Former Twitter CISO shares his advice for IT security hiring and cybersecurity

Michael Coates, CEO & Co-Founder of Altitude Networks and the former CISO at Twitter, shares best practices for building strong security teams and for starting a career in cybersecurity.
Written by Bill Detwiler, Contributor

As a company, building a strong security team can be a challenge. On the flip side, if you're looking to enter the field of cybersecurity, it can be challenging to know where to start. I had a chance to discuss both these issues with someone who's been there, Michael Coates, Co-founder & CEO at Altitude Networks.

Coates got his start in IT security through red team exercises. He would use social engineering, physical pen testing, and a variety of hacks to break into the network and applications of corporate clients and financial institutions. It "was really exciting to learn how it was actually being done week over week," Coates said, "and then sitting down with the CIO, the CTO and explaining these are the actual things we found." From there, Coates spent time at the Open Web Application Security Project (OWASP) and served on the board. He eventually moved to Mozilla and served as Director of Security Assurance, and then Twitter where he was CISO. The following is an edited transcript of the interview.

Building a career in IT security, from red teams to CISO

Bill: How did you get started in the field of IT security?

Michael Coates: Yeah, the security field has been a wild space, and I've been very fortunate to be in it for now over 15 years or so. And I got into it originally, I think as many people did in the security field, out of curiosity. I was a tinkerer, I wanted to learn how computers worked, how software worked, how different things happened. And as I found that there were careers in the field of security, I was really drawn to them. And the beginning of my career in security, it was actually in red teams, which was really exciting because week over week, I would be called out to a bank or a company with the goal of breaking into the company through social engineering; through physical pen testing; through hacking into the network and applications.

And it was really exciting to learn how it was actually being done week over week, and then sitting down with the CIO, the CTO and explaining these are the actual things we found. And you would get pushback, which was always interesting, "No, that's not possible." But doing it and having that be the first thing like, "Oh, let me show you. I just actually did it," that was a really interesting way to cut my teeth in the field of security.

Over the years, I progressed into a variety of roles, focusing on application security for a number of years, having a great stint in OWASP. Also being on the OWASP board, and eventually moving to the West Coast where I started security programs at Mozilla and eventually was head of security there, protecting hundreds of millions of users with the Firefox browser, along with an amazing team. That was quite a challenge.

Then eventually found my way over to Twitter. CISO of Twitter was equally exciting. On one hand, people say, "Well, what would you really need to protect at Twitter? You know, people use Twitter to say they're having a ham sandwich for lunch," true, but on the other hand it's also a global platform fundamentally for free speech. And you can think of some organizations and regimes that are not in line with that reality. So we actually had quite a number of challenges across the spectrum and that was a very interesting role to see what it's like doing security in a real time system where, you know, a two second delay on a response to something is two seconds too slow. We need to really do things in tens of milliseconds or faster.

But now I'm at Altitude Networks. I made the big jump after being at Twitter for a number of years, to start a company, largely going after a space that we know we needed a solution to ourselves there. And it was ubiquitous across other companies, which is, how do you protect data in this new paradigm shift to Cloud, specifically Cloud collaboration like Google G Suite, Box, Dropbox, et cetera. And briefly, it's very easy in those platforms to collaborate and share documents with other people when you want to. It's also equally easy to make mistakes and share them with the wrong people or be malicious or get compromised. And so we're really trying to thread that needle to enable people to use those platforms while having security over data built into the experience.

Focus on IT security empowerment, not just the perimeter

Bill: What are some of the security challenges that today's CISOs face as technology evolves?

Michael Coates: Yeah, the change in technology, the speed of change, really is a challenge for CISOs and organizations. Organizations want to move fast. They want to be nimble and adopt new technology and get the benefits of moving to [the] cloud or having third party relationships with different companies. From the security perspective though, it is really challenging because the fence, the perimeter, is constantly changing. It's actually dissolving as we think about it. The interconnectivities continue to increase and what you want to do from a security perspective is you don't want to be the team that says, "all right, we're going to make this new shift. Let's pause for a year and really evaluate this and think about everything that's happening, how to do it perfectly right," because a year is eons, and you can't delay the business forever. It's the old model of security where you can't have these big choke points that just slow everything down.

So instead from a security perspective, what I found effective at both Twitter and Mozilla was moving towards this model of empowerment. And it's very much along the idea of like security champions that I think a lot of people have had success with, but what we want to do is empower the teams to make good decisions within a reasonable bound of risks, and give them the tools so they can do that safely. It's kind of the paved path approach. That's a term that I know I've heard a lot from the Netflix security team, which is great, where you make the secure way of doing something the easiest way. And this is really a way that when you think about scaling security teams, you can never have two of your security members in every team across the company. You'd never get that much headcount, but you can anoint security champions, and you can train them and teach them ways of how to drive good security practices. And I found that to be very effective in helping companies move fast.

Now the other side of things is that as we keep adopting new paradigms, Cloud being a big example, it causes us to rethink security as a whole. Like we used to put a lot of faith in, we had big firewalls, therefore the bad guys are out and the good guys are in. But there is no real, as I said before, perimeter, and this notion of relying on firewalls doesn't just translate into the Cloud. And so now there's a big shift, and I drove this at Twitter, of let's not think about security in the old way, but let's instead move to what matters the most. And what matters the most to us at that company, and matters to many, is data. And so we adopted a data first security policy which said, wherever the data lives, let's apply the security controls there first and then move out kind of in concentric circles outwards. And this has the added benefit of thinking about the reality of internal threats.

