Career Notes 9.24.23
Ep 168 | 9.24.23

Merritt Baer: No one has to go down for you to go up. [CISO]


Merritt Baer: "Hi, this is Merit Bear, and I am Field CISO at Lacework.

Merritt Baer: I think I said a writer, but I didn't realize then that writing would be part of just about every profession. Um, and I also feel like there were fewer roles that look like mine, even coming through school, you know, like the CISO itself, the Chief Information Security Officer role was one that didn't necessarily exist until somewhat recently, where I feel like there was maybe like your IT admin folks and maybe a data privacy attorney, um, but not a lot of room for those kind of, uh, technical and business security conversations that are what I do now.

Merritt Baer: I had always been someone who would pick up a book about the CIA or something. I, I don't understand. How everyone doesn't think security is fascinating. So it was kind of a, um, indulgent side of what I liked to learn about, and then I went off to Harvard, um, and you know, there were just these issues that seemed to be coming for us and I felt like we weren't very well prepared to answer them and that they were already staring us in the face in terms of, you know, private companies, is. Sort of burgeoning into like more and more immediate and intimate interactions with us. And then what is the role of government and what is the role of that citizen or consumer in sort of mediating those relationships and security was just such a primary element of what we needed to think about and I mean, that literally, like, how we're going to protect account access, but also, you know, as the construction of what we think about when we want to experience the world in a safe way.

Merritt Baer: Then I went to Harvard Law School, uh, and, um, and did every, uh, computer security class I could do there, and I ran out of those quickly and wrote my own studies. I was actually really focused on, uh, what is now known as CSAM, child sexual abuse materials, um, child pornography was the term then, and so I basically kicked off my security expertise, um, in this area that is really specific, but also permeates how we think about, you know, access to, um, software and to devices and, you know, rights and responsibilities of the government and of companies. So that was something that led me into, uh, my next, you know, my first job, job, which was clerking for the military's Supreme Court, um, which is called the U.S. Court of Appeals for the Armed Forces. They had, uh, about two thirds of their docket at the time was issues involving child sexual abuse materials because the military gets some of these issues as sort of like herbingers of what civilians will get because civilians have, you know, higher expectations of constitutional rights than military members do, or those who are subject to UCMJ.

Merritt Baer: So I went from that into working for U.S. government in all three branches, doing security work, and then went to AWS, five and a half years ago and today is my first day in a new role, which is as Laceworks field CISO. So I can't tell you what a lot of days have looked like so far, but I can tell you what I think I'll be doing, a lot of it is resident with what I was doing at AWS, Amazon web services, um, which is to, uh, talk to customer CISOs or CXOs, you know, uh, Executives that have responsibility for security and ensure that we are helping them problem solve as effectively as possible, which really should be a business enabler so that security can be part of everything they weave into what they do and ultimately do more and do it securely.

Merritt Baer: So my personal philosophy is that no one has to go down for you to go up. I'm always encouraging my colleagues, um, and other executives to be thinking about how we can, you know, steal, sharpen, steal, how we can be good for each other, how we can collaborate, how we can, um, create more strengths in one another. Um, and I think that that in general is just an approach that is especially conscious of the fact that this field is so relationship driven, and so it's important that when we get in the room, we don't like, waste each other's time with competing, um, you know, with petty, small, um, sort of self serving, uh, conversations, because what we want to do is elevate the entire state of play, right? And we need to be doing that through conversations that build trust and although lots of companies say that they are not super hierarchical, I have found that many are. Um, and so I think that that's, you, you deal with the landscape that you're in, but I think that it is a, um, an important attribute of places that they have a seat at the table for folks to contribute in whatever way that those folks are best contributors, you know, that they're able that folks feel like they are seen that they have the opportunity to develop themselves and that they then contribute to the company bottom line or, or the policy bottom line in other cases and I think that that's, you know, the goal is always to see folks flourish.

Merritt Baer: So I got into security because I had this conviction that folks who are vulnerable get the least inheritances when it comes to both safety and security. And by that I mean walking around in the world and as a sort of byproduct of the merchants and other relationships in their lives, um, you know, women are likely to be murdered by a romantic partner, um, and so on and so like, it goes from the very literal to the more notional, like, if you have a fancy credit card, then you're probably insulated from identity theft debt in ways that folks who are not, you know, using those kinds of luxuries don't have. So I think, um, I would hope that at the end, you know, while I'm working with enterprises and I am, you know, doing what feels sometimes like these, you know, broad strokes that I'm raising the water level in meaningful ways for folks who don't have to then be experts themselves, that we're able to, you know, create security as something that folks are more entitled to and that it benefits especially the folks who need it in vulnerable communities.