Secret CSO: Sebastian Goodwin, Nutanix

What do you feel is the most important aspect of your job? “The role of a CISO is uniquely challenging because a security team cannot succeed independently. Success requires the cooperation and participation of everyone in the company…”

IDGConnect_secretcso_suppliedart_sebastiangoodwinnutanix_1200x800
Nutanix

Name: Sebastian Goodwin

Organisation: Nutanix

Job title: CISO

Date started current role: May 2017

Location: San Francisco, USA

Sebastian Goodwin is the chief information security officer at Nutanix and a cybersecurity and risk management executive with experience launching products, leading consulting practices, and managing information security/compliance teams. He has worked throughout the U.S., Middle East, and Europe as an entrepreneur and as a trusted adviser and consultant. Over the years, Goodwin has worked as a long-term consultant or employee delivering cybersecurity solutions at companies including Nutanix, Palo Alto Networks, Microsoft, NetApp, AT&T Wireless, Goldman Sachs, and Oracle (PeopleSoft). Goodwin is a recognised IT security industry leader as the author of two books on Windows Server security as well as co-author of the Security+ certification exam.

What was your first job? My first job was pumping gas at my dad’s gas station in Long Island, New York. He fixed cars in the garage while I was out pumping gas. I must have been 14 or 15 years old. My first job working for a big company came shortly thereafter. When I was 16, I started working in retail at Egghead Software. It was an incredible job for me because of the perks—access to tons of software and magazines that I wasn’t able to afford at the time.

How did you get involved in cybersecurity? Ever since we got a computer in the house when I was around 13, I learned on my own from breaking, fixing and tinkering. Later I started reading 2600 magazine, and then two books really drew me into the world of cybersecurity: “Secrets of a Super Hacker” by Knightmare and “The Cuckoo’s Egg” by Clifford Stoll. I was completely intrigued by the innovation and creativity involved in hacking and the cyber-sleuthing involved in detecting and countering cyber-attacks.

I was nearly expelled from high school after cracking the computer department’s newly deployed full disk encryption software but was allowed to stay given that a teacher had casually issued a challenge to any student who could “hack the unbreakable encryption.” That type of “do the impossible” challenge has always fired me up throughout my career. In cybersecurity we encounter such challenges frequently, and that keeps things interesting.

What was your education? Do you hold any certifications? What are they? I was largely self-taught as a teenager sitting in the basement with a 9600 baud modem. My first certification was the Microsoft Certified Systems Engineer (MCSE) back in the Windows NT 4.0 days. I was eighteen years old and had already been building and repairing computers and networks for a few years. I took a gap year to work after high school and accumulated a bunch of other certifications from Microsoft, Cisco and others. There was some pressure from the adults in my life to go to college, so I moved to Seattle and started at University of Washington but that didn’t last long. I was only interested in technology and took no interest in the other required courses. After less than a year, I left school and got on with my career.

After several years of working and moving up the corporate ladder, with advice from mentors, I decided to go back to school. However, I didn’t go to study computer science. I felt I already had a lot of hands-on experience in that area, and I wanted to be an executive leader—a future CISO, CEO, and/or board director—so I set my sights on a business degree. My mentor told me to shoot for a top-tier MBA. I hadn’t completed a bachelor’s degree yet, so at the age of 25 I returned to school to finish a bachelor’s in Applied Economics at University of San Francisco. It was an evening program for working professionals, and I was able to finish in two years by testing out of several courses. Then I focused on taking the GMAT exam and applied to executive MBA programs that would allow me to study while working full time. At age 27, I was a little young for an executive MBA program, but a full-time program was not an option because I had a wife, a new baby and a mortgage, so I needed an income. I was rejected by the University of Chicago, and that left me a little deflated. I waited a few years and then decided to try again. I applied to the San Francisco campus of the University of Pennsylvania’s Wharton Business School. I was accepted, and it was a tremendously rewarding experience.

Explain your career path. Did you take any detours? If so, discuss. I’ve had various jobs, including teaching certification prep courses to people pursuing MCSE and CISSP certifications. My first real security job was at PeopleSoft in 2001. They were looking for someone with deep knowledge of Microsoft Active Directory and Windows, which I had. I also had the security mindset, so it worked out well. Later I got into consulting—advising CISOs on technology strategy and best practices. Eventually, I became a CISO myself.

I took a bit of a career detour after I finished business school. I wanted to get some experience on the product side of things, focusing on product go-to-market instead of back office operations. I landed a role in product marketing at Palo Alto Networks, and that was a very rewarding experience. After a few years of that, I longed to get back to the hands-on work of a security practitioner, so I returned to a CISO role.

Teaching has also been a theme throughout my career. I was one of the youngest Microsoft Certified Trainers (MCTs) back when I started teaching at the age of nineteen. I really enjoyed being in the classroom. In the last few years, I’ve returned to teaching. I created a course called “Managing Cyber Risk” which is part of the Masters in Cybersecurity program at the University of California, Berkeley.

