Stephen A. Ridley


“I've only learned recently that it has become really valuable for me to give myself time to allow the creative process to happen.”

Twitter: @s7ephen
Website: about.me/s7ephen

Stephen A. Ridley is a security researcher with more than 15 years of experience in software development, software security, and reverse engineering. Within the last few years, he has presented his research and spoken about reverse engineering and software security research on every continent except Antarctica. Stephen and his work have been featured on NPR and NBC and in The Wall Street Journal, The New York Times, Wired, The Washington Post, Fast Company, VentureBeat, Slashdot, The Register, and other publications.

Stephen has authored a number of information security articles and co-written several texts, the most recent of which is Android Hacker's Handbook, published by John Wiley & Sons. Stephen has guest lectured at NYU, Rensselaer Polytechnic Institute (RPI), Dartmouth, and other universities on the subjects of software exploitation and reverse engineering.

In late 2019, Stephen became adjunct professor of Hardware & Software Exploitation at the NYU Tandon School of Engineering in New York, an NSA Center of Academic Excellence in Cyber Operations. Stephen has served on the program/review committees of USENIX WOOT, Securing Smart Cities, BuildItSecure.ly, and others. Stephen also serves on the board of IndySci.org, a California nonprofit devoted to making “open source” pharmaceuticals a reality.

Do you believe there is a massive shortage of career cybersecurity professionals?

This is really a tough one. I go back and forth on this. Companies and governments definitely need higher-quality cybersecurity professionals, but I sometimes wonder where that demand is coming from. I am sure there was a healthy demand for talented farriers (the people who make horseshoes) right up to a time when the first automobiles were being delivered to early adopters.

In a lot of organizations, the status quo is to just throw money and bodies at a problem, but this doesn't necessarily mean that the problem demands either of those…the problem may just need clever solutions. Clever solutions come from really passionate (and/or smart) people creating things. I'm not really sure if we need more cybersecurity professionals or just more of the existing professionals focusing on creating solutions.

Social media certainly isn't helping. It rewards people who haven't actually done “the things.” It rewards people who say they have done “the things.” This is an epidemic for a number of industries, InfoSec included. It is unfortunate because if the skills gap and the shortage are in fact real, then they come at a time when the supply of competent people is also actually a bit diluted with noise.

What's the most important decision you've made or action you've taken related to a business risk?

I am technical, and I like creating things. So most of the recent business risks I have had to take in the last few years (as a founder) have mostly involved trying to balance two things: running the business and finding time to be creative and focus on the very projects (and “art”) that created the business to begin with. The hardest part for me about this balancing process is that oftentimes the creative process actually includes things like procrastination and boredom, but I'm conditioned to believe that “downtime” like that is actually counterproductive. I've only learned recently that it has become really valuable for me to give myself time to allow the creative process to happen. This includes allowing myself to “play” around on the computer by doing small technical things that may not have a direct line to the task. It is often during these moments that the epiphany comes about how to leapfrog to your mission objective.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

Hard decisions are hard. Perhaps the hardest thing about hard decisions is that you can't hide from them. You can't delegate them away. You can't procrastinate them. Jeff Bezos has a great quote about this: “Stress primarily comes from not taking action over something you can have some control over.” This (I think) is also why hard decisions are so stressful. While you are deliberating, the clock is ticking, and you still haven't taken action. Finally, I think the worst thing about hard decisions is that they isolate you. And this is where things can get negative. It is very easy to begin spiraling once you are stressed and struggling with something that keeps you isolated. So, the best thing I have learned to do is to have great advisers, friends, and colleagues I can safely share things with to help me work through.

What's something that you struggle with as a leader and how do you overcome that?

Acting as CEO of a venture-backed technology startup was the biggest challenge of my career (and my life of recent memory). I struggled a lot with intentionally taking the time to do the kinds of things that rejuvenate me professionally (research, development, tinkering, etc.). These things seemed less relevant to the immediate needs of the startup, so I triaged them away, but what I didn't take into consideration was how those very things stoked my optimism. They kept me engaged in the subject matter. Without that time to “play,” I was grinding metal-on-metal without any lubrication.

How do you lead your team to execute and get results?

I was fortunate that my most recent team and those of the past were technical. Furthermore, I was fortunate that all my colleagues somewhat respected my abilities. This made my job easier. What I really struggled with was working with team members who weren't “my people.” It is easy to get along with people who come from the same “tribe” (similar humor, understanding, worldview), but I had to learn a bit about how to work with people outside my tribe. That was difficult, and I am still learning.

Do you have a workforce philosophy or unique approach to talent acquisition?

