From Founder to CISO: My Unconventional Journey and the Road Ahead

Caleb Sima
csima
Apr 23, 2023

A few weeks ago, I announced my departure as CSO of Robinhood, and since then, many people have inquired about my future plans. I appreciate the ask, and thought it would be easier to share my thoughts here.

Besides taking some much-needed time off, in order to answer that question, you first need to know some background.

What many people don’t realize is that my experience as a CISO started out as an experiment. Most of my career has been as a Founder/CTO/CEO of cyber security companies. When my last company (Bluebox) was acquired, I started looking for the next thing to start. However, when I looked around at all the cyber security startups and the types of breaches that were happening in the news, I noticed a gap. There are a lot of cutting-edge security products, but the breaches were caused by a lack of basic fundamentals. The question I wanted to answer was “simple”. Why was this gap here? Clearly it can’t be a technology problem?

To answer this question I could ask CISOs why this gap exists OR I could just go and learn it myself. So, that’s what I did.

The plan was simple — go from being someone who built the weapons (vendor) to being on the battlefield and figuring out how to use them (operations). I would target two primary types of companies.

First, I wanted to go to a top financial institution that had a massive cyber budget, a large team, and a reputation for innovation (Capital One). After that, my goal was to join a small Silicon Valley tech startup with a limited budget and build a cybersecurity team from scratch (Databricks).

Although it wasn’t part of my original plan, I also joined a fast-growing fintech company (Robinhood) during its transition from pre-IPO to post-IPO, where I faced the challenges of building and maturing a cybersecurity program. The theory is that whatever problems were the same across all of these organizations were the problems that needed to be solved.

Note: Databricks was a startup when I joined.

Side note: At the time I started this journey I recall feeling quite confident. I thought to myself, “I’ve been in security for a long time and founded and led multiple cyber companies — I’m well equipped to lead and understand cyber operations” — Oh, how naive I was. This is the equivalent of taking the CEO of a weapons manufacturing company and throwing them in the middle of a warzone with a knife. Note to others: being a CEO of a cyber company and being a CISO are EXTREMELY different — so different that the advice of one is barely relevant to the other.

Why Leave Now?

It’s been 5 years since I began this experiment, which started as a way to understand why organizations face breaches from simple issues. Throughout this time, I’ve dealt with hundreds of incidents and challenges. Now, I’m well-versed in the problems that can arise at nearly every stage, and I’ve documented all the painful issues that need solving based on my experience.

With this list of problems in hand, the next step is figuring out how to solve them. I’ve noticed that many issues on my list seemed unsolvable just 6 months ago, but with recent advances in AI, these problems are now solvable. AI is becoming the new cloud — just as AWS revolutionized infrastructure, OpenAI is transforming app development. The potential is limitless, and the technology is progressing so rapidly that even missing a few days puts you at a disadvantage. There’s no better time to dive in.

What’s Next?

Initially, I pursued a single idea, but as I delved deeper into the challenges facing our industry, I realized there are numerous opportunities for transformative change. This realization has led me to consider adopting an incubator-like model.

The goal is to proactively identify and assemble teams to tackle specific problems that I’m passionate about solving. This is not about funding other companies but about building those teams from scratch and driving them in the right direction. I’ve done this in a slightly different way with companies you may know of today (Eclypsium, JupiterOne, ProjectDiscovery).

I’ve still got a lot more relaxing and research to do, but I’m extremely excited about what’s coming next.

Lastly, I want to extend my heartfelt gratitude to everyone who has been a part of this operations journey with me. I’m especially grateful to my managers and peers — David Cook, Ali Ghodsi, Hatim Shafique, Rob Alexander, Tony Spinelli, and Vlad — who took a chance on me and demonstrated incredible patience along the way.

To my teams, I want to say a huge thank you for placing your trust in me and for being such an integral part of our collective success. Your outstanding work has truly made me look good, and I appreciate your patience with the never-ending stream of questions I always seem to have.

Thank you all for making this journey so rewarding and memorable.
