Episode No. 6

Balance and the Human Quality in Cybersecurity with Andres Andreu 

SVP, CISO 2U
CISOs need technical acumen and relationship-building skills to collaborate and protect their companies and customers. Andres Andreu has both in spades. In this episode, Alberto sits down with Andres to discuss his wide-ranging career across public and private sectors, the human quality in cybersecurity, getting out of your comfort zone, and his current role as SVP and CISO with EdTech learning platform 2U (NASDAQ: TWOU).

Andres has over 30 years of security experience including federal government service with the DEA, senior roles in enterprise and startup cybersecurity, and IT leadership positions in multiple industries.  

He is a master of balance, having worked in IT and cybersecurity at multiple levels: macro and micro, enterprise and startup, public and private, and technical and business.  

Agility is at a premium in a rapidly changing digital landscape. Andres shows us how a broad and well-developed skillset equips us to face new challenges.  

“If you walk into a room and there’s seven people in the room, do you honestly think that one style and set of messaging is going to resonate equally with seven people? That’s not the way humans work… when you’re translating risk to upper management, to an auditor, to whoever, you have to resonate with that human on a one-on-one level to effectively relay your message.” 

Andres Andreu

About Andres Andreu

Andres is a serial CISO and Chief Architect with over 30 years of experience spanning federal government service, global consulting, and cybersecurity and IT leadership in multiple industries. He currently serves as SVP, CISO at 2U, a global e-learning platform that acquired edX in 2021.  

Prior to his current role, he was CISO and CTO at Bayshore Networks as a founding member before the company’s acquisition by OPSWAT. He has held senior IT and cybersecurity leadership roles with neuroFuzz Security, Ogilvy & Mather Worldwide, The Princeton Review, and the United States Drug Enforcement Administration. 

Andres is also the distinguished author of a book on pen testing, numerous published articles, multiple open-source projects, and two patents. He has received numerous accolades including a Top 100 CISO award. He currently serves on Forgepoint Capital’s Advisory Council and as a mentor with Cyversity.

Episode Highlights

0:26 Introduction

1:48 Law Enforcement and Getting into the Cyber Industry 

7:35 The Transition from Government to Tech 

13:06 Transitioning from a Global Company to Bayshore During the Pandemic 

23:17 Who is 2U? 

26:47 The Importance of Human Quality 

30:52 Advice for Aspiring Cybersecurity Professionals 

33:05 Diversity and Inclusion Efforts 

34:55 Judo, Writing a Book, and Pentesting 

39:44 Finding Balance and Getting Out of Your Comfort Zone 

Transcript

0:26 Introduction

Alberto Yepez [AY] 

Hello and welcome to the Forgecast. My name is Alberto Yépez and I’m going to be your host. I have the pleasure of having Andres Andreu with me today. I had the opportunity to work with Andres at Bayshore Networks, where he was Chief Architect and CTO. He exuded a lot of leadership skills and great insights about building resilient products for a very top market, which was the Internet of Things, and worked with some of the most sophisticated industry players to safeguard critical infrastructure sites. Andres, thank you very much for being here. I know today you are part of 2U, which is a public company, and we’ll jump into more details about what they do and where your role there is. But what always impressed me was how you got to this industry and also how passionate you are. We’re trying to increase the pipeline of diverse candidates. Thank you for agreeing to be with us today.  

Andres Andreu [AA] 

Thank you for having me. 

AY 

Why don’t we get going on your personal story? Where do you come from? How did you get into cybersecurity? Can you tell us a little bit about yourself, your beginnings and how you eventually got into this industry?  

1:48 Law Enforcement and Getting into the Cyber Industry 

AA 

Absolutely. I am an immigrant to the United States. I was born in Cuba and came relatively young, went straight to New York. We were not one of the Cuban families that stayed in Miami. I grew up in Queens, New York. The area I grew up in dictated a lot of my path in life. I did not grow up in a nice area, it was pretty rough. In those days we were one of the very few Hispanic families in the neighborhood. That certainly made for an interesting set of dynamics, especially in terms of whether you are of a certain type of personality- whether you have a tough personality or not. I found out very early what I was made of, and I definitely appreciate the way I grew up. I think it prepared me for a lot of my journeys in life. In terms of getting into this field, my intention was to have a career in law enforcement and I went into federal law enforcement. 

