Utah’s Security Leaders: Trenton Bond, Head of Information Security at Pluralsight

Jason Wood
Published in Silicon Slopes
Oct 4, 2018
Trent Bond, Head of InfoSec at Pluralsight

Pluralsight has had an exciting year with a successful IPO in May and Pluralsight Live in August. Trent Bond was willing to sit down with me to discuss his thoughts on information security and how he approaches it at Pluralsight. Trent’s security career began deep in the network where he focused on network traffic and detecting malicious activity. Early in his career, he worked at IBM where he helped write IBM’s first network intrusion detection system. His work involved analyzing packets, checking the bits set in packet headers, and writing rules to flag hostile traffic. Things progressed from there as he worked as a security engineer, security architect, and now head of information security at Pluralsight.

Working at Pluralsight has been an exciting adventure for Trent. He was the first employee hired to be dedicated solely to security. As a result, he was able to build out the security program without the organization having an entrenched method of doing security. In fact, he noted that because Pluralsight is still a relatively young company, it was able to set up a very agile and responsive way of addressing security. While setting up a security program can be a daunting challenge, Trent stated that Pluralsight made the process much easier due to its culture and the strong support of the C-suite.

One of the things that have made security simpler for executives is that Trent translates security risk to business risk. For example, he stated that if he went to the executives and led off with a SQL injection flaw and where it exists in an app, he would be making it more difficult for the executives to make the right decision. Instead, he said that it is much more effective to say that there is a weakness that could lead to a large amount of data being accessed by an attacker, and then translate that into the financial costs associated with doing incident response and breach notification.

Trent also uses risk scores for various components of the business and trends them over time. As issues are resolved or as controls are implemented, those scores drop and provide a visual representation of the change. It’s something that is easy for everyone to grasp at a glance. Not only that, the executives are able to guide the security of Pluralsight using the scores. He cited the example of being asked what needed to be done to bring the risk score down in one area of the business. It has been an effective way to collaborate and gain the support of senior management for projects.

Involvement in security isn’t limited to infosec and the executive team at Pluralsight. Trent has worked to create an environment where it feels safe for his co-workers to participate in security. Safe in this context means that employees don’t have to worry about being berated for not knowing something already. Trent observed that developers already want to build secure and reliable applications, so he encourages that by demonstrating how applications can be attacked and what the impact is. Because Pluralsight developers work in pairs, this information spreads quickly. Trent states, “not only are they learning it themselves, but as they change pairing and develop together, they teach each other. Once they teach each other, it becomes part of their persona and who they are.”

Finally, I asked Trent how he keeps interested in his work and stays energized. “I like visiting with and talking with other technology leaders. It sounds kind of weird, but if I can get out to a conference or a meetup and talk to somebody what is a really hard problem they are dealing with. It’s where I get energy.” Working on personal projects on his own is also an excellent refresher. Trent still likes to get his hands on the keyboard and break out Wireshark to examine network traffic or do something on a Raspberry Pi. Building a little project and seeing it work is always a great boost. If you are at SAINTCON in Provo next week, keep an eye out for Trent and say hi. He’ll probably be lurking about.

Jason Wood

President of Paladin Security. Security professional, trainer, and consultant — paladinsec.com