Secret CSO: Frank Russo, Calendly

What metrics or KPIs do you use to measure security effectiveness? "The best indication that your security program is doing well is how quickly and effectively you can respond to incidents, both external and internal threats."


Name: Frank Russo

Organisation: Calendly

Job title: CISO

Date started current role: October 2021

Location: San Francisco Bay Area

As Chief Information Security Officer at Calendly, Frank Russo oversees external and internal application security, infrastructure security, corporate security, privacy, and compliance. He is responsible for strengthening the security of the platform, along with assessing company-wide tools and processes, while cultivating user trust. Russo brings over 20 years of security and infrastructure experience to his role, most recently as the vice president of information security and CISO of XRP II at Ripple. Before that, he spent nearly a decade at Salesforce as the director of enterprise security.

What was your first job? My first career job and debut into tech was as a customer support engineer at Pilot Network Services supporting their network security infrastructure. Here is where I had the chance to see how they think about and tackle solving complex security problems.

How did you get involved in cybersecurity? I’ve always found security to be an incredibly interesting and intellectually challenging space. I guess you could say the intrigue started in college when I became known as the guy to call if you locked yourself out of your dorm since I was good at picking locks. The moment when I really jump-started my career in security was at Pilot Network Services. It was a startup and at the apex of the dot-com boom. It was my first exposure to security and meeting experts across network security, systems security, cryptography, you name it. I became hooked. As this historical moment turned a corner, I entered into a senior network engineer position with Wilson Sporting Goods, where I built out their network and security infrastructure.

What was your education? Do you hold any certifications? What are they? I graduated from Boston University and earned a degree in Liberal Studies. Some people may be surprised to know I’m a “Class of 2020” graduate. I studied physics and math after high school, published a paper on computers and physics in 1996, got an entry-level certification for networking, and planned to get a graduate degree in physics. Instead, I dropped out of college and dove headfirst into the startup world. Returning to college later in life gave me a chance to get a broader education. I studied history, economics, philosophy, and creative writing, all of which now gives me the ability to look at the bigger picture outside the technical aspects of my job.

Explain your career path. Did you take any detours? If so, discuss. I’ve always been deeply intrigued by this space and recently became excited about the possibility of leadership and overseeing a team responsible for the security of an entire organisation and its customers. My most transformational career moment was the near decade I spent at Salesforce overseeing enterprise security. It was an incredible place to grow and be surrounded by a team of senior security and privacy experts. Most recently, as the CISO of Ripple Labs, I dabbled in the increasingly complex crypto space. I faced challenges unlike others I've managed in past security roles. 

As of mid-October 2021, I’m now diving into my next new adventure as CISO at Calendly, a scheduling automation company, to help reframe the security culture internally and strengthen security for our customers, especially as we emerge deeper into the enterprise. It’s funny, it’s exciting to join a tech company where my dad understands what the product does and even uses it. Everyone has meetings and appointments. Scheduling is a universal pain point, increasingly so in today’s digital-first environment.

Was there anyone who has inspired or mentored you in your career? I have a number of mentors who have guided me throughout various moments in my career. I’m continuously adding to my list. One of my mentors is the first person who gave me my first job as a college dropout. Another is the person who promoted me from principal security engineer to director at Salesforce and had full confidence I’d do a great job. 

Now as I sit with over 20 years’ time learning in this industry, it’s my turn to return the favour. It’s one of the things I’m focused on at Calendly: I want to be here to lift people up throughout their careers and hope to be on someone’s list of inspiring mentors down the road. It’s important to me to help people navigate their security career goals, while scaling our security team.

What do you feel is the most important aspect of your job? It boils down to protecting the platform and the business and helping people grow in their careers along the way. Today is a historical moment for hybrid work so we are breaking into new ground at Calendly when it comes to security. Security leaders, like myself, have a greater responsibility to provide safety for our customers and employees. Educate, protect, and build trust. Those are the real nuts and bolts of the job. 

What metrics or KPIs do you use to measure security effectiveness? The best indication that your security program is doing well is how quickly and effectively you can respond to incidents, both external and internal threats. You have to be good stewards to your organisation and customers, which means being extremely responsible, building smart and consistent processes, and instilling a sense of ownership within your team so they feel a sense of responsibility for everything that happens. 

