Secret CSO: Tom Conklin, Druva

Name: Tom Conklin

Company: Druva

Job title: CISO

Date started current role: May 2018

Location: Sunnyvale, CA

Tom Conklin is the Chief Information Security Officer (CISO) at Druva, a provider of cloud data protection and management solutions. Previously, Conklin was the Director of Security & Compliance at Vera Security and has held numerous leadership roles at fast-growing software-as-a-service companies. His current focus is on developing continuous monitoring and transparent reporting of security risk within organisations.


What was your first job? IT auditor at a CPA firm

How did you get involved in cybersecurity? I started in IT compliance auditing, and it was a great start, but I realised my passion was in building security programs and influencing how companies embrace security. So, I left auditing to work for startup companies where I could do just that.

What was your education? Do you hold any certifications? What are they? I have a Bachelor's Degree in Business Administration with concentrations in Finance and Management of Information Systems. I'm a Certified Information Systems Auditor (CISA).

Explain your career path. Did you take any detours? If so, discuss. I haven't taken many detours. As mentioned, early on I was on a financial audit path, but I quickly changed to security and have been focused on it ever since.

Was there anyone who has inspired or mentored you in your career? I've had many mentors in my career; the one that stands out is Pritesh Parekh, CISO of Zuora. I worked directly with him and learned first-hand how to partner with a company to build a world-class security program.

What do you feel is the most important aspect of your job? The ability to understand the company's goals and what security needs that translates into. This is critical to prioritizing what matters and being able to communicate areas of exposure to other leaders in the company.

What metrics or KPIs do you use to measure security effectiveness? Instead of focusing on specific numbers, we try to understand if various functions are improving or degrading. It's not the volume of events so much as the time it takes to respond to events. As a fast-growing company, we need to consider everything relative to the scale of the business, so even if volume increases, our ability to respond and address issues needs to go down over time. 

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? The skills shortage affects everyone. It's still possible to fill roles, but competition is extremely fierce. I find that more often in the present climate, it's helpful to prioritise qualifications to ensure the most critical needs are being met. Roles like security engineers are especially difficult to fill right now.  

Cybersecurity is constantly changing - how do you keep learning? I believe the best way to learn something is simply through practice. It's so easy now to set up an environment in AWS where you can try building something and follow security best practices. It's an opportunity to think about all the different ways you need to secure the environment and learn the trade-offs between design decisions. Another great way to learn is from the security community. I'm a member of a few security practitioner Slack channels, which are great sources of information and learning opportunities.

What conferences are on your must-attend list? I try to attend smaller regional conferences where I'm able to attend talks and speak with colleagues. The major conferences can be a bit more challenging since I tend to join meetings with a variety of customers and partners.

What is the best current trend in cybersecurity? The worst? The best trend is that we are better equipped than ever to detect and respond to incidents. Technology and processes that used to be too costly for most organizations have become democratised and are accessible to just about anyone. The challenge is those same technologies that have made such tools available (expansion of public cloud providers, new collaboration tools, etc.) are also available to malicious actors. These technologies have allowed innovation to flourish, but it's important to remember that does not mean our job is done. In fact, now it is even more important to ensure proper security protocols are in place as enterprise footprints expand. 

What's the best career advice you ever received? Be laser focused on what you want to accomplish. When something goes wrong, stay focused. There will be good times and hard times, and your ability to be focused on the goal will be what gets you through the hard times.

What advice would you give to aspiring security leaders? Understand the context. In everything, understand the why. I can be a good security practitioner by being technically sound and diligent, but to be great you have to be able to understand how you fit into the bigger picture and domains outside your area of expertise.

What has been your greatest career achievement? My current role at Druva. Every day I'm excited for what I get to do and how I can make an impact.

Looking back with 20:20 hindsight, what would you have done differently? I'm lucky, I don't think I'd change anything.

What is your favourite quote? "Work hard, learn lots." - My father

What are you reading now? Subscribed by Tien Tzuo

In my spare time, I like to… go running.

Most people don't know that I… try to see the sunrise every day.

Ask me to do anything but… share my password.

