Fintech wealth management platform Addepar recently turned 10 years old. Its VP and CISO, Will Gregorian, caught up with Pulse on how velocity can pose a threat to security in a rapidly growing startup and told us what he learned from his mentor Mike Kail.
Pulse: Thanks for joining us, Will. I wanted to start off with cyber security, particularly in startups. Could you give me an idea of what special challenges there are when it comes to cyber security and startups?
Gregorian: The challenges are often time constraints as well as velocity when we’re talking about security. When you’re in a hyper growth phase, you need to remain competitive and security often takes a backseat.
That’s not for the wrong reasons. It’s often the challenge of trying to balance the security initiatives and endeavors with your ability to be able to sell fast. There is an equilibrium there. I would say that most startups realize early on that they need to secure representation, especially based on their business model.
The founders will realize that if their trajectory is towards the enterprise, they need to make sure that the enterprise enablement includes security, which is often the first taste. Some organizations don’t realize that until we’ll do is still stop appropriately. The biggest challenge in as far as security is concerned in a startup is that realization.
I believe that we’re still at the infancy stage of security. It’s very new and there is still much to be learned. The security practitioners, the individual contributors: they’re super good. But when it comes to security leadership and, when you’re talking about the CIO role, that is a brand new title, even though it’s been around for about a quarter decade. I believe that it’s now a second evolution, if you will.
Pulse: Could you elaborate on this ‘second evolution’? Can you talk us through what the first evolution was and then how it’s changed since?
Gregorian: The first evolution used to be the automation companies. Being in the bubble of Silicon Valley, it’s all digital natives. We’re talking about companies who basically have never had brick and mortar. They’ve never even seen a server. In the first evolution, it used to be all about the perimeter. You have your network, you have your perimeter, you know how to secure it, you knew exactly where the data was.
In today’s world, when you talk about security, you don’t worry about any of that. You basically set up an AWS account, fire and forget, and you start pumping a whole bunch of data into it. That lends itself to a bunch of other complexities. Ultimately, the first evolution was much easier. You knew exactly where everything was.
It’s inherently difficult in today’s world but the security industry itself hasn’t caught up to this yet.
I deal with clients who are very much in the first evolution entitlement mental model. I have to sometimes educate them about physical security. We’re in AWS and, from a shared responsibility perspective, they are responsible for the physical security aspects, so I don’t have to worry about it. From a risk mitigation perspective, we’ve transferred the cost of the physical aspect of the data center to AWS and they do a wonderful job. I never have to worry about the fact that somebody’s just going to walk into a data center.
It’s no longer a single point of failure from a vector perspective, when you’re talking about security attacks. It’s distributed across many different AWS regions, which makes it inherently much more difficult to exploit and infiltrate.
Pulse: Could you speak to the tensions between slowing down products and the necessity of keeping them more secure?
Gregorian: If you’re a security practitioner, and this is part of the second evolution of the journey, you now have to also possess the business acumen and the sense of awareness around what they’re asking for. It’s no longer acceptable for practitioners to sit there and dictate. Let’s face it, we’re technologists first. We don’t always like to hit the mark from a business perspective. So we may not be able to correctly contextualize that, and that takes skill.
Everything is very much context relevant; you have to be in some fashion compromising to some extent. You have to possess the mentality to be able to forego some of the principles, bend a little bit, to be able to succeed.
Pulse: You mentioned earlier that Mike Kail was a mentor of yours and I’m interested in what the main things you learned from him were.
Gregorian: Be concise and direct. That was his approach. And you do have to basically deliver. You have very little time, you have a number of priorities, and as an exec you can’t beat around the bush. That’s what Mike is super good at.
There was one project that he asked me to deliver and I said I’m going to get this thing done in 30 days. I still have his email where he praised my hard work. That’s the value of a good executive: when they come back and they can motivate you and you want to deliver.
Pulse: What’s interesting is when Mike last talked to us he said he wasn’t just looking for technical skills. He was looking for ‘intrinsic motivation’. Is that something you look for as well?
Gregorian: I am absolutely looking for those traits and skills. I would forego the technology, skills, expertise and the experience. I would gladly trade that for the intrinsic motivation. You can teach people how to do it.
I would rather hire people who are motivated, who have this sense of wanting to learn and absorb more than to hire people who’ve gone through their career for 25 plus years, being super good at it, but they walk into a company and they get bored and they leave two months later. So motivation is absolutely the key factor.
Pulse: Thank you so much for your time today. Be great to talk to you again sometime soon.
Gregorian: Yeah, sounds good.