Time to Embrace Change - Becoming a Field CISO

Posted on 31 May 2022 by Ray Heffer

Humble Beginnings

It was a hot summer in 1996 when I parked my car along the beach in Littlehampton, a small coastal town in the United Kingdom, and I took my usual walk to the office. It was a small office above a Chinese restaurant in the town. I joined this small company as an Informix 4GL programmer, and little did I know the journey I was about to embark on.

We rarely had customers in the office, so we’d have music playing all day on a small CD player. The Prodigy - Music for the Jilted Generation, was on repeat most days in the office. Fueled by the sounds of techno, this was a pretty cool place to work, despite the pitiful pay.

After a few months of fixing bugs in Informix 4GL code, and spending my days using vi, I ultimately ended up becoming their Unix administrator. They sold bespoke software to customers, so I ended up helping customers with their Unix setup too.

Back then there were no virtual machines or containers, and orchestration was achieved with bash scripts, oh and 10BASE2 was actually a thing! It was always Dave that would kick the cable under his desk and disconnect the entire network. Dammit Dave!

For the two decades that followed, my journey ultimately led to joining VMware in 2011, and then moving to the United States in 2016. My new life in the US gave me a fresh start in many ways, including a new focus on cloud architecture.

In the years leading up to the move, I was part of VMware’s End User Computing (EUC) technical marketing team. I’d dive deep into the latest releases of VMware Horizon, and Workspace ONE delivering sessions at VMworld, VMUG, and Tech Summit events all around the globe.

The move to the United States also gave me the opportunity to shift my focus on cloud architecture, and in 2019 I took the decision to join AWS. I was eager to see what was on the other side of the fence, and dive deep into public cloud. I knew that many customers were embarking on their own cloud-native journey, and I had that itch to scratch. I started learning Kubernetes, I needed to understand the technology stack used by born-in-the-cloud companies, and enterprises alike.

At the same time VMware was diversifying with the Tanzu portfolio, and a few years later I was asked if I’d return as a founding member of the Tanzu solutions engineering team. It was good timing. I would help cloud providers with their Kubernetes service offerings, on multi-tenant architecture, and inevitably security was always top of the list. I started establishing myself as the go-to SME for secure DevOps, and privacy-engineering.

Getting Caught Hacking Novel NetWare!

I’ve always had a passion for cybersecurity. But, I have a confession to make. I once hacked the Novel NetWare server at my college in the early 90s. I gave myself admin rights, and got caught enabling email for my friends (back then it was only allowed among staff). Thankfully, it was my C++ teacher that caught me, and rather than get me into any trouble, or even kicking me out of the college, he showed me some code he had written.

int main()
# Evil payload

It was a virus!

What he had showed me blew my mind (thanks Clive!), and he taught me a very valuable lesson. Don’t be an idiot. Oh, and he taught me how vulnerable computer systems really are.

Even throughout the 1980s, I was obsessed with my Commodore 64, and my mother’s IBM PS/2, both of which had a modem. I had discovered a plethora of BBS (Bulletin Board Systems), the demo scene and of course the movie Wargames. Luckily for my mother’s bank account, I didn’t use an auto-dialer! - The thought did cross my mind.

In college, my C++ classes were so much more exciting from that day forward. Clive knew what interested me, and he harnessed that curiosity, explaining how some of the very early anti-virus products worked.

Cybersecurity Journey

Throughout my professional career, I’ve never forgotten the lessons Clive taught me. As fast as new innovation brings us cool new technology, there will always be adversaries trying to disrupt it and gain access. Even Tesla’s are being hacked, as Shannon talks about here. Nothing is un-hackable.

Unlike the playground antics of a script kiddie, which can still be very dangerous by the way, we now have nation states, and organized cybercrime groups such as Conti and Lazarus doing harm to peoples lives by disrupting utilities and healthcare systems.

If I can play a part, no matter how big or small, in helping customers stay safe against these adversaries, then you must admit that’s probably on of the most rewarding roles in IT.

Back in 2004, a good friend and colleague introduced me to Nessus. This was before it was part of Tenable, and that was another mind-blowing moment. I remember saying to him, “So this can actually carry out an exploit? “ which was pretty impressive, especially since this was before Metasploit. I also learned how to use nmap, JtR, L0phtCrack, and many other tools, which almost twenty years later are still in use today!

