Career Notes 6.6.21
Ep 52 | 6.6.21

Dave Farrow: The guy that enabled the business. [Security leadership]

Transcript

Dave Farrow: I am Dave Farrow. I am a Senior Director of Information Security at Barracuda Networks, and I'm responsible for their entire internal security program.

Dave Farrow: At the end of high school, my father was into technology as an early adopter, which is odd because he was in human relations, in HR all of his life. And he had this Kaypro, and he kept trying to get me to play with this Kaypro computer that he had, and I wanted nothing to do with it. He thought he might lure me in with a Commodore 64, and I preferred to surf and ride my bike around Southern California.

Dave Farrow: It wasn't until I spent a quarter at college doing a non-technical, non-engineering course of study that I realized that I didn't like that, that I really wanted something more concrete. And at that point, I picked up and started studying electrical engineering. I chose electrical engineering because at that point I'd had a couple of classes, you know, the prerequisite classes in physics and whatnot, and all of the mechanical stuff sort of made logical sense to me. And I thought, I'm going to go with electrical because it makes absolutely no sense to me, and if I'm going to pay for this, or my parents are going to put me through this, I should at least learn something that I couldn't learn on my own. And so I chose something that made no sense to me at all.

Dave Farrow: You know, it's funny because, you know, my life is filled with doing a bunch of things I never said I would do. I swore I would never do software, because, at least in the electrical engineering school at Berkeley, there was this snobbery that said the only people that were in software were people that couldn't make it through the EE program. And it's funny because as soon as I graduated, I had an offer from an old aerospace company that's gone now called "TRW" that said, hey, we'll pay you to learn software, and something tickled in the back of my mind saying this is an offer that you probably shouldn't refuse. And once I actually got into writing software, I just – I fell in love with it and realized that that snobbery was just that – it was snobbery, and I almost missed something great.

Dave Farrow: I got into development in aerospace. A couple of years into that, I went out on my own as a contractor and did contract gigs in a lot of different industries, from telecom to data warehouses. Around the time of the dotcom bubble burst back in about 2000, I had a contract that was winding up. Long story short, I ended up finding a contract gig in Fresno, California, which might be the least technically oriented city in California. Actually, I did software architecture for probably the first fifteen years of my career, and then moved into building and developing teams.

Dave Farrow: I was looking around for how else I could meaningfully contribute to Barracuda, and just sort of backed my way into the security role. At that time, one of our lead architects on the email security team had been managing our privately run bug bounty programs, and so I offered to take on that job just so that this architect could focus on developing the product that he was the lead for and that sort of blossomed into an internal security team over the course of the next couple of years.

Dave Farrow: We do vulnerability management, network scans, logging and monitoring, we do incident response. And when I'm not supporting the teams that are doing those things, a lot of my time is spent in defining our security policies and communicating those with the rest of the company, and really sort of communicating the good work that the team is doing to the leadership of the rest of the organizations. The people that we talk to are working in this space on a regular basis. You know, you still have challenges because, you know, a team that does email security may not be as well-versed in the nuances of network vulnerabilities, right? And a firewall team may not be versed in the nuances of web application vulnerabilities. 

Dave Farrow: The challenges that we run into are the challenges that I think everybody runs into, which is that I think that the real challenge in security is, when you're trying to interact with the business, is recognizing that there are other threats to the business besides cybersecurity threats and being able to become part of the risk management conversation. If a security guy rolls in and says everything has to be fixed, you're going to take away resources that might cost you opportunities in the future. I think that's a problem that all of us in the security industry have to recognize is that we're part of the economic strategy of the company.

Dave Farrow: You're going to apply different security controls if you're worried about cyber vandals than you will if you're worried about nation-states. But the fear is that if I don't tell you about every single possible exploit that a nation-state might throw at you if you get hacked, you might come back to me as a security guy and say, hey, what did you miss? It's a real challenge to correctly align the investment in security with the threat that you're protecting against.

Dave Farrow: I hope to be remembered as the security guy that understood that cybersecurity threats were not the only threat to the business. You know, I have stuck in my mind, because I spent so many years as a developer, my picture of the security guy was that he was the guy that was always saying no. And I want to be remembered as the guy that said, yes, we can do that, if we do it in this responsible way.