Secret CSO: Rick Howard, Palo Alto Networks

Secret CSO: Rick Howard, Palo Alto Networks

Name: Rick Howard

Organisation: Palo Alto Networks

Job title: Chief Security Officer

Date started current role: November 2013

Location: Springfield, Virginia

Rick Howard is the Chief Security Officer (CSO) for Palo Alto Networks where he is responsible for building a Threat Intelligence Team, supporting the product line and acting as a thought leader and company evangelist in the cybersecurity industry. As a 23-year military veteran, Howard has a vast background in several different areas of information security, ranging from experiences within both the public and private sectors.

What was your first job? I was a paperboy when I was 8 years old. At the age of 12, I was a bowling centre manual pinsetter (yes, that's a thing). From seventh grade through high school, I was a movie theatre projectionist. I have seen every bad movie that was ever made in the 1970s, multiple times, and there were a lot of bad movies.

How did you get involved in cybersecurity? I was going to grad school with the idea that I would become an IT guy. While I was there, a book entitled "The Cuckoo's Egg" came out and it changed my trajectory. I thought it was so cool that bad guys could use the internet to do nefarious things and good guys could use the internet to stop them. I was hooked.

What was your education? Do you hold any certifications? What are they? I have a Bachelor of Science in engineering from the United States Military Academy and a graduate degree in Computer Science from the Naval Postgraduate School.

Explain your career path. Did you take any detours? If so, discuss. I spent 23 years in the U.S. Army, where I built and maintained communications networks. That is what got me interested in IT and eventually security. When I retired, I was very fortunate to get a job with a pure-play cybersecurity vendor. Many retired military usually take their first job in the private sector -- I did not and that decision made me learn the commercial business very quickly. The big takeaway for me was that in the military, operations is the most important function. In the commercial sector, it is a cost centre.

Was there anyone who has inspired or mentored you in your career? I was very fortunate to have Admiral Grace Hopper visit my classroom when I was a young captain attending a military school. She was inspiring, funny and smart as a whip. She was a living example of what you can do if you are dedicated and have a desire to learn new things.

What do you feel is the most important aspect of your job? Explaining extremely difficult technical issues to business leaders. Being able to transform a technical narrative into business language -- something leaders can make decisions with, which is part art and part science -- is integral to my job.

What metrics or KPIs do you use to measure security effectiveness? The first is understanding how many people it takes to handle a cybersecurity incident? If that number is going up every year, you are going in the wrong direction. The second is thinking about the probability that my organisation will be materially impacted because of a cyberattack in the next three years. There are three components to that metric. First, it is a quantitative probability and not a qualitative guess like high, medium or low. Second, the event has to be material to the business. Not everything that happens in cyberspace is important. Let's focus on the things that matter. Lastly, it is time bound. The probability changes dramatically if the question is: will it happen ever sometime in the future vs. in the next three years?

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? It is affecting all of us, but I don't think the answer is to keep finding more bodies to throw at the jobs that need to get done. The real solution is to automate as much as you can in a DevSecOps model. Once you automate the menial tasks, you can shift the focus of your experts to do the really hard things.

Cybersecurity is constantly changing - how do you keep learning? Read. Read all the time -- and sometimes read things that are not strictly cybersecurity-related. Also, read books, not just the headlines or technical blogs. Books allow the author to tell the complete story. As Socrates said, "Employ your time in improving yourself by other men's writings, so that you shall gain easily what others have laboured hard for."

What conferences are on your must-attend list? For me, it is RSA in San Francisco, Black Hat and DEFCON in Las Vegas and GovWare in Singapore.

What is the best current trend in cybersecurity? The worst? Best: The movement away from deploying multiple point products that don't talk to each other to a model where cybersecurity prevention services are delivered from the cloud and are already integrated and orchestrated.

Worst: Outdated best practices like best-of-breed and vendor-in-depth that network defenders stubbornly cling to. These best practices served us well in the early days (mid-1990s), but they have caused all of us to have to manage too many tools. So much so that we can't consume even one more security product, even if it is the best tool on the planet, because we would break the back of our InfoSec teams.

What's the best career advice you ever received? Tell the boss early when things go wrong and have a plan to fix it. Do not wait until it gets worse.

What advice would you give to aspiring security leaders? Besides technical skills, the most important thing you have to do is be able to communicate both in writing and speaking, and you have to practice. You don't learn how to do that through osmosis. You have to get your hands dirty and seek opportunities to speak to a crowd. Practice writing. I always tell young people who are seeking advice about entering the cybersecurity field that they should read the famous Lockheed Martin Cyber Kill Chain whitepaper (roughly 10 pages and not that technical) and write a summary that fits on half of a page that their neighbour could understand. If they can do that, they have a future in the cybersecurity space.

What has been your greatest career achievement? When I was in the Army, I managed the Army's command and control communications network in the Pentagon. Because of the redundancy and resiliency work my team had labored on for two years, on the morning after 9/11, the only communications systems that had a green check mark vs. a red X were the Army systems. I am very proud of that.

Looking back with 20:20 hindsight, what would you have done differently? I have no regrets. I have had a wonderful and exciting career. The one thing I might have done differently is not stay as long as I did in certain workplaces.

What is your favourite quote?"Sometimes it is the people no one imagines anything of who do the things that no one can imagine." - The Imitation Game

What are you reading now? I like to have three books going at any one time: For work on my Kindle: "Cult of the Dead Cow" by Joseph Menn. For general interest via Audible: "Sapiens" by Yuval Noah Harari. For killing time on my phone: "Grace Hopper and the Invention of the Information Age" by Kurt W. Beyer

In my spare time, I like to… Ride bicycles, play video games (currently getting my butt kicked by my kids in Fortnite), and watch geek movies. I am a fan of Marvel and Game of Thrones.

Most people don't know that I… have attended not one, but two Comic-Con conventions: one in San Diego and one in New York City.

Ask me to do anything but… stand around and wait for you to decide what to do next.


« CIO Spotlight: Sean Wechter, Qlik


CTO Sessions: Richard Price, PragmatIC »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail


Do you think your smartphone is making you a workaholic?