CTO Sessions: Michael Smith, Neustar Security Services

What predictions do you have for the role of the CTO in the future? As Marc Andreesen said, ‘Software is going to eat the world’ and the CTO will be the driving force behind that.”

Headshot of Michael Smith, Field CTO at Neustar Security Services
Neustar Security Services

Name: Michael Smith

Company: Neustar Security Services

Job title: Field CTO

Date started current role: March 2022

Location: Massachusetts, USA

Michael Smith is Neustar's Field CTO and is responsible for the organisation's overall products and services strategy including product management, security operations, and customer support.  With over 30 years of experience in cybersecurity, IT, and intelligence, he has managed high-profile incidents such as the wave of DDoS attacks against major U.S. banks in 2012 and 2013 and attacks by e-commerce account takeover gangs, as well as security monitoring for large online events such as the Olympics and World Cups. Smith initially started as a Russian translator in the U.S. Army before serving in engineering, information security management, incident management, and CTO roles at Akamai, Deloitte, Unisys, and several startups.

What was your first job? When I was 17, I joined the army to escape my home state of Idaho. I was sent to the Defence Language Institute in Monterey, California to learn Russian, and I worked as a translator and intelligence specialist on active duty for 8 years. I believe that language is software for the human brain and should be treated as such.

Did you always want to work in IT? I started programming in the late 1980s. After my early experiences, I really wanted to do a computer-related job in the army, but were not many options at the time, so I went into the intelligence field.

While I was stationed in Germany, I taught myself system administration using a lot of the Linux System Administrator’s Guide. When I got off active duty, I volunteered with the local Linux User’s Group and fixed all manner of systems every Thursday night, sometimes until midnight. I parlayed that into my first IT job.

What was your education? Do you hold any certifications? What are they? I am a graduate of the Russian course at the Defence Language Institute, so I have an advanced certification in Russian. My university experience is split across many different colleges and universities – wherever I happened to be living at the time. I finally got my BS in 2007 at the age of 34 when my boss told me that I needed to do that so he could increase my billable rate to the US Government. As a security specialist, I have since earned the CISSP, CISM, and ISSEP certifications, along with a handful of others.

Explain your career path. Did you take any detours? If so, discuss. I had all sorts of detours – I went from linguistics and intelligence to Linux system administration and Local Acceptable Mismatch Program (LAMP) stack programming during the Dotcom era as the CTO of an eCommerce start-up. I then moved to the Washington DC area and spent 10 years working across several hybrid roles that had a mix of security management and architecture, governance, risk and compliance, as well as security engineering.

I went on to work for Akamai Technologies for 10 years in four different roles, including building out their customer-facing security incident response team and working as a security CTO across the Asia-Pacific region as well as Japan. At around this time, I was activated as part of the National Guard and spent 7 months inside Afghanistan as an infantry squad leader. My goal in job-hunting is to find a role where I can use as many of these eclectic skills as possible.

 What type of CTO are you? Personally, I do not feel like I am the ultra-intelligent or ‘smart’ type as the job requires, but I have the ability to context-switch and have those complex or technical conversations in an instant. I constantly ping between different talk tracks and goals, from being the voice of reason for our customers, to an incident response and security operator mindset, to being a business champion or spokesperson, who can offer deep dives into engineering and interface design.

Which emerging technology are you most excited about the prospect of? In the security world, controls efficacy and log analysis are everything. With problems like detecting advanced web-crawling bots, you are required to scan artificial intelligence (AI) or machine learning (ML) with a ‘cheat code’ in order to get detection and blocking in real-time and at scale. I am really interested in that bridge from ‘new-tech’ which is comprehensive but requires more resources, to older tech that is far smaller and faster.

Are there any technologies which you think are overhyped? Why? Information security is overhyped each year, particularly around the RSA Conference – Gartner’s ‘hype cycle’ is very applicable here and it is a shame really! Most of the time, I agree that a particular solution is overhyped, but it does not help that expectations are simply set far too high. Zero-Trust seems to be the topic this year, although I think Mitre ATT&CK might be the main focus next year.

What is one unique initiative that you’ve employed over the last 12 months that you’re really proud of? Last year, I put together a software project that performed fuzzy matching against all of the registered domains using Zone Transparency from ICANN (Internet Corporation for Assigned Names and Numbers) to find eCommerce sites with counterfeit and grey-market goods.

Are you leading a digital transformation? If so, does it emphasise customer experience and revenue growth or operational efficiency? If both, how do you balance the two? We have two very mature platforms for domain name system (DNS) and Distributed Denial-of-Service (DDoS) mitigation and an emerging platform for Web Application Firewall and Bot Management. With the mature platforms, it is incremental development for customer experience and kick-starting a new round of innovation to build net new capabilities. On the emerging platform, it is all development to add entirely new functionality and features.

What is the biggest issue that you’re helping customers with at the moment? We have a scaled platform with a massive amount of data, but you have to go through a round of analysis to get information, and then there is another round of analysis with that information as input to get to useable threat intelligence that is timely, accurate, and relevant.

I am taking a lot of my intelligence and incident response experience and steering our data efforts to ensure we make as much use out of all the data that we have and to give customers more transparency in their traffic patterns, attacker behaviour, and in us as a platform.

How do you align your technology use to meet business goals? Talking to customers is invaluable, because you can learn a lot of things. Customer advisory boards for each major product line are incredibly helpful, as well as roundtable events, or even just simply sitting down with customers and going over your product roadmap. However, this needs to be approached logically. Leaders must have these conversations far more regularly. Only then will they be able to identify a persistent challenge or issue that customers are facing, and nobody has adequately solved yet. That leads to innovation.

Do you have any trouble matching product/service strategy with tech strategy? Naturally, we are pulled in multiple directions at any given time. Our general rule of thumb, though, is to have a prioritisation process that resonates with the market, and then to build the most common 80 percent of features. The product and project managers that I work with are phenomenally good at this.

I always think in reverse-order timelines, so for me, the focus is first establishing what we are trying to accomplish then work backwards through the dependency chain to get to where we start. Along the way, you take notes of the dependencies and turn that into a basic project plan.

What makes an effective tech strategy? The most effective tech strategy is the one that meets the goals of the business. That depends on what kind of a business you are but that usually revolves around profitability, agility, or a mission to support the customer.

What predictions do you have for the role of the CTO in the future? As Marc Andreesen said, ‘Software is going to eat the world’ and the CTO will be the driving force behind that. CTOs are people who have the vision and the skills to translate that into engineering terms to get built. For platform companies such as Neustar Security Services, that software and the systems that it runs on are the company and its product, so it is a lot easier to predict.

What has been your greatest career achievement? In 2012 and 2013, there was a large DDoS campaign against US banks called Operation Ababil. I was a director for an Incident Response team and one of a handful of response directors in contact with each other in order to fight the attacks.

Looking back with 20:20 hindsight, what would you have done differently? I have had some start-up experiences that did not necessarily pay off, but failure leads to experience. I don’t think I would do anything differently because even when I fail, I walk away smarter and wiser.

What are you reading now? A real mix of things… currently, Deep Work by Cal Newport, The Car Hacker’s Handbook by Craig Smith and Venture Deals by Brad Feld and Jason Mendelson.

Most people don't know that I… Lived for over three years each in both Germany and Singapore.

In my spare time, I like to…Mountain biking, trekking, and volunteering to teach flyfishing through Project Healing Waters.

Ask me to do anything but… Be an accountant or managing consultant that just creates reports.