Secret CSO: Darrell Stinson, MacStadium

Secret CSO: Darrell Stinson, MacStadium

Name: Darrell Stinson

Organisation: MacStadium

Job title: Chief Information Security Officer

Date started current role: March 2018

Location: Atlanta, GA

Darrell J. Stinson is the Chief Information Security Officer at MacStadium and brings over 17 years of industry-tested performance to the team. Stinson is responsible for making sure MacStadium is compliant, but also a step ahead of what the next attack or exploit is going to be. He is a Certified Information Systems Security Professional (CISSP) as well as a Certified Ethical Hacker (CEH) and can speak in great length on topics such as threat and vulnerability management, data privacy and data security.

What was your first job? My first job was at Kroger as a grocery bagger in the tenth grade. I worked seemingly every department in two years; as a bagger, a cashier, and in produce. Though I excelled in math and science, cybersecurity was nowhere on my radar.

How did you get involved in cybersecurity? I got involved in cybersecurity through the US Army. My MOS or "job" was Computer Automated Systems Repairer; in short, a hardware repairman of anything with a processor (e.g., printers, PCs, facsimiles, radios, etc.). My first duty station named me "Security Officer" which I had never heard of. This was the first time I learned that security and computing environments were a couple. I was around when USB drives were great technology and then they quickly transitioned to evil, virus-infected devices. Even after serving in Saudi Arabia, Iraq and Kuwait, it's amazing to look back at the pandemonium and change influenced by removable media.

What was your education? Do you hold any certifications? What are they? I've had a great deal of military training such as basic electronics and a soldering course where I learned to read schematics, troubleshoot circuits, and repair mother boards down to replacing capacitors, resistors, and VGA ports. I have both an associates and a bachelor's degree from South University, and CompTIA Security+, CompTIA Server+, EC-Council Certified Ethical Hacker (CEH), and ISC(2) Certified Information Systems Security Professional (CISSP). CISSP was incredibly challenging. I self-studied for four months drinking hundreds of gallons of coffee and used all six hours to complete the 250-question exam. The exam has changed since 2017 but is still as difficult. I paid for a week-long course where CEH was proctored at the end; twelve-hour days with homework each night. I loved it! I had never been exposed to Linux CLI and we did everything manually with stealth, thought and technique. My security IQ leaped echelons up from the Monday I walked in.  CEH truly opened my eyes to what cybersecurity and hacking really meant.

Explain your career path. Did you take any detours? If so, discuss. Believe it or not, after leaving the Army in 2006, I was a real estate agent for roughly a year and even acquired a commercial driver's license (CDL) to keep money coming in while I worked on my bachelor's degree and made my way back to the IT scene. I eventually landed a government contracting job in 2008 teaching binary math, switching and routing on the Cisco Catalyst 2950 to new soldiers training to become network administrators. Now back in the IT game, I stayed there until I moved to Atlanta for my first position dedicated to security after passing the CEH exam. As a Systems Analyst III, I ran scans in business units, generated reports and discussed the findings every week. With the Security Engineer position, exposure and introduction to new technologies at a young thriving company seemed to boost my growth. Policy writing, threat and vulnerability management, risk management, penetration testing, security awareness programs, security questionnaires, auditing frameworks and so many other aspects of security were being launched from scratch or an underdeveloped state. This is when I truly became a security practitioner to the point that I was brought into the management to help build the team.

MacStadium has allowed me to lean heavily upon my experiences, innovation, and auditing insight to give us another edge in the industry. It's been a beautiful time here and we have so much more to accomplish. I am really happy I joined this team.

Was there anyone who has inspired or mentored you in your career? Actually, quite a few people inspired me along the way.  My father Darrell H. Stinson, Dexter Nelson, Marvin Martin, and Rodney Wells were outstanding leaders and mentors. I learned everything about teamwork, leadership, accountability and professionalism from them.

Spencer Dase hired me for an electronics technician at a level where only tenured employees were promoted. He first was technically proficient but focused on details that build up to excellence. Spencer saw this in my skillset and challenged me with full confidence. He understood the importance of identifying potential coupled with training to build reliable teammates which strengthened the entire team.

