Working_In_Cybersecurity

Interview extracts from the first volume of an oral history of cybersecurity practitioners.


Project maintained by MichaelTanji Hosted on GitHub Pages — Theme by mattgraham

The Accelerator

Billions of dollars are invested in new companies every year, all with the hope of being the next Facebook or Uber. Investing in security companies is up, but the amounts are still trivial when compared to more pedestrian ideas. Improving outcomes in cybersecurity investments is the mission of Alex Kreilein. A veteran of the national security and policymaking space, he puts that expertise, along with serious technical acumen, to work helping entrepreneurs succeed and, by extension, helping us all be more secure.

Alex Kreilein: Darkfield is like a number of other organizations in our field. We’re a cybersecurity accelerator. That basically means that we try and find super early stage companies, we invest in them, and then we help them build their product and go to market. Those last two things are a little bit, well … actually, quite frankly, much less … like what a lot of other organizations do. Most accelerators that also get really hands-on with their companies tend to help them raise capital, as opposed to help them build their product. We do both, but we focus on product mostly because we think the best way to improve our field is to make sure that we’re working with really great products.

So, a day in the life for me is kind of a two-tiered thing. There’s two modes that we operate in. The first is when we’re actually running a cohort, when we’re trying to take these five or six companies through a process that really focuses on company building, product building and sales. The second is raising investment capital. In both cases, we’re doing a nearly 24/7 job where we’ve really taken this whole process of company building and compressed it into about three months. For us, that means doing an enormous amount of work really quickly. We’ve operated cohorts both in person, full time, and also in a distance format, but regardless of how we implement the process, I’m on the phone or in person with founders all day, every day, oftentimes Saturday and Sunday as well, to try and do things like build a minimum viable product, various forms of testing and analysis, trying to find channel partners or your direct sales opportunities where we can test and evaluate the sales component of the process as well. We operate like we’re members of each team, and we really pride ourselves on that.

When we’re not running the cohort then we’re oftentimes analyzing deals, trying to find new deals, assessing deals that are in our pipeline. Basically, that means that we ask entrepreneurs for a really good overview of what they’re attempting to build and how they want to accomplish it. We do analysis of everything from the tech stack to their financials to, you know, how strong we think the team is. Were there any legal conflicts like patent and trademark issues?

And then, separately from that, we try and understand the founders. You know, if they are a knock-it-out-of-the-ballpark entrepreneur who’s going to want to try and take a company public or at least build a large enterprise and hopefully sell it in an acquisition, or whether or not this is more a hobby or lifestyle thing. All those things are fine, but not all those things are investable. We also represent our investors in kind of the off-season, if you will, to try and find the best possible deals. That also means that we, oftentimes, help people who’ve invested in the fund do analysis on deals that they’re looking at doing on their own. And so, we try to be really good stewards of sharing information.

How did you first get involved in security?

So, my path into security is really long and twisted. I guess it started about 12 or 13 years ago. I was living in Beijing, China. I had been studying game theory as part of my undergraduate program at Fordham University, and I got approached to move to Beijing to a center that Jesuit Universities operate over there to study Chinese politics, culture, art, religion, history, and you know, basically do a semester abroad. I really wanted to go over and try and study some applied game theory during the six-party talks for nuclear nonproliferation in the Korean peninsula with the DPRK.

So, I moved over to Beijing hoping to get some sort of access to the proceedings or to people who were part of the process. And when I was over there, probably about three months in, the talks fell apart. And I found myself without anything to do. I’ve had a colleague of mine who said, “You know, there’s a couple other things that people use game theory for other than negotiations. Why don’t you try auctions or computers?” And I didn’t know anything about computers, so I figured I’ll try auctions. I had another colleague of mine back in the States who said, “The Chinese contemporary art market is really hot. Why don’t you go and buy some contemporary art and bring it back to America?” I thought that sounded cool, and it gives me a way to test out game theory in live auctions, so let’s see what happens.

It worked out okay, but when I got back to the States it was very clear to me that while this was a good idea, I still needed a real job. Something that would actually pay you money consistently. So, I took a job working at a value-added reseller as a sales nerd. And I got really wound up really quickly with the technology, and I got amazingly interested in networking. And so I got myself like a stack of Cisco gear, and I started working on it nights and weekends, and I really finally understood what people meant about game theory being used in computer networking, in part because of contention protocols, or you know, negotiation between systems when there’s resource constraints, and it got really interesting. And I just kept on pulling this thread through, and at some point, I made a logical leap from my background and interest in strategic security and then computers into computer security.

