Secret CSO: Justin Dolly, Sauce Labs

What advice would you give to aspiring security leaders? “Take your time.”

Name: Justin Dolly

Organisation: Sauce Labs

Job title: Chief Security Officer & CIO

Date started current role: January 2020

Location: San Francisco Bay Area

Justin Dolly is Chief Security Officer and Chief Information Officer at Sauce Labs, where he oversees the development and implementation of the company’s long-term security strategy, ensuring its customers have the highest level of protection to support their digital goals. He is a Certified Chief Information Security Officer (CCISO) with more than 20 years of experience in building and implementing a culture of security within global organisations. 

What was your first job? When I was a teenager, growing up in Ireland, I worked in music stores and loved it. Even then, there was something about discovering new (and old) music that really satisfied my natural curiosity.

How did you get involved in cybersecurity? Having a natural curiosity in life lent itself to what later became a career in cybersecurity ‒ as a kid, I used to take apart everything in the house and put it back together again, just because I wanted to know how everything worked. I’ve always wanted to know what was hidden beneath the surface.

Later, while studying liberal arts at university, I started to feel a passion for technology. To pursue that passion, I paused my studies and took a year-long technology course at a local community college, where I learned basic code writing, how circuits worked, all about mainframes and beyond. Of course, the technology at a community college seems to be consistently broken, so I began fixing the technology we were using, which taught me how to be resourceful with technology.

Through that experience, I found my desire to make technology my life’s work, specifically cybersecurity, where so much of what you’re doing is breaking things down and finding out what’s hidden behind the surface.

What was your education? Do you hold any certifications? What are they? I have a BA from Maynooth University in Ireland, specialising in both French and the classics, and I’m also a Certified Chief Information Security Officer (CCISO). It’s interesting ‒ throughout my career, I continue to meet people in this space (in cybersecurity), with arts degrees, especially history. Cybersecurity is obviously a highly technical field, but there are so many soft skills – like creativity and problem-solving – that security leaders need in order to be successful. And, I think that’s why so many of us often have a more arts-centric background.

Explain your career path. Did you take any detours? If so, discuss. I’ve been fortunate to work in many different industries and verticals, including technology companies like VMware, ServiceNow and now, Sauce Labs, as well as security solutions providers like SecureAuth and Malwarebytes. Every organisation is different, so getting to see first-hand how various organisations approach and view security has been incredibly valuable. And, it’s taught me that security is not a one-size-fits-all concept.

For example, at Sauce Labs, we recently achieved SOC2 Type2 and ISO 27001 certifications in parallel because in today’s security environment, having a detailed approach and commitment to security is critical to provide a higher level of safety and security for both businesses and consumers alike. 

That said, every company has a different culture and a different appetite for risk. The cultural norms that govern security at a healthcare company or a bank are going to be far different than those at a small software company. In my career, the opportunity and ability to cast such a wide net ‒ to really see the industry from so many different angles ‒ has molded me into a more well-rounded leader and practitioner than I would have been otherwise. That’s also why I wouldn’t characterise any of my stops along the way as a detour. As long as you’re open and willing to learn from these stops, every step and every experience plays an equally critical role in shaping the leader you eventually become.

Was there anyone who has inspired or mentored you in your career? The person that comes to mind is a gentleman named Robert Urwiler. We worked together at Macromedia in the early 2000s. At that time, I was still relatively early in my career, and Robert was my CIO. He later went on to be the CIO of Vail Resorts, which we laughed at as a perfect fit for him since he loves to surf and ski. We didn’t necessarily have that paternal, mentor-mentee relationship, but he was someone I regularly consulted when seeking guidance. Moreover, watching him lead was a formative experience for me as a professional. Robert was always diplomatic, calm and thoughtful, and he never let the moment seem too big. That’s something I really admired about him and have tried to emulate now that I’m older and, hopefully, wiser.

What do you feel is the most important aspect of your job? If you think about it, when most companies hire a security leader, they’re really hiring a change agent. This often happens in the aftermath of a bad experience, or other times it’s to confront the reality that the company can no longer continue to scale and grow without having a more defined, mature security posture. Regardless of what prompted the change, security leaders are usually brought in because the function has become essential in order for the company and its customers to safely grow together.

To me, what it really comes down to is creating safety. It’s about ensuring our employees, our IP, our environment, our networks, our data, and above all else, our customers, feel safe and are safe. That’s the most important thing we do ‒ we minimise risk and create safety for both the business and its customers.

What metrics or KPIs do you use to measure security effectiveness?  As a data-driven person, my team first looks at the data ‒ measuring anything (and everything) for which we have reliable data. We look for trends related to vulnerabilities, bugs, authentications, and anything else critical to maintaining our desired posture. I think it’s also important to have your finger on the pulse of more discipline-related metrics that aren’t as easily measured or quantifiable, but are equally important to a holistic security strategy. This can include metrics, such as behavioral change within your own organisation, for example. The point is, it’s less about what you specifically measure and more about ensuring that you are assessing the complete picture, not just capturing the data that’s easily compiled and shared within your organisation. 

