9/18/2018
Several weeks ago, I had a fantastic opportunity to chat with the CISO (Chief Information Security Officer) of Starbucks, Dave Estlick. If you do not know who this man is, he has quite the resume! He has worked at Sun Microsystems, Boeing, Amazon... He is on the board of 7 different cyber security groups, including PCI (Payment Card Industry). This guy has been around the block! In terms of security, he has been in the game since the beginning; he started his career in security around the year 2000. If you would like to know more about the man, his LinkedIn is https://www.linkedin.com/in/destlick/.
Honestly, I expected a pretty quick conversation with the guy. I had forced a very strange connection with the man in order to get him to meet with me. So, I figured I would have to pry the answers out of him and then he would leave. However, Dave was more than willing to talk about his career and how he got there, which was very much appreciated.
Secondly, I also expected to have more of a technical talk. But what we talked about was much more valuable; I saw into the world of how to be successful and to be a winner! The advice below comes directly from a man who is the CISO of Starbucks, in other words a man at the top of the industry. Most of these concepts and ideas do not just apply to the world of cyber security, but to life in general.
No matter how experienced someone is in the field, a new and different experience will come up. So, now what? The situation is new and difficult to handle. However, this is where the problem solver comes into play. Someone who is marketable, as any sort of professional, should be able to fix issues that are happening in the company. No matter the problem: a security breach, an internal issue with employees or anything else, being able to solve problems is very valuable.
Being a problem solver, though, is not a simple skill to develop; it requires a dedication to excellence, creativity and a commitment to the profession. If you are able to call yourself a problem solver, then you are in a good place!
If you are waiting for your employer/school to teach you something then you have likely gone wrong. The people who are willing to go above and beyond by teaching themselves are extremely valuable. Why so?
First of all, they are going to be constantly learning. Instead of watching TV at night, they are probably reading a blog on r/netsec. Instead of drinking a beer, they are spinning up a VM for testing. Instead of... Well, you get the point. The self-educators are going to be doing more outside of the office to get ahead in the game.
Now secondly, imagine there is a new technology that could revolutionize the industry... The boss needs someone to learn how it works, then harness the power of the technology to create something amazing; who is he going to choose for this task? He will choose the self-educator 100% of the time. This is true because that person will pick up the skill faster, more efficiently and enjoy doing it. What a valuable position to be in... I strongly believe that learning how to learn is an immensely valuable skill in and of itself.
The passionate person will spend time on weekends implementing new things, learning in the process. The passionate person will go to groups around his area, participate in competitions when he is not working and will join online groups just for more interaction. Finally, the passionate person will simply get it. If a major amount of effort is put into something, you will eventually understand it.
Time spent on a project is also directly proportional to how much someone cares about it. The more time invested into something, the more someone is going to care. As we all know, once a person takes ownership of a project, it will be their baby; this project will be the best damn project that has ever been made! Passion will drive someone to extreme depths that the less passionate would not go towards.
If you have not noticed, most people who go into cyber security have a pretty strange background. Elizabeth, the lead security engineer at Faithlife, had a degree in Biology. After viewing the Intrinium cyber professionals, quite a few of them started off in sales! Hmm... What a weird trend! Dave, however, does not have such a strange background.
The question Dave kept asking me was 'What are you good at?'. Up front, this should be a straightforward question, but a lot more goes into it! Most people are good at pointing out what other people are good at, but not themselves. Dave viewed this more as 'What does everyone always have you do during a project?' After working at Boeing as the designer for integrating systems together (with no initial design for integration with other applications), he took on the role of making everything secure within the project. Then, project after project, he realized he was good at understanding the risk factors of an application. Hence, he was good at securing it. This led to him using this knowledge of security to propel his career to new heights.
Who wants to be mediocre at what they do? Clearly, nobody. So, when Dave was choosing his life path, he realized that people wanted him around during a project for the security. With this in mind, he took a job as an IT Risk and Compliance Development Manager at Amazon. So, the real question is: why do people include you in a project? Once you can answer this question, you have most likely found what you are good at, and from that, a good path to follow.
How do we demonstrate to people that we know something? This is an extremely difficult question. All those job applications always require 4 years or more of experience. But, how do we get that experience? There is definitely a trick to the trade for this one.
Regardless of the project you're working on, job you have or anything else, there is a way to morph this into a valuable experience. Oh, you are just a waiter at some restaurant? How about instead of talking about giving people food you discuss the social skills required to deal with customers, to get exactly what they want. Now, this pertains to something that is useful! No matter the circumstance or job, there is a way to get something out of it.
Imagine you are an IT guy at Amazon who is trying to break into the System Administrator side of things. How do we move up from here? Simply, just do much more than is asked. If they ask you to build an interface for the sales reps to more accurately see the customer demographics, then do more. Add beautiful graphs so that the sales reps can understand the data better, add some amazing LDAP integrations into it, talk to the sales reps about what they want to see... Just go above and beyond the call of duty. If you do this, people will notice.
When interviewing for another job, people will always want to know what you did. The distinction here is clear; if you do amazing things, then you will be rewarded. This can be inside or outside of the workplace, but tends to be in the workplace/classroom.
One question that I asked was "What counts as a valuable experience?" That is, from the employer's perspective. Dave claimed that anything where you can show results from something is a good experience. So, entering a CTF where you executed a buffer overflow attack on the system, even though it is not job experience at all, is a valuable experience. Building your own website is a valuable experience. Doing... Anything that you can demonstrate a direct result from is a valuable experience. This can even include a learning experience, such as "from this CTF I learned to be more patient and systematic when attempting to exploit something."
From the knowledge perspective, learning the number theory behind cryptography will have some benefit to being a security professional but how much? This "how much" is a really important yet difficult question to ask yourself when deciding to learn something new. Instead of learning about the number theory behind cryptography, a penetration tester would be better off learning how MIPS assembly works. This growth in knowledge is what makes a person valuable to a company, but not necessarily marketable.
On the flip side of things, how do you maximize the effort of making yourself a marketable person? This is where Estlick really shines. He is on the board for 7 different security groups and has several security certificates. The certs help get you past the HR reps, making you an easier person to hire. However, how Dave 'looks' on paper all started with a single cert: he got his CISA (Certified Information Systems Auditor). In particular, at the time he got the CISA, he knew that the industry was heading in that direction. Because he spent the time to get the best possible certification for himself, he became extremely valuable to other companies.
A small part of this, that Dave mentioned, was to do something with a bigger objective in mind. To me, this entails having a purpose for every project, cert or anything else that you do. This helps ensure that you are not wasting your time on something that will end up being meaningless.
All in all, the most important takeaway is how do I maximize my effort? If you can prove that you are doing the best action for your personal growth and marketability, then you are doing the industry right!
Besides the philosophical, we discussed a few technical problems that he was trying to solve. However, the problems were much more abstract and difficult than I expected.
What personally draws me towards security? The intricate exploits found on running machines! But this part is insanely technical... There exists an entirely different part of security, that typically only the CISOs deal with: business.
A business is constantly trying to cut costs. Because of this, people tend to cut security when things go bad for the company. Being able to understand the risk behind a decision is crucial for a man in his position. This includes a security professional's day-to-day work. Is this really worth making that much more secure? Being able to assess the risk/importance factor of a situation is crucially important.
Being consistent in how you respond to a problem is important. If the person representing the company has fear in their eyes, then the rest of the public will freak out too. It is all in the reaction of the company. So, react consistently to create a sense of calmness, steadfastness and trust.
Okay, now it is time for the technical perspective that he gave me... Some of these are just quick facts, and others warrant a deeper conversation.
80% of all breaches are from known vulnerabilities. So, patch your systems, people! Most of the breaches are not genius people discovering 0-day exploits.
Automate, automate, automate... Being able to have self-updating devices is extremely important nowadays! The entire reason these botnet armies of IoT devices exist is because they never get updated! Auto-update would make this much easier. Further, automate SSL certificates using Let's Encrypt. The main reason to automate the little things is that it makes the human error element less likely.
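Both of those takeaways, patching known vulnerabilities and automating the little things like certificate renewal, come down to the same defensive habit: continuously compare what is deployed against what should be deployed, and flag the gap before an attacker or an expiry date does. The script below is an added example written for this post, not code from Mr. Estlick or from Starbucks. The host inventory, the advisory list (with placeholder ids, not real CVE numbers), the certificate expiry dates and the "today" date are all constructed sample data; the 30-day renewal window matches certbot's default behaviour for Let's Encrypt's 90-day certificates.

```python
"""Patch-and-renewal hygiene check (added example, constructed data)."""
from datetime import date, timedelta
import re

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web-01": {"openssl": "1.0.2g", "nginx": "1.14.0"},
    "web-02": {"openssl": "1.1.1", "nginx": "1.14.2"},
    "cam-lobby": {"busybox": "1.22.1"},  # an IoT device that never auto-updates
}

# Constructed advisories: package -> first version that carries the fix.
# The ids are placeholders, not real CVE or vendor advisory numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "openssl", "fixed_in": "1.0.2h"},
    {"id": "ADV-PLACEHOLDER-2", "package": "nginx", "fixed_in": "1.14.1"},
    {"id": "ADV-PLACEHOLDER-3", "package": "busybox", "fixed_in": "1.30.0"},
]


def version_key(version):
    """Turn '1.0.2g' into a tuple that compares correctly.

    Each dotted component becomes (number, letter-suffix), so numbers compare
    numerically and a letter suffix sorts after no suffix: 1.9 < 1.14,
    1.0.2 < 1.0.2a and 1.0.2g < 1.0.2h. Plain string comparison gets the
    first of those wrong, which is a classic inventory-checker bug.
    """
    key = []
    for part in version.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)$", part)
        if not m:
            raise ValueError(f"unparseable version component: {part!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def is_vulnerable(installed, fixed_in):
    """True when the installed version predates the fixing version."""
    return version_key(installed) < version_key(fixed_in)


def unpatched_hosts(inventory=INVENTORY, advisories=ADVISORIES):
    """Return (host, package, installed, advisory id) for every host still
    running a version below the fix. This list is what you hand to the
    patch automation, not to a person with a spreadsheet."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed and is_vulnerable(installed, adv["fixed_in"]):
                findings.append((host, adv["package"], installed, adv["id"]))
    return findings


# Let's Encrypt issues 90-day certificates and certbot renews by default once
# fewer than 30 days remain, so that is the window used here.
RENEW_WINDOW = timedelta(days=30)


def certs_due_for_renewal(cert_expiry, today, window=RENEW_WINDOW):
    """Return hostnames whose certificate expires within `window` of `today`
    (or has already expired). Run from a cron job or systemd timer, this is
    the check that removes the 'someone forgot to renew' failure mode."""
    return [host for host, not_after in cert_expiry.items()
            if not_after - today <= window]


if __name__ == "__main__":
    # Constructed certificate inventory and a fixed 'today' for the demo.
    certs = {
        "shop.example": date(2018, 12, 1),
        "api.example": date(2018, 10, 10),
        "old.example": date(2018, 9, 1),
    }
    for finding in unpatched_hosts():
        print("UNPATCHED:", *finding)
    for host in certs_due_for_renewal(certs, date(2018, 9, 18)):
        print("RENEW:", host)
```

The version parser is deliberately small: it handles the dotted-numeric-with-letter-suffix scheme used in the sample data and raises on anything else rather than silently comparing strings, because a checker that quietly says "patched" for a version it could not parse is worse than one that stops. For a real fleet you would feed it the package manager's own comparison routine and a vendor advisory feed instead of the constructed lists.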
Even though the major takeaways from this were not technical at all, I feel that I saw into the eyes of a lion! Mr. Estlick is a winner; he knows the formula for success. Which, at the end of the day, is probably the most valuable thing he could have shown me. Now, I share this with all of you... Hope you learned something new. Cheers from Maxwell Dulin (ꓘ).