As January of this year rolled around, I hadn’t planned on changing jobs but I knew the year ahead would be interesting.  During my tenure at Verizon Business I learned quite a bit and met many wonderful people.  When I decided to join the company two years prior I did so because of the people.  One lesson I learned long ago is to rank my job by: (1) what I will be learning and (2) who I will be working with.

Tenure with Great People

The most wonderful thing about working for Verizon Business was working with the RISK Intelligence team, led by people like Wade Baker and Alex Hutton.  These gentlemen and their team are responsible for the famous Data Breach Investigations Report (DBIR) and the Verizon Enterprise Risk and Sharing (VERIS) risk modeling tool.  Many companies put out research reports but few focus so much on making their methodology transparent and unbiased.

One of my favorite projects from 2010 was working with the Verizon RISK team on the first annual Verizon PCI Compliance Report (PCIR).  It was hard work, and needed to happen alongside an already heavy work load, but it’s one of the most important projects I’ve worked on.  The reason why is that it analyzed reports and data over the two years prior – of actual assessments – and portrayed the results openly.  This year, Martin McKeay is taking over the PCIR and kicking it up a notch by providing even more ways of splicing the data.  I can’t wait to read it!

My eternal three items for improving the information security industry (in response to Josh Corman asking) have been:

  1. Education, education, education
  2. Flexibility of controls
  3. More data for risk modeling

It’s #3 that the RISK Team at Verizon is famously known for.  In fact, security researcher Anton Chuvakin recently referred to the DBIR as “a piece of juicy awesomeness that only comes once a year”.

It’s Good to have Options – but hard to Choose

I hadn’t planned on moving on but when a good opportunity came along for me to grow and learn, I had to take it.  I received a number of casual job offers during RSA 2011 week, during which Martin and I presented on PCI compliance in the Cloud and the entire Security B-Sides team had a successful BSidesSanFrancisco event.  Nothing was compelling enough to make the big switch.  Then came Square.

Thanks to Sam Quigley, I had the awesome opportunity to contract at Square, a mobile payments startup in San Francisco. Square is not just another startup, it’s a company that is going to revolutionize the payments and social landscape.  They make payments simple and elegant.  Check out the TechCrunch post/video of Jack Dorsey’s famous “bridge” speech as to why they will be the Apple of payments.

Why will Square succeed?  Because they are a company of people following their passion and have a community of customers who love them.

Although I love the company, and will pimp them every chance I get, I decided to take another path.  I still love the people I met at Square and the lessons I learned.  So here are a few of those lessons:

  1. Follow your passion, passionately.
  2. Everyone in the company is part of idea creation, but it’s the leader’s job to be the “editor” of these ideas.
  3. Ideas that are not used do not get discarded, they go “on the shelf” for later use or re-evaluation.
  4. Measure everything.  “If you cannot measure it, you cannot improve it” – Lord Kelvin
  5. Don’t fail fast; iterate fast.
  6. Know and tell your story well.

I cannot emphasize this last part enough.  Watch Jack Dorsey tell his story at Stanford.  He does so without slides or prompts.  He knows his passion and his direction and can articulate it easily.  How many of us can tell our story this well?

Knowing your story and being able to articulate it helps us live the direction we want to go instead of just zig-zagging through life.


Although Square is a great company and will change the world, I believe that my work there would not be as impactful as it would be at another company.  I’ve decided to take a job as Director of Threat and Vulnerability Management (TVM) at PricewaterhouseCoopers (PwC).  Here I will be able to follow my passion and have an enormous impact.

My fundamental passion is empowering people to have a greater impact on the world around them.  At PwC, mentor programs are built into the DNA of the company and I’ll be able to help grow a team.  Much like I do with Security B-Sides, I’ll be able to leverage a team of people to be more than the sum of their parts.  I have some great plans for working in a leadership position at a multi-national and well-respected firm.

Much like at Verizon, at PwC I’ll be able to work with a smart team of professionals such as Gary Loveland and Mark Lobel who curate the PwC Global Information Security Survey.  I’ll be able to move beyond PCI compliance and focus on helping companies manage risk, however it makes the most sense for their company.

Most of all, we as a firm will leverage the talented and ambitious professionals that make up PwC.  I always thought that the Big4 sold products and services, but the reality is that their only service is their people.  I look forward to working with a group of talented professionals and helping them grow as a team.

When interviewing at PwC, I was asked a question I will never forget.  “Anyone can sell themselves.  How will you sell your team?” It’s true that you reach a point in your career when it’s simple to sell yourself, but the true measure of a leader is how well they grow, position, and market their entire team.

I look forward to the challenge and am excited to see what the future brings.