Was there anyone who has inspired or mentored you in your career? I’ve been extraordinarily lucky to have great mentors and role models throughout my career. When I was just seventeen years old working at Egghead Software, I met someone who would become a lifelong mentor and father figure. He came into the store one day in need of help with his crashed computer. I ended up going to his house to help troubleshoot the issue. He turned out to be an incredibly accomplished diplomat and businessman who is chairman/owner of one of the largest privately held industrial conglomerates in the Middle East. It is he who stoked my ambitions as a business leader and builder. He also pushed me to go back to school.

I’ve also had the pleasure of working with some highly accomplished technology executives, one of whom particularly stands out for me as an inspirational mentor throughout my career. Wendy M. Pfeiffer is the CIO at Nutanix, and we’ve worked together in three different companies over the last eighteen years. She has been a role model and mentor for me in the areas of both executive leadership and board service.

What do you feel is the most important aspect of your job? The role of a CISO is uniquely challenging because a security team cannot succeed independently. Success requires the cooperation and participation of everyone in the company, and security is often not everyone else’s top priority. One person’s mistake can lead to a breach. Hence, the most important aspect of my job is the ability to influence the behaviours and habits of others. It’s about human psychology and organisational behaviour as much as it is about technology. Gamification and motivational incentives that change peoples’ behaviour can improve security just as much as firewalls and other technical controls.

What metrics or KPIs do you use to measure security effectiveness? There’s no shortage of things to measure in the world of cybersecurity. I think the most important thing is to identify the areas that pose significant cyber risks in your organisation, start measuring those, then set targets and start moving the needle. For example, if your organisation has a lot of applications that are not integrated with your single sign-on platform and protected by multi-factor authentication, start measuring how many of those applications exist and then start driving that number down. Set targets and timelines and when it gets to zero, you implement the right processes and monitoring to keep it at zero. Then that metric fades into the background because it’s no longer an area of focus. In this way, I cycle through different metrics and KPIs that I focus on from one quarter to the next, constantly looking for those incremental improvements that accumulate over time.

Security effectiveness is also about efficiency. We’re dealing with large volumes of information and not enough people to cull through it all. Hence, I always keep an eye on automation metrics. For example: What percentage of the tickets going into my SOC are resolved by automation without any human interaction? I also keep an eye on false positive rates from various tools because signal to noise ratio is also key to maintaining efficiency.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? One small silver lining from the pandemic is the fact that we are hiring a lot more fully remote roles. This means my candidate pool has expanded significantly since I’m not only looking in cities near our offices. Because of the security skills shortage, some roles still take a while to fill—particularly those in cloud security and DevSecOps. Despite that, we’ve been able to build an extraordinarily talented and diverse team.

Cybersecurity is constantly changing – how do you keep learning? I learn in three ways: 1) I hire people who are smarter than me in various areas, and I learn from them; 2) I read and try to keep up with the latest news via Slack channels, social media and industry publications; 3) I teach. I’ve always found that a great way to learn something deeply is to teach it. You’re forced to contemplate and discuss topics in-depth with students. When you’re teaching mid-career professionals, you also learn a lot from them.

What conferences are on your must-attend list? Other than our own Nutanix .NEXT conference, I prefer smaller gatherings like CISO dinners or summits that are organised by various organisations and VCs. It’s great to have a roundtable discussion with industry peers or startup founders who are solving security problems in innovative ways.

What is the best current trend in cybersecurity? The worst? The development of converged platforms on which to run and orchestrate VMs, VDIs and containers in a true hybrid multicloud environment is a game-changing trend in our industry. When you can point, click and shift workloads from on-prem to cloud or between different clouds, all while maintaining the same security posture, you eliminate a lot of the risk and operational overhead that has traditionally been associated with such migrations. When you can manage storage (with ransomware protection), networking (with micro segmentation), and compute across all your cloud and on-prem estate from one console, you gain enormous efficiencies and the ability to more easily maintain security posture.

The worst trend that I see is technology vendors taking choice away from customers. For example: forcing customers to run on something only in the cloud or only on-premise, or on one particular virtualisation platform or public cloud. As customers, we should be operating on our own terms—not on the terms dictated to us by our vendors.

What's the best career advice you ever received? Stew Friedman, a fantastic professor that I had at Wharton, and author of “Total Leadership” and “Parents Who Lead” taught me that seeking work/life balance leads to undesirable trade-offs. The real goal should be work/life integration. His tips on how to create that have been some of the best career, leadership and parenting advice I’ve received.

What advice would you give to aspiring security leaders? Don’t be the security leader who loves to tell people what they cannot do. Be the security leader who helps the business innovate and take the right risks to be successful. It’s important to understand how to weigh cyber risk vs. business benefits. People will come to you with proposals for things that sound like security disasters waiting to happen. Instead of dismissing them as absurd, work with them to understand their objectives and then help them achieve those objectives in a way that fits within the organisation’s cyber risk tolerance. If something poses a seemingly intolerable risk and you reach an impasse, it’s your job to make sure the risk is properly described to the executives who have authority to evaluate risk mitigation options and ultimately determine how to deal with or accept the risk.

What has been your greatest career achievement? I view the teams I’ve built as my greatest achievements. You’re only as good as the people you surround yourself with and I feel extraordinarily lucky to have worked with some of the smartest minds in the cybersecurity industry. I learn from my team every day, and I constantly hear great external validation of the innovative work that they do.

1 2 Page 1
Page 1 of 2