Maarten Van Horenbeeck was inspired by a movie – he watched WarGames as a child. He became fascinated by the potential of interconnected, communicating computers and the security issues that come with them.
“Deep inside, I immediately felt this is what I would do,” he said, “it really motivated me. When I got a bit older, I realized there’s a whole community of people finding and exploiting security bugs, and another community finding and fixing them. It just drew me in. and I’ve never really done anything else since I started my very first job.”
Van Horenbeeck’s first role was a technical writer for an early security website. “I wrote articles about security vulnerabilities and security issues, and I published them on the website. It was a great way to get into security, because I had so much exposure to all these things that were happening. I wasn’t an expert, but I had to study them to be able to write about them.”
It was this self-taught knowledge, desire, and experience rather than any academic qualifications that opened the door to a career in security. That career came to include some of the biggest companies in tech: Verizon, Microsoft, Google, Amazon, Zendesk, and now SVP and CSO at Adobe.
Leadership was also self-taught. “I was actually quite shy when I was young; not loud or outspoken in any way.” But security is about teamwork, and he quickly learned that harnessing the power of a team provided the outcomes he wanted to achieve. Leading that team was the best way to succeed.
“In one of my first roles, I became the manager of the SOC. But as much as I liked doing the technical work, there were always people around me who were just better and had better ideas on how to solve specific technical issues. I realized that when you can build a team and have the freedom to go look for people with different perspectives and different approaches, and you can bring them together, you can do far more in the world than if you try to be the expert at every single thing.”
Leadership was not the objective, but it was a tool to become better, and he taught himself how to do it. “You learn how to be a leader. You make mistakes, you make some errors. People give you feedback, and over time, you refine your approach. Leadership is a continuous journey. I make mistakes every single day, and when I’m lucky, people tell me. Then I can learn and become a better leader.”
His career path was forged with such on-the-job learning, but perhaps solidified by later personal academic improvement. “I didn’t have a university degree when I started working. I did security work for about seven years before I realized it would be good for me to get a degree – so I went back to school and got a degree in information security.”
As time passed, he realized that a second interest he had was becoming increasingly important to security: public policy. “So, I went back to school again and got another degree in International Relations.” The global nature of security and the increasing influence of geopolitics suggest this was a good decision. But he wasn’t finished. “Throughout my career I have also looked for opportunities to increase my technical knowledge – for example, I took a series of SANS courses which both improved my networking and expanded my skillset in areas like forensics and intrusion detection and so on.”
Our key learning here is that you don’t need to have academic training to get started on a successful career in cybersecurity provided you have that initial desire and then a continuing willingness for self-improvement.
We discussed Van Horenbeeck’s approach to some of the key concerns facing CISOs today: the skills gap, the digital divide, and the introduction of artificial intelligence.
The skills gap
The skills gap is a controversial subject. There is little doubt that companies struggle to fill security roles. But the often quoted figures that attempt to quantify the skills gap are difficult to believe.
“The quoted numbers are hard to validate,” agreed Van Horenbeeck; “but there is merit to the basic idea that it is difficult to fill all the security vacancies.” However, he doesn’t think of the problem as a ‘skills gap’, but rather an ‘opportunity gap’.
“I think there’s an opportunity problem for people that are starting out in cybersecurity to find their way into the cybersecurity community. When I started in the early 2000s, I joined with relatively little experience, but a lot of motivation, and I got the opportunity to do a lot of different things. One day I was asked to configure a firewall, the next day, I was asked to do a forensic investigation, the next day, I was helping a customer build a threat model for what it was developing. And it was a really great opportunity to learn very, very quickly.”
He doesn’t believe the same opportunities exist today. “I think it is now much harder for new people, new entrants, to find their way into the cybersecurity community.” So, his approach to solving the skills gap is to increase opportunity – on a global scale including but not limited to Adobe. Within Adobe, he focuses on an internship program. “Every year we take in new entrants in the cybersecurity community from various colleges to join our team and learn what it means to operate in a security organization.”
Outside of Adobe, he collaborates with different organizations that also seek to expand security career opportunities. One example is BlackGirlsHack, a non-profit organization that helps bridge the gap between education and security skills. “We do our best to provide funding, training, and the availability of our staff to help these organizations,” he explained.
Another example is the CyberPeace Institute based in Switzerland. It matches experienced staffers from larger organizations with non-profits and NGOs that have a need for cybersecurity expertise, but not the funding to buy in a full-time specialist or consultant. “Our staff provide pro bono work through the Institute so that the smaller organizations can learn from their expertise.”
Van Horenbeeck accepts there is a skills gap, but lays much of the blame on opportunities. “I think it’s up to us as cybersecurity leaders to provide opportunities for people to bridge that opportunity gap – which is much wider today than it was 20 years ago – to enter the cybersecurity community or simply widen their skills within that community.”
The digital divide
The digital divide is simple to understand but complex to solve. Fundamentally, it separates those who have access to cyber and cyber knowledge from those who do not. There are areas of the world and socio-economic groups or demographics who have little or very limited access to the internet, and consequently very little awareness of cybersecurity.
