Secret CSO: Dave Bossio, Samsara

What is the best current trend in cybersecurity? “Passwordless, multifactor authentication continues to be the single best thing that companies can do when it comes to maintaining proper access to systems and services.”

Name: Dave Bossio

Organisation: Samsara

Job title: CISO

Date started current role: January 2022

Location: Snoqualmie, Washington

An industry veteran with over two decades of experience in information security and operating mission-critical services, Dave Bossio joined Samsara as CISO in March 2022. He previously served as senior vice president, Security Integration, at Salesforce, where he drove the information security strategy across all business units and new acquisitions. Prior to Salesforce, he spent 17 years at Microsoft, where he was head of Windows Security and Platform Integrity.

What was your first job? I was working on an electrical engineering degree at the University of Washington, and had the opportunity to speak with a recruiter about joining the nuclear Navy. I was looking for a different experience coming out of college, and knew that I probably wasn’t going to be as passionate about designing circuits as I would becoming a submarine officer. I spent eight years in the Navy directing ship and nuclear power plant operations, including personnel development, equipment installation, maintenance, and training.

How did you get involved in cybersecurity? After my time in the Navy, I worked as a product manager for GE before joining Microsoft as a program manager with the Windows security team. Being able to build new features and capabilities into the Windows platform gave me the incredible opportunity to focus and grow as a security professional during almost 20 years with the company. I eventually became head of Windows Security and Platform Integrity, overseeing the security program management team, managing public key infrastructure, cryptography, data protection, security services, and authentication in Windows Security. One notable achievement during my tenure was delivering the Xbox One security infrastructure, including a $20 million game disk security project and one of the largest scale cloud key management services in the world, supporting Windows and Xbox Live signing, licensing, authentication and encryption.

What was your education? Do you hold any certifications? What are they? After graduating with an electrical engineering degree from the University of Washington, I earned an MBA from Marymount University. I also hold a Six Sigma certification, a well-regarded verification of professional skills development, and achieved the highest Master Black Belt for improving overall process engineering within complex business practices.

Explain your career path. Did you take any detours? If so, discuss. My father was former military and always encouraged his kids to join. While I was the only one of my siblings to bite, it provided me with a non-traditional, albeit well-rounded, career path. I had a technical degree, joined the Navy, and gained a wealth of process reengineering and security knowledge at GE and Microsoft. It was during my last years at Microsoft that I was drawn to security operations and knew I wanted to get more involved with that side of the business. I joined Salesforce in 2018, becoming the main point of contact for security and overseeing the platform’s integrations for all mergers and acquisitions. My background in engineering and security operations has well prepared me for my new role as CISO at Samsara.

Was there anyone who has inspired or mentored you in your career? Beyond the obvious familial and military connection I have with my father, he has been a constant source of inspiration to me personally and professionally. He grew up in a logging community in Idaho, was the first in his family to go to college, and provided opportunities for his four children.

What do you feel is the most important aspect of your job? The CISO role can be different depending on the business; some interpret it more for compliance while others look for an engineering focus. For me, the job requires a strong combination of both, and that is what appealed to me about joining Samsara. For many organisations today, the most important aspect is to set a strategy and drive a culture of security throughout the entire company. A solid security strategy gets the resources and support to ensure the right processes and programs are in place. When it comes to being an agent for culture change, readers likely already know this doesn’t mean just hosting team happy hours. It’s all about driving how security is prioritised by the business. From respecting the value of customer data and treating it with the level of diligence it so rightly deserves, to how product features are built and deployed, to the way we work with customers—it’s imperative to ensure that security is a forethought, not an afterthought.

What metrics or KPIs do you use to measure security effectiveness? It’s key to track compliance metrics like patching and vulnerability management and violations in specific time periods as well as the ability to meet service level agreements in resolving security issues and incidents. It’s also increasingly important to oversee what access people have to customer data and how frequently it’s granted or removed. We want to ensure we’re only allowing access to the systems and controls people need at the moment in time they are doing their job.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The market is incredibly competitive for engineering talent and even more so for security engineering and operations—tech companies often have the same exact needs to fill. Even as salaries for security professionals continue to spike, some of the data I’ve seen shows that one out of every three security jobs remains unfilled. I think a contributing factor here is that this kind of specialisation and focus has yet to become a clear career path for people coming out of college today. Another challenge is hiring at the right talent level. You can always train people for different roles, but when you’re building a security culture and program you have to make sure you have the right level of seniority from the beginning.

Cybersecurity is constantly changing – how do you keep learning? I read a lot to keep up on the industry’s best practices, tools, and capabilities, and monitor as many threat intelligence feeds as possible. I’m also active in our local CISO forums in the Seattle area, and learn so much from the people we hire from different businesses and backgrounds. No one company has cornered the market in terms of security capabilities, and a lot of learnings come from a better understanding of other organisations' approaches.

What conferences are on your must-attend list? The RSA conference has always been the marquee industry event for me in terms of the speakers and education for security generalists. From a hacker community perspective, Black Hat has been a great place to sharpen up on the state of the art and learn where threats are coming from.

What is the best current trend in cybersecurity? The worst? Passwordless, multifactor authentication continues to be the single best thing that companies can do to have the most impact when it comes to maintaining proper access to systems and services. The worst would be not having good vulnerability management programs in place. Taking the maintenance and services of systems seriously must be part of the normal course of running a business.

What's the best career advice you ever received? Don’t sweat the small stuff. I was given this advice by a mentor early in my career and internalised it: while details are extremely important, you can lose sight of the long-term goal or strategy if you are too hung up on some small tactical issues. As I grew in my career it also helped me step away from issues that would be better handled by people on my team who had better subject matter expertise and were closer to the problem, giving them the space to make the best decisions.

What advice would you give to aspiring security leaders? Develop a passion for security. While it may not be the first thing young people coming out of college with technical degrees think of, it's a space I’m encouraging my own children to aspire to because there’s an incredible amount of opportunity. As security leaders grow, they can have an impact across a lot of different aspects of a company. Also, be sure to continue your education in different aspects of security, and consider new avenues through certifications or peer learning.

What has been your greatest career achievement? Being certified as a Navy submarine officer was incredibly rewarding, and I was very proud to run operations on behalf of our captain and crew. Looking back, the opportunity to be on the bridge of a submarine and give orders in a variety of contexts and make tough decisions is what taught me how to handle pressure in different situations. Ultimately, it’s about understanding what’s really a crisis and leading with a cool head.

Looking back with 20:20 hindsight, what would you have done differently? I really don’t have a lot of regrets. While I couldn’t have planned my career path, I wouldn’t change a thing. Everything from the decision to join the Navy to the experiences and opportunities I’ve had along the way was overall positive and got me to where I am today.

What is your favourite quote? “It is what it is.” Rather than overanalysing why things happened, let’s deal with it and move forward.

What are you reading now? I’m a bit of a true crime fan, particularly when it comes to books or documentaries about the mob or organised crime. Right now, I’m reading Five Families: The Rise, Decline, and Resurgence of America's Most Powerful Mafia Empires.

In my spare time, I like to… Sail. Even though I was in the Navy, it’s not something I ever thought I’d be doing, but I’ve taken up sailing over the last six years. I really enjoy it, especially being able to go to unique places, but I don’t have my own boat—yet!

Most people don't know that I… spent a good chunk of my life under water. Even though I share my experience on a submarine, people are surprised about how long.

Ask me to do anything but… There’s not a lot of things I wouldn’t do or try, so I’ve got to say, eat squid. It just wasn’t for me.