AY 

Did you go to school before law enforcement? 

AA 

I did. I went to John Jay College of Criminal Justice in New York, and I entered the Drug Enforcement Administration in 1991, I swore in in February of ’92. My intent was never to go into tech. I really had no interest in any of this and back in those days tech was very different. But like they say, you can’t run from who you are. No matter what I did, no matter what value I added- I have evidence of value that I added in terms of my field work- I always ended up on the tech side.  

I had a defining moment while working at the DEA where one of the older agents that was mentoring me said to me- and this was profound for me- he said to me, “Look, no matter what you do on the street, when you end up in court it’s your word against theirs. And any defense attorney that’s really good will make you look really bad. Irrefutable evidence comes through technology. No one can argue that.” That was profound to me because I really believed in the mission, and one of DEA’s strong suits is that everybody that works there, at least that I encountered, was very mission oriented. I realized that my greater value add was in evidence gathering that could not be rebutted in court.  

I ended up spending the majority of my career there building what’s known as Title III technologies, or wiretap technologies. I encompassed everything from hardware, small microphones, hidden microphones, hidden cameras in walls- we tapped everything- and all of the software on the back-end to correlate the gathered data, enforce chain of custody and make it all stand up in court. I learned a lot very fast in terms of the integrity of data and how to maintain that integrity such that there was a value in the evidential content. 

AY 

Wow. All these terms like chain of custody are pretty much applicable today for cyber security because right now we’re chasing criminals. These are digital cyber criminals, and they leave footsteps everywhere. How you gather evidence, make it irrefutable, the chain of custody, time stamping, and everything else makes it irrefutable. It’s interesting how that shaped your early thinking to come into the digital world. Great perspective that I think not many have. So how long did you spend at DEA?

AA 

I was a little short of 10 years. Nine and change.  

AY 

I recall that given the timing, you had drug enforcement and all the different things that were happening, a lot of activity in Latin America and different theaters. I’m sure you must have been involved. 

AA 

Given the timing and the fact that I am bilingual, I had an interesting set of skills as far as they were concerned. Like I said, I had every intention of using every skill that I had for the sake of enforcement. It just wasn’t in the cards for me, and that’s okay. I just came to terms with that and moved on with life. But I loved my time there, I loved the people that I worked with, I loved the fact that everybody was so mission-centric, so mission-oriented. It was a wonderful way for me to start my career.  

AY 

Thank you for your service, I’m sure there’s a lot of things that you wish you could share, but you cannot talk about it. But thank you again for trying to make our environment safe. We’re not out of the woods. It’s still something that is a constant fight, but now the whole theater has moved to the digital realm. Then you transitioned to the commercial sector. How was that transition? Obviously, you’ve got some very interesting grounding of what it takes to be in this space, so what was your first commercial job?

7:35 The Transition from Government to Tech  

AA 

My first job out of the government was at a small ed tech company in New York City called the Princeton Review. If you want to talk about culture shock, it was culture shock, because I came from a very structured, regimented environment. People respected chain of command; people respected positions. If you put a policy in place, people adhered to the policy. Then I left the government and it was like, “Yeah, no, this does not work that way in the rest of the world.”  

The Princeton Review was a very dynamic environment, very fast-paced, a lot of hours because it was really a start-up for all intents and purposes. The pace was crazy. It was a little tough for me because at the time, my third son had just been born. I had three very young children, three sons at the time. That was tough because we were working seven days a week, 15 hours a day, that kind of craziness. But it was a transition for me. It was coming out of regimented space into the wild west of corporate America.  

AY 

Did you do cybersecurity at the time or just broad infrastructure? 

AA 

Well, I ran all of IT for the kindergarten through 12th grade division of the Princeton Review. That encompassed information security. Back then, cybersecurity wasn’t really a thing yet. It was information security. I did have that as part of my remit, but I handled everything having to do with IT, engineering and software engineering. 

AY 

Then you went to a much bigger company after that, right? 