Despite learning these tools, and getting involved in pen-testing for the ISP I worked at, something else offered a distraction which changed the course of my career. I opened up a cabinet in the office, and found a boxed copy of VMware ESX 2. I still have no idea who put it there, but it was still wrapped in plastic, and was just too shiny a thing for me to pass by. Six months later, I had my first VMware Certified Professional (VCP) certification. That was in 2006.

In those days, VMware was still very cutting edge and niche. Those were the days developers (if they even knew what VMware was) who would argue that they had to use physical servers to meet their performance and application SLAs, and to them virtualization of any kind was just blasphemy!

Around a year later in 2007, VMware released VDM (Virtual Desktop Manager) 2.0 beta. In fact Citrix also released Desktop Manager (which soon became XenDesktop) around the same time, so I started evaluating them both. I started blogging, joined the VMware community and eventually joined VMware.

It was 10 years later while I was part of the Tanzu solutions engineering team at VMware, that I started some internal initiatives of my own, advocating for privacy-engineering best practices, and identifying gaps in DevSecOps capabilities. I started to harness my passion for cybersecurity once more and use it to help customers understand their DevOps security challenges.

I took the Certified Ethical Hacker (CEH v11) certification, mainly because I wanted to prove to myself that I still had what it takes. I’d been using sites like Hack the Box or Try Hack Me, for a long time, so I thought I’d use the CEH exam as a way to prove to myself that I knew what I was doing. That really sparked up my interest in cybersecurity, so I made the decision that I would shift gears once again.

To scratch that next itch, I joined Sysdig in 2021 as a Principal Cloud Security Architect. I was only there a short time, but what an amazing team and product, and more importantly the people there are just awesome. Bringing my recent Tanzu experience to a role dedicated to Secure DevOps was an awesome opportunity.

Unfortunately the role ended up changing due to customer demands so I decided to move on, but joining Sysdig gave me the time to really think about what I wanted next in my career.

Field CISO for VMware

Today, I am delighted to announce that I have accepted the position of Field CISO at VMware. The journey from a Unix systems admin has been a well-trodden road. I feel ever so lucky to have landed this role as it really is a perfect match, given what brought me here in the first place.

Aligning VMware’s security strategy across product teams, field teams, and customers, will be one aspect of the role, but also I’ll be helping advise customer CISO’s on their security strategy. Another aspect of the role which I simply cannot wait to start is presenting at events again. The community is very important to me, and I’ll be continuing to expand on my InfoSec community network.

Opinions on Broadcom

I’ve already weathered many storms throughout my time at VMware, from the change of ownership from EMC to Dell Technologies, to it becoming an independent company once again. I was part of the big shift from an on-premises product portfolio to multi-cloud, and seen three CEOs during that time. But each time there were opportunities, not just for VMware but for my professional growth.

Is it true? Is it kind? Is it necessary? I am unsure where this quote originates from (it wasn’t Socrates despite the myth), but it is something I like to live by. Don’t fall victim to the negativity you read on social media, the majority of which are from former VMware employees or folks that just seem to enjoy taking part in any drama. It’s an unnecessary noise, and if you let it, you’ll drown out your own thoughts and actions.

Keith Townsend (@CTOAdvisor), said it best here.

Keith’s tweet is very stoic, a philosophy I like to follow (see Marcus Aurelius). When you stop caring about what other people think and say, and start caring about your own actions, then you will succeed in your own goals.

As I said, I’ve been under the leadership of three CEOs and I have been part of both EMC and Dell ownership during my time at VMware. While some were worried whether they’d have to switch to a Windows laptop instead of a MacBook, I focused on building my career. I’d rather have had a Dell XPS running Kali than a Mac anyway :)

What remains constant are my skills and abilities, professional network, and my growth both personally and professionally. I’m not insecure about these things, and I shall continue to build upon them. I will focus on doing the best I can each day, what I am doing now, and I refuse to succumb to the imagined troubles of others.

I am an old man and have suffered many troubles in life, but most of them never happened.
- Unknown

Follow my thoughts on cybersecurity @CISOops

Comments are closed for this post.