This week I was lucky enough to talk to Cory Scott–LinkedIn’s Director of House Security–and David Cintz, the Senior Technical Program Manager for LinkedIn’s Security Ecosystem. This was a great interview for me because it was the first time I’d talked to people running the security operation at a massive company. Check out the awesome interview below.
Cory, you’re the director of Information Security at LinkedIn and David you’re the Senior Technical Program Manager for LinkedIn’s Security Ecosystem, can you guys describe what you do on a day to day basis?
Cory: I’m the head of the House Security Team here at LinkedIn and we’re responsible for information security, application security and incident response. We’re divided into four groups: the assessment team, the assurance team, the security monitoring and incident response team, and the security ecosystem team (of which David is a part). The assessment team does pen-testing and code review and they’re made up of an excellent team of mostly ex-security consultants. The assurance team provides operational and network security. The security monitoring and incident response team does exactly what the title says and the security ecosystem team provides training for employees, interacts with the external security community for marketing purposes, and runs our internal bug bounty program. We now have a team of 20 staff that work on all of those roles.
David, you were working in business development for several years before you became a security project manager. Why did you decide to go into security and what was that transition like?
David: I’d always been interested in security so when a mentor gave me an opportunity to move into the security space, I took it. What I love about security is that it lends itself to being both proactive and reactive and going through a little bit of chaos.
Cory: David also has significant first responder experience outside of information security and he utilizes that mentality when dealing with security issues.
You both presented at Black Hat this year about building a security program that’s tactical rather than just strategic. What do you mean by this and why is this the right way to think about things?
Cory: One common mantra that you hear in the CISO circle is that “you need to be strategic” rather than tactical. While this is generally good advice, it neglects the value of operational excellence. While being strategic is important, you also have to address the threats of today.
Do you mean that many people emphasize product over process?
Cory: Yes, but not only that. Strategy is a set of goals that you want to achieve 6 months or 12 months down the road. Our argument is that you’ll never get 100% buy in on everything that you propose, so it’s more important to focus on doing your job tactically well and getting things done today.
In a blog post you talked about why you chose to implement a private rather than a public bug bounty program although dozens of major organizations are implementing public programs. What other conventional security wisdom do you think is false?
Cory: I’ve seen a lot of people come in with the mindset of “as long as I have a really good product, I don’t need as many staff.” We don’t agree with that. Nothing replaces a human analyst.
Is this a problem given the shortage of security talent?
Cory: Yes–people are adopting these strategies as a way to cope with the lack of qualified staff. I recently published a blog post about this topic, and we found that the best way to deal with a lack of qualified security professionals is to hire non-security people from within and develop them into security professionals.
Cory, you’ve been in the security space for around 20 years or so; what’s next for you? David, you’ve been working in the space for less time, but how do you see your career evolving in the future?
Cory: I want to work somewhere where I can have the greatest impact, both for myself and the company that I’m working for. LinkedIn is a great example; I was the first member of the house security team and I’ve grown it to 20 plus people in two and a half years. What I’ve found at LinkedIn is that we have a lot more potential growth in the future and I’d like to further explore the areas of security monitoring and infrastructure.
David: I don’t look too far in the future. I want to continue to work with the security ecosystem team and continue to help out with incident response and hopefully move up into management down the road.
- Hackers and fraudsters today run serious profit maximizing businesses with different groups specializing in different aspects of the hacking supply chain–stealing credentials, selling credentials, and utilizing credentials for profit.
- This article features Steve Herrod–VC at General Catalyst and former VMWare CTO–discussing the opportunities for security around the public cloud and explaining his investments in Illumio and Menlo Security.
- Bessemer’s Adam Fisher and Netanel Meir create a map of Israel’s startup landscape. They point out that over $2 billion has been raised by Israeli cybersecurity companies in the past 24 months and there have been two IPOs–CyberArk and Varonis.
- Lookout’s Cofounder/CTO Kevin Mahaffey provides several crucial tips for auto manufacturers: first, they must provide “over the air” software update systems to avoid recalls every time a vulnerability is found; second, they must control the communication between infotainment systems and the drive systems; third, they must secure each software component individually (also see my interview with Kevin several months ago).
- The Israeli company provides automotive security. Argus provides car manufacturers a suite of security products that protect cars’ critical systems from attack and give manufacturers visibility into each car’s security status.
- Sean is one of the top cybersecurity investors in the game and sat on the boards of companies such as AlienVault, HyTrust and Prelert while at Intel.
- The company apparently charges $600,000 per month for its software and consulting services.