Secret CSO: Mike Johnson, Fastly

What conferences are on your must-attend list? “I love the spirit and content of Security BSides events. Find the one closest to you, join that community, and attend!”


Name: Mike Johnson

Organisation: Fastly, Inc

Job title: CISO

Date started current role: October, 2019

Location: San Francisco Bay Area

Mike Johnson has over twenty years of experience in the security industry. He currently serves as CISO at Fastly where his team secures the network and platform behind the best of the web. Before Fastly, he spent a year and a half as Lyft’s first CISO where he had overall responsibility for its cybersecurity efforts. Prior to Lyft, he spent nine years at Salesforce in various roles, ultimately building and growing their world class Detection and Response organisation. He started his career prototyping intrusion detection systems for battlefield networks.

What was your first job? Are you trying to guess my security question answers?? My first job in “tech” was working at a travel agency where I was changing backup tapes (they used a ¼ inch reel tape based system). I was made obsolete when they upgraded to a 4mm DAT backup that didn’t need changing during backups.

How did you get involved in cybersecurity? I developed an interest in cybersecurity while in college. I was a teacher’s assistant for a professor of a networking projects class, which really meant I managed a lab of UNIX (UNiplexed Information Computing System) servers that were directly connected to the internet. The professor spent some time walking me through some of the concerns I should have, and I was hooked. At the time, the threats were internet pranksters and people looking to host pirate software sites. But the idea that there were adversaries that would be attempting to get past defences I was setting up was fascinating.

What was your education? Do you hold any certifications? What are they? I’m a bit of an oddball in that I actually managed a BS in Computer Science. My path there was a bit circuitous (and took me 5.5 years!), as I started out wanting to go into architecture (the houses and buildings kind), but didn’t have the high school grades to get into the design school. Instead, I went into the engineering school to study aerospace engineering (yes, aerospace engineering didn’t have the same high school grade requirements as design school…), which turned out to be too hard (thermodynamics was my undoing). I moved to mechanical engineering and after a while decided that wasn’t what I wanted to do with my life, so decided to go try that computer thing. I currently hold no certifications, but have held a few in the past. I don’t feel that continuing to pay the annual dues for those was worth the value I was getting out of them, so I intentionally let them lapse.

Explain your career path. Did you take any detours? If so, discuss. I’ve been at this for over 25 years at this point. There are some twists and turns, but it’s always been cybersecurity (even though we didn’t have that term way back then!). Worked my way up the ranks, starting on the helpdesk, system administration and R&D, and moving on to leading security and IT teams and building datacentres. I was fortunate to join Salesforce in 2008, when no-one knew what the “cloud” was and “cloud security” was not a term that security professionals thought of. It was here I started a team focused on Detection and Response where we built capabilities that were (and remain!) absolutely first class. After nine years at Salesforce, I decided to leave to join Lyft as their CISO, where I had the good fortune of working with an amazing group of folks who taught me how to scale security in extreme growth. I also got to learn what preparing a company for an IPO means from a security perspective, which was another fast learning opportunity. After I left Lyft and was trying to decide what I wanted to do next, an area that I had long wanted to focus on was services that are foundational at internet scale - this led me to Fastly. Fastly is in this amazing position where we are a key service on the internet. While we’re behind the scenes, our customers depend on us to deliver safe and performant experiences. Every day, it’s likely every internet user is interacting with us, without even knowing it. In fact, dear reader, it's likely that you're seeing this via Fastly!

Was there anyone who has inspired or mentored you in your career? Oh gosh, the list is too long! So many folks come to mind, even as I start thinking about it, the list gets longer. I’ll take the easy way out and say that everyone who tirelessly works in cybersecurity inspires me on a daily basis. This profession is difficult and often thankless. The folks in our field work long hours to keep others safe, often without those others realising it. We do it because we’re a mission driven profession. Even though it’s usually thankless, we still do it. So thank you fellow cybersecurity professionals, you inspire me!

What do you feel is the most important aspect of your job? Relationship management. Our teams need the assistance of many other teams across the company, and it’s critical that I have the trust of my fellow leaders across Fastly when we’re discussing key issues. Building and managing that trust is the most important aspect of my job, and maintaining those relationships is how I do that.

