CSO Spotlight: David Cook, Databricks

As CISO at Databricks, Cook’s role involves helping companies to manage and secure data at scale in the cloud. Coming from a networking and security background, he has moved over into the world of big data and building best practices to keep information secure. With so many people proclaiming that data is the new oil, keeping that data secure is now a big priority for all businesses. Here, he shares his career path and offers advice for aspiring security leaders.

What was your first job? The first role I had that involved IT was at school. I ran a computer Bulletin Board Service (BBS) in high school. It showed me how computers could be used to bring people together.

How did you get involved in cybersecurity? At HP, my manager was concerned about the security of one of our products. He asked for some help from his team members and I volunteered. Once I started to dig into cyber security, I realized this is what I wanted to do full time.

Tell us about your career path. I started my professional career around IT in software development and systems integration. This involved a mix of support, intranet design and web development. After this, I moved more into development and operations management. Once I got an opportunity to start a security program at HP, I realized that that security was my career path. I led teams focused on compliance including several ISO27001 accreditation programs for several networking companies, before moving into communications networking and now big data.

Was there anyone who has inspired or mentored you in your career? In every role, I have been fortunate to have amazing managers who have supported me and allowed me to grow. There are plenty of people out there that are happy to help you develop in your role, whether they are direct line managers, colleagues or members of industry bodies. Asking for that kind of help can be very valuable.

What do you feel is the most important aspect of your job? Collaborating with customers to ensure they have the most secure platform possible. Companies want to get the most out of their software, out of their data, and they are creating huge repositories of data either internally or in the cloud. These data sets have to be kept secure and managed, while also providing value to the business. This is a balancing act.

What metrics or KPIs do you use to measure security effectiveness? I focus a lot on the number of vulnerabilities identified from internal and external sources, number of regressions, and improvements to ISMS (Information Security Management System), and how quickly these vulnerabilities can be fixed or mitigations applied.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? Finding specialists in public cloud deployments is difficult. AWS and Azure infrastructure security roles are the most difficult positions to fill right now, as there is so much demand for those skills. For customers, moving to the cloud is a requirement as part of deploying these large machine learning applications as they have so much data to store over time. Getting the right security processes and solutions in place can help, but these do take skills to deploy.

Cybersecurity is constantly changing – how do you keep learning? I read a lot of trade magazines to keep up to speed on new threats and problems. I also like to listen to my customers around what problems they are facing.  

What is the best current trend in cybersecurity? The worst? The best trend in cyber security is the use of machine learning and artificial intelligence. Security is about spotting patterns, and new services based on machine learning can help analysts spot trends faster at scale. It’s getting cheaper and more feasible to store the data involved, so companies can improve their response times and spot potential issues faster based on having more data. The worst is the focus on appliance-based threat detection. This does not scale up and meet the kinds of problems that companies face today.

What’s the best career advice you ever received? Always follow through on your commitments. If you can demonstrate that you keep your promises, you will earn trust and be given more responsibilities over time. This becomes a virtuous circle.

What advice would you give to aspiring security leaders? Listen to your customers. Getting different perspectives on security will help you build a stronger security program.

What has been your greatest career achievement? Becoming a Chief Security Officer for a publicly traded company.

Looking back with 20:20 hindsight, what would you have done differently? I would have started working for smaller companies sooner. Working at smaller companies, you are exposed to the entire business rather than only seeing segments of IT or of the business. At smaller companies, you cannot afford to invest in the wrong tool. This forces you to scrutinize every potential security spend to make sure the tool will provide the right security benefits over time.

This interview is part of CSO’s regular Spotlight series, which focuses on the career paths of security leaders. If you know someone (or are someone) with a story worth telling, please contact kate_hoy@idg.com.