Secret CSO: Devin Ertel, Menlo Security

What do you feel is the most important aspect of your job? “Allowing the business to run more efficiently while being secure at the same time. This is the balance in security that makes it interesting.”


Name: Devin Ertel

Organisation: Menlo Security

Job title: CISO

Date started current role: August 2021

Location: Mountain View, CA

As Menlo’s CISO, Devin Ertel is responsible for providing internal cybersecurity guidance and policy insights to both the company and its customers. He is also focused on reducing the company’s risk and security exposure. Ertel has nearly 20 years of experience in cybersecurity. His previous experience includes security positions in several Fortune 100 organisations. During his time with both Mandiant and the US Federal Reserve, Ertel had hands-on experience mitigating large, high-profile breaches and dealing with highly motivated threat actors.

What was your first job? My very first job as a kid was at a camp for handicapped children. I worked right alongside the professional caregiver. It was a meaningful and fulfilling job. My first professional job was in technology at Kohl’s, a large chain department store.

How did you get involved in cybersecurity? It really started as a hobby for me. I randomly met the local 2600 group while at a cafe. There are 2600 groups all over. Members are a mix of self-described “geeks, nerds, and others who are curious about what’s going on in the cyber world.” They typically meet monthly to discuss everything from hacking to infosec to politics and everything in between. From there I just went down the rabbit hole of technology and security.

What was your education? Do you hold any certifications? What are they? I have a Bachelor of Science in MIS from the University of Wisconsin-Milwaukee. I have held many certifications throughout my career. I’ve listed some below. I believe certificates can help but security is all about learning and the curiosity to learn.

  • Certified Application Security Specialist (CASS)
  • Certified Expert Penetration Tester (CEPT)
  • ArcSight Certified Security Analyst

Explain your career path. Did you take any detours? If so, discuss. My career has always been within cybersecurity. But I have taken it upon myself to take on roles in different areas of cybersecurity, whether offensive, defensive, or engineering. Throughout my career I’ve always tried to learn different areas. On top of that I’ve worked in various industries to get an understanding of the security challenges an industry will face. I believe having all these different perspectives gives me a deep understanding of security, and as a result, I’m able to look at opportunities and challenges from all sides.

Was there anyone who has inspired or mentored you in your career? I’ve been fortunate enough to have many mentors throughout my career. Security is a community of people always willing to help each other out. But if I had to name one it would be William Cummings who is also a CISO. He gave me my first technical job with no professional experience. He continues to be a mentor to this day.

What do you feel is the most important aspect of your job? Allowing the business to run more efficiently while being secure at the same time. This is the balance in security that makes it interesting.

What metrics or KPIs do you use to measure security effectiveness? These really do depend on the industry, business, and its unique set of risks. Things like Mean Time to Detect, Mean Time to Resolve and Mean Time to Contain are great KPIs. Others like Patching cadence, Security Compliance, and cost per incident are good things to track.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? My plan is to hire 20 people by year-end. There is a high demand for security people, so filling most open positions is challenging. This is across the board. I’m currently hiring for a Senior Penetration Tester and Principal Security Architect. We have several engineering, operations, researcher, and R&D positions we’re looking to fill. Anyone interested should check out our careers page.

Cybersecurity is constantly changing – how do you keep learning? Security can be hard to keep up with. Since it is a passion of mine, this does come very naturally. To stay current, I attend several conferences each year, network with peers, listen to podcasts and read blogs, just to name a few.

What conferences are on your must-attend list? Everyone should go to Defcon at least once. I also like BSides, Black Hat and RSA. The Gartner Security and Risk Conference is another good one. I also always recommend going to small conferences. Look in your local area and go to meetups and small peer groups. You will find a lot of value and make some great connections. I’m looking forward to when these conferences are in-person again.

What is the best current trend in cybersecurity? The worst? Security is getting more executive representation and board visibility. Because of this we are being asked to do more. Without the right resources this can sometimes present a challenge.

What's the best career advice you ever received? Do more than your job description. Be the linchpin.

What advice would you give to aspiring security leaders? Keep your passion, believe in yourself, and it's ok to take time for yourself.

What has been your greatest career achievement? I can’t pinpoint just one achievement as they all felt like great achievements at the time. I would say I’m fortunate to have all the experiences I have had within cybersecurity. Working for the U.S. Federal Reserve was a big achievement for me. I was able to use my knowledge and skills to protect some of the nation's most critical assets.  

Looking back with 20:20 hindsight, what would you have done differently?  Cybersecurity can be fast paced and stressful in the moment if taken out of context. At this point in my career, I’ve learned to enjoy these moments as learning opportunities. I wish I would have taken that approach earlier on. I like to remind not only myself about this, but also my team.

What is your favourite quote? Think long term. Execute short term. Experience now.

What are you reading now? Courage is Calling by Ryan Holiday.

In my spare time, I like to… Spend time with my family, hike, make sourdough bread and pizza.

Most people don't know that I… am a comic book nerd.

Ask me to do anything but… to root for the Dodgers.