Secret CSO: Ross Hosman, Drata

What conferences are on your must-attend list? “I really like conferences that get security people thinking about how they can help their engineering counterparts go faster in a secure manner; AWS:Reinvent, Kubecon would be great ones...”


Name: Ross Hosman

Organisation: Drata

Job title: CISO

Date started current role: July 2021

Location: Colorado

Ross Hosman has spent his nearly 20-year career working in a variety of technical and leadership positions across the security space. Currently CISO of Drata, a technology company leading in security and compliance automation, Hosman brings his decades of experience to growing the company's own security program as well as providing current Drata customers with relevant support and expertise. Hosman also spent time as JPMorgan Chase’s Head of Cloud Security, building out an automation-focused security strategy for one of the largest financial institutions in the world. Hosman is a member of Silicon Valley CISO Investments, an angel investment syndicate made up of the world's leading CISOs.

What was your first job? My first job was detasseling corn in the fields of Iowa on a farm wage, which is less than minimum wage. You often start work at 4:30 a.m. (when the sun is still rising) - you’re driven to a field in the middle of nowhere, and you just start working, which means walking down mile-long rows of corn and pulling the tops out of them. I specifically remember getting drenched in all the dew that appears each morning, and how cut up my hands would be when I initially started the job. Some days I just hated it and wanted to quit, but I would just start daydreaming about what my life would be like in the future and that powered me through.

My first real professional job was very confidential, as I did information protection for a military contractor.

How did you get involved in cybersecurity? I have been in cybersecurity and cloud/hosting for a long long time. I was drawn to security for my love of problem-solving. There’s nothing like figuring out a problem that no one else can solve - security is one big problem to solve and it is a challenge I welcome every day.  

When I’m thinking of providing a security solution to the business, I actually reverse it and think, “If I were breaking into this, how would I do it?” and start problem-solving from there. When you take that approach, you often see the easy vulnerabilities people will try to exploit instead of just trying to over engineer a solution from a security perspective. It reminds me of the well-known XKCD Comic (#538) - a team of security engineers create this security solution and the attackers’ solution to bypass it is to just make the end user give them their password by physical force (via a $5 wrench).  

What was your education? Do you hold any certifications? What are they? I’m an AWS Solutions Architect and a CISSP. I have college experience but when it comes to security, the bulk of my knowledge comes from being self-taught and what I learned from my career thus far.

Explain your career path. Did you take any detours? If so, discuss. While I didn’t take detours, I worked in cybersecurity for a variety of companies - from networking technology, education, to financial services. It’s given me a broad perspective across the market and different needs of each industry. I’ve been able to bring that experience with me to Drata and help our customers’ security and compliance needs across the board. I was at one of the largest financial services companies in the world and now I’m at a fast-growing startup - while they’re completely different in speed and size, the skills I acquired throughout my career are essential to both organisations.

Was there anyone who has inspired or mentored you in your career? I’m so lucky to have some great mentors in my life that, without them I wouldn’t be where I am today. Mark Buchanan was my direct leader at Savvis and he is just an incredibly smart and talented engineer. He often pushed me well past my comfort zone in the engineering work I was doing and the problems I had to solve. Without his guidance, I don’t think I’d be half as technical as I am today. The other mentor was Savvis CISO Don Betier, who is one of the best people you could ever meet; he radiates positivity and confidence. He helped me a lot with the people problem-solving skills which is a critical part of your job in cybersecurity, and sometimes it can be the hardest.

What do you feel is the most important aspect of your job?  There are a lot of things that you have to do as a CISO but I’d say three of the most important are communication, relationships, and hiring.

  • Communication - Explain the WHY and take feedback. People are usually okay with what you are doing if you can explain why you are doing it and it makes sense.
  • Relationships - Your peers need to have trust that you are doing the right thing for the company. You need to build those relationships and show them what you all are doing and why so they understand. Keeping everything secret is not the way to go: share and over share.
  • Hiring - Hire the smart/motivated people, train them to have the same skills as your engineering team, and make their job enable those teams so your business can be successful.

What metrics or KPIs do you use to measure security effectiveness? There are a lot of great security leaders who can give you endless metrics to measure security effectiveness depending on your goals.

I’d like to share another set of metrics that help B2B CISOs show the impact of their security organisation to the business, that’s often overlooked:

  • Number of sales deals you directly brought in (if any) to the business. A CISOs job should also be to help their business and earn revenue, and you don’t have to sell security to do this.
  • Number of customers asking for compliance documents and their respective deal sizes (e.g. 57 SOC 2, 26 HIPAA, etc.).
  • Number of security questionnaires the team filled out, for which company, and their respective estimated deal sizes.
  • Number of sales meetings that security/compliance needed to attend to help close a deal.
  • Number of times security collateral was downloaded or sent to prospects.