AA 

Yeah, I spent basically a year at the Princeton Review. I got two offers to leave. One was for a Japanese bank, which really excited me, but it required about 60% of my time in Tokyo. With such a young family, that would have been tough. The other offer was with Ogilvy and Mather to come in as part of their worldwide group. I came in as a manager. I performed all of what are now the CISO tasks but back then that title didn’t exist. I inherited all of those responsibilities along with everything having to do with application and software. I was there almost 11 years. I went from manager all the way to chief architect globally and made partner at the firm. That was another really large growth experience for me because it was the first time I was forced into a global role. I mean literally global, to the point that I built three data centers: one in Hong Kong, one in London, one in New York. This was pre-cloud. There were no cloud providers. You had to build everything. There were actually a couple of magazine articles on my work back then because we did some groundbreaking work with data level replication across the globe, across all three data centers, and then on the front end we were one of the first adopters of GSLB technology so that we were highly available from a global perspective.  

As a matter of fact, when the big blackout hit New York a couple of years after September 11, none of our customers realized we had a New York data center because there was no downtime. Everything automatically routed over to London or Hong Kong depending on where you were, and we were in business. I’m very proud of that because I built that. That was a mammoth task for someone like me. I had worked in smaller environments up until that point.  

AY 

I’m sure you must have faced a lot of regulations and policies that other countries wanted to put in. Today, it has got to be a little more complex but I’m sure that you started getting the taste that it was not just about putting up the data center but also the regulatory environment you had to be aware of.  

AA 

Regulatory and cultural, believe it or not. I ran into a number of cultural issues that, had you told me ahead of time, I would have said, “You’re kidding.” Then I faced them and it was like, “Oh my God, this is real.” I won’t point that out specifically because it would specify a country and I don’t want to come off as biased. It was really interesting to see how certain cultures approached certain things if they didn’t build it themselves. That was fascinating to me from a human perspective.  

AY 

Yeah, and having to build a team that had the same goal and making sure that the resilience that was built in and serviced all the customers globally, et cetera- it must have been a great experience. 

AA 

Oh, absolutely.  I think what helped me mature quickly is that our customer list is basically just really large customers. If you look at Ogilvy’s customer base, especially in those days, none of them were small players. They all demanded certain things like resilience and high availability. There was no appetite for downtime, and that forces you to think a certain way.  

13:06 Transitioning from a Global Company to Bayshore During the Pandemic 

AY 

Yeah. It teaches you some design points. When you want to design a product or get into the commercial sector to offer something, those are things that you now bake into your thinking. You were a founding member of the Bayshore Networks team, so how was that experience? I know it’s part of OPSWAT now, but how was that experience and that transition? You went from a bigger company, very global, to an area that is very much needed still and supposed to be growing very fast in the future. You were also in the process of building a business that hit the pandemic. How did Bayshore come about and what was the mission or the vision you had with the rest of the founding team? 

AA 

I went from a company of 30,000 to a company of three. Very, very different dynamics, but I’ll tell you, I learned a lot in Bayshore that I would have never learned otherwise, especially on the business side because you’re forced to be part of the business. The founder of Bayshore is a brilliant individual and he was, from a tech perspective, a great mentor. He forced my hand to learn different elements of technology, especially from an uptime perspective. Now, not so much from a scale perspective, in other words network or horizontal scale, but from an actual appliance perspective and the fact that the appliance has to be resilient at all costs. It’s like going from the macro to the micro. In his case, the micro was an appliance, a physical appliance in its first incarnation. Learning from him in terms of all of the minutiae that you have to pay attention to, to make sure that these appliances are resilient and do not lose data when appropriate. That was a great learning experience for me, because I had not dealt with that level of granularity until I got to Bayshore.  

