Utah’s Security Leaders: Brandon Greenwood, VP Of Information Security At Overstock

By Jason Wood. Published in Silicon Slopes, Sep 13, 2018.

Utah’s vibrant and growing technology community has given rise to an impressive landscape of startups and well-established companies. New services and apps are being released to improve businesses, address consumer needs, and try to make life better. The problem that all of these companies face is that their services are online in a hostile environment. Criminals have long since turned to the internet as a source of ill-gotten gains. Fortunately, Utah has a talented pool of security leaders and technologists working to protect the Silicon Slopes.

I’ve started doing a series of interviews with the security leaders working at some well-known companies here in Utah. Who are these people and how did they reach their current positions? What are their methods for protecting their organizations? What issues do they see on the horizon? These are some of the questions I’ve been asking as we talked about their backgrounds and approaches to security.

Brandon Greenwood — VP of Information Security, Overstock.com

I met Brandon Greenwood not long after I moved to Utah, and he is one of our security leaders here. Last month Brandon was promoted from Senior Director to Vice President of Information Security at Overstock.com. He has always had an interest in security and started out working as a network administrator. After the events of September 11, 2001, his employer started focusing more on information security and Brandon volunteered to help in those efforts. His security career moved on from there, and now he is responsible for heading up security at Overstock.

One of the interesting comments that he made during our conversation was the need for security leaders to translate security risks to business risks. For example, instead of talking about denial of service attacks, convert that into terms of availability. What is the probability of a system going down and how much does it cost when it does? The risks of denial of service attacks can be addressed by efforts to improve availability. One of his comments was, “Business does not exist to support security. Security exists to support the business. That is the way it should be done.”

Brandon’s overall approach is to work with the different teams in Overstock to improve security. Instead of trying to lay down the law, his preference is to understand where the various teams are coming from and use their terminology when speaking with them. One of his examples was that you never know when the other person will bring up something that you weren’t aware of, which addresses your original concern. In particular, he prefers to “make allies, not adversaries.”

One of the challenges that he sees as clearly present in technology and security is the pace that business moves now. In the past, it took significant time to acquire new hardware, stand up new servers, and deploy applications. Now, this happens rapidly and at a scale that can’t be readily done in an on-premise data center. Security needs to apply effective practices to cloud computing and make them scale. In this world, it means working well with DevOps and not introducing friction.

I asked Brandon about how he goes about recharging and relaxing. Reading was one of the things he brought up as a significant benefit. He is currently reading several books on risk management, such as “Measuring and Managing Information Risk: A FAIR Approach” and “The Failure of Risk Management: Why It’s Broken and How to Fix It.” In the past, his reading was more technical but now is much more business-centric. The transition from technology to business is challenging, but one that Brandon has found to be very rewarding.

As we wrapped up our conversation, Brandon mentioned that he would be at SANS Network Security 2018 in Las Vegas this month. If you find yourself out that way, give him a shout. He’s more than happy to meet up and talk shop with you.

Jason Wood

President of Paladin Security. Security professional, trainer, and consultant — paladinsec.com