Tie these numbers back to revenue and key logos your executive team will remember to really show the impact (i.e. “I helped land the largest chipmaker in the world because I filled out a massive questionnaire, held two meetings and had SOC 2 compliance, which generated $XX in revenue”).

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I don’t believe we have a skills shortage, I believe we have an expectations and investment issue. If you look at other tech roles that involve networking, storage, development, etc., companies are clearly looking for candidates with role-specific skills.  

Security roles are often required to have the general tech skills on top of security, cloud, encryption, etc. This is a high expectation and often related to how we hire and invest in people. We need more generic job descriptions that focus on general experience and professional traits.

For instance, I assess whether candidates are smart and motivated during the hiring process - you can uncover those traits in an interview and determine if they have the right amount of drive you’re looking for in an organisation. It’s not about having 5 years of AWS experience, it’s being able to problem-solve with the cloud provider you do have experience and are most comfortable with. With every interview I conduct, the questions are custom tailored to the individual and their resume to really understand the details of their experience and if they can speak to it on a deeper technical level.  

Additionally, I’ve seen companies silo security folks into a specific area which doesn’t allow them to grow, experiment, and develop their careers. If you’re a security analyst just responding to SIEM alerts all day, it’s hard to gain the knowledge you need to take your career to the next level. Security leaders need to give their employees lab time to experiment, put them in security DevOps teams to work on different projects and problems, and send them to conferences outside of security, such as an event focused on development or containers.

Cybersecurity is constantly changing  – how do you keep learning? For me, the opportunities I have to interact and brainstorm with my colleagues is critical in keeping up with the constant changes in cybersecurity. I’ve helped run the CISO Unconference where a group of CISOs get together and privately share their learnings. It’s been incredibly valuable to get to learn from your peers in a private setting. Being a part of Silicon Valley CISO Investments (SVCI) has also been extremely helpful to me, as I get to see and evaluate the newest technology on the market behind the scenes. It keeps me on my toes.

In addition, the best way to learn is by being hands on. Nothing keeps you updated more with what’s happening on the ground than rolling up your sleeves and getting projects done yourself.

What conferences are on your must-attend list? I really like conferences that get security people thinking about how they can help their engineering counterparts go faster in a secure manner; AWS:Reinvent, Kubecon would be great ones for your security team.

What is the best current trend in cybersecurity? The worst? The best current trend is security teams now really focusing on automation and seeing how it can enable their business. For instance, if you have a cloud account and you know you should never have a public bucket on it, why not have automation that can alert and lock it down within 60 seconds? Go beyond the legacy approach where you assign it to the security team and wait for them to respond, instead use rapid automated remediation to quickly respond in a trustworthy and predictable manner. I believe this is the future of where cybersecurity is headed.

One of the worst trends in cybersecurity is attempting to use legacy solutions to solve issues in the cloud. I’ve seen a number of people in this field refuse to adopt cloud security solutions and it’s a major hindrance to their business.

What's the best career advice you ever received? Some of the best career advice I’ve ever received was from Patrick Opet, Global CISO at JP Morgan Chase & Co. Patrick advised me that it’s ok to take risks as a security professional. You’re in this high-pressure environment where you feel responsible for all things security and any little risk could cause catastrophe; in reality, we take risks every day. For example, at the bank, a mortgage, loan, and credit card are all risks, and millions of decisions are based on these actions every day. Businesses are ok with risks as long as they’re smart, informed risks. That really pushed me to take risks, which was hard to do as I used to be incredibly risk-averse.

What advice would you give to aspiring security leaders? Aspiring security leaders need to know the weight of the world isn’t on their shoulders, and they don’t have to “do it all.” Just because there are security issues at your company, doesn’t make you bad at your job - every company has issues, and it’s more common than you think. We often put so much pressure on ourselves to fix the entire world, we forget to step back and remember we can only change what we control. This is why it’s important to make relationships with the people in your company and earn their trust. When the time comes to approach them with a security issue, they know it’s serious and they will help you fix it. Also, spend time with your peers at other companies and learn from them. One of my greatest resources are the security Slack channels I’m in, which allows me to bounce ideas off peers or talk through frustrations I have and how my peers solved them.

What has been your greatest career achievement? A career highlight has definitely been joining Silicon Valley CISO Investments (SVCI) as an investor. It’s made up of amazing individuals and I’m ecstatic to be a part of the exclusive group. It’s an honour to be a part of the organisation and help advance cybersecurity technology.

Looking back with 20:20 hindsight, what would you have done differently? Looking back on my career, there isn’t anything I would have done differently. I’m a firm believer that the decisions you make along the way get you to where you are, and I’m happy where I’m at in life. I know I’ve made mistakes but I don’t think I would change them - as long as we learn from them, we become better people.

1 2 Page 1
Page 1 of 2