At Bayshore, the first challenge really was taking a platform and turning it into a product. There’s a difference. Turning that original platform into a product was a substantial amount of work. But I think the real benefit was that we were wise enough to do it based on potential customer feedback. We weren’t just inventing something. We were taking feedback loops from the field and implementing the notions that we were getting. The biggest flaw that we had is that we assumed that there were going to be “experts” out there that could write rulesets that could be enforced on network flows for protocols that were hardly understood, especially at that time. That was a massive flaw, but it was a flaw that forced, at least me in particular, to think very creatively and find a solution for the problem. I ended up being the author of an internationally-granted patent based on that work because what we had to do was figure out how to, in essence, create a machine learning engine that had to operate real-time on network flows. There was no off-boarding to a massive network of neural nodes or anything like that. There was none of that. It was, “Listen, here are the flows. Figure it out and generate a policy or rulesets off of the flows.” And we did. I think that’s one of the features that made that product actually appealing from a commercial perspective. A lot of deep learning there, a lot of thinking creatively, but it was wonderful to be able to come together with the team and have the skills to implement that creativity, to execute on those creative ideas. A lot of learning, very thankful for my time at Bayshore. It was a bit of a roller coaster, but hey, that’s the startup life. 

AY 

I remember the thing that attracted us to Bayshore was really the team and the sophistication of the technology. We were doing references and there were a lot of leading industry pundits saying “Hey, this is the best technology.” Ahead of its time, perhaps, but on the other hand, you were protecting some precious critical infrastructure in New York and power plants and nuclear power plants for your technology. I said, “Wow, if they can do that with a small team, imagine what they could do when they have unlimited resources.” But obviously, OPSWAT was very impressed with what you guys built and eventually took over the team. There was an interesting transition for you and eventually you moved on. Most companies in cybersecurity get acquired, which you’ve gone through already. Talk about some of the lessons learned and how you keep teams together and things like that.  

AA 

I think what helped me was, I’m always a people first person. I always take care of my teams. Evidence of that is I have people working for me now that started with me at Ogilvy. They’ve been with me for over 20 years, over multiple jobs. When we were doing the initial negotiations for being acquired, my clear directive on a personal level was to make sure the team ended up okay. Even if it meant I had to walk away sacrificing all my time and not walking away at a more lucrative stage in my life. That’s okay, I took care of my team. And I’m okay with that. I think you have to do right by people. But from a more business or tech perspective, one of the things that I learned from getting acquired is that you must have all your ducks in order. When the acquiring entity comes in to do their analysis, if anything’s out of line, they’re going to catch it. If you’re lacking documentation, if your code’s sloppy, if your processes are weak, all of that becomes very real, very quickly. With startups, come on, let’s be realistic, startups cut corners and they have to do what they have to do to survive. We were no different. We had to scramble to put a lot of things in place that might’ve existed in our minds but didn’t exist in black and white.  

Those were some hard lessons. Another big lesson that I walked away with, which I’m happy I did because it had an impact where I am now, was that external validation of maturity matters. What I mean by that is, for instance, we did IEC 62443 for the products at Bayshore. When you first go down that path, it’s a nuisance. It’s an annoyance. It’s like, I don’t want to have to go through this process or whatever, but you don’t realize the value of that third-party validation of what you’ve built. When the acquiring process started, the acquisition process, I realized the value very quickly and I was really glad we had gone through that. To quote myself, I wish we would have done it earlier, and I wish we would have done a few more. But they cost money and take time, so we did what we could. To your point, at that stage, the pandemic was already hitting, and things were getting kind of tight and a little crazy in the world. I’m really happy with the way things turned out. The team ended up in a good place, and I think all in all it was a positive for me on a personal level.  

AY 

It was positive. You and the team, the founding team, created something with a lot of value today, it’s adding value and protecting some critical infrastructure as part of OPSWAT. That’s part of a successful outcome. Talking about networks and people that you work with, the opportunity 2U comes up. I think you knew somebody that knew somebody who worked with you before, right? 

AA 

It goes back to my days at the Princeton Review. Some of the folks that worked for me at the Princeton Review stayed in that space for 20 plus years and were founding members of 2U. We had stayed in touch and we became good friends over the years. When they heard that we were getting acquired, they said, “Help us build a cybersecurity program here. We’re focused on education.” They genuinely care about their students – their customers. I thought it was a good fit for me because not only does it put into practice all the tech knowledge that I had gained, but it also went back to that mission. The mission is the student. The student having a great outcome. The student having a safe environment to learn in. That resonated with me. To me, it was like, “Yeah, this makes sense.” Plus, it’s nice to know the people there already. That always helps.

23:17 Who is 2U? 

