Secret CSO: Steve Dotson, Acoustic

What advice would you give to aspiring security leaders? “Understand the actual business you are protecting and become an expert on your products and services.”


Name: Steve Dotson

Organisation: Acoustic

Job title: CISO

Date started current role: March 2020

Location: Atlanta

Steve Dotson is a security executive with over 20 years of experience in Information Security and Risk within public and private companies, government contractors, and startups. Dotson specialises in building security programs from scratch and has proven experience in enabling business growth in a secure manner through risk management and business alignment.

What was your first job?  My first ‘real’ job after graduating from the University of Central Florida with a bachelor’s degree in Marketing and Sales was selling cellular phones in Orlando. Fun fact: when Shaquille O’Neal signed with the Orlando Magic, I sold him and his family a bunch of cell phones. I learned pretty quickly that I didn’t like sales.

How did you get involved in cybersecurity? I moved to San Diego in the mid-90s, primarily for the surfing but also because it was a tech hub and I knew I wanted to get involved in technology of some kind. I was selling Mac computers to graphics shops and biotech companies, and the son of an SAIC executive was working with me and recommended me to his dad for a large government contract he was staffing up. It just happened to be a huge DoD PKI project, which started my path in security. They asked me to configure a large Sun server and early Netscape certificate and directory servers. It was a total “sink or swim” environment but I loved it.

What was your education? Do you hold any certifications? What are they? My first degree was a B.S. in Business Administration. In hindsight, I should have done Computer Science, but I didn’t know what I didn’t know. I see my kids struggle with major selection when they don’t have much basis for the selection, and that’s how I felt too. I went back to school at the University of California San Diego for Computer Science, but California didn’t allow a double I had to start the Master’s track. I did my undergrad in Computer Science there but then moved to Denver for a telecom startup. I finished my Master’s in Computer Science with a specialisation in Security 10 years later at Florida Tech when I was working at Harris Corporation in Melbourne, Florida. I had a Cisco CCNP and Microsoft MCSE when I was doing networking and administration on some of the early projects I was on, but I think I tested well and don’t feel like I learned much going through that process. There were some other security certifications that I could have ‘grandfathered’ in like the CISM but I didn’t pursue them as I felt I was just chasing CPEs for the sake of a certification. The CISSP is still one I hold in high regard as it is broad; however, I let that one lapse as well due to CPEs.

Explain your career path. Did you take any detours? If so, discuss. I started out in sales then worked my way over to security technology. I wrote web code (yes Perl) for a year at a web startup in the late 90s, then did networking at a telecom startup. Otherwise, all my roles have been security-focused roles. I focused on international security standards for a few years (cable and cellular/3GPP/LTE), which was a bit of a detour. I felt standards/policy was a way to make a larger and lasting impact.

Was there anyone who has inspired or mentored you in your career? Terri Bush at SAIC and Ronda Henning at Harris had to spend a lot of time rounding out my sharp edges early in my career. Ronda sat with me in executive meetings with government higher ups so she could kick me when I went down technical rabbit holes. I thought everyone had the same passion as I did for the details! Mark Gibaldi and Phil Agcaoili were also strong mentors for me when I moved over to the executive side of security. There were many others that helped me get to where I am and I am thankful for everyone’s help and advice.

What do you feel is the most important aspect of your job? Protecting the value of the business.

What metrics or KPIs do you use to measure security effectiveness? I am usually creating security programs so I am a big fan of using capability maturity during the build phase. These are normally subjective based on my experience, which is a gap in the standard frameworks (in my opinion). Once capabilities are stood up (e.g., security monitoring, vendor risk management, vulnerability management, etc.), then more traditional KPIs become important at the control level. 

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Definitely. Strong application security and cloud security skills are challenging to find. Devops skills are also in high demand (e.g., AWS, CICD, Kubernetes, containers, etc.).

Cybersecurity is constantly changing – how do you keep learning? That’s why I do it, I tried programming and networking and while those are always changing, security has its own technologies but it is also an overlay on everyone else’s technology so we must keep up with general technology as well, and I love learning. I am part of several CISO groups which offer high-value collaboration with peers on similar challenges. My network is probably now my biggest source of information, along with books and online content.

What conferences are on your must-attend list? I really enjoy BSides San Francisco; it reminds me of very early days at the RSA conference when it was small(ish), and the content was meaningful and actionable.

What is the best current trend in cybersecurity? Zero trust as a principle. The worst? Zero trust in practice

What's the best career advice you ever received? Talk less and listen more.

What advice would you give to aspiring security leaders? Understand the actual business you are protecting and become an expert on your products and services.

What has been your greatest career achievement? I have been lucky to find 4-5 opportunities to build out security programs from scratch, so I feel like I’m leaving things better than they were.

Looking back with 20:20 hindsight, what would you have done differently? I probably would have done a different first degree, such as Computer Science.

What is your favourite quote?Just do it.

What are you reading now? Currently I am reading Noise: A Flaw in Human Judgement by Daniel Kahneman, Olivier Sibony, and Cass Sunstein and Think Again by Adam Grant.

In my spare time, I like to… One of my current hobbies is track days at different racetracks, and I recently started instructing novice drivers. I am hoping to start endurance racing next year if I ever finish my project car. If we ever get surf in Atlanta, I am ready to go!

Most people don't know that I… spent most of my life surfing.

Ask me to do anything but… Tell you what I hate doing! Nothing is coming to mind.