But cyber and cyber threats are worldwide; and technology is increasingly integrated and interconnected globally. “Cyber issues emanating from the digital divide don’t just play out far away from our homes – they play out very close to our homes as well,” warns Van Horenbeeck. “There’s a huge divide between people who know, for example, not to reuse passwords, to use multi factor authentication, and those individuals that have none of that experience at all.” In effect the digital divide creates a largely invisible and unseen threat surface for the long-connected world.
He believes that technology companies can play a part in solving this problem by making cybersecurity features easy to understand and use. and cites two examples of the Adobe approach. “We invested, for example, in support for passkeys because we feel it’s a more effective and easier method of authentication that is also more secure.”
The second approach is to make the fruits of his own security team freely available to others. He believes that global security is best achieved when security knowledge and practices are freely shared. “So, we spend a lot of time working to open source some of the practices that we have. A good example is our Common Controls Framework. It’s essentially a mapping of different compliance frameworks to a set of security controls that organizations can apply in their business, making it much easier for them to achieve compliance within a significantly widening set of regulatory requirements.”
He believes, “By making security easier to use, whether it’s for individuals or for partners and peers, by sharing these practices, I think we get a better community – that we get an internet that’s more trustworthy for everyone. That’s really a big goal for us.”
Artificial intelligence
A CISO’s responsibility goes beyond defending the company’s IT infrastructure and ensuring its ongoing profitability – it extends into the security of apps developed, whether they are for own use or sale to customers and third parties. Artificial intelligence offers insight into this side of the CISO role since it is a new technology being widely adopted. Many firms are grappling with the need or choice to develop AI-based products for sale and/or AI-assisted services for in-house use. We asked Van Horenbeeck how he approaches this task.
“The way we think about any new innovation, and AI is just one example,” he said, “is that we need to build security from the bottom up and then ongoing.” This basically falls into two phases: ensuring security by design and ensuring security in use.
“We always start with threat modeling. Our engineering teams think about the different threats that may affect a particular product. They essentially break down the product into different data stores and services and analyze how they communicate and what information they exchange – and they think through what threats could arise in these different transitions between the components, and how those threats could be mitigated.”
The aim is to provide a solid baseline for the product – but this is just the first phase. The second phase is to ensure the app can withstand adversarial attacks when in use. This is effectively ongoing development and has three prongs: pentesting, red teaming, and bug bounties.
“We have an internal pentesting team. It tests the app against the threat model we developed in the first phase, but also uses its own expertise plus knowledge drawn from what it sees in academia (important for a new technology like artificial intelligence).”
The second prong is red teaming. While pentesting may look for vulnerabilities, the red team explores the potential of those vulnerabilities, by examining how they could be used within the app rather than simply getting into the app. “Combined pentesting and red teaming,” said Van Horenbeeck, “is really about finding one way in, and then going as deep as possible to test the effectiveness of having defense in depth security controls.”
The final prong is bug bounties. “This is the way to get different perspectives,” he said. “When you hire a new security engineer, from day one that person starts thinking more and more like you do; new employees start to adjust their own thought processes on opportunities and weaknesses and threats to what they see within the organization. So, it’s important we continue to engage with security researchers from outside the company who have completely different ways of thinking and new approaches to attacking. We see a well-run bug bounty program as a critical way for us to engage those outside communities and get them tied into what we do.”
In short, Van Horenbeeck’s approach to new app security is firstly security by design and development, and then ongoing security maintenance through pentesting, red teaming and bug bounties.
The best career advice Van Horenbeeck ever received concerned personal networking. “At a security conference, a colleague – who was a brilliant networker – encouraged me to approach people I didn’t know rather than hang out with people I did know,” he explained.
“Few things are more important than the network you build. In security we all face the same issues. Having the ability to share our concerns with others, and learn from each other’s experiences, is crucial to feeling supported and building a happy and healthy career in cybersecurity.”
“The advice I give to my own team,” he continued, “is to accept challenging tasks. When you’re asked to solve a new and novel problem, say ‘yes’ as often as you can. Learning how to solve problems and how to approach new issues, when the path is unclear to many other people, is a really great opportunity to broaden your skills and horizon.”
“One threat I think about is the deepening integration of various technology products throughout the industry,” he said. “Few software products stand alone today. Most of them integrate with other products, whether in the cloud, or on prem. We’re all becoming more reliant on each other. If one application is compromised, it can impact the data another one relies upon”
The threat is global complexity, but he remains an optimist. “This future of interconnection also offers opportunities. For instance, if one application hosts critical data, but relies on another application to authenticate its users, perhaps the data-hosting app can alert the authentication service when it notices suspicious data access patterns. If so, the authenticator can take action to protect other services too.”
He is specifically referencing the Shared Signals Framework, but adds, “There are many other ways security can benefit from interconnection.” In this sense, Maarten Van Horenbeeck’s journey has come full circle. He was inspired into cybersecurity by a movie about bad hacking threatening society yet being saved by good hacking. Nothing much has changed in his outlook: bad hackers are still threatening society as we know it, but they can still be neutralized by good hackers.
Related: CISO Conversations: Julien Soriano (Box) and Chris Peake (Smartsheet)
Related: CISO Conversations: Jaya Baloo From Rapid7 and Jonathan Trull From Qualys
Related: CISO Conversations: Frank Kim (YL Ventures) and Charles Blauner (Team8)
Related: CISO Conversations: LinkedIn’s Geoff Belknap and Meta’s Guy Rosen
