Afternoon Cyber Tea with Ann Johnson 4.16.24
Ep 95 | 4.16.24

Insights from LinkedIn's CISO

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea" where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the frontlines of digital defense to groundbreaking advancement shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today I'm joined by Geoff Belknap who's the Chief Information Security Officer and Vice-President of Engineering at LinkedIn. Geoff brings more than 20 years of experience in security and network architecture with experience in financial services and the telecommunication sector. Geoff joined LinkedIn in 2019 as the Chief Information Security Officer, and in this role, he is responsible for safeguarding LinkedIn's member and customer data, as well as helping the business navigate risk. Geoff has held several security leadership roles at various technology companies and previously served on the Board of Directors of the Bay area CISO Council. Before joining LinkedIn, Geoff was responsible for physical and information security at Slack. Welcome to "Afternoon Cyber Tea" Geoff.

Geoff Belknap: Thanks for having me. It's going to be fun.

Ann Johnson: So, you've worked in tech for a lot of your career, you were at companies like Time Warner, you were at Palantir, you were at Slack, and now you are the CISO and Vice-President of Engineering at the world's largest professional network at LinkedIn. I want to go back in history though and talk about how you got your start in cyber; what sparked your interest and what made you stick around all this time?

Geoff Belknap: Oh! Do I have the option to not do this [brief laughter]? Nobody told me I could stop doing this [multiple speakers].

Ann Johnson: It's like the Hotel California.

Geoff Belknap: Yeah. I think it's a great question. I often ask myself this same question; why am I still doing this? And I think for me, it comes down to my initial motivations where, you know, I was that sort of bezel young boy who wanted to either be a pilot or a police officer or a firefighter or something like that, and I think, you know, other than just thinking those things were really cool, there was some, you know, deep-seated belief in justice and helping people and I think as an adult, I think being at a service of others is one of the highest things you can do in helping people, and certainly, I was always fascinated by technology. And for me, a career where you can fuse those two things, where you can be in service of helping and protecting people and lean in to your technological callings and beliefs. Whatever they might be, that's a great career for somebody like me. The fact that it is stressful and challenging and hard, I think reflects the value of doing that work sometimes.

Ann Johnson: I think that anybody who is in security long-term knows that it's mission-driven work and the people who stay in the industry have a service focus. So, it's good to hear you reinforce that. One of the things I admire about you, is you really do have this effortless way of transitioning between business and technology sides of the house so to speak. Do you think of yourself as a business guy who knows technology or a technologist that has strong business acumen, and what do you think is more important for the modern CISO?

Geoff Belknap: This is a tough one. I think I certainly find myself complaining about CISOs and security leaders being bucketed in kind of that specialized IT bucket, and I think the reality, especially for CISOs and even more so for just generically security leaders, you have to really think about your job and the sort of maturity of the career path as being the early days of CFOs or GCs, in that, you know, you can be a great leader and a competent executive, but if you've never opened Excel before you really probably don't belong leading finance; if you've never done anything customer facing, you probably shouldn't be leading a sales function; and similarly, if you've never practiced law, probably a bad idea to lead the legal function. So, I think you have to sort of look at it as this -- it's not an either or, you're not a technologist or a business leader or an operator, you are an executive in an organization and you are helping that organization be successful and grow the way it needs to grow and thrive the way it needs to thrive from the perspective of the part of the organization that you are responsible and accountable for. So, I think the other thing to keep in mind in terms of thinking about what's important here is, wherever your organization goes in the future, it is going to be, in a way, seeking harmony with technology and seeking to leverage technology to achieve the goals of that organization. And I think this CISO role, wherever it goes, is less about picking that side and focusing on one aspect of your skillset or another, and thinking about how you can really use all your knowledge and all your skills to focus on leveling up that organization and helping it succeed.

Ann Johnson: I think it's a fair way to put it. I also like the way you talked about, if you don't know how to use Excel you're probably not going to be a finance person. We're not saying that chief information security officers need to be the level for technical depth person in their organization, but you do have to have a baseline understanding; is that fair?

