When a security professional moves from startups to tech giants such as CA Technologies, IBM and Microsoft, one can imagine the flood of resources and visibility feeling like a goldmine.
And in a sense it is, said Diana Kelley, now chief technology officer and founding partner of advisory firm SecurityCurve. Every time anything gets massively scaled, she said, you get the opportunity for maturity.
“But it also can be complicated,” Kelley told SC Media. “People start getting more and more siloed. In a small business, everybody wears multiple hats. In a really large company, people get more focused on doing their job. It gets much harder to get that holistic view.”
Few things happen fast. Real impact can be difficult. It makes sense, then, that Kelley points to a particular effort at IBM as a career highlight, one that stands out even more than her development of the widely cited “5 Indisputable Facts of IOT security” while there, or the minimum viable product version of a security assessment tool to help non-profits use the NIST Cybersecurity Framework.
While she was serving as IBM’s global executive security advisor, her boss pointed to the frustration of getting research published in time for it to get noticed. Smaller companies were publishing faster, while IBM had to deal with the lawyers of a 100-year-old company.
“We wanted to show people that we were doing really great research. But there were hundreds of researchers around the whole company, and no formal process in place,” Kelley said, adding that plenty of people actually pushed back on having one despite the goal of getting quicker recognition of their work.
Nonetheless, she built a process, coordinating with stakeholders, many of whom were also juggling disclosure guidelines agreed with external groups. Ultimately, she and her team established a protocol that satisfied legal requirements quickly, without delaying valuable research from reaching the community. She recalls a research blog post going live less than four hours after it was delivered. That was previously unheard of.
“The lawyers were OK with it and research was happy. So that really made me feel like I did something,” she said.
Still, her decision to return to small business security, this time in an advisory capacity, feels like coming home. It’s where she started, back during the internet bubble when everyone expected to make their millions through startups. And even today, the payback as a security professional is different: you feel part of something exciting, and while resources are scarce, so is hierarchy. The leadership team needs to know every aspect of what’s going on. They probably know everybody in the organization. Everybody wears multiple hats.
Whether she’ll eventually return to the very large enterprise is difficult to say. Probably.
“I always like to keep a balance,” she said. “I think it's really easy to just start looking through one lens — forget what else is out there.”