We ‘Go Phishing’ with Sam Curry, Chief Security Officer, Cybereason, who tells us about life inside and outside the office.
What would you describe as your most memorable achievement in the cybersecurity industry?
My most memorable achievement, as opposed perhaps to my most significant, would have to be the sale of Signal 9 Solutions. It was a bridge for me to working in California for McAfee, but it was the culmination of four years of start-up life with some of the most amazing people and we delivered a great return on the faith our shareholders had put in us. We did a lot at Signal 9 in cryptography, remote access and protecting consumers with the ‘accidental’ invention of the firewall; but that was my memorable achievement.
What first made you think of a career in cybersecurity?
I avoided it for a long time and worked on the fringes of security. In 1996 though, I connected with some of the best people in the space when I contracted for a small company and found I had a talent. I didn’t realise it was a real career [option] until 2000, but it was at that point that I first considered sticking to this ‘security thing’.
It was at this point that I realised decisions I made now would affect the future and I knew that the Internet was booming, security would be vital for decades and I was good at it. I went ‘all-in’ so to speak, which is the subject of my regular podcast Security All-In, in 1997. What other industry is exciting, relevant and challenging? Mix that with the right age, the right opportunity, the right mission and great people; how could I not get hooked?
What style of management philosophy do you employ with your current position?
Four powerful tools: roll up your sleeves, act with a sense of urgency, listen more than you speak and help people help themselves.
What do you think is the current hot cybersecurity talking point?
Hot is not all that interesting – the ‘hot talking point’ is usually a result of the conversations sparked by marketing budgets, rather than getting to the heart of the matter. The current ‘hot talking point’ is all about Machine Learning and AI, which are often over-applied. I think security is an interesting domain for AI and security would do well to remember that there is a wide array of tools beyond the AI toolkit for getting the job done that might actually be better.
The most important thing in security I believe is still strong crypto, hardware roots of trust, building in rather than bolting on and having a ‘cyber’ function to optimise how people in defence stop inbound attacks.
How do you deal with stress and unwind outside the office?
Family is number one for me. I have two great kids and a wife who is far too tolerant of my work-life imbalance. When I am out, I enjoy family time, time with friends and reading.
If you could go back and change one career decision what would it be?
Honestly, none. My career evolution has worked out in a way I couldn’t have predicted but that I love. There are some business or security decisions I might have made differently and there were a few times when I might have joined a company to get a better financial outcome. But hindsight for that sort of thing is always perfect. In the moment, I made the best decisions I could and have no regrets.
What do you currently identify as the major areas of investment in the cybersecurity industry?
The VCs are clearly enamoured of endpoint security and data analysis. It’s all about the overflow of information and applying human intelligence at scale. Personally, I believe that endpoint telemetry, with a behavioural focus, has the potential to be the game changer in cyber conflict. I sat on a panel recently where one of my competitors talked about their ‘next generation AV’ stopping 99% of attacks and how that was so much better than (last generation) AV at 30% to 70% efficiency and I was stunned. How could she not have known that a department sees thousands of attacks daily and 1% is a deluge? Further, the 99% are distractions and noise. The 99% aren’t the attacks that are targeted or make a difference; the vast majority of the risk is in that 1%. That’s what’s interesting…stopping the 1% of attacks that get by everything else.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions? (Middle East, Africa, Europe, Americas.)
For the most part, the regional differences are particular to the geopolitical and regional idiosyncrasies in each region. We live in a global village and the technology on offence and defence is largely the same, with the obvious exceptions of getting some tools in embargoed nations. What matters is who is knocking at the door and why, and that can vary enormously, say, from Latin America to Africa or the Far East.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
My job changes have paralleled changes in Cybereason, my company. I went from being Chief Product Officer and building a great team to more strategic and outbound functions. The company needed it. So the bottom line is I get to work with great people, on a mission I believe in and have my cake and eat it too from a role perspective.
For the future, I can only hope to be able to provide more glue for my company to hit the next hurdles of growth and expansion and, personally, to fulfil my personal mission to reverse the advantage from attackers to defenders in cyberconflict. I will do anything, try anything to get maximum leverage of my personal time and resources to make that mission happen faster for more people. We have to accomplish this if we want the benefits of the connected world for all of us who live in it.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
Gravitas is more about how you do things than what you do. Follow my four fallback skills and you won’t go wrong; and make sure you both mentor others and have a mentor. There is no one in the world who can’t get better at what they do and tap into the friendly wisdom and lessons learned from others. I personally have a ‘board’ of advisors that I turn to and learn from regularly. Consider doing the same.