Geoff Belknap: Yeah. You got to know what's going on at more than a surface level, because I think one of the most important things is, about this role, is you've got to be able to help other people understand what's going on and you're not going to be able to help them relate to what's going on and really connect them to the important parts of your world if you really don't understand it yourself.

Ann Johnson: Let's keep pulling the thread on CISO evolution. A lot of CISOs find their roles currently evolving. For some, their scope is expanding to be more engineering centric, others are engaged in more with their business peers, some are reporting on cyber risks to their boards of directors more than they ever have. How have you seen the role evolve in your time holding the role since 2019? And what qualities and skillsets do you think are must haves for CISOs now and also for them to future-proof their careers?

Geoff Belknap: I think it's a great question, and I'm going to give the worst answer possible, which is, it depends, which is also the most important answer. Which is, you know, CISOs are always going to be the most successful they can be in their roles when they're part of an organization's business leadership, and that's less about the reporting structure, but more about where are they going to be well-positioned to influence the organization to make good decisions whether that's good decisions in terms of being well-informed about risk and sort of deciding to open up new markets or open up new parts of an organization, or whether that's making smart technological choices. And I think this is where the "it depends" comes into play. You know, when I joined LinkedIn, security was already a part of engineering. We, although it might be, you know, some of the roles that you might traditionally think about as being IT, we really were a big part of understanding how we were going to drive changes in the tech stack and our technology strategy to make sure that we can achieve what the business wanted to achieve; to make sure that we could drive economic impact for all of our members, that we could really drive success for our -- the customers. And for our business, that made the most sense. For other organizations, for other businesses, for other nonprofits, what that organization might need is somebody who's got more business savvy, who's going to lean more into a public policy conversation that they need to have to help them grow, that might need to lead into a national security debate or make some changes in terms of what they need to do, but based on their threat level. But I think it all really comes down to, what does that organization need to succeed then? And where is it going in the future? And that really determines what the CISO's skillset that matches best to that organization is going to be.

Ann Johnson: I think that is a good way to articulate it and people, no matter what career you're in, right, your roles change and you need to think about your growth and you need to think about the new skills that you're bringing in. So, it's no different than being -- for being a CISO. Let's pivot though and talk about talent in general. I think the CISO at LinkedIn, which is a talent site in its essence, is going to have a point-of-view. We've all heard the number, there's a few million or more open cyber roles worldwide and industry wide, and every cyber leader I talk to knows there's an issue, but they get tripped up on the how; how are they going to solve it? How do you think about cyber talent needs at LinkedIn and how does that translate into your strategies to source and also to retain folks on your team?

Geoff Belknap: So, I think certainly the number, you know, it varies depending on who you talk to, but I think one thing is for sure, the demand for high-quality talent in the security industry has not gone away and is not going away. Certainly markets may rise and fall and those numbers may go up and down, but the thing that has never changed even as we've gone through macroeconomic shifts in the hiring industry, is it is really hard for us to both find the people we're looking for, but also to describe to people that are in the industry or wanting to get into the industry, what we're looking for? What do we want from those people? And I think the most important thing is, is over time we're getting better at understanding what we want from those people and understanding something that I believe very deeply and, which is like, we have to build some of those people. We can't just expect them to come to us with five or ten years of experience in all of the different various domains that happen in cybersecurity especially because cybersecurity is an inherently multidisciplinary domain. There is constantly, you know, five, six, seven different things that you need to be a specialist in before you can really be useful broadly in information security, and you might come to me as a new hire or as an intern through an apprenticeship program with one of those skills or two of those skills, but it's going to be really hard for you to develop a lot of that without getting a foot in the door. So, I think one of the most important things we can do is, first of all, build a way for people to build those skills or understand what they need. And two, for us to get better at being realistic about what we're looking for and what we can really hire in the industry.