Danny Powers was actually a teammate of mine supporting the soldier training command. Undoubtedly the most skilled, intuitive and brilliant technician I have ever met. Danny could do seemingly everything and inspired me to think creatively to solve technical issues. Working with him was a remarkable experience. 

My CEH instructor, Keatron Evans, opened my eyes to a skillset I had never actually witnessed. Ethical hacking has a brain space that is very unique but invaluable. The week I spent with Keatron during the CEH boot camp was an enlightening experience. This one event gave me the security bug.

What do you feel is the most important aspect of your job? I'm the expert charged with delivering advice and insight to my organisation's security program with the highest integrity. This does not mean I know everything, but when it comes to defending critical assets/resources, managing risk, establishing resilience, educating the user community, and maintaining a strong overall security posture, I'm responsible for sustaining an azimuth for the security program that fits the organisation regardless of the company's objectives.

What metrics or KPIs do you use to measure security effectiveness? Auditing (internal and external) and continuous monitoring, commonly known as Governance Risk and Compliance (GRC), is a security leader's best reference point. There are numerous frameworks and certifications to go after. I have been so fortunate to take part in MacStadium's impeccable audit and compliance feats: ISO 27001:2013, SOC 1 & 2 Type 1, SOC 1 & 2 Type 2, and Privacy Shield (EU-US and Swiss-US frameworks). Still there are others: the elaborate NIST, PCI DSS, Cloud Security Alliance, etc. Leveraging these controls and concepts against the organisation help CISOs identify gaps, validate proficiency, innovate new options, increase visibility, determine readiness and plan for the future. You can effectively expand upon where framework criteria [starts].

Success in the realm of GRC does not mean the fortress is completely secure from all threats, but this is fundamental when asking, "where is our security program now and where is our security program going?" 

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I do not believe there is as much of a skills shortage as everyone claims. I think there is more of a gap in professional development. Many security leaders are just learning how to identify talent and potential. Junior professionals and job seekers are just beginning to realise where they want to fit in the security world. This is not to discredit any of us because cybersecurity as we know it today is relatively young. To put this in perspective, think about how long ago the Industrial Revolution started and how successful it was in its prime. If I as a CISO am not skilled in determining what type of positions I need on the team, then job descriptions and titles will be off-target. This means job seekers are misled, interviews are ineffective, talented professionals with potential are overlooked and there's a struggle to ensure success.

Resume writing, job description format (including titles), professional development, career path and the interview process may all seem like minutia, but as these components improve the skills shortage will evaporate. We just need to learn to attract the right candidates then become creative in retention. MacStadium does an excellent job with this concept. With all of the elaborate and unthinkable breaches taking place, how can we say there is a truly a skills shortage?

Cybersecurity is constantly changing - how do you keep learning? I acquire a new certification every two or three years. This allows me to build on my experience while learning what is the next relevant wave. I subscribe to newsletters and content like Dark Reading, Hacker News, HMG Strategy, SANS, Tech Crunch and many others. This is how I find out about breaches, how exploits were leveraged, products that are no good, and other solutions that are reliable. I go to at least one security event each month; a networking event, a product demo with other CISOs, or a conference. I have dinner or lunch with other CISOs, Sales Engineers, Security Architects, and professionals I have built a relationship with. They all have different experiences, perspectives, interests, challenges and ideas. We learn from each other; it's what the industry is supposed to do.

What conferences are on your must-attend list? Definitely EC-Council's Hacker Halted, CXO's SecureCISO, CyberHub Summit, Secure World and Cisco Connect.

Others I have not attended yet but are on my radar for next year include RSA and BlackHat, and DefCon.

What is the best current trend in cybersecurity? The worst? The best current trends are initiatives towards privacy and risk management. Both of the concepts have somewhat been overlooked but are gaining a great deal of momentum with major breaches, new regulations such as GDPR, CCPA, HIPAA and precautions surrounding sensitive data. Risk should always influence decision making in any organisation - specifically, likelihood and impact. From this perspective we can choose any tools that will yield appropriate data. This then leads to useful information to determine security budgets, critical resources, suitable protections, business continuity, disaster recovery, organisational headcount, gap assessment and policy/procedure adjustments.

