November 30, 2021 · 9m read

“Not having an ego helps” and other secrets to enabling a high-growth business (while keeping it safe) with Datadog CISO Emilio Escobar

Material Team 

@material_sec 

Material CEO Ryan recently sat down with Emilio Escobar, CISO of monitoring giant Datadog (NASDAQ:DDOG). Emilio has been building and leading teams in Infosec for more than twenty years at major companies like Hulu and Sony. In this interview, Emilio discusses the dual role CISOs frequently must play in protecting an organization internally while accelerating its business externally. They also covered hiring security talent, the vendor/buyer relationship, security career advice, and much more.

How did you get your start in Security?

I got a PC at 13 and just started getting curious. The moment I got online, I ran into obstacles preventing me from doing things I wanted to do, so I just looked for ways around them. For instance, I remember when AOL and CompuServe were the dominant ISPs and as a kid I didn't want to pay. So I thought, "How do I find a way to get in?" Once I got dial-up, I found IRC and learned a lot there. That's where I was exposed to Linux and all that. So I got into security really just out of curiosity.

And now you're the CISO at Datadog. How did that happen? What are the major stepping stones between "I don't want to pay for my ISP" to "I'm here to revolutionize your application monitoring"?

For me, it's been riding a wave of opportunities that presented themselves. I have no career plan; I've never had one. I've managed people who do, and I think it's great if you do. But I am a YOLO when it comes to my career. I focus on people. I've always been interested in understanding their problems and how they think.

Our job as security professionals is to allow companies to operate at an acceptable level of risk, not just "Are we hacked or not?" At PlayStation, I talked to many people and found that security was typically only thought of at the end of planned releases. I was sure there was a better way, so I asked how we could get ahead of that. I started listening to people and delivering on their feedback. That was what got me to where I am. Focus on driving the business, but in a secure way. Every company has to make money, and every company has risk. You can't make money without risk.

So many organizations and individuals struggle with the different roles that security needs to play in an organization. How did you decide to make the move to become a critical part of the business?

It's very easy at a company like Datadog. Because people deploy us in their infrastructure, they trust us with their data. So the cool thing is that our founders get it. They understand that security is important, but we also have to grow the business. Their epic charter is basically "How do you get us to secure without slowing us down?" And since we're making security products, that work is influenced by how we're driving security internally. So it’s not hard to see how my work is helping the business grow.

How do you balance your time? Many security leaders struggle with this. What recipes have allowed you to succeed in the current environment, and where do you think everybody else is going wrong with it?

Time is a complicated thing. I think I have a balance. I don't know if it's a healthy balance or not, but it's okay for now. I think it helps that I'm not the kind of person who needs to own and solve all the problems myself or within my teams. I look at the core competencies that my team can provide vs. the core competencies that other teams can provide.

I don't go to another team and say "I can do it better than you" if that's not the case. For how to help customers, I rely on our sales and support team. We help them, but they know how to help customers way better than I can. It's very easy for a CISO to come into a new company and say, "Here are opportunities that we can work on, and I want to take them all. I'm going to build X team, Y team, Z team." You have to realize that external teams are probably already doing some of these things and can do so way better than what you can.

Not having an ego helps, and so does talking to people. For a CISO, I think success comes from how much influence you can drive in an organization, not how many pen-on-paper things you've built. If I can get an infra team to be better at security without adding security headcount, that's a success. Many people get caught up in how big their org is or security not being OKR number one for every team. Yes, we have the typical stuff to execute in security, but as a CISO, your job is to influence.

For a security leader, learning to communicate with people that don't understand security is paramount. How different is the communication with internal stakeholders vs. external customers?

I use the same technique, which is asking, "What are your concerns?" If I'm talking to a peer at a company I work for and that person doesn't understand security, I can be a little more direct than I can with a customer. It's easier to help somebody internally see the light because you can have coffee, walk around the office (pre-COVID), etc.

With a customer, I want to be more situationally aware of where they are in their maturity. If I talk to a customer and they're working off of a checklist or a Gartner report, then I know where they are. I can work with them to see if they've considered other possible realities and show them how they can achieve similar results by taking a different approach.

Whether I'm talking to a customer or a peer at Datadog who might not think of security every day, I try to put myself in their shoes and see where they are in terms of security maturity and understanding.

Is there anything more satisfying about talking to customers vs. internal stakeholders?

I think the thrill is bigger when talking to customers. I've been doing internal security for a long time. I've gotten an organization to flow one way; I've gotten security and development teams to work together. I've been there. But when I can get customers to think differently, I feel like I'm helping with an even more significant problem. I believe security is a community problem that needs to be solved communally. If we're pushing everyone to be better and not just our internal org, then we're contributing to something bigger. I'm an idealist, which you can probably tell. If I can get a customer company to adopt more modern practices then I feel like I've done my part.

Now that you've seen both “buy” and “sell” sides of security up close, what do you think each side needs to learn from the other?

I think security has turned into finger-pointing and CYAs, which is very unfortunate. So my advice to people is to realize you're actually more alike than you think. We're trying to solve a problem, just like you're trying to solve your problems. And then as a vendor, we're trying to solve your problems while solving our own problems.

Say a business team approaches a vendor to solve a problem. But then security gets involved and is bitter that they weren't included in the original vendor evaluation. This is where we tend to see tension and animosity of "I've been told I have to talk to you. I've been forced to go through this process because somebody else made a decision that I wasn't a part of." So it's been interesting now being on this side dealing with it.

I'm more empathetic to other vendors now. I always had empathy for vendors. At Hulu, we tried to make it as simple as possible. We’d only ask questions that apply to how we were going to implement the solution vs. asking a Linux vendor to show their active directory configuration. I always try to avoid those things, but now I have way more empathy for sure.