Ann Johnson: Can we talk a little bit about talent diversity and from all dimensions, right? When we think about hiring cybersecurity, sometimes people are looking for very technical profiles, you're a coder, you're a network architect; we think about different schooling and certificates we may want to have people when you think about geographies, but how do you actually think about diversity playing a role in helping to solve the talent gap and are there strategies that are working for you at LinkedIn that you would recommend to your peers?

Geoff Belknap: Yeah, I think one of the most important things to just stipulate upfront, is that cybersecurity is a very challenging job. The adversary that we work against, in most cases when it's not ourselves, is a very diverse adversary pool, and let's get into what diversity means here. It means, I've got adversaries that are targeting my organization, as does any security leader, that come from all different walks of life, all different socioeconomic backgrounds, all different cultural backgrounds; they have different aims, they have different perspectives on what your security defenses look like to them, they have different perspectives on what their goals are, and that inherently requires you to build a defense program that includes people that don't just share your perspective on the problem, on your organization, or how people might perceive it externally. And for that, like let's just be frank, we need people that come from all different walks of life and all different cultures and perspectives to build a really robust security program. And I think one of the most important parts about building this diversity and sort of inclusivity in your security program is going great, but there certainly are a lot of really valuable engineers and people with security experience that come from Ivy League schools or come from mainstream tech schools, especially in the U.S. and Europe, but there are tons of talented people that did not get their understanding of the technical landscape from the traditional academic pipeline. They are -- they have either started as, you know, kids looking to make a buck working in a HackerOne or a bug bounty type program. There are kids that have been tinkering with things on the edges and they come from all different walks of life. Then it might just be people that transition from a military job, or maybe they were, you know, doing something that might be traditionally more blue collar or manufacturing role.
We have to bring those people together and sort of invest in their skills as well to bring them into the program, because those people are going to find things and think about problems differently than you do, and they are going to make your defenses better. And I think when we build pipelines to bring those people into those programs and help them see if they're going to fail or succeed, that really enhances your program. By all means, you don't have to only look for candidates from one pool or another, but I think the most important thing that we've found success in, is having a very diverse hiring program and looking for people that come from colleges and traditional academic background, looking for people transitioning from different military or government service programs, and then looking for people that just come from completely different places. Some of the most impressive people that I've had on the team, you know, maybe a year before they were in an apprenticeship program, they were a cashier or they were working in retail. I think one of the most important things that it reminds me of is, opportunity is the thing that's scarce not talent. So, the wider we cast our net, the more we look at different pools of people, the stronger a program we can have.

Ann Johnson: I think that's right Geoff. I think that one of the important things that I always say, is our teams need to be as diverse as the problems we're trying to solve, because you don't want to have group think; you want people with different perspectives and different backgrounds that look at problems differently and can bring unique perspectives and are also not going to solve problems.

Geoff Belknap: Totally agree.

Ann Johnson: Let's talk about AI, because you can't get through any conversation without talking about it at this point in time. I want to draw this bridge between AI and talent a bit. GenAI is all the rage in security right now, as you are well aware. In your point of view, what can GenAI do for the cyber talent landscape? Will it help lower the barrier to entry and will it help get more people into the industry?

Geoff Belknap: AI -- I should learn something about this at some point, huh? It seems more important. Literally every conversation I have every week at this point, involves some discussion about what AI is going to do for us and what it's going to do for the industry. I think certainly, like remains to be seen, but I don't know at this point that it's going to make the bar lower for people getting into the space. I think it might be the opposite to some extent, because I think what I see AI doing in terms of early looks and certainly looking into my crystal ball, is eliminating some of the manual toil, and making it easier to up-level your team and give them access to harder problems, but I think that means you really have to come more prepared with understanding the basics so that you can work on harder problems and higher order analytics. In this regard, I think the other way this cuts is it should also make it easier to learn those basics, like maybe AI can get more involved in our learning in our acceleration of people's understanding of those fundamentals. But I think the most important thing to remember is, AI is not going to replace people, but it's definitely going to level up what the people can access and what problems we can solve. So, I think there's a -- it's a mixed bag here, but also, still too soon to tell.

