GO phish
WE ‘GO PHISHING’ WITH CHRIS EVANS, CISO AND CHIEF HACKING OFFICER, HACKERONE, WHO TELLS US ABOUT LIFE INSIDE AND OUTSIDE THE OFFICE.
What would you describe as your most memorable achievement in the cybersecurity industry?
My most memorable achievement is the work I did to pioneer the modern Bug Bounty Program. This was around 2010 at Google. We started with a bounty program for Google Chrome and quickly moved on to grander things, launching the first broad program targeting web and server assets. It was a progressive experiment, and some people thought we were crazy. But it worked – we built relationships, encountered huge security surprises and achieved a significant increase in quality and reduction of risk.
What first made you think of a career in cybersecurity?
I started out studying chemistry at Oxford, but halfway through my course realised that my passion was computers, not chemicals. More specifically, I became increasingly interested in engineering and security.
At this time, it was still very early days of cybersecurity, and there were very few jobs to be a hacker or even a security engineer. So, I started my cybersecurity journey in open-source. This area was something where, if you have the talent and the drive, you can dive in and start hacking things and improving them. My first day job was as a software engineer, but I was moonlighting as an open-source hacker and enjoying it.
After a few years, the cybersecurity landscape started to develop, and a few more progressive tech companies started hiring hackers and security engineers. One of these companies was Google, and I jumped at the opportunity to be able to align my private passion with my day job.
What style of management philosophy do you employ with your current position?
There are different ways to run a security program. Some are hyper-focused on compliance checklists. We do our fair share of them, including some tough ones like FedRAMP. However, our north star is to be hyper-focused on risks. We have an objective risk analysis process that runs quarterly and gives us ranked risks. It’s important to be focused on those and re-evaluate them regularly because we are in a changing cybersecurity landscape. We are always learning new things about our internal posture and systems, as well as new things about the external threat environment. Thanks to our processes, whenever we are working on a given project, everyone knows exactly why.
What do you think is the current hot cybersecurity talking point?
It’s AI, of course. Every decade or so, a new powerful technology or shift comes along, and it takes the cybersecurity industry a little while to get a handle on things. With AI, we’re still sorting through how it will make defenders’ lives as well as attackers’ lives easier. We’re working out how to integrate it into products, how to make it work and how to make it go wrong.