Shifting gears: you're passionate about leadership. What advice do you have for individual contributors progressing towards leadership positions?

I think there's a big ego problem in security leadership. We like to think that we're the smartest people in the room, and we tend to default to "I told you so" when there's an issue. Say we identify a problem, it doesn't get fixed, and then something goes wrong. I've seen a lot of people who say, "I created a ticket. You decided not to fix it. Therefore: you don't care."

Security needs to start feeling responsible for making security better and not just finding bad stuff. Security finding bad stuff is great, but usually that happens after many decisions have already been made. We have to strive to be part of those decisions beforehand. And that means security leaders need to be able to empathize and work with people more frequently.

Say your service is having outages every day. You're trying to keep your platform up so your company can make money. Try to go to the CTO and say, "Hey, but we must be secure." That CTO is going to walk you out of the room and say, "Help me with my uptime, and then I'll talk to you about security." So find what's burning and help with that. I think that's something where security sometimes misses the mark. Stop thinking only ones and zeros. Once you make it to leadership, there's ambiguity all over the place, and you have to be comfortable with it.

How do you approach designing and building your org? Are there any key best practices you could share?

It all starts with understanding the burning fires and hiring to solve those problems. When I joined Hulu, the platform was volatile. We were having outages all the time. So when I started structuring a team, I structured it around being able to help the platform team, who were getting paged every day. I wanted the platform and dev teams to have better visibility, and I wanted to help them achieve that while also baking in security. Security actually adds a lot of stability to those areas, so how can we cater to that?

Now I look for people who share that mindset of wanting to help. I look for people who want to understand our mission and top priorities and build teams around those needs. I also like to hire people who flat-out talk and enjoy working with others. It can be challenging to find them, but they're there. I identify the things that we must start working on immediately and then find people who can collaborate with their peers or build spheres of influence to help solve those problems. That's where I focus. I don't think that’s secret sauce or anything, and it sounds pretty obvious once you hear it, but that's what I do.

I also make it very clear that our incentives aren't to catch attackers or to trick employees into falling for phishing emails. Our incentive in security is not the gotcha. Our incentive is making us better across the board. And I look for people who share that mindset.

What's your strategy for sourcing and evaluating talent?

When I recruit, I don't try to close the role as fast as possible. I know I have to invest time, energy, and effort into it. But the more focus you put into it, the more likely you are to land the right person. Sure, it can be very time-consuming, it can be exhausting, it can suck. But I embrace the suck.

I pay close attention to the pipeline of candidates. I like to talk to people from different backgrounds, upbringings, everything, and I'm very conscious of that. I focus on getting a diverse pipeline myself and source from wherever I can find — social media, word of mouth, job boards, etc. Talent is everywhere, but opportunities are not getting to them. I embrace the suck because I know it's going to take time.

Datadog is very strict with our recruiting processes because we want to make sure that we hire people who can be successful. Some companies don't care; they're hiring and firing farms. We're not. I'm not saying we keep people who don't deliver, but we focus on the front door to ensure that we're not throwing people out frequently. I would rather hire one good person a year than hire a team of 20 and have 18 of them be ineffective. If you're trying to drive a security program based on influence, partnership, and collaboration, you can lose an entire year's worth of effort on one wrong person.

When you're evaluating somebody, is there a specific trait that is highly predictive of them being successful on your team?

Outside of their experience and the types of teams they've built previously, I like to focus a lot on the dynamics that somebody has built. I don't care so much if you've created the coolest encryption vault in the world. Great, you built something. What's next? How do you get people to adopt and use it? How do you take feedback? What are you looking for to make sure the product is successful? Those are the things that tell me how much influence you carry.

What positive developments are you seeing in the industry right now?

One thing that has me excited is that people who share the influence and user-centric philosophy are now founding companies. We're seeing security products that are user-first. We have a crap-ton of security products, and we're still dealing with the same problems. So clearly, we're not doing something right. I love that there are security professionals who understand the value of the human in the picture. They've taken the risk to build something different and not cookie-cutter because they care about the people. So that has me extremely excited.

So I run into folks that are hired at some fast-growing company. Maybe there was some security thing there before, and maybe there wasn't. Maybe it works, maybe it's broken. What is in the starter kit in terms of tactics and strategy?

I'd recommend reading The Pragmatic CSO. Yes, it's dated, but I think the techniques are still valid. You were hired for a reason. It could be that this Series A or B company is getting security questions because now they're getting larger customers. Or maybe it's that the company needs SOC2 compliance. Understand why you were hired. You're in a business that's growing, and you have to support that growth.

Bring people who are passionate about solving problems. You don't need a big team to start. Build security that enables growth and makes it easier to be secure. There are many products out there that will help you be secure and not get in people's way. Look for those solutions.

The security frameworks are great for a more mature risk management-based security program. Start with the basics. I think the CIS Top 10 is great. But if you join a startup and your first meeting with your CEO is, "Here's the CIS framework, and here's where we are," you're going to lose all trust. Your job is to hear where the company wants to be six months from now and sort out how you can achieve that.

Are there any other resources you recommend for folks looking to develop their skills, either as an IC or as a leader?

If you haven't already read How to Win Friends and Influence People, and I know it's even more dated, it's a great read. Podcast-wise, I like The Engineering Leadership Podcast because they focus on bringing in non-security leaders to discuss their problems. As a security leader or even an IC, it's a great listen because it shows you what it's like to be on the other side.

This interview was edited for length and to remove awesome but irrelevant tangents.