I started working for a member of Congress at the time, a woman named Jane Harman from California, who did a lot of work on the intel agencies and energy and commerce. I really got started as a policy wonk, crafting policy and legislation, which I was in no way shape or form qualified to do, but then no congressional aide is. I loved it. And from there I took a job working in strategy in management for the Department of Homeland Security and then some other federal agencies, as well, and just kind of kept it rolling.

But this whole thesis of … you know … how do we optimize systems? How do we preserve things under contention? How do we really manage resources effectively? Those are really big concepts in cybersecurity, and that’s really how I got hooked in.

Perfect timing, because one of the things that I wanted to touch on was your time working for Congresswoman Harman. What was a day in the life like in the policy-making environment? That’s an area that security people tend to ignore or discount, but absent policy, there is no mandate to change, which is something just about everyone agrees is necessary if things are going to improve.

It’s really difficult. Everybody is so young and so smart … even if they don’t know the information, even if they don’t have the content … they’re very intelligent. And that’s helpful except that you’re constantly—if you’re built like me, anyway—you’re constantly trying to increase the amount of content you know. Right? So this is where you find yourself getting up at like five in the morning, and reading all the information that you can, and then you get on the Metro, and you ride to the Capitol, and you get off, and on the way you’ve read like 15 other articles, and you get to the office and sit down, and you pile through more content. You’re just trying to absorb so much information.

And then, at some point—right?—the door slams in, the boss walks in, and everybody has to cinch their ties up and sit up straight, and you’re in a really friendly work environment. It’s a small group of people who are trying incredibly hard to do really great things, but everybody working for the 500-odd other members is, and very few people are aligned. So, what ends up happening is there’s just a lot of energy, but there’s very little direction. Working in Congress is like a game theory pressure cooker. And it really is about, you know, contention and negotiation. It may be, at least when I worked there; it doesn’t seem like that’s the case so much anymore.

Who has been a mentor to you, and how important have they been to your success?

I’ve had a couple, but it’s been a little weird because a lot of my mentors aren’t actually in INFOSEC. I think I actually only really have like two in the security space who have really taken time and attention and effort to, like, really help me. Most of my mentors have actually come out of either business, or technology and policy.

The top one for me is this incredibly storied legend named Dale Hatfield, who is the father of American telecommunications policy. He’s been the FCC chief technology officer or chief technologist multiple times. He’s been the Deputy Assistant Secretary of Information for the President of the United States. All these incredible roles. He’s a highly lauded technologist, and he lives in Boulder.

I met Dale when I was working in Congress. Somebody said, “Alex, you actually know things about computers, and you work here; why don’t you go hear Dale’s lecture on wireless telecommunications policy?” This is my first real introduction to wireless, which is where I spent most of my career working in government. Whether that was working as an LTE architect, or whether that was doing spectrum management policy, I started in wireless. So that’s how I met Dale. Fast forward four years … Jane Harman quits. She did not tell her staff. We found out watching it on TV in her office, and Dale offers to fly me, on his own dime, out to Boulder, Colorado, to look at CU engineering. And he fought to get me in the program, even though I didn’t have a background in math or engineering—like everyone else did—and you know he has been a close, personal friend for years. He taught me a lot about how to work with people … how to manage, how to manage yourself, how to manage your mouth, which I still don’t do.

I was going to say, you could use a little more work in that area.

(Laughing) Yeah, thanks!

And also how to have a real wide perspective on technology and not be so myopic that you’re, like, solely focused on … well, it has to be this chipset, or it has to be these frequencies, we have to use this hash. Have a broader view of what you are trying to accomplish and what are the tools at your disposal.

Another mentor is a guy named Jamie Barnett, who was a rear admiral in the U.S. Navy. He spent years helping me. Whether it’s a letter of recommendation, or helping refocus me, Jamie’s been really helpful.

And I think the last one is the current Assistant Secretary for Cybersecurity and Communications. Her name is Jeanette Manfra. Not only have we built a really good personal relationship, but she’s been a great mentor in that instead of trying to get me to change my perspective, she’s actually been a person who’s called on me, I think eight or ten times now, to try and help change other people’s perspectives. And that’s something that most mentors tend not to do. They generally try and tell people how they should rethink an argument or how they might do something differently. I think the thing that Jeanette does better than anybody else that I know is she actually tries to help you put that into practice, and try to do it by helping you change organizations. We made some huge changes at DHS together. I think together she and I actually got the department started in doing mobile app security vetting. She brought me into the effort behind the cybersecurity executive order that President Obama signed, so I worked on that team, which was really cool. She made sure that I could transfer and be a research fellow at NIST in Boulder, so that I could help them change their thinking about how they were spending their money, and also the Department of Homeland Security money. It’s a cool thing when a mentor doesn’t just give you advice, but the confidence to help you put it in action, and she’s really been doing that for years for me.



To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at Amazon.com.