CyberWire Daily - Dave Farrow: The guy that enabled the business. [Security leadership] [Career Notes]
Episode Date: June 6, 2021

VP of Information Security at Barracuda Dave Farrow shares how a teenage surfer fell in love with software development and made his way in the cybersecurity field. Dave chose to study electrical engineering in college because he wanted to learn something that didn't make sense to him. He says he's done things in his career that he said he'd never do: for example, he went into and fell in love with software development. Taking on leadership of a bug bounty program at Barracuda blossomed into the creation of an internal security team. Dave wants to be the guy who enables the business and not the one who prevents it. He hopes all will come to recognize that there are other threats besides cybersecurity threats to business. We thank Dave for sharing his story with us.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
I am Dave Farrow.
I am a Senior Director of Information Security at Barracuda Networks,
and I'm responsible for their entire internal security program.
At the end of high school, my father was into technology.
He was an early adopter, which is odd because he was in human relations, HR, all of his life.
And he had this K-Pro, and he kept trying to get me to play with this K-Pro computer that he had,
and I wanted nothing to do with it.
He thought he might lure me in with a Commodore 64,
and I preferred to surf and ride my bike around Southern California.
It wasn't until I spent a quarter at college doing a non-technical, non-engineering course of study that I realized that I didn't like that, that I really wanted something more concrete.
And at that point I picked up and started studying electrical engineering.
I chose electrical engineering because at that point I'd had a couple of classes,
the prerequisite classes in physics and whatnot.
And all of the mechanical stuff sort of made logical sense to me.
And I thought, I'm going to go with electrical
because it makes absolutely no sense to me.
And if I'm going to pay for this,
or my parents are going to put me through this,
I should at least learn something that I couldn't learn on my own.
And so I chose something that made no sense to me at all.
You know, it's funny because my life is filled with
doing a bunch of things I never said I would do.
I swore I would never do software because at least in the electrical engineering school at Berkeley,
there was this snobbery that said the only people that were in software were people that couldn't
make it through the EE program. And it's funny because as soon as I graduated, I had an offer from an old aerospace company that's gone now called TRW that said, hey, we'll pay you to learn software.
And something tickled the back of my mind saying, this is an offer that you probably shouldn't refuse.
And once I actually got into writing software, I just fell in love with it and realized that that snobbery was just that: it was snobbery.
And I almost missed something great.
I got into development, like I said, in aerospace.
A couple years into that, I went out on my own as a contractor
and did contract gigs in a lot of different industries,
from telecom to data warehouses. Around the time that the dot-com
bubble burst back in about 2000, I had a contract that was winding up. Long story short, I ended up
finding a contract gig in Fresno, California, which might be the least technically oriented
city in California. Actually, I did software architecture for probably the first 15 years of my career
and then moved into building and developing teams.
I was looking around for how else I could meaningfully contribute to Barracuda
and just sort of backed my way into the security role.
At that time, one of our lead architects on the email security team
had been managing our privately run bug bounty programs.
And so I offered to take on that job just so that this architect
could focus on developing the product that he was the lead for.
And that sort of blossomed into an internal security team over the course of the next couple of years.
We do vulnerability management, network scans, logging and monitoring.
We do incident response.
And when I'm not supporting the teams that are doing those things, a lot of my time is spent in defining our security policies and communicating those with the rest of the company and really sort of communicating the good work that the team is doing to the leadership of the rest of the organizations.
The people that we talk to are working in this space on a regular basis.
You know, you still have challenges because, you know,
a team that does email security may not be as well versed in the nuances of network vulnerabilities, right?
And a firewall team may not be versed in the nuances of web application vulnerabilities.
The challenges that we run into are the challenges that I think everybody runs into,
which is that I think that the real challenge in security
is when you're trying to interact with the business,
is recognizing that there are other threats to the business
besides cybersecurity threats
and being able to become part of the risk management
conversation. If the security guy rolls in and says everything has to be fixed, you're going to
take away resources that might cost you opportunities in the future. I think that's a
problem that all of us in the security industry have to recognize is that we're part of the economic strategy of the company.
You're going to apply different security controls if you're worried about cyber vandals than you
will if you're worried about nation states, right? But the fear is that if I don't tell you about
every single possible exploit that a nation state
might throw at you, if you get hacked, you might come back to me as a security guy and say, hey,
what did you miss? It's a real challenge to correctly align the investment in security with the threat that you're protecting against.
I hope to be remembered as the security guy that understood that cybersecurity threats
were not the only threat that our business posed.
I have stuck in my mind,
because I spent so many years as a developer,
my picture of the security guy was that he was the guy
that was always saying no.
And I want to be remembered as the guy that said, yes, we can do that if we do it in this responsible way.