For the past three years, Nils Puhlmann was head of security for Zynga, the social games company that created mega-hits Farmville and Words With Friends.
Managing Zynga's converged security department was a challenging job that Puhlmann says has left him ready for a break. But don't expect him to be relaxing for too long. Puhlmann is also the co-founder of the Cloud Security Alliance (CSA), a community of over 33,000 security professionals worldwide that promotes the use of best practices for security in cloud computing. His work with CSA continues to evolve.
Puhlmann recently spoke with CSO about his plans for the next chapter of his career and what changes hed like to see the security industry adopt.
CSO: You recently left Zynga, where you had served as CSO since 2009. What are your plans now?
Nils Puhlmann: I don't have any specific plan at the moment, other than spending time with family. Helping to make a startup company successful and turn it into a public company from a security point of view is intense; it's a lot of work. The job had different challenges than working for a very established company.
I'll be letting things come toward me in the coming months and then decide what type of security I want to do next; where I want to apply my experience, knowledge and insight. Security is no longer clear-cut. It has different factors and aspects now. But I've been excited so far about all of the different opportunities that have already been sent to me since announcing that I was leaving Zynga.
[CSO resumes: 5 tips to make yours shine]
What lessons did you learn from your time at Zynga?
That's a loaded question. I have learned there is no such thing as "one size fits all" in security.
On the other hand, the principals and philosophies that we all learned growing up in the security industry are always valid. A lot of folks now enter the security space or take on more managerial oversight and responsibility. Flexibility and adjusting and adapting to different markets is what a company needs. But at the same time, sticking to what has worked for so long and figuring out what those things are --remembering that certain basic rules and philosophies or principles in security will never go away, and never should --is the balance everyone will have to find. That's going to be a challenge.
The new generation of security professionals might overemphasize change and flexibility and might not have enough years under their belts to have learned about these principles. Having both sides, making sure both ends of the spectrum are covered, is crucial. Flexibility is needed all around, but not flexibility that sacrifices security.
Talk about the security industry's next few years. Which trends or concerns are you keeping an eye on?
The next few years are going to be make-or-break for security. Either it will make itself heard --and heard not just for noise, but innovation --or it will be pushed aside. I think it's time for the industry to wake up. I haven't really seen it. Anyone who has been going to the same conferences year after year sees buzzwords each year, but it's mostly old technologies rebranded under new buzzwords or themes.
[See also: Stress and burnout in infosec careers]
There is cloud, compliance, mobility, to name a few. But the amount of true innovation that goes into these solutions is actually small compared to traditional tech. It forces the practitioners to fill the vacuum through creative work, and I don't think that's sustainable. So either that lack of innovation is addressed and fixed in the industry, or it becomes an afterthought as the pendulum swings from one side to the other.
It could create big issues. It could mean bad things happen around the world that impact business and consumer confidence. In the online and offline world, it can lead to a knee-jerk reaction because you can't force innovation, but you can force legislation. I always say that in the absence of innovation, there will be legislation, and that will force security to the forefront, but that's not an efficient place to be.
I see what is happening and it's worrisome, and it should be worrying everyone. I think it's up to everyone in the industry to change it --to stop the train and make it move in a different direction before it ends up in a place we don't want.
What else would you like to see change in security?
I think the organizational aspect of security is something that needs to be addressed. Every company is trying to come up with their own job architectures, trying to figure where to place security, what they should focus on and do. Security is actually the only profession inside most corporations that tries to solve that individually over and over again. At some point the industry needs to come up with a baseline and ask: What does good look like? What kinds of functions should be available in the company to really cover security well? Where should they be placed and what should they do?
I had a thought recently: At a company that has had a security executive for five years, how does the CEO of that company know the security program is running well? For every other profession, you have industry publications. There are other companies you can ask because there is enough comparative information. But because security is so individual and unique, it's hard to compare that. That shouldn't be the case. That makes it hard for any company, any board of directors, to assess what needs to be changed or fixed or adjusted.
In 2008 you co-founded the Cloud Security Alliance, a nonprofit information-sharing group. What are your plans for CSA?
CSA was such an innovative step that when it first started people said, "Great idea, but it won't go anywhere." Now it's globally available, there are lots of people as members actively contributing content and knowledge, which is exactly what we wanted.
We wanted to bring others together to share what works. That concept has worked well and has shown me there is a lot of combined knowledge in this industry, it just needs to be brought together with the right incentives and it will flourish.
CSA will continue to evolve to other areas that we feel need to be addressed, or that people need to be thinking about and sharing their experiences of what has worked, what hasn't, and make it better. So don't expect it just to be about cloud. There are other areas to address. We have already started a working group on mobile and mobility.