AY 

I don’t know that a lot of people know what 2U does. Maybe bring a little context. What do you guys do? Who are your customers? Are you just a regional player? What does 2U do? What are the scope of responsibilities that you have now as CISO?  

AA 

We’re an education technology platform company. As a platform company, we basically bring together universities or education providers and students. We have partnerships with 200 plus major universities and they provide their professors and their content on the platform that 2U runs. You’ll hear the term 2U edX because we acquired edX and edX is really the foundational platform that we operate under now. The platform brings together university providers with students that are interested in degree programs, courses, and alternative credentials. As of right now, I believe there are 46 million active students. There are a lot more from the legacy systems and I still am responsible for their data, even though they’re not active students. The ultimate number is much larger than 46 million. That should give you a decent sense of the size of the ecosystem. It’s definitely not small.

AY 

You have universities outside of the U.S., right?  

AA 

Yeah, we have some in Australia, South Africa, England. We partner with some major players. 

AY 

That’s excellent. So effectively, you’re an online delivery platform of content and education, probably doing testing and a lot of the stuff that comes with distance learning. I’m sure that during the pandemic you also got a little bit higher demand and increased concerns about privacy and laws that start emerging from the EU around data privacy and things like that. You’ve built it to be resilient with all of these things in mind, but now all of a sudden you’ve got to be looking at emerging regulations and see how you can accommodate them, right?  

AA 

2U was very forward thinking with privacy, way before I showed up. They had a really strong Chief Privacy Officer and a very solid privacy program. I can definitely take no credit for any of that work. That was already in place before me and to be totally fair to them, they run a really powerful program. The global privacy concerns I feel are in very good hands with the folks that run that program. 2U takes that very seriously. Their mission orientation, the vibe, the DNA of the company is super strong and privacy comes along with that. You want to protect your students and give them a safe environment.

26:47 The Importance of Human Quality 

AY 

You’ve been more active in the speaker circuit sharing your experiences and we saw you recently speak at the global cyber conference in Zurich just a few months ago. During your statements you emphasized the human quality in cybersecurity. How is that important? Do you mind sharing more on that for our audience, especially when it comes to AI and the adoption of new technologies? 

AA 

I started picking up on the fact that so many folks in the industry are trying to almost dispel the human factor. They want to make this a technical situation or an AI type situation and none of that is real. The human factor is very real. It’s very much still one of the biggest challenges that we have as an industry. The human factor is two dimensional. There’s the dimension of the users, the folks that we deal with. Then there’s us, because at the end of the day – and this is probably going to be an unpopular statement – it’s my observation a lot of folks in the C-suite of major corporations don’t have tremendously good people skills. You have to understand that, for instance, when you present to a board and you’re trying to get a message across, or more importantly you’re asking for funding, that’s a game that depends on your human connection and your human communication skills. There’s no AI engine involved. There’s no automation, there’s no process. It’s you as a human relating to a number of other humans.

And that’s a challenge. Because for instance, if you walk into a room and there’s seven people in the room, do you honestly think that one style and set of messaging is going to resonate equally with seven people? That’s not the way humans work. The whole point I was trying to get across is when you’re translating risk to upper management, to an auditor, to whoever, you have to resonate with that human on a one-on-one level to effectively relay your message.  

I think that’s super important, and by the way it’s a skill that takes me all the way back to the early 90s at DEA because DEA is a very human function. You’re not chasing robots, you’re chasing humans. For instance, if you have to sit down with a human and try to extract information from them, you have to have some personality, you have to have some people skills, you have to have conversational skills. For instance, let’s say you have to extract information from somebody that comes from the Caribbean and they’re not afraid of law enforcement but they love baseball. If you can tactfully start talking about baseball, you start to see their guard go down. All of a sudden, the conversation starts to be more on a human level, and the next thing you know you’ve gotten all the information you need and it all started because of baseball. You got to know how to talk to people. What I like to do, for instance, in that example of seven on a board, I like to establish a one-on-one relationship with each one of those folks if they’re open to it so we get to know each other a little bit. I know what resonates with you. I know what upsets you. I get a good sense of you as a human. Then I can start planting seeds so that when I show up to talk to all seven of you, I don’t have to go from zero. I’m not starting from scratch. It’s just a human tactic. That’s what I was talking about in Zurich.  

