourite quote? All I really need to know I learned in kindergarten” - Robert Fulghum.

What are you reading now? I just finished Countdown To Zero Day by Kim Zeiter. Do not read this book in the evenings and expect to be able to sleep.

In my spare time, I like to… participate in team volunteer projects at NETSCOUT. It’s a great way to meet fellow employees and learn how non-profits respond to community issues. I would ask that anyone in the security space to find a local non-profit and offer them some of your time. During the course of the last nine years, I’ve been part of 33 team projects. My goal is to volunteer for at least 40!

Most people don't know that I… I used to be a shy person and was afraid to talk in front of others.

Ask me to do anything but… attend another web meeting! I cannot wait to get back to in person meetings.