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? There’s certainly a shortage out there, but I’ve been around long enough (fortunately or unfortunately, depending on your perspective!) to have built a strong, professional network that I can usually rely on during the hiring process ‒ whether it’s hiring from that network directly or having referrals of qualified candidates sent to me from that network, when I need to fill critical roles.

All of which is a great reminder that people and relationships are as much a part of success in security as are skills and technologies. I’ve been lucky to have formed some great relationships in this industry, and even luckier to carry them with me throughout my career.

Cybersecurity is constantly changing – how do you keep learning? There’s a saying I use with my team constantly: every day is a school day. I learn something literally every day, and I try to be conscious of it and purposeful about it. At the end of every meeting, I ask myself if there’s anything I know right now that I didn’t know 45 minutes ago, and the answer is almost always yes. I’ve found the more people you interact with, the more you learn, and that includes people outside of security roles and outside of engineering roles altogether. I’ve learned as much about security from talking to marketing teams, HR teams and customer service teams as I have from talking to a team of developers or engineers. Security touches pretty much every aspect of every company, so as long as you’re listening and open-minded, you can’t help but learn.

What conferences are on your must-attend list? The top two on my list are always RSA and Black Hat. I’ve made it to both just about every year for the past 20+ years (aside from these most recent pandemic-affected years). Obviously, it remains to be seen what they’re going to look like going forward, but I’ve always leveraged those conferences to catch up with friends and colleagues while hopefully meeting interesting, new people, too.

What is the best current trend in cybersecurity? The worst? There’s always going to be challenges and threats, and of course, the losses will always garner the headline. But when the good guys are winning more often than the bad guys, that’s the best trend possible ‒ and quite frankly, that’s the only trend I focus my attention and efforts toward. We’re seeing more and more of these ‘wins’ because security leaders have a far more prominent seat at the leadership table than they have in years past. As long as we keep that up, we’ll continue to win more than our fair share of today’s cybersecurity battles.

However, during a time when cybersecurity concerns and damaging attacks headline the news almost daily, being aligned with poor security can be almost as detrimental to a brand as an actual breach. In fact, according to new findings from the recent Every Experience Matters Report, 63% of users say a bad experience can make them feel as though their data is not secure.

That said, if I had to zero in on a single trend that concerns me, it would be how many of the more high-profile data losses are due to carelessness or lack of discipline. It’s one thing to be victimised by a new threat vector that you couldn’t have seen coming or have realistically prepared to combat, but when it’s preventable with basic discipline, as so many of these seem to be, that’s disconcerting.

What's the best career advice you ever received? Just before I left Ireland to move to the U.S. and start my life here, my parents told me that if I put my head down and worked hard, good things would happen. Simple, yet it remains to this day the best career advice I’ve ever received.

What advice would you give to aspiring security leaders? Take your time. It’s easy to feel like you’re supposed to have all the answers and have them immediately, especially when something goes wrong and you’re in triage mode. When someone asks you a question, even if it’s your CEO, you don’t have to answer immediately. There’s very seldom a question that needs to be answered in the next 10 seconds. Don’t be afraid to tell people you’ll get back to them.

What has been your greatest career achievement? Rather than pointing to one specific achievement, I would consider the overall opportunity I’ve had to build teams as my greatest achievement. I love seeing teams come together behind a shared goal and message. Even amid an often stressful situation, there’s something energising and encouraging about the way teams come together during a security incident ‒ the camaraderie, and the support for each other and the cause is inspiring. Bringing people together in that way is something I always have and always will cherish.

Looking back with 20:20 hindsight, what would you have done differently? Knowing what I know now, I would have made it a point to slow down a bit in those earlier days of my career. I was often eager to implement change faster than companies were ready to absorb it, but I’ve come to realise there are cultural factors unique to each organisation that dictate the pace and velocity at which you can reasonably drive change. Some organisations can only go so fast, and you have to be thoughtful about that. So, from what I’ve learned throughout my career, I’d tell myself to slow it down a bit.

What is your favourite quote? From Shakespeare’s Julius Caesar: “There is a tide in the affairs of men. Which, taken at the flood, leads on to fortune.” I believe you have to take advantage when opportunity presents itself, and this quote is a great reminder.

What are you reading now? Apeirogon, by Colum McCann.

In my spare time, I like to… Sail, letting the winds take me where they will and navigating my way back, even when the winds aren’t in a compliant mood.

Most people don't know that I… Am a father of 11-year-old twins.

Ask me to do anything but… Build you a spreadsheet!