CyberWire Daily - Rick Doten: There is a rainbow of different roles in cybersecurity. [VP] [Career Notes]

Episode Date: September 3, 2023

This week's guest is Rick Doten, the VP of Information Security at Centene Corporation. He sits down to share his story and provide words of wisdom after conquering this industry for 30 years. Rick, like many others in the field, started off not knowing what he wanted to do, so he tried out a few things, including end-user training and desktop support, eventually evolving to do systems analysis work and designing software. Rick shares that his main day-to-day role is helping out the corporate global CISO, CTO, and head of platform within the organization, and that his nickname is the neighborhood cat because he's everywhere. Rick shares advice for people getting into the industry for the first time, saying "There is a rainbow of different roles in cyber security, and I feel like I've done all of them in the last 30 years. So there are different things that, that you, the thing that like appeal to you the most because you're going to excel and want to hyper focus on the thing that you really, really are interested in and not the thing that you're not." We thank Rick for sharing his story with us.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, my name is Rick Doten. I'm the VP of Information Security at Centene Corporation, and I'm also the CISO for Carolina Complete Health, which is one of the Centene Medicaid health plans.
Starting point is 00:01:48 My father was a pilot in the Air Force. I knew I didn't want to do that. I actually almost went to chef school. I worked in restaurants all my teenage years and filled out the application to go to Johnson and Wales, which is now here in Charlotte, but then realized I didn't want to work that hard when I was younger. I always look for ways to streamline things and do it the most efficient way. And I knew I was always going to be in, I mean, when I was in college, I was interning for a government contractor in Washington, D.C. and at 19 years old was flying around the country, installing software, you know, over modems, you know, connecting to mainframes over modems, you know, when I was too young to rent a car or even had
Starting point is 00:02:29 a credit card. And so, you know, I knew that computers were going to be the thing that I will be working in. And I used some of those techniques to help me better do customer support. And then, you know, just kept trying to do different things. And it went on from there. Like most people, you know, in my generation, security kind of finds you, you don't find it. And so, you know, I started off just doing end user training and desktop support, and then evolved to do like systems analysis work and designing software, and then did a short stint as a technical recruiter because one of my mentors, she ran a programming team when I was an intern, and she said she really likes to get to talk to
Starting point is 00:03:15 people. And I think that was probably the best career advice I had was watching what was popular and what was important as I was placing people in these jobs. And this was the early 90s. So I was very fortunate to go to a very big defense contractor to start as a recruiter and then join the team for this, you know, online system that we were making for the FBI. And that was really the tipping point. I used to joke that when you have your contracting officer carries a gun because he was an FBI agent, you pretty much do what they say. And so they kept asking, well, can you do this? What can you do this? And so we spent a lot of time the first three years figuring out how to do early intrusion detection systems and firewalling, a stateful inspection,
Starting point is 00:03:58 firewalling and VPNs and multi-factor authentication. And then I was asked by one of the VPs there if I wanted to join one of their ethical hacking teams that was for government thing. And I'm like, I don't know anything about hacking. And he goes, well, you know how to protect a network. Just see if they would do the same thing you would have done to protect it. And then was offered to transition over to Global Integrity, which was one of the early security boutiques. So that's kind of like, that's when it got on the slide. So to me, it was all about, you know, how we do the things and how the people manage, protect and maintain these things.
Starting point is 00:04:40 And that changes as we have new technology come in place and then wireless and then the web. And then, you know, now we get into cloud computing. And so how it completely changes how we have to manage things while the fundamentals are all still the same. You know, I've been part of the editorial panel for the CIS critical security controls for over 10 years and, you know, helping and making sure that people are doing the fundamentals through those controls. We have different approaches depending on how the technology works. And one of my favorite keynotes is talking about what I did just literally two days ago was about the difference between cloud security and on-premise and data center security. So I'm very fortunate in my role that, you know, I don't have
Starting point is 00:05:34 a lot of administrative overhead because, as I said, I'm a CISO of a health plan, but that's very, very lightweight. So I spend most of my time helping out the corporate global CISO, CTO, and head of platform in just helping out all of the people within the organization, whether I'm a lot of calls, they refer to me as a neighborhood cat because I'm everywhere. So over the last few years, I've up-leveled our incident response program and our application and cloud security program and help with our talent acquisition process and provide guidance and mentorship to a lot of the leadership. But a lot of things that I do are supporting the community. I learn a lot by talking to all these different vendors and I get different perspectives
Starting point is 00:06:16 and I feel like it helps the industry because I give them a lot of guidance on how to position what they're doing and how different the selling into a Fortune 500 company is versus the 5 million other companies in the United States. And then I do a lot of talking on podcasts and doing keynotes and just evangelizing about cybersecurity because, you know, as we just discussed, I've grown up in this industry and I've kind of seen how things are. So I always kind of say I lead from the front. And it's like, there's nothing that I am above doing.
Starting point is 00:06:57 If, you know, we go into a place and I need to pick up a shovel or wash windows, I'm happy to do that. And, you know, and kind of lead by example. But I'm also, you know, very conscientious about individuals are motivated and learn and process things differently. Really, it boils down to treating them as individuals and recognizing what their superpower is and helping them lean into that thing that they do better than everybody else and not trying to make people do the things that they're inherently not good at. And I think that's a challenge in the cybersecurity industry. And I think that helping folks like lean into the things that they want to do keeps them much happier, much more productive, and then let them kind of expand and give them own agencies instead of like, you know, being told to do things that they're uncomfortable in doing because of their personality. Where I came in and a lot of people my age, it was, like I said, security finds you. You have to be in a place and you answer a question or you do something and then everyone says you're the security person.
Starting point is 00:07:55 But here we have a much more direct path and there is education, there is certification, there's training. And I think the first thing is kind of find a mentor of like somebody where you'll be. I think find the things that you want to do. There is a rainbow of different roles in cybersecurity. And I feel like I've done all of them in the last 30 years. And there are different things that you, the things that like appeal to you the most because you're going to excel
Starting point is 00:08:20 and want to hyper-focus on the thing that you really, really are interested in and not the thing that you're not. And so I would just say keep trying and fail quickly and expect that the thing that you think you want is probably not the thing that ultimately you're going to really learn to love because you don't know until you get in it. I'm at the age where I think about my glide path out and I pretty much don't ever expect not to be working and helping people. And whether I'm doing keynotes
Starting point is 00:08:54 or whether I'm doing advisement or virtual CISO work like I used to do, or just leading communities of people and trying to help folks or helping out startups or helping out venture capital firms and find what the next big thing is. I just want people to know like that I was always trying to do the best thing for the industry. You know, long time ago, I told one of my bosses, like, I'm loyal to my industry first, my customer second, and my company third. Because if I'm doing well for the first two, then I'm doing what's best for the
Starting point is 00:09:25 company.
