Secret CSO: Alex Tosheff, VMware

What advice would you give to aspiring security leaders? “If you don’t make the time to invest in yourself as a leader, a situation will force you to find that time in the most stressful way possible…”


Name: Alex Tosheff

Organisation: VMware

Job title: CSO and Senior Vice President

Date started current role: July 2014

Location: Palo Alto, California, United States

Alex Tosheff is Chief Security Officer, Senior Vice President and Global Crisis Management Chair, leading all aspects of VMware’s cybersecurity, physical security and enterprise resiliency across the global enterprise. An industry veteran with more than 25 years of business and technical leadership, Tosheff is an ardent proponent of cybersecurity as a driver of business value. He is a recognised expert on the nexus between security and technology innovation, and he has led transformational initiatives at VMware to establish zero trust principles, accelerate time-to-value on security investments and enable a secure, global work-from-anywhere workforce. Tosheff is passionate about agile leadership and empowers VMware’s global team of security professionals to develop new and innovative ways of protecting VMware, employees, customers and partners. Tosheff previously served as CISO at PayPal and BillMeLater. He also previously served as Venture Partner for St. Paul Venture Capital and Chief Technology Officer at Science Applications International Corporation (SAIC).

What was your first job? My first job in technology was working for a large defence contractor as a systems integrator and engineer.

How did you get involved in cybersecurity? I was hired as a Unix systems engineer at SAIC, a defence contractor headquartered in San Diego, CA. My boss at the time brought me into a DoD/DISA project that was under pressure to be completed. I basically got put into a room lacking windows with a bunch of Sun SPARC workstations, a Trusted Solaris OS boot tape, a stack of manuals and copies of the DoD Rainbow Series – including a heavily dog-eared copy of the Orange Book. It took more than a few months to go from CONOPS to deployment, but we ended up with one of the first DISA-accredited B1 multi-level trusted systems, and I got to travel around the world deploying it. Afterwards I was lucky to have opportunities to branch out to other security projects in architecture, firewalls and public key infrastructure.

What was your education? Do you hold any certifications? What are they? I hold a Bachelor’s degree in physics from the California State University. I have been in the industry longer than the certifications that are common today have been around, so I gained most of my cybersecurity skills and knowledge on the job in hands-on roles. I also learned a tremendous amount from peers along the way.

Explain your career path. Did you take any detours? If so, discuss. I’ve held a variety of different roles but always circle back to security. There wasn’t a defined CISO role when I started my career and honestly, it wasn’t something I was deliberate about. Over the years, I worked as a systems engineer, systems administrator for Unix systems, and a systems integrator. In later years I moved into leadership positions and worked at a start-up called BillMeLater, which was later acquired by PayPal. I was then at PayPal for 6 years before joining VMware.

I didn’t take a focused path to CSO, and there were detours along the way. Having a diverse background can be particularly helpful for security pros looking to move into leadership positions. One of the other detours I took was an opportunity to work as a venture partner on a venture fund while also working on building investment pieces. That experience taught me a portfolio approach which translates to how I manage security in a company today. The time I spent in Board of Directors meetings during those venture days also helps me interact more effectively with boards in my current role. I also think an important part of being a security leader is balance. When my kids were little, I consulted for around 7-8 years so I could spend more time with them. Fun fact, if we go further back in time, I’ve also done a stint in construction work as a carpenter.

Was there anyone who has inspired or mentored you in your career? Fortunately, I had some amazing mentors early on. I quit college football in my junior year in order to focus on my academic career and ultimately went back to school to get my 4-year degree. I discovered the UNIX and VAX data centre in the basement of the science building – it was so cool. I used to show up early in the morning and pester the staff member who ran the computer systems to let me come in and play around. It was through this process of breaking and having to fix things, asking questions and reading a lot of manuals that I learned all my initial skills on Unix and networking.

Ultimately, someone gave me the opportunity to ask a lot of questions, make mistakes and learn from them early in my career and that’s always helped me. To this day, I have people in my life that are close friends and mentors. I think it’s important to have someone you can trust to give thoughtful feedback on a particular situation or just life in general. On the flip side, this really gave me a sense of duty around mentoring others as I progressed in my career.

What do you feel is the most important aspect of your job? Executing the broader mission – it's easy to get lost in details, but leaders need to keep energy focused on the strategic outcomes. Equally important is establishing and maintaining trust with our customers and stakeholders, including colleagues.