30:52 Advice for Aspiring Cybersecurity Professionals 

AY 

You have so many experiences that have shaped the way you are. Now you’re sitting in a very important role in a global corporation trying to impact education. You had other roles where you created technologies. What advice do you have for the younger generation that is trying to get into cybersecurity? Akin to the commentary you just made, there’s a human aspect of it- it’s not just all about technology. Any advice for people asking what career they should choose? Why should they consider cybersecurity? 

AA 

My advice to folks is along your journey, find balance. It is easy to become very imbalanced in this field. That just does not lead to anything good. For example, you meet folks with the title that I currently have, a CISO, that are either purely business folks or purely technical folks. Neither one of them really has the balance to be effective. You’ll hear like a business CISO from a large company give advice to other people. You sit there and think, that advice is only valid if you have a team of 900. What happens if your team is nine? You have to think differently. You have to act differently. You have to have different tactics.

To me, being balanced and being well rounded gives you that type of agility, so irrespective of whatever environment you’re in you can figure out how to succeed. If you have to roll your sleeves up, you roll your sleeves up and you get stuff done. But that implies that you have the knowledge that you’ve gained over the years to be able to roll your sleeves up and get it done. If you’re a pure businessperson, you can’t do that. You don’t have the skills. On the contrary, if you’re purely technical and you don’t know how to talk to a board, you have no personality but you’re technically brilliant, you’re not going to succeed either. To me, it’s all about finding balance.  

33:05 Diversity and Inclusion Efforts 

AY 

It’s not just about taking computer science degrees, so when you’re in college and asking “What career do I follow?” It’s about looking for well-rounded education that is going to prepare you for whatever situation you may encounter. We know that there’s a big shortage of professionals in our field and we get engaged and involved with nonprofits trying to encourage that. I know you do a lot for your community. Can you share some of the things that you are working on trying to increase diversity, given that we’ve been very fortunate to do what we do right now? 

AA 

I am a mentor through Cyversity. We help underprivileged, underrepresented individuals focus their efforts to get into the cybersecurity field. That work is very rewarding because I came up in an era where none of this existed. You had to scratch, kick, punch, fight, bite for every inch you got. There were no DEI efforts back in those days. I know what it’s like to come up that path and I try to help the next generation to not end up in that much of a struggle. It’ll always be a struggle, but at least you have some guiding lights, a path that someone like me can push you into. I think that helps. I do a lot with that. On occasion, I do help underrepresented youth where I live now in North Carolina with actual coding like cybersecurity boot camps, and there’s a lot of value in that.  

34:55 Judo, Writing a Book, and Pentesting 

There’s another side to my life entirely which is I’ve been in Judo for 40 plus years. 

AY 

I forgot about that. 

AA 

I started in 1982. I teach a lot of free clinics to underprivileged youth as well. When I was in New York, I used to teach at a pretty rough area in Brooklyn. I taught a group of 250 underrepresented youth as a volunteer. I just believe in trying to help these folks out in terms of having some discipline, having a path, having some guidance.  

AY 

Did you do some competitive Judo?  

AA 

No, not anymore. I competed for many years. I was part of the United States national team that went to the Pan-American Championships in your country, in Lima, Peru. That was a very honorable experience for me. All of my sons are competitors and international medalists trained by me in our garage. It’s just another one of those things in my life I take very seriously. I get very into whatever I do. I’m not one of those half-assed type people. I’m either all in or I’m not.

AY 

Wow, I didn’t know that dimension. It helps the mind, the body, the focus. Judo, I watch it and I practice it. It tends to be very, very competitive. You have to be very observant and understand what the right move is to make sure when you strike, it is appropriate, right? 

AA 

Yeah, it’s more feeling. You learn how to feel things and then you just explode, but you have to explode. The beauty of judo is that there’s no time to think. It’s a game of action. It’s really how that translates into the professional world because in our industry, analysis paralysis is a real problem. People go into this thought cycle and then they just end up doing nothing. I’ve been fortunate that that’s not me. I’m a person of action. If I fail, I fail fast, I bounce back and I keep it moving. You experienced some of that at Bayshore. When we failed, we just bounced back and changed direction and off we went. That’s just part of my life.

