Over the past 19 months, I was empowered to create a security and compliance function at a Seattle startup. I was a pretty successful Security Director by most measures - I helped my employer win a Series B funding round, then a Series C, and cultivated many amazing customer relationships. I got to experiment at the bleeding edge of cloud-native startup security, and being a JupiterOne customer was a huge part of this successful journey.
JupiterOne was the first piece of security software I bought. It helped the company’s security and DevOps teams win customers, pass audits, manage our cloud assets, and improve overall security posture as the organization doubled, tripled, and quadrupled in headcount. It was effortless for me to justify the cost of JupiterOne renewal after 12 months since I could very easily point to times that the Slack JupiterOne alerts lowered the AWS bill or averted a crisis.
Also, JupiterOne Insights dashboards made me seem smart in front of executives and customers - I bragged about my GDPR dashboard daily, to anyone who’d listen.
While I could have continued my work at the startup, I was eager for a new challenge. Plus, if I learned anything in the last few years, it’s that being a Security Director is hard, exhausting work.
Sanity Check: Security is Hard without the Right Context
Security is the only thing I ever really wanted to do when I grew up. I've worked with organizations large and small and found regardless of the size, the challenges all businesses face fundamentally start with their cyber asset landscape. They don't know what they have, much less the true extent of the relationships between cyber assets and their company's infrastructure. Also, regardless of what the media says about skyrocketing security salaries, most of us aren’t doing this work for the money. There are much less stressful ways to make a comfortable living. Virtually all security practitioners do this work because they share the core belief that security is a basic right.
Also, I’ve observed first-hand that most of us face a nasty learning curve in our first security leadership role and many of us spiral into PowerPoint hell after realizing success is based on communicating effectively. Truthfully, it’s a struggle for many security practitioners to communicate the right info in the right context to executives, customers, and colleagues. It’s even more onerous when your CEO expects a complete update summarizing “security” in exactly one slide. And no, you can’t use font size 8! JupiterOne Insights saved me with visual collateral for these types of updates, but it still wasn’t easy.
Lastly and most importantly, I learned once you know your security goals, you must put your security and compliance program on autopilot. Automation is key to survival and scaling up maturity. Integrate, automate, orchestrate, or you’ll crash and burn. Studies show the average CISO burns out after like 11 months and way too many of us regularly put in 14-hour workdays. So, something's got to give.
So, I spent a few weeks casually job-searching. I took some of the great advice I regularly give to my mentees and said yes to most conversations with potential employers. As it turns out, the security job market is definitely red hot. But, I learned something else, too - that I couldn’t possibly bear to go do my job at a company using spreadsheets for asset inventory, vulnerability management, and risk.
Life is way too short to do cloud-native security with spreadsheets, especially after using a cyber asset attack surface management (CAASM) tool like JupiterOne.
So, I Quit Being a JupiterOne Customer and Became an Employee.
Monday, I joined the JupiterOne team as an employee in a Field Security Director role. It’s an ideal arrangement, since I still get to use JupiterOne every day to seem smart. Armed with some fresh real-world experience as a Security Director, I’ll be helping JupiterOne customers realize the value of a CAASM tool. In addition, I’ll be writing, researching, and helping grow a community of security practitioners at the cutting edge of cloud security. I’ll get to learn at the feet of top brains like Tyler Shields, Sounil Yu, and Kenneth Kaye and help the industry create common knowledge of solving the most significant challenges we face.
That’s the story of how I stopped being a JupiterOne customer and became a JupiterOne Field Security Director.