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Every CISO and head of security I talk to says finding and keeping good people for the long haul is one of their greatest challenges. Across the board, any technical role is difficult to fill, but in particular, finding deeply knowledgeable application security engineers – people who can write code and find security vulnerabilities – is proving to be tough.

It’s easy to find people who are very early in their careers and just beginning or, on the other hand, people who are seasoned and expensive to hire. It's people who are mid-way into their career journey that are hard to source. These individuals are often at an inflection point in their careers where they’re debating if they want to go deeper in a technical area or transition into technical program management.

Cybersecurity is constantly changing – how do you keep learning? I’m a big fan of podcasts for staying on top of security news and analysis, along with vendor movements. One of my favourites is the Risky.Biz Podcast. I also find LinkedIn and Twitter can be good sources of information if you follow the right people and organisations. DEF CON’s Twitter account is one to pay attention to if you want quick, digestible updates. 

What conferences are on your must-attend list? I occasionally enjoy the bigger conferences like DEF CON. INFILTRATE is a great one. For the most part, I enjoy the security BSides more. I find I get more out of smaller conferences since they’re more intimate and personal venues so it’s easier to network. 

What is the best current trend in cybersecurity? The worst? It’s difficult to narrow it down. So much is happening in the world of security at the moment. 

The best trend would be the rise of remote-first work and explosion of devices pushing cybersecurity and regulatory compliance to become the top two biggest business concerns. As the hybrid workforce takes shape, companies must scale critical security measures for tools and workflows to suffice long-term. More mobile, dispersed people working in remote or hybrid environments has resulted in a greater need for us to build and scale our platform for this reality and mitigate risk with securing the cloud. 

The worst trend is the belief that security can be an afterthought. Implementing a zero-trust security model from the start is critical to an organisation's long-term success regardless of whether they work in or out of an office. Everyone is moving towards this zero-trust model and the belief that you should be able to work anywhere and be secure should have been an industry reality long ago. 

What's the best career advice you ever received? To be taken seriously as a leader, build trust and be transparent with internal and external stakeholders. I learned early on that staying close to the technology and technologists responsible for it is key to building a successful security program. If you invest in people as they navigate opportunities and challenges they encounter at work and throughout their careers, you’re doing both them and yourself a favour. Building a meaningful security path for team members internally is critical for retaining them.

What advice would you give to aspiring security leaders? Build and lean into your support network, ask questions, and stay hungry to learn. Creating a community of security industry professionals to bounce ideas off of or to share learnings and wins is your greatest asset for career advancement and problem-solving. That network will be able to point you in the right direction as you encounter new challenges and opportunities over the course of your career. 

What has been your greatest career achievement? Without a doubt, a distinct moment for me in my career was leading the enterprise security team at Salesforce. We were at the cutting edge of security, and I’m incredibly proud of what we were able to accomplish as a team. I was fortunate to build a strong cohort of industry connections and mentors during that time, many of whom have since gone on to become security leaders at some of the most known tech companies in the world and whom I’m still in close contact with. 

Looking back with 20:20 hindsight, what would you have done differently? It’s difficult to say I would have done things differently when we know that every decision we make impacts another decision. The counterfactuals are hard to imagine. I wouldn’t have done anything differently as I am where I am today because of those decisions.

What is your favourite quote? “If your ship hasn’t come in, row out to meet it.” Someone once gave me a card with that written on it, and it's always stuck with me. Don’t sit around and wait for opportunities to find you; go out and seek them.

What are you reading now? I have an eclectic mix of books on my bookshelf ranging from Cormac McCarthy’s No Country for Old Men to Ted Chiang’s Exhalation to Nassim Taleb’s Incerto. I’m currently reading On Grand Strategy by John Lewis Gaddis.

In my spare time, I like to… spend time with my young son and wife, mountain bike, ski, occasionally paint and draw, and take apart old pocket watches.

Most people don't know that I… was born in Panama. I’m a third generation Panamanian and immigrated here in 1975.

Ask me to do anything but… sit through a football game. Any other sports – soccer, baseball, basketball – I enjoy, but football doesn’t capture my attention.