I mean, outside of everything I just told you, corporate-wise, career-wise, I wrote a book on my own, 600 pages, published in 2006. Had I not been the type of person I am with two jobs, four kids, a wife, a house, there’s no way I would have written a book. I wrote that book, started a pen testing business before everybody and their grandmother was a pen tester or is a pen tester. As a matter of fact, when I wrote my book, the editor, she told me, “Use pen testing in the title.” And I was like, “What is that?” She said, “Oh, that’s what you do. It’s called pen testing.” “Oh, okay.” In the government, we pen tested everything, it was just testing, it was part of QA. It wasn’t some specialized field, you had to make sure everything was tight. I wrote my book and I started speaking publicly very early in my career because of the book. If you have something valid to say, I think there’s a lot of value in sharing. You know, one of the greatest experiences I’ve had is I’ll walk into a security conference (my face is on the cover of the book) and people will recognize me and go, “I read your book and your book changed the trajectory of my career.” That’s rewarding. I’ve heard that at least three times. That’s rewarding. 

AY 

Wow, I didn’t know that. We’ll make sure to put a reference to your book for the audience because this is about pen testing before it became officially recognized as the common practice that is now. Today, I don’t think we can actually release any software or any program without doing the overall testing and penetration testing, meaning anticipating issues before somebody else does it for you. Wow, that’s amazing. It’s one of these things where you’re willing to share your experiences and put it in a framework for other people to influence their thinking. That’s great. 

39:44 Finding a Balance and Getting Out of Your Comfort Zone 

I guess we’re coming towards the end. Are there any thoughts, advice that you have for people that want to follow this industry, come into industry, and how can they be best prepared? For people like us, there’s a level of engagement that we need to have and recognize the fact that we need to pay it forward. I think we’re the product of not only our parents that make sacrifices, but at the same time, people along the way that touch us and help us to get to where we are. So, any departing thoughts and advice?  

AA 

I’m going to go back to my point of balance because I feel very strongly that technical knowledge matters. Even at this point in my career, I could still sit down and look at some code. I wrote code for many years. As a matter of fact, I just did it a little while ago to validate what somebody has told me in terms of whether the code does it or not. That’s a skill that I’m very happy to still have. If I have to sit down and write code, I still do, but yet I’m a C-level employee, executive, whatever you want to call it.  

Think of it this way. Most CISOs are concerned about their packages and this and that. You think the bad guys do? They don’t care. They’re going to come after you no matter what. Your job is ultimately to be a protector. But if you don’t know anything about technology, how can you protect it? 

AY 

So achieve balance, and the other thing is to get out of your own comfort zone and be out there, right? Try to get noticed. Otherwise, nobody’s going to do it for you, right?  

AA 

100%, you cannot be shy in this industry. You got to be willing to put yourself out there and if you fall on your face, get up and keep moving. You have to be willing to put yourself out there if you want to grow. Yes, I’m a big proponent of getting out of your comfort zone. 

AY 

We’ve seen that firsthand. You’re a member of our Advisory Council and many times you work with our entrepreneurs, giving all the experience you have to help them shape their thinking, their strategy, their product. I think you’re an architect at heart. I know you take pride to do that because you can write code of course, and you have that overall context and have built in all these key characteristics that have resilience, across global localities, all the different aspects. I guess you’ve been exposed to a lot. In that regard, I consider you one of the most sophisticated members of our advisory council because in addition to having the business acumen and having gone through the experience of working with law enforcement in your service to our nation, having to go into startups and big global companies is something that is very unique and gives us superpowers. We really appreciate the relationship we have with you at Forgepoint and also the fact that you’re always willing to help. Thank you very much for that, Andres. Thanks for taking the time. We really appreciate it. 

AA 

I appreciate it. Listen, the relationship with you and the folks here, that’s very special to me. I appreciate you. I appreciate you having me on this and I hope we can even do more as time goes by. 

AY 

We will. Thank you very much. It’s always a pleasure.  

AA 

Thanks, and likewise.