Ann Johnson: Well, keeping with that theme, let's talk about AI from a technological perspective. How are you thinking about leveraging GenAI or just AI, in general, machine learning in your security programs at LinkedIn?

Geoff Belknap: Yeah. I think, well machine learning has definitely been a big part of the program to-date. The fact that I get to call that AI now and sort of put it under the umbrella is great, it looks good in my slide decks. But the most important thing is, I think we are -- we have high conviction machine learning and data science can still be really valuable at the scale of the datasets that we're working on. I think where we're seeing some early -- early looks at success with generative AI in my own program, is where it intersects with humans. So, one of the things that we often don't think about in industry programs, is third-party risk. And I'll give you a great example of where we're using this today, is both in helping our customers and our members understand how we perform our security program and how we sort of establish our trust with our members and our customers; when we onboard a customer and they want to understand that, typically that goes through a sales person or someone else who's interacted with that customer, and to get them rapid, high-quality, high-trustworthy answers about how our program works, we're experimenting with AI to help sort of synthesize all the information we have about our security program and provide that to people that have questions. We're also looking at generative AI to understand the risk posture of some of the third-party vendors and help make better choices about who we prioritize and how we understand our relationship and sturdy posture of those vendors.
We're also using it to help internal employees get information about security requirements or standards or implementation guidance, and what we're finding is, we really free up the time of our internal subject matter experts when we can answer the easy questions in a conversational way, in a way that helps go more than just a layer or two of depth like with a SharePoint page or some static content, and I think there's a lot of value there because then it extends the quality and consistency of the typical kind of security advice or the security information we might give to people, that are then going to use that to secure their products, their services, and their customers. So, we're really excited about that and we haven't yet really gotten into like how we're even going to use it for detection. I'm really excited about that, but we're having so much early success with these other things, we haven't even gotten there yet.

Ann Johnson: I think those are great use cases and the use cases we don't talk about a lot; people talk about detection all the time. So, thank you for sharing with the audience.

Geoff Belknap: You are welcome from me bringing the most boring parts of security to the most exciting podcast.

Ann Johnson: [Brief laughter] I don't know if we're the most exciting.

Geoff Belknap: Think positive.

Ann Johnson: Oh, we have our moments. Yes! I know you're also thinking about safe and responsible AI; how are you enabling this within the experimentation your team is doing? How are you balancing safe and responsible AI?

Geoff Belknap: The number one thing we talk about, is going into it understanding where bias comes from and how bias gets expressed in models that are trained on certain datasets that are used in certain applications, and I think the easiest place to start is just to go like, "Okay, let's be thoughtful about this in the beginning." We have a process internally we call "trust by design" and we have a trust by design review and part of that is just understanding what are we building? Why are we building it? How do we sort of understand what could go wrong upfront, kind of a pre-mortem approach and, you know, we try to bring that to every product that we build even before AI was a part of that, and I think that's at this point really just building on a process that we feel good about to make sure that, you know, we're being thoughtful ahead of time. On the backend, we're, you know, we're applying this sort of traditional security approach which is going, hey, if we're going to, you know, take content in, we have to think about, you know, what that content could mean; how we can process it; how it can impact the mode; if we're going to push results back out to a member or a customer, we think about what might happen that could go wrong in that situation and think strongly about bringing the other principles that we have about keeping data separate, about protecting data, about segmenting data and what it's meant for. And so, we're really excited that we've, you know, we sort of have these fundamental principles already baked into the company that we're bringing into generative AI.

Ann Johnson: That's fantastic. And I think that it's necessary. I -- the fear I hear in the market is that people are worried about responsible use cases or safety for AI. So, thank you for being on the leading edge of that.

Geoff Belknap: Yes, and it's all me, let's be clear. And everyone else at LinkedIn you're welcome, it's just me. No. I think, you know, this is certainly the situation where, as a team, we have fantastic people that work in our trust engineering org, in our privacy orgs, our legal teams, our security organization. Everyone deeply cares about doing this the right way and I hope that shows in our products across Microsoft and across LinkedIn.