One of the worst trends is what I call the "fix-it and forget-it" syndrome where security leaders take a tunnel vision approach buying and subscribing to a set list of solutions but neglecting to test and validate these solutions. Defense-in-depth is great, but without disaster recovery testing, business continuity planning, risk assessment, and incident table top exercises, weaknesses are never discovered, and strengths become outdated. Subsequentially, the computing environments are subject to the next malicious actor's skillset or toolkit.

What's the best career advice you ever received? My good friend Powers encouraged me to take the CEH exam, in that brief conversation he closed with "your career is going to take off." I'm glad I listened to him.

What advice would you give to aspiring security leaders? Education and certification are the first steps when you have little or no experience practicing security. There are even some certifications such as CISSP and CISM that require years of experience in various domains or aspects of security before candidates qualify. Certification lets an employer know you are proficient in the common body of knowledge a certification relates to. 

Job selection is another important strategy. Security is a broad industry; you have to at least define your next two positions or where your interests lay. While career management is a building process and not all of the blocks will be perfect squares, sometimes choosing a position with some of the duties you want/need is better than choosing a path that will lead you away from your three to five-year goals. 

For example, let's say you are really skilled with CLI, intrigued by internetworking, but have no idea on what certifications to go after or what jobs will fit you. Security+, CCNA and CEH are perfect certifications. Security Analyst, Security Engineer, Security Architect and Security Manager/Director is a realistic stair-stepped career path over five years.

Conferences, roundtable discussions, symposiums, advisory boards, speaking events and product demos are excellent ways to meet other professionals, share ideas challenges and solutions, learn about new trends and techniques, find new security products, and remain relevant. Security professionals need to establish a brand for themselves as well. Your skillset and expertise are a business. If no one recognises your business or you are not exposed to the environment, you will never be relevant. Activity is directly related to success in this industry. Look for free day conferences in your local area, create a circle of professionals you trust, find a mentor, serve as a mentor and extend reach beyond your desk.

What has been your greatest career achievement? I would say my greatest career achievement is reaching a point where I can enrich the industry. In 2018 I was invited to speak to students at Georgia Tech during their six-month cybersecurity boot camp. The idea was to help connect the dots on how the curriculum which included, CLI scripting, penetration testing, cryptography, risk analysis, incident response and many other topics would transform them into the ideal security professional. Perhaps the underlying question was, "is all of this material worth it?" As I shared my experiences and perspectives in response to the students' questions, ninety minutes seemed to evaporate. We all enjoyed the engagement. 

I have visited group homes of troubled kids, attended career days at schools, and have been matched with about ten junior professionals via LinkedIn to serve as a mentor. Incredibly rewarding and enlightening as the questions influenced by their aspirations give unique vantage points on where the industry is going, what the next generation is interested in, and how the knowledge gap is closing. 

While delivering my best efforts to advance the organisations I've been a part of, I have built several teams and elevated careers of professionals through leadership, mentorship, and extreme ownership.  Many of these professionals run their own IT and Security teams. This really makes me smile. 

Looking back with 20:20 hindsight, what would you have done differently? Though I was somewhat ahead of the curve, I simply would have committed to security much earlier. This industry is immensely important to international security and our ways of life. The world needs professionals with foresight, experience and connections to move cybersecurity in the right direction. We're catching up, but we are still somewhat behind our adversaries.

What is your favourite quote?"You only fall to your highest point of preparation." - Chris Voss

What are you reading now? Extreme Ownership by Jocko Willink and Leif Babin.

In my spare time, I like to… Spend time with family, I'm a fitness fanatic, and enjoy passing time at car events (car shows, road courses, etc.)

Most people don't know that I… I was a musician from the age of 5 until I was 18 years old. My sisters and I sang in a gospel group together where we were invited to churches in and out of state to perform. I played the piano and wrote music for our group but was much more skilled as a drummer.

Ask me to do anything but… That's a funny opening because my family and I play the game would you rather… all the time. I think the wildest question proposed to me was, "would you rather eat from an animal trough on a farm or drink water from a dirty work boot?" I don't remember my answer because we laughed for nearly ten minutes.



« Worksome provides a matchmaking service for IT freelancers


How researchers foiled a suspected nation state attack targeting an African bank »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail


Do you think your smartphone is making you a workaholic?