Build IT Together’s 12 for 12 series interviews technology professionals who stand out for their innovative thinking and build creative cultures within their organizations. Catch up on previous 12 for 12 interviews here.
This month, we meet with Steve Edwards of Duo Security, based out of Ann Arbor, Michigan.
What’s your title and role within your organization/company?
I’m the Security Operations Manager at Duo. The Security Operations Manager is in charge of corporate security—everything that doesn’t relate to how our product is coded or deployed kind of falls to me.
For example, making sure that our endpoints are secure, keeping authentication and access secure, end-user awareness training. Even speaking with customers about the security practices that we have to make them feel a little bit more safe about Duo.
How do you align IT goals with organizational goals?
Duo’s still a pretty small company, so that helps. We get the entire company together to share updates from our teams throughout Duo. We all stay together on what we’re working on.
One of the interesting functions of my role is that I get to be the first customer of Duo. I run Duo’s product for Duo. I tend to get the product releases a week or two in advance, sometimes more on bigger feature enhancements and things like that. I get to give a lot of feedback to the engineering and product teams on that, to give them some of a taste of what their customers might feel. I was a Duo customer before I came and worked at Duo, as well. I have a lot of experience with their product and that’s one cool way that I get to be really close to the goals.
What’s one way your organization works that could benefit other organizations?
We developed something that we call “Beyond Corp”—we stole that name from Google, they do it too. It’s just a small little web app that we wrote over the course of a few eight-hour hack sessions throughout a year.
With this tool, we’ve been able to basically replace our VPN. It sets up a really good SSL connection, which is good because some internal apps don’t always have that. There’s no more messing around with VPN configs or certificates or things like that, either. It’s just stupid simple but it provides the same level of security that we were getting from a VPN without all of the headaches.
When people need to access internal services, they just go to them like they were just accessible on the internet and our Beyond Corp just gets in the way and says, “Hey, just need you to sign in first. We’re going to check your browser for help.” It’s a huge help.
How do you maintain a skilled team?
I just have a small team right now—I have one security analyst and an intern, who directly report to me. At Duo, we have a team of recruiters who are on our staff, who do a lot to source top talent.
I think it’s just really the manager’s job to try and build a relationship with each of their direct-reports by spending face time with them one-on-one every week. By getting to know a little bit more about them, outside of work, it builds the relationship. Ultimately, that’s half of what a career is: you deliver results and you establish relationships.
How do you communicate IT wins to the organization?
For some smaller things, we use Slack internally and everyone is always in there. Smaller things—birthdays or small achievements, bug fixes, things like that—we can celebrate in there. We have a Karmabot that tracks how many times people have said your username followed by ++ so you keep incrementing your score.
For bigger wins, like I said, we have an all-company meeting every month. The agenda has always been pretty accessible so if there’s something worth sharing with the entire company with a little bit of facetime, that’s a great way to do it.
What’s a dream goal you have for your organization’s IT?
Our biggest goal (something that I talked about at BIT) is simply just to have all of our devices in a healthy state—up-to-date, on secure platforms. Then, two factor authentication any time we need to authenticate to a system. Strong authentication and healthy devices should be the goal for any corporate security department. That would prevent nearly all of the breaches that we hear about in the news and through incident reports, things like that.
There’s some things like drilling in there, not all two factor authentication is made equally—some things are less secure than others. A code generator provides some additional level of security but maybe not as strong as something like a U2F token or push-based two factor authentication.
Not all secure platforms are the same, right? You can have a Windows 8.1 computer that’s completely up-to-date but that leaves something to be desired still. I know you guys at Newmind use Chromebooks and we’re big fans of them at Duo, as well, because they’re secure by default and it really takes a lot of work to put them in a state where anything bad could happen to them.
How do you empower your team?
One of Duo’s three core values is “continually learning together,” so we do a lot of things to that end:
- We have book clubs and an unlimited book buying budget.
- We do lunch-and-learns, where anyone can get up and talk about basically anything. I went to a really cool one a couple months ago, talking about the advances in biomedicine and how biological medicine is being used to treat cancer, and things like that—just because someone who’s an engineering manager came from a bio-pharmaceuticals company before coming to Duo.
- We also have a site-licensed online learning class platform called Udemy, where there’s tons of great content available. If someone wants to learn a new programming language, how to be better at public speaking, or anything in between, there seems to be one course for it in there.
What do you feel will be the most important topic/trend in IT for the next 3 years?
Internet of Things (IOT). With IOT, especially when it comes to security, I think that’s still the wild, wild west. I think that trail is still being blazed and I don’t know that I have a clear vision of what it’s going to look like yet. What I hope to see is more consumer advocacy and more transparency into the security that we see in that space.
A friend of mine, who’s a researcher for Rapid7, released this terrifying study about the insecurity of all of the Wi-Fi baby monitors that are on the market. As a new dad, that definitely made me not buy an internet-connected baby monitor, because, how can I even assess which is secure? They put a lock on the package and say it’s ultra-secure but who’s saying that other than the person who stands to benefit from your purchase?
I think that’s the next horizon, at least, of security. We’re going to start seeing a lot more focus on the security of non-computer things. It won’t be a hard trail to blaze; the definition of a computer has changed so much in the past fifteen years, from mainframes and terminals to client servers to workstations, mobile devices, and cloud—IOT is just the next thing, right?
Making sure that your fridge isn’t going to get a computer virus is a thing that we’re going to have to start thinking about. Luckily, we already have strong frameworks in place to think about that, regardless of what the computer is.
The Bonus Round
Can you tell me more about any passions you have outside of IT/technology?
I’m a new dad, so that takes up a lot of my time!
Aside from that, I’ve been into competitive indoor rock climbing, and that’s been a lot of fun. I sometimes switch to playing ice hockey with an Ann Arbor group called “Never Ever,” a league for people who have never played ice hockey. It turns out that we’re not great at hockey but we’re really good at event promotion. We’ve had some “homecoming” games where we’d have over 100 people come and watch us fall down, and cheer when we’re actually doing good, which is hilarious. All of this is on our team’s website: www.lol-fail.com, there’s even some live video with commentary. It’s just ridiculous, but it was a ton of fun.
What’s your go-to spot for food or drink in Ann Arbor?
If you twisted my arm and made me choose just one place to get food and drink, I would have to choose Vinology. They have a seasonal menu that completely rolls over every season, so if you only manage to make it there once every three months, you’re never going to be able to order the same thing. Their space and menu is just really cool and thought-out, and centered entirely around wine.
What’s a book you’d recommend to every colleague? Why?
I really like a book, and it’s been around forever, called Getting Things Done: The Art of Stress-Free Productivity by David Allen. He just really helps in an age where time-management is something that people aren’t always good at because we have so many conflicting priorities. He just lays it out in a no-nonsense way to get things done, like he says in the title.
How do you get into “the zone”? (music, coffee, etc)
Let’s see, get into the zone… Duo is huge into coffee culture, and my ideal coffee is a Chemex of Guatemalan coffee. Usually I don’t have headphones in, I like to hear what’s going on around me because we’re an open workspace. When I really need to tune-out the distractions—don’t laugh too much—but it’s the soundtrack from the 1995 movie “Hackers.”
Steve, thank you for taking the time to meet with us and sharing your thoughts! Keep up with Steve on Twitter and LinkedIn, and be sure to check out more on Duo Security! For more tech stories and news, visit Newmind Group and Build It Together online.