Secret CSO: Andy Ellis, Orca Security

Name: Andy Ellis

Organization: Orca Security

Job title: Advisory CISO

Start date of current role: September 2021

Location: Massachusetts

Andy Ellis is the Advisory CISO at Orca Security. Ellis is a seasoned technology and business executive with deep expertise in security, risk management and managing an inclusive culture. An MIT graduate and former Air Force officer, Ellis has designed, built, and brought to market many of Akamai’s security products. His leadership helped propel the Fortune 1000 company from its beginnings as a content delivery network to an industrial powerhouse with a billion-dollar cybersecurity business. During his twenty-year tenure, Ellis led Akamai’s information security organization from a single individual to a team of more than 90 people, more than 40% of whom were women. Widely respected in the cybersecurity industry for his pragmatic approach to aligning security and business needs, Ellis speaks and writes regularly on cybersecurity, leadership, diversity and inclusion, and decision-making. Ellis has received a wide variety of accolades including the CSO Compass Award, Air Force Commendation Medal, Spirit of Disneyland Award, Wine Spectator Award of Excellence (for The Arlington Inn), and won the Sherman Oaks Galleria Spelling Bee. He was inducted into the CSO Hall of Fame in 2021.

What was your first job? Site cleaning. My parents were still building, both professionally and personally, and the first thing I remember getting paid for was cleaning up the yards at the end of the day. Knowing which tools went where was really important!

How did you get involved in cybersecurity? While I was a cadet in the Air Force ROTC, I spent a summer at Luke AFB in the rear in F-16s, because I really wanted to be in operations. One afternoon, I received a call from a major in the 609th Information Warfare Squadron, who was actively recruiting me. And by “actively,” I mean, “he had to decide, and he decided he wanted me.”

What was your education like? Do you have certifications? What are they? I have a bachelor’s degree in computer science, with a minor in math, from MIT. I used to be CISSP but dropped that many years ago.

Explain your professional background. Did you take any detours? If so, discuss. My career is completely hijacked! I was fired, uh, I went on indefinite leave from MIT after my freshman year. I spent two years working at Disneyland. Then I spent two years in Vermont as a sommelier, bartender, innkeeper, ski bum, and physical security guard. I came back to MIT on an ROTC scholarship, but to meet the age requirement I had to graduate in two and a half years, and my failed freshman year left me with three classes on my transcript. During those two and a half years, I also served as Vice Master of the MIT Assassin’s Guild, Wing Commander of the AFROTC Detachment, and member of the Student Information Processing Board. I include these in my career section because I rely on the skills I learned in each of them every day of my career.

When I graduated, I spent three years, five months, and fourteen days on active duty; first with a tour to South Carolina to do information warfare, then to Boston to do acquisition test management. After my separation, I spent just over two decades at Akamai, taking on just about every security role from engineer to CSO, including as CTO for our security business, and building an amazing team of professionals who can solve almost any problem with a diverse and deep skill set.

Now, I enjoy being entirely on the vendor side as an advisory CISO of Orca Security, and I’m also an operating partner at YL Ventures, helping companies bring their big ideas to market.

Has anyone inspired or mentored you in your career? The list is really too long to try to list, but some of the best sources of inspiration and mentorship came not from the people who came before me in the organization, but from the people who worked for me. From each of them, I learned new ways of leading and better understood the challenges that others had to face.

What do you think is the most important aspect of your job? Communication. Learn to speak to very different audiences, using a language they will connect with. Because if you can’t communicate, you can’t change the world.

What indicators or KPIs do you use to measure security effectiveness? The most difficult, because it is mainly about anecdotes, is that of the “incidents dodged”. It’s really useful, however, both for studying the landscape (Did Industry Incident X affect you? Why not? What checks saved you?), as well as for examining quasi-crashes (oh, that Sev 2 crash would have been much worse if we hadn’t implemented System Y yet).

Coverage. Too many checks are really limited in scope of assets, so when you ask “are we testing?” you get a “yes”. But what’s left of the conversation is how many systems you are not applying this control to. So, for any KPI, a coverage metric is essential.

Days in SLA. Many controls, like vulnerability management, look at a given time (“how many open vulnerabilities do we have today?”), when what is interesting is how often the SLA has been met. In the last quarter, what percentage of the time have we been outside of the SLA we wrote to fix things?

Is the security skills shortage affecting your organization? What roles or skills do you find most difficult to fill? Well, I don’t have a security team at the moment, as an advisory CISO, but speaking on behalf of the team I built in my last job, I’m pretty sure that “skills shortage”, while not entirely a myth, is really a polite way of saying that “HR and management don’t know how to recruit and retain talent”. Too many security posts call for unicorns who can fly, seeking omniskilled polymaths at all levels. This might work for a startup hiring a security person, but not for a team. Teams need to hire people who will be good for the job you hire them for and who can grow. This often means that you don’t hire career security professionals. Need to write research reports? Make sure your team has a former journalist. Managing thousands of documents to prepare for audits? Consider a librarian. The list goes on and on; it is easier to hire qualified professionals and teach them about security than to hire security operators and teach them new skills.

Cybersecurity is constantly evolving – how do you keep learning? While I know a lot of people are down on social media, I find Twitter to be a great way to draw attention to new hot topics that I should pay attention to. I’m also in a handful of loose channels that do the same for me, and I regularly have conversations with CISOs and security managers across multiple industries to hear what’s hot on their radar.

What conferences are on your must-see list? CSO50, of course!

What is the current top trend in cybersecurity? The worst? The best? The best? Move to the cloud and reinvent your security program to be more agile.

The worst? Move to the cloud, not reinvent your security program.

What’s the best career advice you’ve ever received? Networking is doing someone a favor when you get nothing in return. Building a network of goodwill is one of the best ways to propel your career into the future.

What advice would you give to aspiring security managers? Make small, effective changes that your business partners will love. Don’t tackle tough problems that everyone will hate until you have accumulated enough political capital to spend.

What has been your greatest professional achievement? The team I built around me when I was at Akamai. 94 people, no turnover for 15 months there, more than 40% women, and an incredibly inclusive team. Ask anyone who’s worked there and you’ll hear fantastic stories of people who feel everyone supports each other and managers who are invested in developing their people. It’s the kind of team any CISO worth their salt would want to have.

Looking back with 20/20 hindsight, what would you have done differently? I’m really happy with where I am now, so I’m not sure I want to alter this good result. But for someone facing the same challenges, I think at the start of my career, I wish I had been a better listener. When someone tells you something that you think cannot be true, it should tell you that you are out of touch with the real situation in a dangerous way.

What is your favorite quote? Voltaire: “The best is the enemy of the best.” Make progress now, rather than refusing to work until you have a path to perfection. Military leaders often phrase this as a variant of “A 70% plan, executed violently now, will defeat the 100% plan you are still devising.”

What are you reading right now? Well, that changes from day to day, because I tend to devour books. Professionally, my reading list currently includes Cybersecurity Sales, The Myth of Charisma and Sapiens.

In my spare time, I like… Reading. I’ve been working my way through the GameLit genre for a while, waiting for the latest books to come out from my favorite authors.

Most people don’t know that I… am a triathlete. I mean, I’ve done two triathlons, so I think that counts. You can find me training on my Peloton as @ChiefSweatOfcr.

Ask me to do anything except… lie to people who work for me.