Secret CSO: David Baker, Bugcrowd

Name: David Baker

Organisation: Bugcrowd

Job title: Chief Security Officer

Date started current role: 2 years

Location: San Francisco, CA

David Baker brings over 20 years of experience in enterprise data security, information technology and government computer research to his role as Vice President of Operations. Prior to Bugcrowd David Baker served as the Chief Security Officer at Okta. As CSO, David was responsible for the security of Okta's service, helping the company ensure customer success and solving the security challenges enterprises face as they evolve operations into the cloud. Prior to Okta, David served as the Vice President of Services at IOActive and Security Architect at Webex Communications. David started his professional career as a research scientist in Computational Fluid Dynamics at NASA Ames Research Center.

What was your first job? I started my career as a rocket scientist for NASA Ames Research Center. I was responsible for the design, analysis, and programming of complex computer models to help in research and flight simulations.

While there, I completed research that pioneered the first basic computational investigation of a 3-D, high-lift, hinged-wing configuration for boundary condition effects and algorithm characteristics using code-to-code and computation-to-wind tunnel experiment comparisons.

How did you get involved in cybersecurity? The first dot-com boom was happening back then. The Bay Area was starting to be a pretty expensive place to live and I realised that the economics of getting into the housing market in the Bay Area couldn't be supported by my current role. I joined the information technology (back then they called it "high-tech"; the irony was not lost on me) industry and never looked back.

I joined Ben Horowitz's startup, LoudCloud, in 2000 and became a network engineer. From there, I went to WebEx where I helped build much of their global wide-area-network before transitioning to security architect. This was an easy transition as I had installed, configured, and secured all of their network endpoints.

What was your education? Do you hold any certifications? What are they? I have a bachelor's degree in mechanical engineering and a master's degree in aerospace engineering, both from California Polytechnic State University.

Explain your career path. Did you take any detours? If so, discuss. I took a risk when I left NASA. I was in my early 30s and it was a big career jump from being a rocket scientist to a network engineer. It was a shock to my system, but I wouldn't have it any other way because this career move set me up to break into the security world.

Was there anyone who has inspired or mentored you in your career? Since my career kicked off at the start of the digital security age, everyone in the community was still trying to figure out the best approach to everything, together. This was the most inspiring thing to me -- the cybersecurity community was built around friends and colleagues.

But even before I began my career in cybersecurity, there was an incident at NASA where FBI had locked us out of our computers due to a security incident involving the Chinese. I knew these incidents were complex and we needed to protect our most valuable data and assets to continue doing business.

Once I was in the industry I quickly found that there was an energy there that inspired me to continue along this career trajectory because I felt like I was a part of something bigger than myself.

What do you feel is the most important aspect of your job? My role at Bugcrowd goes beyond the CSO role. I run operations and I'm involved in product development. Understanding technology and the specific threats to your organisation is often the easy part. What causes challenges is when people within the organisation, outside the security function, take the technology for granted because they cannot see or understand the threats.

With this in mind, it is important for CSOs to think beyond solely security and see the bigger picture within their businesses. This will enable them to empathise with how people work so they can make security work for everyone. CSOs can better understand the business, their business problems, customer challenges and be involved in more of the decision-making process, all while applying that inherent security knowledge wherever applicable.

What metrics or KPIs do you use to measure security effectiveness? There are a handful of options, but what I believe is most critical to any business is to measure the things that we cannot see, extending beyond just the number of vulnerabilities found. Instead, it makes more sense to look at how quickly the team is identifying said vulnerabilities and how long it's taking to fix them.

It's also critical to measure the maturity of your security team, the risk to the organisation, and cybersecurity awareness within the larger organisation. These are all things that CSOs should measure to demonstrate success to the C-suite and board.
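The two metrics singled out above, how quickly vulnerabilities are identified and how long they take to fix, are straightforward to compute once findings are recorded with dates. The following is an added example (not code from the interview or from Bugcrowd) that derives those numbers, plus an SLA-compliance figure, from a handful of constructed finding records; the record fields, the `SLA_DAYS` thresholds and the `as_of` reporting date are all assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Finding:
    """One triaged vulnerability finding. Field layout is assumed for this example."""
    id: str
    severity: str            # "critical", "high", "medium" or "low"
    introduced: date         # when the vulnerable change shipped (e.g. from VCS history)
    reported: date           # when the finding was triaged as valid
    fixed: Optional[date]    # None while the finding is still open


# Constructed sample data, not real findings.
SAMPLE = [
    Finding("F-1", "critical", date(2019, 1, 10), date(2019, 1, 20), date(2019, 1, 22)),
    Finding("F-2", "high",     date(2018, 11, 1), date(2019, 1, 5),  date(2019, 2, 4)),
    Finding("F-3", "high",     date(2019, 2, 1),  date(2019, 2, 3),  None),
    Finding("F-4", "medium",   date(2018, 12, 15), date(2019, 1, 12), date(2019, 3, 1)),
    Finding("F-5", "low",      date(2019, 1, 1),  date(2019, 1, 30), date(2019, 2, 10)),
]

# Hypothetical remediation deadlines in days, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


def days_to_identify(f: Finding) -> int:
    """Exposure window: days between the flaw shipping and it being reported."""
    return (f.reported - f.introduced).days


def days_to_fix(f: Finding, as_of: date) -> int:
    """Days from report to fix; for open findings, days open so far as of `as_of`."""
    return ((f.fixed or as_of) - f.reported).days


def within_sla(f: Finding, as_of: date) -> bool:
    """Closed within the deadline, or still open but not yet past it."""
    return days_to_fix(f, as_of) <= SLA_DAYS[f.severity]


def summarize(findings: list, as_of: date) -> dict:
    """Compute the board-level numbers: identification speed, fix speed, backlog, SLA rate."""
    closed = [f for f in findings if f.fixed is not None]
    still_open = [f for f in findings if f.fixed is None]
    by_severity = {}
    for f in closed:
        by_severity.setdefault(f.severity, []).append(days_to_fix(f, as_of))
    return {
        "median_days_to_identify": median(days_to_identify(f) for f in findings),
        "median_days_to_fix": median(days_to_fix(f, as_of) for f in closed) if closed else None,
        "median_days_to_fix_by_severity": {s: median(v) for s, v in by_severity.items()},
        "open_count": len(still_open),
        "overdue_open": [f.id for f in still_open if not within_sla(f, as_of)],
        "sla_compliance": sum(within_sla(f, as_of) for f in findings) / len(findings),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE, date(2019, 3, 15)).items():
        print(f"{key}: {value}")
```

Reporting the median rather than the mean keeps one long-lived finding from dominating the figure; the per-severity breakdown and the overdue list are what turn the number into something a CSO can act on, since a single critical that slips its deadline matters more than the overall average.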

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The skills gap isn't affecting us the way it is other organisations. Bugcrowd is helping ease the pain felt by the skills shortage by connecting our customers to elite white hat hackers to find and fix high priority vulnerabilities more efficiently and sustainably than traditional methods.

We also offer Bugcrowd University, a free training programme focused on improving the state of application security training, community engagement, and content delivery. This programme helps people looking to break into the industry to develop their skills and put them to the test with our public bug bounty programmes. In fact, 81% of hackers say their experience bug hunting has helped them get a job in cybersecurity.

Cybersecurity is constantly changing - how do you keep learning? As a general rule of thumb, I encourage people to always stay outside of your comfort zone. I was at Okta for almost five years, but found myself wanting to understand other parts of the business. There's an art to this: learning new skills, applying those skills to new roles, but not jumping around so often that you aren't learning anything. I also like to focus on problem solving. Rather than focusing on why something is broken, I prefer to focus on how to fix it.

What conferences are on your must-attend list?

  1. Infiltrate
  2. ReCon
  3. CanSecWest

What is the best current trend in cybersecurity? The worst? Crowdsourced security is of course the best trend! And the notion of "embedded" security across an organisation is the worst. Recently we've seen a couple of C-level exits at companies like Lyft in favour of an embedded, distributed security model across the organisation. While I understand what they're trying to model, this is destined to fail quickly without executive and independent leadership.

As a CSO, I'm responsible for setting the tone, establishing the security vision across all business functions, and ensuring the company executes on the strategy. The embedded model has no such role in place and relies on various security-influenced folks working in various departments independently of each other without orchestration of a clear, cohesive strategy.

What's the best career advice you ever received? Always replace yourself. This starts by ensuring that what you do is sustainable and people are properly trained. Replacing yourself is not about finding another job, but about moving your abilities and the people around you to the next level and gaining access to bigger and better opportunities.

What advice would you give to aspiring security leaders? Again, always replace yourself, no matter how junior you are. How can you scale what you do? Always share your knowledge of what you do and how you do it with others. Owning everything yourself is the fastest way to burn out and become a bottleneck to your and your company's success.

What has been your greatest career achievement? I'm still working on this. I have a lot to be proud of in my career, such as earning my first role in security and becoming a CSO, but I believe my greatest achievement is still ahead of me. Keep moving forward!

Looking back with 20:20 hindsight, what would you have done differently? I wish I had obtained my MBA a while back. It's so valuable as an executive - especially a CSO - to understand how a business works from the get-go, from balance sheets to marketing and sales and even capacity planning. I was able to learn a lot on the job through my experiences at startups, but learning and understanding a business takes much time and discipline.

While it's never too late, it just gets harder and harder as your career progresses.

What is your favourite quote? "Effective leaders are always training their replacement." - Michael Pollack

What are you reading now? Cryptonomicon by Neal Stephenson. I re-read it once a year religiously (as well as Snow Crash).

In my spare time, I like to… Run or bike long distances in the Sierra Foothills

Most people don't know that I… Used to restore and collect antique VWs

Ask me to do anything but… Dust the blinds…
