Secret CSO: Charles Poff, SailPoint, Inc.


Name: Charles Poff

Organisation: SailPoint, Inc.

Job title: CISO

Date started current role: April 2019

Location: Austin, TX

Charles Poff became SailPoint's Chief Information Security Officer (CISO) after more than twenty years of strengthening security at companies like HomeAway, Inc., Symantec, IBM and Internet Security Systems (ISS). As CISO of SailPoint, Poff is responsible for the overall security of our products, services, networks and assets. He is also a key stakeholder on SailPoint's board-level Cybersecurity Committee, whose charter is to drive the company's cyber risk resiliency across both its technology and its products.

What was your first job? My first job was mowing grass in my neighbourhood. It taught me how to earn money based on hard work. It also taught me valuable lessons in money management that I still appreciate today.

How did you get involved in cybersecurity? It all started with a Commodore 64 computer and a dial-up military (type) modem. Who knew that playing a programming video game would start a lifelong passion and career. Before the internet, there were BBS systems that we would dial into, learn, etc.

What was your education? Do you hold any certifications? What are they? I have both BA and MS degrees in computer science with a focus on security.

Explain your career path. Did you take any detours? If so, discuss. I started in college as a physics major and always worked with computers. During this time, I joined a local security club called "2600," which is still around today worldwide, and started networking. Over my college career path, I naturally navigated to the computer side of things and started programming. I guess you could say that I detoured away from the natural sciences and landed in the computer science field.

Was there anyone who has inspired or mentored you in your career? I think it was a combination of friends, parents and professors. Everyone around me played a vital role in my thinking and life goals.

What do you feel is the most important aspect of your job? I think the most important aspect of my job is providing comprehensive security strategies that protect our customers and our company. Two important principles I carry with me are one, being holistic with any security strategy, and two, being proactive. I don't waste time on things outside of this world view.

What metrics or KPIs do you use to measure security effectiveness? I measure execution on strategic items that have the most impact on the organisation. I am not necessarily concerned with how we get there as opposed to getting the job done. Although subjective, I also monitor folks' soft skills and communication. Building a world class security program can only be accomplished with natural bridge builders and communicators.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, there is a security skill shortage that impacts the industry. Before I expand, there are two types of security folks on the market. The first is academically-based, and the second is self-taught. I tend to navigate to the self-taught folks because they tend to be more in tune with real world security issues and these self-taught folks are getting harder to find. The 'self-made' guys are the ones spending their free time contributing to open source security projects, programming, or finding new exploits. It's what I call "the passion for the craft." Security craft that is. The skillsets we need now are dev/sec/ops intertwined. We need the scripter, coder, and platform expertise that were once separate roles. The traditional security engineer, who does not know how to script or program, is becoming obsolete.

Cybersecurity is constantly changing - how do you keep learning? I learn from hiring folks who are much smarter than I am. Bringing brilliant people to the table who have great communication skills and great ideas is the best way to solidify security strategies for any company.    

What conferences are on your must-attend list? To be honest, I do not attend conferences anymore. I usually send my team to collect all the cool stuff and we do a mind meld when they get back. Back in the day, I used to go to the DefCons and BlackHats—great shows but I now have my team go instead.

What is the best current trend in cybersecurity? The worst? I believe the best security trend today is the alignment with dev/sec/ops. We are seeing robust and highly automated security programs incorporating AI and ML into their platforms. I think this is a positive trend with lots of opportunity to mature. I believe a bad trend is around being proactive in the cloud space. I've seen many organisations sideline the security function and just give them logs. Log aggregation is an "after the fact" scenario that is more reactive than proactive. Understanding that something bad happened is needed but stopping it in real time is of critical importance. Organisations should stop thinking that the security team "just needs the logs," as this mindset is detrimental to the overall security health of the organisation.

What's the best career advice you ever received? The best career advice I've received is from my father. He was a huge outdoorsman and would always tell me to "not rock the boat unless you have a life vest on," and I take that to heart with any decision I make.

What advice would you give to aspiring security leaders? The best advice I can give is to make sure you understand cloud and dev/ops technologies, including how to secure them. Most of the market texture out there is misleading and gives the impression that security is all taken care of for you. It's not.

What has been your greatest career achievement? I have had many great moments in my career. But if I were to focus on one it would be around providing logical and robust security programs for organisations over the years that scaled and were cost-effective.   

Looking back with 20:20 hindsight, what would you have done differently? I think one of the things I would have done differently is to spend more time mentoring. Being an introvert is tough. It means I've missed lots of great opportunities around mentoring.  

What is your favourite quote? When something goes wrong and I am trying to break the tone, I like to say "I'm smellin' what you're stepping in." It usually changes the tone of the conversation.

What are you reading now? Nothing in particular but I do read lots of tech blogs and industry publications.

In my spare time, I like to… I like to be outdoors - fishing, hiking, dirt biking.

Most people don't know that I… That I don't like to wear sneakers.

Ask me to do anything but… Play with spiders.

