
Q&A: David Quisenberry Discusses Cybersecurity Careers, Collaboration, Mentorship, and OWASP Portland

Being a cybersecurity leader is not for the faint of heart. The increasing sophistication of adversaries and number of successful breaches put significant pressure on security teams today. For advice, I invited Pacific Northwest infosec leader David Quisenberry to join me on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management.

During our conversation, David shared four ways he’s approaching cybersecurity leadership today:

  1. Tapping into his wealth management experience.
  2. Collaborating across the organization.
  3. Working closely with his local security community as the president of OWASP Portland, Oregon.
  4. Creating a solid network of mentors.

Continue reading for highlights from our conversation around wealth management, collaboration, mentorship, OWASP Portland, and more. You can listen to the full episode on the NetSPI website, or wherever you listen to podcasts.

Can you tell me about your career transition from wealth management to cybersecurity?

David Quisenberry: The decisions you make, the careers you go down, the things you do – everything’s interrelated and connected. There are some differences, but there are also a lot of similarities. In wealth management, you deal a lot with risk tolerance. Like companies, when someone is just starting off as an investor, they don’t have a lot of money and they’re much more willing to take on risk and do things that a more established person, family, or trust might not do with their money because they have a fiduciary standard to make sure that they invested wisely for all the beneficiaries. 

Again, like companies, when they’re building out their foundation of revenue, security may not be as front and center to a lot of the decisions that get made. But as companies grow, a lot of enterprise corporations view security and risk tolerance much differently. They want to understand all the risks that go into each decision they make as a business. Risk tolerance is a similar theme.

Another thing that’s very similar between the world of wealth management and the world of cybersecurity is you’re always reading, always studying. As a wealth manager, you’re constantly keeping up to speed on all the trends with global investment flows, global economics, and mutual funds. That obviously translates into the security world where you’re reading and learning things all the time. 

Lastly, convincing others to take action. As a wealth manager, there’s this tension, especially if you’re working with families where you want them to save as much as possible so that they can have a lot of money in retirement for their kids, for their charities. They care about their future self, but they also want to live life. There are these tensions, and you have to convince someone to spend their dollars one way versus the other. This is very similar to security work with developers, product owners, product managers, et cetera. It’s a constant game of understanding all the various priorities and working together to identify that sweet spot of paying security debt, staying on top of future security debt, as well as getting other features built to drive your business forward. 

You are taking some unique approaches to better collaborate across different teams within your organization. Can you share with us the approach you’re taking? Are there things that worked well or not?

David Quisenberry: One of the philosophies I have about most things is “relationships first.” As an information security manager, I’ve tried to take the approach of being available and approachable. If somebody sends me a question or an email, most of the time I will drop what I’m doing so that I can answer them in that moment. Even when people get frustrated with me, I take the opportunity to take a step back and think, “We have a tension right now. But they’re thinking about security. What’s not clear? How do I communicate the why?” If I can accurately explain the why, it’s going to help so much. I try to take that relationship first approach, identify those early wins, and set clear expectations of what is a milestone and then celebrate those when we hit them.

It’s important to have regular monthly meetings with the scrum masters with the various leadership teams for the different products, engineering managers, project managers. I encourage them to ask questions and know that we’re going to have an opportunity to dig into things. To prepare for those meetings, we have a working agenda that both parties can add to, and I also try to give visibility into data and analytics. 

As the president of the OWASP chapter in Portland, how did you get involved with the community? And what are some interesting things that you’re doing that might be different from other chapters? 

David Quisenberry: David Merrick introduced me to the chapter. I started going to the chapter meetings whenever I could. Around late 2018/2019, I started being mentored by the previous chapter President, Ian Melvin, who’s been an amazing mentor and really helped me along in my progress. He got me more involved on the leadership side.

What I found is most OWASP chapters have leadership that have been laboring hard for a long time to keep the chapter going. If you’re willing to help bring in speakers, engage in membership, promote social media activity, or think of topics to present, they’ll open up. Especially if you prove yourself and that you can deliver on it. What I found with the Portland chapter was that, as I started getting involved, we needed to meet developers where they’re at. 

We did a lot early on when I took over as president of the Portland OWASP chapter. We built out a mentorship program where we had around 24 people with varying skill levels meeting regularly. We really ramped up our social media presence, specifically Twitter and LinkedIn. We used meetup.com which helped us solidify returning visitors and provided an easy mechanism for people to RSVP to our monthly meetings. By the end of 2019, we were close to 50-60 people per meeting. And we brought in a lot of great speakers. 

And then COVID-19 hits, and suddenly you can’t meet in person anymore. We had to do everything virtually, but we were able to continue our path of monthly, or bi-monthly meetings. We also have another thing that we do as a local chapter, which is study sessions. More hands-on, shorter sessions or labs and then 40-minutes hands on keyboard. Working with Burp Suite or Wireshark. You name it. We started a podcast in late 2019 and that’s been super successful. We had 6,500 listeners or so over this last year and some interesting guests. We’re also exploring some other opportunities for cybersecurity training with other chapters. We’ve been trying to collaborate more with the chapters around us and that’s been going quite well.

I wouldn’t be where I am today without my involvement with OWASP. If you’re interested in truly excelling and expanding your horizons in the security space, these community meetings and chapters really pay dividends in the long run. I’d be curious to get your perspective on any guidance you have on how to choose a mentor that’s right for you?

David Quisenberry: The first thing I would say is don’t have one mentor. And I think of it almost as a personal board of directors. For myself what I want is people from across the spectrum. So, business leaders, engineering leadership, security leadership, different types of security leadership. I want 4-10 people that I talk with quarterly, some people more often. I want to be able to have multiple perspectives to bounce ideas off when I’m having a hard time with something at work or a moral decision I need to make or just trying to understand what is normal or what is acceptable. 

One of the big things that I always try to push with my mentors is what are you learning? What are you reading? What are the things that you go back to time and time again? There is a saying that I always think about: “If you dig, you get diamonds.” Where can you dig to get diamonds? With mentors, I try to have a lot of people, I try to be real with them, and make it clear that this is only between us. And I also try to pay it forward. I want to help people and lots of people have helped me. 

There is a book by Keith Ferrazzi I read a long time ago, it’s called Never Eat Alone. It’s all about how people like to help people. We’re all hesitant to ask for advice or ask for help. But the most successful people ask for help all the time. As humans, we like to help each other. His whole thing is to find out what you want to do and where you want to get, and then build a relationship action plan to move your way there. He’s also big on building your network before you really need it. If you’re in a job hunt, and you’re trying to build your mentorship, or mentor platform at that point in time, that’s going to be hard to do. But if you’re in a career, and you start building that network, and you don’t need to use it for a couple years, by the time you do need to use it those people will know that you’re genuine and know who you really are. They’ll be more than willing to help you.

For more, listen to episode 23 of Agent of Influence. Or, connect with David on LinkedIn or listen to the OWASP Portland podcast.