What metrics or KPIs do you use to measure security effectiveness? We track a lot of indicators. These include mean time to respond to incidents, mean time to patch, threat actor dwell times, and phish-success rates.

We also look at our financial metrics very closely to ensure we’re getting value from our investments. The people side of this is also very important. We look at our organisational makeup and hiring patterns to ensure our teams are diverse, skilled and evolving with the needs of the business.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I believe every company is affected by the skills shortage in security and will be for some time. In the tech sector, companies are feeling the mounting pressure from their customers and regulators focusing on software security. This makes some roles even more competitive to fill, particularly Software Engineering, Digital Forensics and Incident Response (DFIR), and Governance Risk and Compliance (GRC).

Cybersecurity is constantly changing – how do you keep learning? It’s a mix of two things – there’s a reactive component and a proactive component. Reactively, every attack that takes place, plus the follow-up investigations that are conducted, is an opportunity to learn how to do things better. It’s not just a check-the-box exercise, but rather involves trying to understand what the true cause of events was. The goal should be to only make new mistakes.

On the proactive side, I love talking to my peers in more intimate forums where we can share real information and learnings. Of course, I read about these topics a lot, but communicating and collaborating with your team is the best way to advance, in my opinion. You need to actively set time aside to keep learning, otherwise it may slip off the to-do list. And for me, that time needs to be when I’m calm and in a contemplative mode.

What conferences are on your must-attend list? The two main ones are the Executive Security Action Forum at RSAC and Black Hat. I also look forward to other more private peer events.

What is the best current trend in cybersecurity? The worst? The best trend in cybersecurity today is the elevation and recognition of the inherent risk of cyberattacks across critical infrastructure. The increasing recognition and support from the C-suite and boards is also something we as a profession need in order to continue to ensure we are balancing the risk and reward trade-off.

On the other hand, the worst trend or idea I’m seeing right now is the continued focus on point products as a silver bullet for risk mitigation. The value of your technology investment is only as good as your ability to pull the levers of people, process and technology equally at the same time. Good cyber hygiene, incident preparedness, architecture, policies and GRC are all essential components to ensuring that your technology delivers value.

I also have concerns about organisations relying too heavily on ratings. The idea that you can scan the internet to determine your risk of cyberattacks is over-simplified. We may get to a credit bureau way of scoring cyber risk dependably, but I believe there is a long way to go before that’s possible.

What's the best career advice you ever received? Be yourself. Everyone else is already taken. This advice landed at an important time in my career and helped me get over things that a lot of leadership can feel, such as imposter syndrome. Instead of worrying about our persona, we should just be focusing on bringing all of ourselves to the leadership roles we hold.

What advice would you give to aspiring security leaders? I’d give that same advice about being yourself, but also add that if you don’t make the time to invest in yourself as a leader, a situation will force you to find that time in the most stressful way possible. Unpacking yourself as a human and understanding your preferences in how you learn is an exercise you need to do right at the beginning. Good companies will support your growth and development, but you have to take the first step yourself. Otherwise, you’ll always be in reactive mode.

What has been your greatest career achievement? My greatest achievement was leading VMware through the pandemic and helping build the response capability for the company to enable us to be successful in that unprecedented situation. It tested my capability as a leader as well as a security professional, and I took myself to scale in a very challenging environment. I had to think about how we can bring our people together and enable the company to succeed while being mindful of people’s mental and physical health and ensuring the C-suite and board understood our objectives.

Looking back with 20:20 hindsight, what would you have done differently? If I had to look back and give myself advice, it would be to seek feedback on things earlier. Find people who will constructively disagree with you. This is what keeps you accountable. Otherwise, you will believe your own press and lose perspective. If feedback stings, it was probably something you needed to hear!

What is your favourite quote? “Fear is the mind-killer.” Frank Herbert’s Dune.

What are you reading now? As a leader, it’s important for me to constantly seek out different perspectives, so I read a lot of books that test my assumptions. I also like science-fiction and fantasy, and I’m currently reading The Melody of Memory by Cheryl Brinn.

In my spare time, I like to… Spend time with my family, ride mountain bikes, play guitar, read, ride motorcycles, camp and be outdoors. I love to travel!

Most people don't know that I… Was a 318-pound offensive lineman in college football.

Ask me to do anything but… Choose Star Wars over Star Trek. Nope.