Secret CSO: Zach Powers, Benchling

What advice would you give aspiring security leaders? “Your goal is to reduce security risk across the board… Create a model for security that spans across the entire organisation, not just within the technical side of your organisation.”


Name: Zach Powers

Organisation: Benchling

Job title: Chief Information Security Officer

Date started current role: November 2020

Location: San Francisco Bay Area

Zach Powers is Chief Information Security Officer (CISO) at Benchling, where he oversees security and is responsible for teams navigating the evolving threat landscape in order to best protect employees, customers, and biotech research. Most recently, as CISO and CIO of One Medical, Powers built their security program from the ground up and successfully took the company public. During his tenure at One Medical, he led a digital transformation, enabling company footprint expansion by over 500% in four years. As Vice President of Enterprise Security at Salesforce, Powers brought modern cloud security to enterprises, driving security programs for product, infrastructure, supply chain, and M&A security groups. Powers is an active member of the broader security community, serving on the Bay Area CSO Council and Sequoia Capital’s CISO Council.

What was your first job? I worked at a mountain climbing shop in Yosemite National Park, where I managed the implementation of a point-of-sale system across the national park, essentially overhauling how sales were done. This is where my interest in technology first really peaked (excuse the pun!) and of course, I found security vulnerabilities in the system.

How did you get involved in cybersecurity? I took on a role at a tech startup which specialised in distributed point-of-sale systems and logistics for retail, sort of a precursor to cloud computing in many ways. While this involved the transformation of sales systems, it also came with a lot of security challenges. As is the case with distributed computing and communications, I was involved in how to protect and handle network security issues.

What was your education? Do you hold any certifications? What are they? Like many people in the industry, my formal education isn’t in cybersecurity. At university, I studied materials engineering. Although this had nothing to do with cybersecurity concretely, it gave me foundational skills I needed — I learned how to think critically and how to apply an engineer’s mindset to solving problems.

Explain your career path. Did you take any detours? If so, discuss. After the dotcom crash hit the startup I was working for in 2001, I got the opportunity to work across a network of twelve Native American tribes with the broad remit of helping their communities and reservations to overcome their digital divide. Some of these tribes did not have access to even basic internet because they did not have the basic infrastructure, such as landlines for phones, fibre optics, etc. on the reservations at the time. My work as CIO for these tribes was focused on setting up the technology infrastructure, services, and also in promoting digital literacy — training youth to be equipped to join the tech workforce.

I spent eight years on this incredible project, and then took a call from Salesforce for a role focusing on innovating security for cloud computing. There were two things that motivated me with Salesforce, as well as earlier with the Native American tribes and with everything that would follow, from One Medical to Benchling: a feel-good reason for joining an org, that the org would have a positive impact on society, and an ‘economies of scale’ impact, bringing real change to larger populations.

With Salesforce, I had a grasp of what cloud computing might do for humanity by democratising cloud services. Most companies could not maintain or afford secure and scalable infrastructure. Salesforce would use cloud computing to help companies achieve something with technology that they couldn’t do on their own, as well as global scale and a level of security not fathomable by most companies in the world. 

In the security organisation at Salesforce, everyone was incredibly smart and passionate about technology. We pioneered so much of what is considered standard today. We did it back then because we had a fervent desire to make things better from a tech perspective, to make the internet and business more trustworthy. Providing security for the cloud, this was an economy of scale value proposition that I was completely energised by.  

Was there anyone who has inspired you or mentored you in your career? A lot of leaders and engineers have inspired me, but if I had to name one, it would be Jim Cavalieri. He held almost every executive position at Salesforce, from finance and operations to engineering and security, and he had this outstanding ability to connect the dots across different functions. He wanted to understand security because he wanted to understand the best business value opportunity and he was obsessed with the trust of customers. He made me think of security from a business value proposition and risk management point of view, as opposed to just a technical point of view. He really influenced me to focus on customer trust.

What do you feel is the most important aspect of your job? My team is focused on creating an economy of scale with security for biotech, making the industry and customers we serve more secure, and with greater efficiency. We will be successful if we win the hearts and minds of our customers, earning and maintaining their trust. To this aim, we invest far more in security than most customers can afford to, and we have an abundance of expertise. Benchling embeds security engineering into our software development lifecycle and cloud infrastructure operations. Vulnerability testing happens daily, all code checked into production undergoes security testing, and any security issues found are fixed within industry-leading SLAs. The biotech industry can get a more secure outcome by taking advantage of our software and platform. We take care of the hard stuff in security so that our customers can focus on advancing science and delivering humanity-impacting products.

