Secret CSO: Andy Ellis, Orca Security

Cybersecurity is constantly changing – how do you keep learning? “While I know a lot of people are down on social media, I find that Twitter is a great way to draw attention to new hot topics that I should pay attention to.”


Name: Andy Ellis

Organisation: Orca Security

Job title: Advisory CISO

Date started current role: September 2021

Location: Massachusetts

Andy Ellis is the Advisory CISO at Orca Security. Ellis is a seasoned technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Ellis designed, built, and brought to market many of Akamai’s security products. His leadership helped propel the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty-year tenure, Ellis led Akamai’s information security organisation from a single individual to a 90+ person team, over 40% of whom were women. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Ellis regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision-making. Ellis has received a wide variety of accolades, including the CSO Compass Award, Air Force Commendation Medal, Spirit of Disneyland Award, Wine Spectator Award of Excellence (for The Arlington Inn), and was the winner of the Sherman Oaks Galleria Spelling Bee. He was inducted into the CSO Hall of Fame in 2021.

What was your first job? Construction site cleanup. My parents were always building, both professionally and personally, and the first thing I recall getting paid for was cleaning up job sites at the end of the day. Learning whose tools went where was really important!

How did you get involved in cybersecurity? While I was a cadet in the Air Force ROTC, I was spending a summer at Luke AFB backseating in F-16s, because I really wanted to be in operations. I got a call one afternoon from a major in the 609th Information Warfare Squadron, actively recruiting me. And by “actively,” I mean, “he got to decide, and he decided he wanted me.”

What was your education? Do you hold any certifications? What are they? I have a Bachelor’s degree in Computer Science, with a minor in Mathematics, from MIT. I was once a CISSP, but I let that lapse many years ago.

Explain your career path. Did you take any detours? If so, discuss. My career is entirely detours! I was kicked out, errr, took an indefinite leave of absence from MIT after my freshman year. I spent two years working at Disneyland. Then I spent two years in Vermont as a wine steward, bartender, innkeeper, ski bum, and physical security guard. I came back to MIT on a ROTC scholarship, but to meet the age requirement, I had to graduate in two and a half years, and my misspent freshman year had left me with three courses on my transcript. In those two and a half years, I was also the Vice Master of the MIT Assassins Guild, the Wing Commander of the AFROTC Detachment, and a member of the Student Information Processing Board. I include those in my career section because I rely on skills I picked up in each of those every day in my career.

When I graduated, I spent three years, five months, and fourteen days on active duty; first with a tour in South Carolina doing Information Warfare, and then up in Boston doing Acquisitions Test Management. After I separated, I spent just over two decades at Akamai, doing just about every security role from engineer to CSO, including acting as the CTO for our security business, and building an amazing team of professionals that could tackle almost any problem with a diverse and deep skill set.

Now, I’m enjoying being wholly on the vendor side of things as Orca Security’s Advisory CISO, and I also am an Operating Partner at YL Ventures, helping companies bring their great ideas to market.

Was there anyone who has inspired or mentored you in your career? The list is really too long to try listing, but some of the best inspiration and mentoring came not from the people senior to me in the organisation, but from the people who worked for me. From each of them I learned new ways to lead, and better understood the challenges that other people had to face.

What do you feel is the most important aspect of your job? Communication. Learning how to speak to very different audiences, using language that they will connect with. Because if you can’t communicate, you can’t change the world.

What metrics or KPIs do you use to measure security effectiveness? The hardest one, because it’s mostly anecdata, is “incidents dodged.” It’s really useful, though, to both survey the landscape (did industry incident X affect you? Why not? What controls saved you?), as well as look at near misses (oh, that Sev 2 incident would have been much worse if we hadn’t already implemented system Y).

Coverage. Too many controls are really limited in asset scope, so when you ask “are we pentesting?” you get a “yes.” But what’s left out of the conversation is how many systems you aren’t applying that control to. So for any KPI, a measure of coverage is essential.

Days within SLA. Many controls, like vulnerability management, look at a point in time (“how many open vulns do we have today?”), when what is interesting is how often the SLA was met. Over the last quarter, what percentage of the time were we outside the SLA we wrote down for fixing things?

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Well, I don’t have a security team right now, as an Advisory CISO, but, speaking on behalf of the team I built at my last job, I’m pretty sure that the “skills shortage,” while not quite a myth, is really a polite way of saying that “HR and management don’t know how to recruit and retain talent.” Too many security postings ask for unicorns that can fly, seeking polymaths that are omnicompetent across the board. That might work for a startup hiring one security person, but not for a team. Teams need to hire people who are going to be good at the job you hire them for, and can grow. That often means that you aren’t hiring career security professionals. Need to write research reports? Make sure your team has a former journalist. Managing thousands of documents to prep for audits? Consider a librarian. The list goes on and on; it’s easier to hire skilled professionals and teach them security than to hire security operators and teach them vastly new skill sets.

Cybersecurity is constantly changing – how do you keep learning? While I know a lot of people are down on social media, I find that Twitter is a great way to draw attention to new hot topics that I should pay attention to. I’m also in a handful of slack channels that do the same for me, and I regularly have conversations with CISOs and security leaders across multiple industries to hear what’s hot on their radar.

What conferences are on your must-attend list? CSO50, of course!

What is the best current trend in cybersecurity? The worst? The best? Moving to the cloud, and reinventing your security program to be more agile.

The worst? Moving to the cloud, and not reinventing your security program.

What's the best career advice you ever received? Networking is about doing someone a favour when you don’t get anything back for it. Building up a network of goodwill is one of the best ways to propel your career in the future.

What advice would you give to aspiring security leaders? Make small, effective changes that your business partners will love. Don’t tackle hard problems that everyone will hate until you’ve built up enough political capital to spend.

What has been your greatest career achievement? The team I built around me when I was at Akamai. 94 people, no turnover for my last 15 months there, over 40% women, and an amazingly inclusive team. Ask anyone who worked in it, and you’ll hear fantastic stories about people feeling like everyone had each other’s backs, and managers invested in the development of their people. It’s the sort of team that any CISO worth their salt would kill to have.

Looking back with 20:20 hindsight, what would you have done differently? I’m really happy with where I am now, so I’m not sure I’d want to tamper with that good outcome. But for someone faced with the same challenges, I think that, earlier in my career, I wish I’d been a better listener. When someone tells you something that you think can’t possibly be true, it should be a signal to you that you are disconnected from the actual situation in dangerous ways.

What is your favourite quote? Voltaire: “The best is the enemy of the better.” Make progress now, rather than refusing to work until you have a path to perfection. Military leaders often phrase this as some variant of “A 70% plan, violently executed now, will defeat the 100% plan that you’re still designing.”

What are you reading now? Well, it changes by the day, since I tend to devour books. Professionally, my reading list currently has Cybersecurity Sales, The Charisma Myth, and Sapiens all on it.

In my spare time, I like to… read. I’ve been working my way through the GameLit genre for a while, as I wait for the latest books to come out from my favourite authors.

Most people don't know that I… am a triathlete. I mean, I’ve done two triathlons, so I think that counts. You can find me training on my Peloton as @ChiefSweatOfcr.

Ask me to do anything but… lie to the people that work for me.