I believe that if you treat people like adults, you'll have the best results. I tend to not micromanage, or “hover.” I prefer to treat team members like equals. I think this is because most of my career I have worked in “think tank,” “skunkworks” teams that are small but highly skilled and specialized. So, I prefer to just review the objective with everyone, make sure they have what they need, and then let them get to work. But, that said, the hardest part of doing things this way is that you have to get very good at firing at the first sign that your style is being taken advantage of. I have historically not been good at this and had people take severe advantage of this. It is always extremely disappointing when you realize that people are taking advantage of the freedom you yourself would want to be given in the workplace.

Have you created a cohesive strategy for your information security program or business unit?

I hail from the R&D side of InfoSec, so the hammer doesn't fall on me for these kinds of things.

That said, as a consultant, I often helped companies fix or architect away these things. The three most important things in that capacity seem to be competence, situational awareness, and boldness. You need at least one person in a position of prominence who is deeply competent but also situationally aware enough to see when things are off course. They also need to be bold enough to say something about it and use their competence to suggest a solution. Every organization is different, but as a consultant, where I saw the healthiest programs was where there was a person of prominence with those three characteristics…and also where this role was mostly “left alone” and not so mired with day-to-day operations that their heads-up situational awareness subsequently suffered.

What are your communication tips for interacting with executive leadership?

This is an interesting one. I don't know how to articulate the nugget at the root of my answer to this question, so I will beat around the bush…Miyamoto Musashi is the author of a book called The Book of the Five Rings. Musashi was the self-taught swordsman who eschewed formal swordsmanship and pioneered his own style. He traveled around Japan defeating the masters of each prestigious school of swordsmanship in duels to the death. To add insult to injury, he won all those duels using wooden practice swords against his opponents' priceless razor-sharp steel.

I can't articulate what I mean, so I offer this: communicating with competent and high-quality executive leadership is what I imagine swordsman duels to be like. No frills. Concise, sharp, and straight to the point. But you also don't need fancy sword lessons or expensive swords to be a great swordsman.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

I actually learned this by observing one of my advisers. Whenever interacting with him, I noticed I always felt like he was “sneaking away” to give me more time than he gave everyone else. He always made time for me. Then I realized that it was virtually impossible that he was giving just me so much time; he just had a magic way of making people feel as though he was giving them this time. Ever since I started trying to model my interactions with people based on his ways, my work and personal relationships improved quite a bit.

Have you encountered challenges collaborating with revenue-generating teams like sales and product development?

This actually harkens back to my earlier point about “different tribes.” It can be easy to interact with people from the same “tribe,” but for an organization to succeed, it (much like a biological organism) needs to have different parts that specialize in different things. The mistake I made as a founder was assuming that “sales guys” had to be from a different “tribe.” In reality, this is not true. You can find “your people” in a whole series of disciplines. The challenging part (especially for a startup and a founder) is finding those people in a timely fashion. This latter point I can't recommend anything for…I still struggle with this.

Have you encountered challenges collaborating with technology teams like information technology and software development?

Many years ago as a mid-20-something researcher at McAfee, I sat in the office of the CTO.

When not auditing the code of all the McAfee products with my research partners, Mark Dowd and Brandon Edwards, I had to advise the CTO on technical due diligence for acquisitions. So I had to interface with a lot of different parts of the organization within McAfee and without. Even at an InfoSec company like McAfee, security can be high friction to the needs of the organization. For example, at best, code auditors can only slow things down and deliver bad news.

So I think I learned the most about how to handle this when I was building a team at my startup. Information security is actually quite a bit more multidisciplinary than many may give it credit for.

There are so many great specialties within InfoSec that can be leveraged to interface (as an InfoSec company) with the real world. For example, the social engineering InfoSec types may make great salespeople. The extraverted “con scene” kind of people make really good sales engineers, consultants, and customer-facing subject-matter experts. Researchers can do everything from being content marketing engineers (blogposts, videos, published research) to VP of engineering, VP of research, or VP of product. Within InfoSec alone, we actually have a wealth of diverse personalities and disciplines to pull from.

Also, at the end of the day, smart people can do whatever they set their minds to, so never underestimate what smart members of your team can do.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

I am actually a reluctant leader, so I may not be the best person to ask this question. I didn't ever want to start companies or lead anyone. I just wanted to do “the thing,” and starting a company or rallying a group of people to help out was the only way to do it at any appreciable scale. So, I cannot recommend any great books about leadership, since I never really sought it or studied up on it. I think if I had to summarize the single most influential advice I have ever read on the topic, it was a quote that said: “Never send someone to charge over a hill you wouldn't yourself charge over.” I think the kind of people who are worth working with are also the kind of people who don't seek to be led. They just follow their minds and their hearts to work on something that they deem of value. In that way, you are all working collaboratively on the same effort, and they “follow” you simply because you started marching toward the objective first, and they trust you not to send them on a fool's errand.
