Fortinet hires NSA veteran as company's first CISO

The network security provider has hired former NSA cyber task force executive Philip Quade as chief information security officer.

In early January, network security provider Fortinet announced that it had hired former NSA cyber task force executive Philip Quade as chief information security officer (CISO), reporting to founder, chairman and CEO, Ken Xie.

Quade is the company’s first CISO and his role encompasses many of the responsibilities previously held by Tyson Macaulay, Fortinet’s former chief security strategist and vice president of security services, who left the post in August 2016. “However, Mr. Quade has a much broader scope of responsibility as CISO that spans protecting Fortinet’s enterprise and product security, the expansion of the company’s Federal business and being a strategic advisor role to Fortinet’s c-level customers,” a Fortinet representative told me via email.

Prior to joining Fortinet, Quade was the NSA Director’s Special Assistant for Cyber and Chief of the NSA Cyber Task Force. He also served as the chief operating officer of the Information Assurance Directorate at the NSA, managing day-to-day operations, strategy, planning, integration, and relationships in cybersecurity.

“With Phil’s extensive background working at the National Security Agency and with the Defense Department he brings incredible insight on the technologies, threat landscape and partnerships needed to deliver the most effective approaches to data security,” Xie said in a statement.

Curious how Quade's public sector background influences how he approaches his new role and how his perspective may have changed since joining Fortinet, I asked him a couple of questions on this topic. Here are his responses (submitted via email):

I listened to a Federal News Radio interview from last year in which you compared cybersecurity to a team sport. Now that you have changed positions on that team, how has your perspective changed? How is your approach to cybersecurity different from someone who had only private sector experience?

When a Federal employee says ‘cybersecurity is a team sport’, it’s partially a call to tear down sometimes-artificial barriers that get in the way of progress, with some of those barriers being within the government.  But there’s a technology side to this as well, a side that drives innovation in developing sophisticated defenses against cybercriminals, and it’s the reason I joined Fortinet. 

Customers want, and need, to leverage security solutions at all parts of the enterprise, and have them operate according to a consistent, always-on security policy. Security needs to be applied at the endpoint, where users connect via desktops, laptops, or personal cell phones, within their enterprise data center, even within the cloud. Fortinet is leading the charge with meeting these customer demands with its automated end-to-end security solutions, which excited me about changing positions on the team and joining the private sector.

Cybersecurity is a team sport on the private sector side as well.  I like to be part of the team that crushes the competition (malicious cyber activity).  Fortinet is uniquely positioned to do that, because its products, over a Security Fabric architecture, work as a team.  I sometimes use the hockey analogy, since it comes closest to representing how cybersecurity needs to be played – fast & exquisitely talented athletes who play together as one unit, changing from defense and offense (cyber hardening and mitigations) in the blink of an eye.

At Fortinet, I have a great opportunity to build and foster strategic private and public sector partnerships so that we can leverage the best of both worlds to solve hard cybersecurity problems, like the protection of our critical infrastructures. In doing so, we need to respect each other’s responsibilities and contributions. My goal is to leverage experience in managing complex cyber strategies and solutions, in both the foreign and domestic domains, to ensure that both Fortinet and its global customers have the most effective, broad security postures.

I’d like to think that having a former NSA fed working and learning in Silicon Valley will help with some cross-pollination of the collective team and ultimately help improve defenses against advanced cyber adversaries.

Also in that interview, you quip that, knowing what you know about cyber threats, you sleep like a baby, waking up in a panic every two hours. Are you sleeping better now?

There’s no doubt that a heavy burden weighs on you and you’re never quite able to leave at work the knowledge of what foreign adversaries are seeking to do, and in some cases, actually doing. I’m definitely grateful to those working in the public sector of the cyber business. 

Ironically, now in the private sector, there is a new type of responsibility to carry that is different, but related.  Coming into the private sector you have a responsibility to achieve optimal customer satisfaction based on evolving cybersecurity requirements and achieve maximum shareholder value — awesome responsibilities that serve as the engine to our global economy.  But you also need to help shape the direction of commercial strategy and technology so that it is postured to address evolving threats, since commercial solutions are a tide that floats all boats: the solutions that we develop are used in both private and public (e.g., government) applications. A great example of that is Fortinet’s work as a founding member of the Cyber Threat Alliance, where we formed an alliance with our direct competitors to share global threat intelligence with each other, to better serve our customers and organizations around the world.

So we all have reasons to lose sleep when we are laser focused on combatting global cybercriminals amidst a threat landscape that is ever-changing. However, I’m energized to now be a part of the private sector and help drive strategy and innovation at Fortinet, a company that is committed to playing its part to protect global enterprises and organizations through both its cutting-edge technology innovations and strategic partnerships. The reality for me is you can ‘take the man out of the mission’ but you ‘can’t take the mission out of the man’, and I carry this forward with me every day as Fortinet’s CISO in our fight against cyber adversaries.
