Secret CSO: Amy Herzog, Pivotal

Name: Amy Herzog

Organisation: Pivotal

Job title: Field CSO, Transformation

Date started current role: November 2018

Location: San Francisco, California

Amy Herzog is Field CSO, Transformation at Pivotal. Prior to joining Pivotal, she held the position of Principal Security Engineer at the MITRE Corporation, managing multiple computer security research portfolios. As Field CSO, Herzog is helping complex enterprises bridge the gap between technical and organisational problems and enable higher-performing developer teams.

What was your first job? My first job was analysing the information flow in multi-level-security operating systems for a government think tank in the US. Though I graduated from college with a mathematics degree, I didn't want to go to grad school straight away, so I looked around for a position that would leverage my formal math skills. There happened to be a government contractor hiring that wanted to explore the possibility of a (mathematically) provably secure system. So that was my first project. 

How did you get involved in cybersecurity? My involvement in cybersecurity was research focused at first. I worked on several projects in different areas of provable security. However, I wanted to get more practical, so I took some security system administration positions and systems engineering and management jobs too.

What was your education? Do you hold any certifications? What are they? I am a math nerd. My degree is in mathematics and I've taken various additional graduate courses, covering algorithms and data structures and other computer science topics. I don't have any certifications, although my first boss at MITRE Corporation helped write the Rainbow Series of secure system configuration for the US government. Another colleague developed the Common Vulnerabilities and Exposures (CVE) while I was at MITRE, so I've been adjacent to a lot of cybersecurity breakthroughs.

Explain your career path. Did you take any detours? If so, discuss. My career has been made up entirely of detours! I didn't think when I got my degree that I'd end up in the industry. I was pretty sure I wanted to be a professor until I did a research experience for an undergraduate programme and saw the day-to-day shape of that career path.

From an initial research focus, I wanted to get a more practical understanding of what operators do on the ground, and this eventually led me down the systems engineering path. This new perspective allowed me to tackle some super forward-looking problems, and I went back to lead a cloud security portfolio for MITRE's internal research programme.

At this time in my career, I was really looking at what technology would be in place ten years from now, and how we could leverage that to give security guarantees across a network. I followed that career path through some exciting advancements and changes, but at a certain point I knew I wanted to take the next step in my career. I'd anticipated moving elsewhere in the mainstream tech industry, but instead a mentor said: "You have this knitting hobby, and you've written software to support it, I think you've got a business model there." So, I started my own company based on selling the use of the software.

Was there anyone who has inspired or mentored you in your career? I like to learn from everyone who's around me. One of my first mentors was Joshua Guttman, my leader on that very first information flow project at the MITRE Corporation. He really showed me how to take structured ways of thinking and do good things for practical problems with them. I loved that marriage of theory and practice.

Another colleague who really inspired me back in my Akamai days was Justin Sheehy. I saw him join and begin a bunch of early-stage start-ups and take professional risks, and I would say he was really influential in my decision to leave the corporate world to do something on my own. Another old friend, Dean Cookson, greatly helped me navigate the decision to jump back into a more traditional role at Pivotal.

What do you feel is the most important aspect of your job? I think it's boxing up and setting aside my own preconceptions in order to fully listen to what customers are telling me about their needs and their success. I really try to avoid bringing my opinions and background to the conversation until after I fully understand where they're coming from and the constraints and needs they're operating under. 

What metrics or KPIs do you use to measure security effectiveness? I would encourage any CSO to think about what he or she could measure in their environment that would give them a sense of how quickly they are catching intrusions when they happen, how costly it is to recover from them, and how repeatable and automated the recovery process is. Those are three areas I think it's very important to measure.

This means really taking a quantitative analysis of the risks and benefits. I think security lends itself to drama filled stories about zero intrusions. If you're ever measuring something and there's really zero, that's a sign that you're not monitoring well enough — not a sign that you've succeeded!