Ann Johnson: It helps build trust and it's incredibly important, and you're right, it is a team, but just being part of that team and being part of the vision of that team, it's a credit to you.

Geoff Belknap: Someone famous once said, "We run on trust." And I feel like we might have taken that to the nth degree here.

Ann Johnson: "Yes, Mr. Smith, I believe" and it was when he was in Washington I think, so truly Mr. Smith goes to Washington. Before we wrap, I have a couple of other questions that are a little -- a little different from tech. What is the best piece of career advice you have ever received?

Geoff Belknap: Oh! I feel like that one of the best pieces of advice that I've been given and that I give other folks, is just to make sure that we contextualize what we're doing here. At the end of the day, we need to understand how much time to put into our work and how much time to sort of set aside for yourself and for your family and your friends and your neighbors, to you know, some of my colleagues or, you know, even some of our members that are just trying to get that next role, that next job that's going to be really important to them or build their skillsets. At the same time, it's really important for us to be able to do these jobs, to be able to make time for ourselves, to prioritize our own mental health and wellness, and to make sure that we are giving ourselves enough time to be our own human self and not just focused on the roles. I think it's always, you know, the thing I'm telling people is, you have to come first before the role and you have to give yourself time to really invest in the role. You're not doing anyone any favors if you are hurting yourself to be better at this.

Ann Johnson: I think that's great advice, and by the way, we don't talk enough about mental health in cybersecurity. We talked about some time ago, and it's probably something I'm -- we're going to revisit on the podcast as we go into next season.

Geoff Belknap: Great, well let me know. I will be happy to come and be your philosophical Northstar for that conversation as well.

Ann Johnson: I would appreciate that.

Geoff Belknap: [Brief laughter] Great.

Ann Johnson: In all seriousness, I had an MD who focuses in that area on the podcast several years ago and it was just such a great episode.

Geoff Belknap: You know, one of the hardest things is, you know, there are so many people in security, because this is such a high stress job and it's, you know, how to do it well is not really a fully solved problem yet, and as much as we all need more people in cybersecurity, there aren't more people yet. Sometimes it's just us doing this really hard job and we got to check-in on each other and make sure that we're making smart choices and remind ourselves that other teams have hard jobs too, and to sort of like make sure we're not stuck in our hole to try to solve this problem by yourself.

Ann Johnson: Well, thank you so much for chatting with us today Geoff. Despite the overall rise in cybercrime, I am an optimist. I still think that we stay one step ahead of the bad guys. I know that every big event you see on the news there's thousands that never made the news. So, as we wrap up today, can you tell me why you're optimistic about the future and your perspective on how we can best defend our verging digital world?

Geoff Belknap: I am inspired by the fact that the bad guys have to continuously up their game. And I think, to me, that means we're doing a great job. It is now harder than ever to successfully phish somebody. It is now, you know, more than ever we see more and more websites that require 2FA, that have FIDO2, that have advanced authentication for simple consumer products. I think, the fact that all of this stuff is evolving means we're doing great work. It is sometimes easy to get lost in the fact that there is still an adversary out there and to remind ourselves that the adversary is not going away, but we have significantly moved the bar and made things harder to successfully attack organizations and we just need to keep going.

Ann Johnson: That's fantastic. I agree. By the way, the less friction we put in the system, particularly for consumers who don't live in cyber every day, the more safe we're all going to be.

Geoff Belknap: Absolutely.

Ann Johnson: Geoff, thank you so much for joining me today.

Geoff Belknap: It's my pleasure to be here.

Ann Johnson: And many thanks to our audience for listening. Join us next time, on "Afternoon Cyber Tea." [ Music ] I invited Geoff Belknap on "Afternoon Cyber Tea," because as a CISO at LinkedIn, he has this incredible responsibility of keeping a professional network safe. It is multi-threaded; the work that they do at LinkedIn to keep the environment safe, to lower the risk, and he has a really interesting perspective that he will share and I'm sure everyone will enjoy the episode. [ Music ]