Secret CSO: Zane Lackey, Signal Sciences

Name: Zane Lackey

Company: Signal Sciences

Job title: Co-Founder & CSO

Date started current role: 2014

Location: New York

Zane Lackey is the Co-Founder / Chief Security Officer at Signal Sciences and the author of Building a Modern Security Program (O'Reilly Media). He serves on multiple public and private advisory boards and is an investor in emerging cybersecurity companies. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of the DevOps/Cloud shift as CISO of Etsy.


What was your first job? I started in security consulting and penetration testing at iSEC Partners, which was then acquired by NCC Group.

How did you get involved in cybersecurity? It's a bit of an embarrassing story actually. Way back 20+ years ago, when I was first learning Linux, I spent months trying to figure out how to make the early Linux kernel work with my particular modem so I could dial up to my ISP and get online. After months of back and forth, I finally got it working. However, within minutes of getting it online, one of my friends hacked into my system as a joke.

As cliche as it sounds, this was the ultimate lightbulb moment for me. From then on, I was fascinated by security and wanted to understand how to attack systems like that, and most importantly, how to defend them.

What was your education? Do you hold any certifications? What are they? I have an economics and computer science degree from UC Davis. However, the majority of my early security knowledge was largely self-taught - like it was for most of us getting into security in the ‘90s.

Explain your career path. Did you take any detours? If so, discuss. I've been fortunate in my career to experience multiple sides of the security industry. I started in offense as a pen tester and security researcher at iSEC Partners. After their acquisition, I moved to defense where I was given an incredibly unique opportunity to join Etsy as the first CISO and build their security program from the ground up. At the time, Etsy (on the East Coast) and Netflix (on the West Coast) were pioneering what we now call DevOps and the journey to the cloud. The biggest challenge initially was figuring out how to adapt security to DevOps (when almost no one else had gone through the shift yet); however, my biggest success in the role was finding the ways to enable this shift.

My experiences at Etsy are what led to Signal Sciences and my current CSO role. At the time, the only commercial tools we had for defending our web applications/APIs were legacy Web App Firewalls, like Imperva/F5/Akamai, which caused more problems than they solved. As a result of the frustration, we built a new approach in house and my co-founders and I then created Signal Sciences.

Today, we are now disrupting the legacy WAF industry similar to how CrowdStrike, Cylance and Carbon Black disrupted the legacy Anti-Virus industry. Since our launch more than five years ago, our NGWAF and RASP products are defending more than 10,000 applications for Fortune 500 companies all the way down to small scale startups.

Was there anyone who has inspired or mentored you in your career? The list of people I've been fortunate enough to count as mentors is a mile long! For the sake of not boring everyone, a few key ones are Alex Stamos (former CSO of Facebook) and both Jon Oberheide & Dug Song (Co-Founders of Duo). I deeply respect the company they built with Duo Security. All of them (and the million others I didn't get to list here) are crazy smart, thoughtful, compassionate and humble. I've been very fortunate to have had the opportunity to know, work with, and learn from them.

What do you feel is the most important aspect of your job? The shift of security from being a blocker to an enabler is the most important part of my role, and in fact the challenge facing virtually every CSO. Security teams have been built to function as gatekeepers and teams of "No". With the rise of DevOps, cloud, and digital transformation, we need to fundamentally shift the way we approach security to be focused on enabling the business to move quickly.

What metrics or KPIs do you use to measure security effectiveness? We could talk about security KPIs and metrics for hours, but at a high level the two key metrics that would benefit an organisation of almost any size are the following:

  • For the top 10 (or 20, or 50…) security incidents most likely to affect your organisation, how likely are you to both detect the attack and to make it more difficult for attackers to perform? Your KPIs then become focused on increasing your visibility / ability to detect the attack, and implementing controls to make attacking more difficult.
  • On the other side of your security program, how often do you say "No" to new products/initiatives/applications that are developed? I've found the most effective CISOs in the field tend to both track and actively work to minimise it.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I don't know a security team on the planet that is able to find all the security talent they have openings for! We are facing the reality where security teams can't scale hiring fast enough to keep up with the increase in velocity happening in their organisations. Ultimately, the only way for security teams to scale is for them to focus on enabling the rest of the business to become security self-sufficient.

Cybersecurity is constantly changing - how do you keep learning? I learn best by speaking with peer CISOs and security leaders as much as possible and sharing lessons with each other. This applies to any security leaders reading this as well. If you're dealing with the transformation around DevOps and cloud, please feel free to drop me a line, and I'm happy to chat.

What conferences are on your must-attend list? From a networking perspective, all the usual security conferences, such as Black Hat, RSA, etc. are beneficial to attend. But I think security is actually much better served by attending and bringing security content to Development and DevOps focused conferences, like DevOps Days, DevOps Enterprise Summit, and others.

What is the best current trend in cybersecurity? The worst? I am most excited about security becoming an enabler during the shift to DevOps, Agile, and cloud. It may seem counterintuitive at first, but this shift is often a net positive for security. As mentioned above, I went through this shift first hand as a CISO at Etsy, and at first, it can be nerve wracking as it seems like a massive loss of control. However, you come out learning that the shift to DevOps actually creates a greenfield opportunity for security.

What's the best career advice you ever received? Pretty straightforward really: work hard and stay humble.

What advice would you give to aspiring security leaders? For those from a technical background, it is easy to get distracted by only focusing on low level technical issues and individual vulnerabilities. Focus instead on building a security organisation that enables the business to move quickly. I also encourage aspiring security leaders to think about obtaining visibility into the attacks likely to impact your organisation while making them more difficult for attackers to perform.

What has been your greatest career achievement? I don't know about greatest, but a couple achievements I am particularly proud of are: authoring a book on lessons learned from building a security program at the forefront of the DevOps shift (called "Building a Modern Security Program" on O'Reilly Media). I am also proud of building a security product where customers consistently tell us that we're one of the only security vendors they've ever genuinely enjoyed working with.

Looking back with 20:20 hindsight, what would you have done differently? The advice I would have given myself as a CISO almost 10 years ago is: "Don't spend so much time worrying that the shift to cloud and DevOps will make security 'impossible.'" This shift is a generational change in the way we create and deliver software, and as such, security will have to change significantly as a result. However, it allows us the opportunity to be safer and empower the entire business with security capabilities.

What is your favorite quote? "What could possibly go wrong…" - Every CISO at the start of the shift to DevOps

What are you reading now? A biography of the founder of Pan Am Airways.

In my spare time, I like to… Travel, try local food, and sample new whisky

Most people don't know that I… Lived on a sailboat for several years while growing up

Ask me to do anything but… Listen to security vendor pitches! ;-)
