Go Phish: Raymond Pompon, Director at F5 Labs

We ‘Go Phishing’ with Raymond Pompon, Director at F5 Labs, who tells us about life both in and outside the office.

What would you describe as your most memorable achievement in the cybersecurity industry?

Writing a book on how to build a security program that is both useful and can pass an audit. Publishing the book wasn’t the achievement – the writing of it was. I had to really dig down and organize decades of ideas I had about security and compliance, then figure out how to present it in such a way that a non-security person could actually implement it. It was about six months of really deep thinking about security programs, why they fail to mesh with an organization’s culture, and how people can overcome that.

What first made you think of a career in cybersecurity?

My entire career track, starting from working on mainframes in college, was always about exploring interesting and tough problems. As I progressed in my career, I chased tougher and tougher challenges. I was specifically interested in the mesh of people, technology, and connectivity. Cybersecurity was the next logical step in that progression. What tougher puzzle could there be than doing tech in the face of attackers trying to subvert the system? And the challenge never ends – once I make something secure, some new attack or technology comes along to change things.

What style of management philosophy do you employ with your current position?

I’ve always pursued jobs where I could work with people smarter than me and who were willing to teach me new things. I think my management philosophy is deeply steeped in that love of learning. I am always looking to get new ideas and new concepts, not only from my team, but also from other peers and colleagues around the organization and the industry. It goes both ways too. Whenever I can, I mentor, share, and brainstorm with the folks all around me, so they can learn useful new things. That includes providing the executive leadership with an appropriate level of understanding about cybersecurity.

What do you think is the current hot cybersecurity talking point?

Careers in cybersecurity. There’s so much going on there. Do we have enough people? Are they getting the right training or education? Are they motivated to stay in the fight? How can we address the diversity issues in cybersecurity? How can we get better and fresher perspectives into the field? What does a successful and fulfilling career in cybersecurity look like? When I started in cybersecurity, the field really didn’t exist. Now it’s huge, with so many different roles and skill sets. It’s a very exciting time for the industry and the fast-paced nature of it keeps me on my toes.

How do you deal with stress and unwind outside the office?

Out of the office? You’re never out of the office in cybersecurity. Ha, seriously, I do try to fit in some walks in nature or exercise. But really, it’s a 24×7 job. So, it helps a lot to remember why I do this. It’s not a job for me, it’s a calling. It keeps me going when there is a lot to learn (always) or fires are breaking out (always). It’s a double-edged sword though because you can care too much. Making sure I retain as much agency as possible has helped. I become stressed when I feel trapped or stifled by a lack of options. So, part of my way to manage workloads has always to make career choices to ensure I can have as much autonomy as possible.

If you could go back and change one career decision what would it be?

I ran my own network integration company for a handful of years. This was definitely a huge learning experience and provided me with a lot of freedom. But I have never worked as hard and long in my life. Running your own business means you do everything from marketing to accounting. I’m in this for the technology, not business operations. Running your own show isn’t for everyone and definitely not me. It took a huge toll on my mental and physical health. I should have hung it up sooner and moved on.

What do you currently identify as the major areas of investment in the cybersecurity industry?

The industry should be investing more in people. And by that, I mean growing and training the cybersecurity experts of the future. There are so many good folks out there, and not just in the technology field, that would do very well in cybersecurity roles. Many of them are deep within our organizations and just need to be tapped, motivated, and educated. It’s disingenuous for companies to cry that there’s a cyberskill shortage when they aren’t doing anything to raise up the folks inside their own ranks.

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?

We have seen some difference in cyberattacks by region. I think a major factor impacting this is which technology platforms are being used and in what ways. For example, the US leverages a lot of tech for retail, so we see a lot of credential stuffing and online fraud. Whereas another region may be deeper into FinTech or delivering government services via technology, or even mobile. This is where we see more regional differences in compliance, which also will overlay on the tech and security deployments.

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

My current role is carrying out threat research and talking with security leaders to develop intelligence for the security community. I’m not in what you’d call a typical cybersecurity role. I do see changes in what people are interested in with respect to content and conversation. There’s a lot more interest in DevSecOps, cloud security, and moving to zero trust.

What advice would you offer somebody aspiring to obtain a C-level position in the security industry?

Learn to speak in terms of the business that you’re going to be working in. No one in a C-level position is going to want to hear arcane technical talk or abstractions. And every organization cares about different things. Understand the value flows of your organization and think of all your work in the context of that. The more you can translate cyber-risks into things your C-levels are used to dealing with, the more they will listen to you.