There's also a temptation to say it must be perfect, like there's no alternative to failure. I feel we need to get much better at saying, "here's how much remediation would cost," "here's how much intrusion is going to cost," and do an actual analysis of what's going on.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? It is, but perhaps not in the way you'd expect. Rather than there being a shortage on a particular set of technical knowledge, security requires an unusual combination of mindset-skills. Practitioners need to be positive and intelligent enough to see how a whole system could work. But they also need to have this mindset of searching out all the ways that it could go wrong and what that looks like. I think this ability to synthesize the pessimistic and optimistic views of a complex system is rare in the staff that I've engaged with personally over my career.

Cybersecurity is constantly changing - how do you keep learning? I think much like anyone with any topic, I have a set of people that I follow, but I also have a set of former colleagues from within the security space that helps me keep a more strategic pulse on things. It's helpful to share the most important bits in group texts or email chains with one another.

What conferences are on your must-attend list? I've always loved the IEEE Symposium on Security and Privacy. That's a favourite of mine to see where research is heading. There's usually a good chunk of this conference that focuses on a blend of research and practice, often leading to grad students saying to themselves, "this is an interesting paper; can I implement it?" I think that's very exciting. It's more academic than something like RSA though, so I wouldn't recommend it to everyone.

What is the best current trend in cybersecurity? The worst? Over the last 10 or 15 years, the security industry has been headed on a definite path of data-based risk analysis, which I think is a great trend. I'd definitely like to see us make rational decisions rather than reacting to what is interesting or seems the most flashy for a headline or would make the coolest presentation.

I think, conversely, that the worst trend is our constant infatuation with the story that sounds super cool. Another candidate for worst is our desire for anything to be a silver bullet — such a thing simply doesn't exist.

What's the best career advice you ever received? To search out problems that are the most interesting to you. The rest will figure itself out. It doesn't always feel like the safest approach in the moment, but it's been the best advice I've received.

What advice would you give to aspiring security leaders? Cybersecurity is a much larger industry now than it was when I started, and it's completely possible to have a very fulfilling career within several different sub-areas. I wouldn't fall into the trap of thinking that malware analysis is the only way to go or that it's the most hard-core elite part of the industry. Instead, I'd suggest security practitioners really look at the wide variety of topics they could engage with and figure out which one is most appealing to them. For example, if you are out to catch the bad guys then the operations track is for you. If you'd like to move the bar for the future, research is likely your area. If you want to raise the floor in terms of daily practice, compliance might appeal.

What has been your greatest career achievement? I think I'm proud of two things. As part of the research portfolio roles that I held at MITRE, my ability to get a large number of people focused on a difficult, fuzzy problem and still produce good results. Leveraging that human capability and creativity is a very meaningful accomplishment to me.

I'm also super proud that I started a business, figured out how to make all the different parts of it work, and it didn't fail!

Looking back with 20:20 hindsight, what would you have done differently? I would've hired proper marketers to help me build a marketing plan for my business, instead of falling into the classic tech-person trap of "if it's not bits, it's not difficult". It could have saved me a lot of heartache in that first year if I'd figured that out sooner!

I definitely learned by doing that all the different parts of a modern enterprise are there for a reason, to solve problems that the enterprise experienced on its path to the current state. This means none of them are superfluous - I wish I had learned that lesson sooner.

What is your favourite quote? "Life is good, be happy now, let it go." - unknown.

What are you reading now? I'm reading three things right now. I try to have a book that I'm reading for work, a book that I'm reading to make my life and others' lives better, and a book that I'm reading to unwind. The one I'm reading to unwind is A Song of Ice and Fire (series) by George R.R. Martin - I'm currently in the middle of A Feast for Crows. My choice for improving my own impact on the world is a book called White Fragility, which I'm finding very engaging. It's a really compelling perspective on how white people can have more productive and effective conversations, and take more productive and effective actions, about racism in society today. Finally, I'm reading Accelerate for work, which is an interesting look at applying data and metrics to the success of lean start-up practices.

In my spare time, I like to… Make things. I make bread, I garden, I make clothes - both sewing and knitting. This making tradition I got from my family actually brought me into entrepreneurship: through my making, I figured out how to take in someone's body measurements and produce custom clothing patterns from those, so that the clothing others make for themselves fits the way it should. Use of that software formed the core of my business.

Most people don't know that I… sleep! I tend to pack my life pretty full, and often get comments wondering if I ever switch off. But I am a championship sleeper.

Ask me to do anything but… Sit still.
