Secret CSO: Michael Armer, RingCentral

What metrics or KPIs do you use to measure security effectiveness? “There is not a one size fits all strategy and every CISO needs to generate a set of standardised metrics and business outcomes specific to their organisation’s risk tolerance.”


Name: Michael Armer

Organisation: RingCentral

Job title: Chief Information Security Officer (CISO)

Date started current role: September 2022

Location: Belmont, CA

As RingCentral’s Chief Information Security Officer, Michael Armer is charged with delivering an industry-leading cyber risk posture, while creating competitive differentiation through security innovation. Armer brings over 25 years of executive IT and cybersecurity leadership experience across diverse industries including technology, communications, energy, mining and semiconductor. Prior to joining RingCentral, Armer served as the CISO at 8x8, where he successfully scaled the company's security program during the largest growth period in its history. Armer is an active public speaker and board advisor. He currently serves on Ambient Security’s advisory board and most recently served on the advisory board of Cloud Vectors, which was acquired by Imperva in 2021.

What was your first job? My first job was working the drive thru at KFC. I was eventually promoted to assistant manager where I was given a fifty cent raise and a clip-on tie. That was an exciting career advancement. I landed my first professional job as a mechanical engineer working for a company in Santa Clara designing orthopaedic medical devices. That company offered me an opportunity to build a Novell network for engineering CAD collaboration purposes. That opportunity shifted my career focus to information technology.

How did you get involved in cybersecurity? I’ve been fortunate in my career to have been offered different development opportunities with different employers. I started with Lam Research in Fremont, CA as a systems engineer. I slowly moved up the management chain and eventually led Lam’s global IT operations function as a Sr. Director. Lam’s then-current CISO departed to lead Apple’s security team. I expressed interest in the role and took steps to demonstrate my commitment by obtaining a Certified Information Systems Security Professional (CISSP) credential. Lam eventually offered me the role and I accepted. This was ultimately the decision that catapulted my security career. It was an incredible learning experience, scaling a global security program as the business grew from $5B to more than $10B while meeting some of the most stringent customer data security requirements on the planet.

What is your education? Do you hold any certifications? What are they? I have a Bachelor of Science in IT (BSIT) from UOP, and a Master of Business Administration (MBA) from USC. I also hold a cybersecurity leadership credential from UC Berkeley (Haas), CISSP and ISO/IEC 27001:2015 auditor accreditation.

Explain your career path. Did you take any detours? If so, discuss. My career path has been largely non-traditional in my opinion. It has been guided by opportunity and a willingness to try new things. My personal career spans fast food, retail sales, engineering, consulting, information technology, corporate advisory, and cybersecurity. It seems fair to say that my career has had many detours. Interestingly, the diversity of experience has aided in my career growth in different ways. Working in customer service and sales helped me understand how to engage and work with different people and personalities. Working in engineering helped me understand pragmatic and quantitative approaches to technical problem solving and how to “speak” engineering. The consulting experience taught me how to structure proposals and business cases for the audience. Information technology operations provided a foundational understanding of people, process, and technology, as it relates to systems, cloud computing, and business outcomes. Board advisory offered exposure to executive and product market discussions that helped shape how I package and sell cyber risk management solutions. Lastly, cyber security risk is increasing in frequency and complexity every day which keeps me educationally agile. While my career path may be considered non-traditional, the foundational benefits have been key to my personal and professional growth.

Was there anyone who has inspired or mentored you in your career? I’ve been fortunate to have had a unique set of mentors throughout my career and it's difficult to recognise just one. That said, early in my career one CIO stands out. This individual helped shape my business acumen and better understand the importance of operational excellence and business outcomes. This individual offered decision-making responsibility then took the time to advise and counsel me when needed, while not holding back on criticism (sometimes even in public forums). That critical feedback was difficult to hear but always came with constructive recommendations that led to better business outcomes. I had a choice where I could be frustrated and ignore the feedback or listen and process. Fortunately, I chose the latter and I carry those lessons with me today.

What do you feel is the most important aspect of your job? The most important aspect of my job is effective leadership. I define leadership as the ability to create positive change through influence. Bridging the security interests of our customers, executives, regulators, board members, internal stakeholders, and internal teams is key. Every stakeholder has a different point of view and need. Customers want the highest quality service and data protection possible; executives want market growth and competitive differentiation at the lowest cost; regulators want demonstrated compliance; board members want lower risk for shareholders; product and engineering staff want minimal competing priorities for internal resources; internal stakeholders want committed results; and team members want to be challenged and developed. In my opinion, a CISO’s ability to navigate and bridge these needs is critical to their success.