What metrics or KPIs do you use to measure security effectiveness? I run security teams that are not as common. Traditional security practices tend to isolate security and make it solely tech-focused or solely compliance-focused. I build security teams that are also people-centered and so we focus a lot of our KPIs here. Of course we have standard metrics around technical security and execution, around detection and response, but we also focus heavily on the maturity of business departments, strength of relationships, degree of visibility and influence, pulse of the customer, etc.

Many security engineers spend a lot of time working on coding, testing, and analysis and are really savvy in that regard, but they don’t typically have as much experience with business skills or persuasive speaking skills. If you work on my teams, you get professional development training so that you can influence and engage with non-technical audiences in order to influence them to be more secure. You can have the smartest security engineers in the world, but if they can’t influence a business to make more secure decisions, then secure outcomes aren’t really going to be accomplished.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Most biotech companies have security analysts. These roles provide a lot of value and are extremely important for the org. But there’s a delta between what a security analyst is doing and what a security engineer is capable of. And security engineering roles are hard to fill — as a security engineer, you need to understand security problems and create solutions for these problems; that often means security engineers know more about technology than many other technologists. Engineers are not just buying off-the-shelf software and pushing some buttons; there is no software that perfectly solves security problems today and security engineers often fill in the blanks where off-the-shelf software falls short. At Benchling, every security team member is an engineer, be it in application security or cloud security, security data engineering or in incident response engineering.

In recruiting, we know that security engineers care a great deal about the mission they work for. But they also want their company to be an ethical leader, taking an honest and transparent approach to security with their customers and the public.

Security engineers also care about the security leaders they work for and the team’s culture. Everyone we hire is usually one or two degrees separated from someone who works here at Benchling, as security is such a small world. Recruits are able to backchannel us and they’re attracted to working with leaders in the security community whom they respect and trust. 

Cybersecurity is constantly changing - how do you keep learning? You learn by getting outside of your bubble. Connect with the customers you serve to understand your ‘customer’s dilemma’ — understanding their security concerns, their regulatory and compliance environment, their digital transformation and cloud needs. Equally as important, you learn by connecting with security leaders and engineers at different companies, across different levels, and in multiple countries. You learn by being engaged in the global security community.

What conferences are on your must-attend list? I’ve been energised by going to events that are at the intersection of biotech, IT, and security. I like to hear first-hand where biotech organisations are in their cloud journey and the unique security challenges they face. There are some great security conferences for security practitioners, and some of them are notoriously fun, but you don’t get to connect with customers at them. So I try to divide time between the two different types of conferences.

What is the best trend in cybersecurity? The worst? The best trend is companies adopting cloud and enterprise SaaS, effectively taking advantage of security economies of scale that modern software provides. Enterprise SaaS companies have a responsibility for security, and they have security capabilities and teams beyond what most companies can afford. It’s the same with Benchling, security is an integral part of the product we’re offering to our customers.

At the same time, one of the worst trends I’m seeing is a distrust in cloud technology, which is unfortunately a more common sentiment in biotech. A lot of biotechs are still adhering to a security strategy from the late 1990s, using on-premises technology and essentially using firewalls as the first and only line of defence. More times than not, maintaining an on-prem strategy exposes you to more risk because 100% of the security responsibility and resourcing is on you. Most companies that distrust cloud computing are actually less secure than the cloud providers they distrust.

What’s the best career advice you ever received? Mentoring security engineers to understand the value of security in business and for people will make them better engineers.

What advice would you give aspiring security leaders? Your goal is to reduce security risk across the board. One of the best ways to do that is to truly, deeply embed security throughout your organisation. Security can and should influence the sales cycle, influence internal operations, and be a core part of a company’s strategy. Security certainly plays a role with marketing and communications, with an emphasis on trust. Create a model for security that spans across the entire organisation, not just within the technical side of your organisation.

What has been your greatest career achievement? In security, we often get asked about the scariest vulnerabilities, the worst breaches, etc. that we have lived through. People are often enamoured by our “war stories”, but when asked what my greatest achievements are, I start naming people. I have had a lot of young engineers join my teams, eager to learn and innovate, then grow through coaching, mentoring, and experience to become CISOs, startup founders, engineering executives, etc. Watching them grow and succeed in their careers, having played a hand in developing their talents, those are my greatest achievements.

Looking back with 20:20 hindsight, what would you have done differently? Each step I took in my career has been quite valuable to me, helping shape who I am today. So it isn’t that I would have changed something on that front. What I would have tried to do differently is come to an understanding faster - that you really can use security, technical knowledge, and leadership to make massive changes for companies and communities. I didn’t understand that until I was well into my career and if I had, I probably would have aimed to have had more of an impact earlier.