Now that the internal and external is really dissolved, your employees could always have been a threat before, but now you have third parties, you have people, temporary workers, you have interconnections to third party systems and networks, and so now a compromise downstream eventually threatens your data. You are designing appropriately because you have your security controls right next to the data to begin with.

CISOs, stop using certifications to filter security job applicants

Bill: What are some best practices that companies can use to build strong security teams?

Michael Coates: Yeah, building security teams is challenging. There's this notion that the security field is understaffed and there's no way to hire anyone. And I think that's a little bit disingenuous. It is challenging, don't get me wrong, but companies are not doing themselves any favors when they build their security teams. And specifically what I mean by that is, in many cases when you are trying to build your security team, unfortunately companies are sometimes underfunded. So they get to hire one or two people, and they're like, "All right, well we're going to get the best for that one person. So let's pick these 15 different skill areas and hire someone that knows all of them." And you can guess how that plays out. You can't find those people. So one, we have to get away from the security unicorn that doesn't exist. I mean, to that end, we do need to have a stronger push for good budgets to build the teams that you need. But let's assume you have that headcount.

Now when you go to hire those people, first step back and look at your current team and say, "All right, what skills do we need? What areas of coverage do we have and how do we build a job description and role that actually exists for candidates? So let's find that person that's very strong, that is a good analyst for the SOC or a good security engineer or a good application security engineer."

After that, you're trying to find that talent. Go to your recruiting and your sourcers and sit down with them and have a conversation. "This is the kind of person I'm looking for. These are some examples of people that are close but not what I'm looking for." That is one good way to get your sourcers, that first line of attack, actually on board, so we avoid this failure where you see those recruiting emails saying, "Hey, do you have a CISSP? Or if you don't have a CISSP, you get thrown out of the candidate pool." That really is a reflection that you've been lazy in your hiring practices, because you shouldn't look for just one particular certification or really any at all; they're a tool for learning, but not necessarily a filtering mechanism.

After that, have training for your employees on how to do good interviews and good hiring. It's not easy to do interviews, but we should be aware of things like unconscious bias, and so we should do those trainings. We should have our characteristics of what we're looking for and the responses defined ahead of time. All of those things will help you have much better interviews and actually find people. Now once you've done your end of the spectrum, the other thing to do is to get out there as a company to attract talent. Encourage your security team to go to conferences, to speak at events, host local security events like an OWASP or BSides or any of those other types of events that you can be a sponsor for.

That's another good way to show the security community, "Hey, this is an interesting place to work. I'll get a chance to interact with the community." And I've found that to be a good way of having conversations and attracting new talent.

Security career advice: Studying is good, but hands on experience is better

Bill: What advice would you give for both IT pros and non-IT folks who want to start a career in cybersecurity?

Michael Coates: So on the flip side, how do you think about this from the individual wanting to break into the field of security? And that's a really good question. And first of all, we need you, so please do. The one thing I'll point out is there is no bad time to do this. If you are in school, this is a great field to go into straight out of school, and if you have 10 or 15 years of experience in a different field, it's still a great time to make the switch.

And so two areas there, and I'll jump into them both. So for the student in school, take the courses you can. If you want to get a computer science degree, get an information technology degree, even an auditing style degree, all of those have different paths in the field of security. Second, find security labs and activities and do them. That learning by doing is by far the best thing you can do. So download vulnerable web applications, vulnerable operating systems. Use a web proxy or [inaudible] and actually do the exploits. You'd be amazed how much you learn when you go from, "Oh, I read about SQL injection," to "I did it in an application and actually saw it working."

After that, go to the community, security meetups. That's a really good way to build your network and you would be so surprised in the field of security how having that ...the network is not big. The total number of people in security is not big. So once you start to meet them, you get into those open source projects. You build a network, maybe on Twitter, the security community is strong on Twitter. I've found some people that go on Twitter and they say, "Hey, I'm looking for my first job in security. Here's my skills. Help me out." It works really well.

Now flipping over, if you've been in the industry for 10, 12, 15 years, you're actually a great person to move into security and you might be surprised by that. The reason is because in security, we are building a specialization of security skills on top of a fundamental capability already. So think of application security engineers. They have to be good at coding to some degree, or network security engineers, again, a networking background. So if you've been in those different roles, you already have all those base skills that are critical to what you're doing.

So start to study some of the incremental security knowledge to give yourself a baseline. That's where some of the Security+ certifications, those are good ways just to start and get the common, the lay of the land. But a company, maybe even your own company, would be well suited to bring you in and train you up on those incremental security skills, and that's something we actually did quite a bit at Twitter and I recommend to other companies, is to build that pipeline of skills. You take new candidates out of school, you also take internal employees that are excelling in the company, and you train them on those incremental skills, and you suddenly have people that know exactly how the underpinnings of everything works in their domain and they're advancing in that security space.

So it's a really good opportunity on both sides. Companies, take internal transfers and train them, and then employees, go ahead and make that big leap into security. You can actually do it and you'll do a really good job.