What metrics or KPIs do you use to measure security effectiveness? Tough question! I look towards some of the typical metrics such as vulnerability remediation velocity, time to detect, adherence to agreed upon SLAs, and also more broad programme performance metrics such as security maturity improvements and risk reduction. It’s key to measure repeatable indicators that you’re able to influence. I avoid putting weight on things like number of attacks, which you have no way to influence.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I think this affects any cybersecurity organisation. It of course means it takes longer for us to fill an open position, which also adds uncertainty in work and budget planning. I can’t say some of the roles/skills are more difficult to find than others. I’m regularly surprised. For instance, I know a lot of cybersecurity teams have a hard time finding cloud security skills, but we’ve been able to find these when needed. On the other hand, we have sometimes struggled finding more general security backgrounds. There’s no rhyme or reason to it.

Cybersecurity is constantly changing – how do you keep learning? I’ve been fortunate to be invited to several communities for cybersecurity leaders. I learn so much by speaking with my peers across the industry. Many issues that I come across have already been solved elsewhere, so I get to pick folks’ brains. I ask questions and folks are kind enough to share their answers. Through the kindness of these communities, I’m able to learn from the best security leaders out there. 

What conferences are on your must-attend list? I love the spirit and content of Security BSides events. Find the one closest to you, join that community, and attend!

What is the best current trend in cybersecurity? The worst? Best: Identity awareness. I’m glad to see the priority we as a profession are placing on identity and how to manage it. This is not only for machine representations of human identity, but also how we represent automation/service/application accounts. Attaching identities to everything and then reasoning on what those identities can do lays a strong foundation to build upon. Worst: Ransomware. Ransomware has been a scourge for a while now and the actors behind them continue to evolve. The damage these attacks reap is astounding and only getting worse.

What's the best career advice you ever received? “Hire slow and fire fast.” This one always sticks with me. Not so much for the words themselves, but the sentiment. You can have a group of the most intelligent cybersecurity professionals in the world, but if they can’t work together as a team, it’ll all fall apart. Values alignment is critical to working together successfully.

What advice would you give to aspiring security leaders? Don’t hire or work with brilliant people who are rude or arrogant. Our jobs are hard enough without working with people like this, no matter how smart they might be.

What has been your greatest career achievement? This is perhaps the most difficult question of all of these. I’ve tried to spend my career humbly plugging away and making a difference where I can. While I have been fortunate to be involved in many great achievements, I’ve always been but one part of them.

Looking back with 20:20 hindsight, what would you have done differently? Emphasised the relationship building part of my various positions. It’s only in more recent times that I’ve really recognised the power of good relationships. I’ve certainly been aware in the past, but I went through most of my career relying heavily on the technical aspects of our field.

What is your favourite quote? “To laugh often and much: To win the respect of intelligent people and the affection of children, to earn the appreciation of honest critics and endure the betrayal of false friends; to appreciate beauty, to find the best in others, to leave the world a bit better whether by a healthy child, a garden patch, or a redeemed social condition; to know even one life has breathed easier because you lived. This is to have succeeded.” -- Evidently mis-attributed to Ralph Waldo Emerson, but it’s my favourite quote nonetheless. Other quotes: “Well, that didn’t work” - Terry Ewert when his BattleBot self-destructed during a battle, “Safety Third!” - Mike Rowe, and “When in doubt, C4” - Jamie Hyneman on MythBusters.

What are you reading now? I read via audiobooks. I’m currently catching up on podcasts after just finishing “The Premonition: A Pandemic Story” by Michael Lewis. Lewis is an amazing author, and while this is quite topical right now, the story has a lot of parallels to the cybersecurity profession.

In my spare time, I like to… Explore rarely explored spaces off road. One of the great opportunities of living in California is the vastness of wide open state and federal lands that we can explore. The really neat ones often are difficult to get to, so another part of my spare time is working on my Jeep which lets me explore those rarely explored spaces.

Most people don't know that I… I’m a hobbyist cyclist. I’m not a hardcore road racer or mountain bike rider, but I enjoy my weekly ride here in the Bay Area. I was an avid rider in high school, but set it aside for a while, getting back into bike riding after moving to San Francisco in 2011. I just got a new gravel bike, so I’m also doing some “off the beaten path” exploring on two wheels.

Ask me to do anything but… Wear a suit. I hate wearing suits. Too stuffy.