Decision-Making

Security Voices

Security Voices (Jack Daniel, Dave Cole)
The Longevity Formula: CSO Andy Ellis’ Wit, Wisdom & Wine Advice From 20+ Years At Akamai
https://www.securityvoices.org/29-andy-ellis

The average tenure of a CISO is 26 months due to high stress and burnout, according to a recent survey. In stark contrast, Andy Ellis has now been CSO at industry titan Akamai for over 20 years. Jack & Dave explore Andy’s longevity formula in a 70 minute interview that spans everything from his advice to young security leaders to the death of live events and why it’s perfectly fine if your favorite wine is a $16 malbec.

While most of our episodes gradually ease into a more focussed conversation, our discussion with Andy jumps straight into the subject of applied human cognition— a common theme of his presentations and writing. He explains how his understanding of human thought patterns and biases directly influences his approach to conducting risk assessments and dealing with especially thorny conflicts. Far from theoretical, Andy breaks down exactly how he and his team enable Akamai to self assess and internalize risk in a fashion that expedites projects where the security team might otherwise be a bottleneck.

From his vantage point at Akamai surveying a sizable amount of the Internet’s traffic, Andy shares their insights from both observing and responding to the pandemic, starting with their move to a ZeroTrust model. Some aspects of COVID-19, such as customers’ struggling to pay bills and how to best help them, are similar to past crises. Others are utterly unique. Jack and Andy explain the crisis likely permanent impact on live events (e.g., industry conferences) and what they may evolve to in the future.

We also discuss the fine line Andy, Jack and Dave walk in the cybersecurity community of being both a vendor and a practitioner. How does one remain objective when you also represent a company that has to sell products or services to exist? How can one neutralize the perceived bias or even the stronger allergic reaction that some have against vendors? While there’s no surefire solution to such a complex matter, each of us shares our tips and learnings as we (and the industry as a whole) aim to strike the right balance.

We wrap up with Andy taking us through how to pick a good bottle of wine. In the same manner as he tackles complicated cybersecurity issues, Andy breaks it down into simple steps that are illustrated with his own colorful experience.