After Bluebox was acquired, I took a much-needed long vacation in Italy & Greece (which I highly recommend). It also gave me some time to reflect and decide what I want to do next. After analyzing the market, I realized that the last thing the world needs is another security startup. The market is crowded and filled with a lot of hype, even by security industry standards. There are literally thousands of security vendors out there, yet more & more breaches are based on companies just not following basic hygiene (more to follow on this topic later). I realized that I want to understand why we are still not accomplishing security basics when we actually have the technology to solve these issues. I came to the conclusion that the best way to find that answer is by going to a customer and trying to understand both their problems and priorities. And if possible, nail down where the fault lies — in their people, process, or technology, or even some combination.
Once I made that decision, I built a profile to help me find the right company.
1. First, the company couldn’t be too small or too big (call it the Goldilocks equation). That offers the most bang for the buck, so that the problems aren’t from a lack of resources or a result of bureaucracy. I needed to be involved with a company that was big enough to experience all the pain but small enough that I can make a big impact.
2. It couldn’t be a security vendor. I’ve seen that movie already.
3. The company had to be betting big on Cloud. If not, they simply weren’t forward thinking enough to suit my needs. And, I want to see the security difficulties of legacy issues and in transitioning to a cloud infrastructure.
4. The security organization had to have support from the top. I wanted to ensure I was not going someplace where you had to fight for every dollar. C-level buy-in is simply paramount to success.
5. They had to be building and doing “cool stuff”. Innovation and support of that is a must. I wouldn’t be in this space if I didn’t favor innovation.
Based on this profile, I started talking to various companies. One of my friends, Alex Stamos [@alexstamos], mentioned that I should talk to Capital One as they were doing some “interesting stuff”. One two-hour phone call with Tony Spinelli [https://www.linkedin.com/in/tspinelli] later, I was convinced Capital One met my profile and even more that I was in for a very exciting change. So what convinced me to go?
1. Tony Spinelli — if you don’t know him, you should. Hands down, one of the best CISOs I’ve ever met.
2. People — Everyone I spoke to was much smarter than me and had amazing passion and excitement about what they were doing. Just as important, they all had a consistent message on what Capital One’s mission is and how they were a part of it. That’s the kind of atmosphere that makes you want to be a part of it.
3. Technology — They are moving the entire bank to the cloud and doing it with the regulators right alongside them. Capital One has hundreds of software engineers dedicated to just Cyber Security. They have built and are building some amazing tech.
4. Founder Led — They are a very young bank compared to all the other competitors and are still led by the founder. He has pushed Capital One to become a technology company, not a finance company. Only a founder can make those types of moves. And in this heightened era of risk, that’s how it needs to be.
5. Transition — The cyber security team is growing at an enormous rate and is at the beginning of a major transformation. Being in early and helping to shape and mold that is exciting.
6. The office is half a block away from where I live… that always helps.
Overall this will be an exciting journey and a great learning experience. I feel a bit like a kid in a candy store. So much to learn, and not enough time to do it. I wouldn’t have it any other way.