What metrics or KPIs do you use to measure security effectiveness? I tend to use different metrics depending on the audience. For example, boards tend to be more interested in cyber maturity ratings and incident disclosure metrics, such as number of incidents, dwell time and “time to notify, respond, and contain.” Along with board metrics, operational executives tend to be interested in the following metrics: security cost of ownership, OS patching and vulnerability management performance, training completion rates, and phishing campaign click rates. All metrics should connect to a business outcome. There is not a one size fits all strategy and every CISO needs to generate a set of standardised metrics and business outcomes specific to their organisation’s risk tolerance.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? As the “Great Resignation” period post-pandemic has ended and the economy continues to slow, I’m seeing some relief in finding qualified security professionals. A continuing challenge is finding individuals who have both deep security technical expertise *and* business acumen. Individuals who are able to generate business cases for risk mitigation solutions and an ability to communicate those cases effectively to different stakeholders and decision makers are of high value in my opinion. Other in demand skills include digital forensics, incident response and qualified security software engineers.

Cybersecurity is constantly changing – how do you keep learning? Active engagement every day is key. Beyond academic and periodical information, I work closely with my legal and privacy business partners on pending regulation. I engage with my appsec and secops teams regularly and ask a lot of (sometimes dumb) questions. I rely on my peer network heavily to discuss trends and strategies. I request regular security vendor roadmap and executive briefings from leading security vendors. Most importantly, I maintain a “safe to fail” and “fail fast” organisational environment to encourage risk taking and learning.

What conferences are on your must-attend list? There are several high-value conferences occurring annually; however, RSA & Black Hat are must-attends for me. They offer great opportunities for learning and professional networking.

What is the best current trend in cybersecurity? The worst? One positive trend impacting cybersecurity is the increasing level of corporate accountability for data breaches. Executives and boards are increasingly subject to personal liability if they fail to properly protect or disclose data breaches. Boards and executives are paying more attention and measuring cyber risk investment similar to other enterprise risks, especially those which they may be personally liable for.

Inversely, some of the problem trends I’m seeing are the increasing use of social engineering, phishing, and smishing to exploit humans. Many recent data breaches have been connected to human breach rather than a technical breach. Threat actors are increasingly targeting humans through SMS and email with infected payloads to extract credentials, PII, or financial information. Organisations can invest and build the most sophisticated security management systems on the planet, yet it can take one unintentional user click to defeat those controls and trigger an incident. In addition to high efficacy technical blocking controls, organisations should implement frequent and specific awareness training for employees to help them identify and report such attacks.

What's the best career advice you ever received? Some of the best career advice I’ve received: (1) Surround yourself with people smarter than you (which is pretty easy for me to do). (2) Understand your audience and message accordingly. (3) Always work to understand the other side of the argument, even if you don’t agree with it. If you follow these three tips, better business outcomes are more likely.

What advice would you give to aspiring security leaders? Be patient. Cybersecurity is evolving fast from a risk and regulation perspective and business leaders are struggling to keep pace. Consider expanding your business skills to better package risk mitigation proposals in business terms. It helps to speak the language of your business counterparts who may not understand security vernacular. Lastly, and probably most importantly, recognise the importance of your team, customers, vendors, business partners, and stakeholders in your success. Each area requires a proper amount of attention, direction, and effective communication.

What has been your greatest career achievement? My greatest career achievement has been striking the right balance of career growth and raising a family. My wife and I have three teenage daughters. It’s fair to say both family and work have made sacrifices through the years. I recall occasions attending meetings while on vacation or missing meetings due to kids’ soccer practice, yet both my family and work managed to thrive. I’ve been fortunate to work for companies like RingCentral who understand the importance of work / home life balance and have a willingness to be flexible. I can say the same for having such an understanding family.

Looking back with 20:20 hindsight, what would you have done differently? With the benefit of 20:20 hindsight, I would have done a better job listening and been more patient. I would have taken more time to enlist the opinion, perspectives, and support of stakeholders. I would have been less averse to change.

What is your favourite quote? Several favourite quotes come to mind. However, here are two of my favourites.

“A true leader has the confidence to stand alone, the courage to make tough decisions, and the compassion to listen to the needs of others” - Douglas MacArthur

“Trust, but verify” - Ronald Reagan

What are you reading now? I recently read and would recommend Jim Collins’ book Great by Choice: Uncertainty, Chaos, and Luck--Why Some Thrive Despite Them All. Collins examines companies that out-performed their competitors by a factor of 10.

In my spare time, I like to… I like to spend as much time as possible with my family on our houseboat in California. The sound of the rain on the lake during the winter is amazing and of course summer water sports including wakeboarding and wake surfing are super fun.

Most people don't know that I… have been working on my FAA pilot’s license.

Ask me to do anything but… Pick up a spider!!