![Dave Farrow: The guy that enabled the business. [Security leadership] [Career Notes] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/b5d7861a-d9d9-11ef-9635-83337cec5ef9/image/910aaf148c5fdf3b9f89208a91f19df4.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Loading summary
A
You're listening to the Cyberwire network powered by N2K. And now a message from our sponsor. Zscaler, the leader in cloud security Enterprises have spent billions of dollars on firewalls and VPNs. Yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface. Making apps and IPs invisible. Eliminating lateral movement. Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@zscaler.com Security.
B
I am Dave Farrow. I am a senior Director of Information Security at Barracuda Networks and I am responsible for their entire internal security program. At the end of high school, my father was into technology. He was an early adopter, which is odd because he was in human relations HR all of his life and he had this Kaypro and he kept trying to get me to play with this Kaypro computer that he had and I wanted nothing to do with it. He thought he might lure me in with a Commodore 64 and I preferred to surf and ride my bike around Southern California. It wasn't until I spent a quarter at college doing a non techn. Non engineering course of study that I realized that I didn't, I didn't like that, that I really wanted something more concrete. And at that point I picked up and started studying electrical engineering. I chose electrical engineering because at that point I'd had a couple of classes in, you know, the prerequisite classes in physics and whatnot and all of the mechanical stuff sort of made logical sense to me. And I thought, I'm going to go with electrical because it makes absolutely no sense to me. And if I'm going to pay for this or my parents are going to, you know, put me through this, I should at least learn something that I couldn't learn on my own. And so I chose something that made no sense to me at all. You know, it's funny because, you know, my life is filled with doing a bunch of things I never said I would do. I swore I would never do software because at least in the electrical engineering school at Berkeley, there was this snobbery that said the only people that were in software were people that couldn't make it through the EE program. And it's funny because as soon as I graduated, I had an offer from an old aerospace company that's gone now called TRW that said, hey, we'll pay you to learn software. And something tickled in the back of my mind saying, this is an offer that you probably shouldn't refuse. And once I actually got into writing software, I just fell in love with it and realized that that snobbery was just that it was snobbery and I almost missed something great. I got into development, like I said, in aerospace. A couple years into that, I went out on my own as a contractor and did contract gigs in a lot of different industries, from telecom to data warehouses. Around the time that the dot com bubble burst back in about 2000, I had a contract that was winding up. Long story short, I ended up finding a contract gig in Fresno, California, which might be the least technically oriented city in California, actually. I did software architecture for probably the first 15 years of my career and then moved into building and developing teams. I was looking around for how else I could meaningfully contribute to Barracuda and just sort of backed my way into the security role. At that time, one of our lead architects on the email security team had been managing our privately run bug bounty programs. And so I offered to take on that job just so that this architect could focus on developing the product that he was the lead for. And that sort of blossomed into an internal security team over the course of the next couple of years. We do vulnerability management, network scans, logging and monitoring. We do incident response. And when I'm not supporting the teams that are doing those things, a lot of my time is spent in defining our security policies and communicating those with the rest of the company and really sort of communicating the good work that the team is doing to the leadership of the rest of the organizations. The people that we talk to are working in this space on a regular basis. You still have challenges because a team that does email security may not be as well versed in the nuances of network vulnerabilities, and a firewall team may not be versed in the nuances of web application vulnerabilities. The challenges that we run into are the challenges that I think everybody runs into, which is that I think that the real challenge in security is when you're Trying to interact with the business is recognizing that there are other threats to the business besides cybersecurity threats and being able to become part of the risk management conversation. If the security guy rolls in and says everything has to be fixed, you're going to take away resources that you might, that might cost you opportunities in the future. I think that's a problem that all of us in the security industry have to recognize, is that we're part of the economic strategy of the company. You're going to apply different security controls if you're worried about cyber vandals than you will if you're worried about nation states. Right? But the fear is that if I don't tell you about every single possible exploit that a nation state might throw at you if you get hacked, you might come back to me as a security guy and say, hey, what did you, what did you miss? It's a real challenge to correctly align the, the investment in security with the threat that you're protecting against. I hope to be remembered as the security guy that understood that cybersecurity threats were not the only threat that a business supposed. You know, I, I have stuck in my mind because I spent so many years as a developer. My picture of the security guy was that he was the guy that was always saying, no. And I want to be remembered as the guy that said, yes, we can do that if we do it in this responsible way.
A
Foreign cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with Threat Locker, the cybersecurity solution trusted by businesses worldwide. Threat Locker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Title: Dave Farrow: The Guy That Enabled the Business
Host/Author: N2K Networks
Release Date: January 26, 2025
In this episode of CyberWire Daily, host N2K Networks engages in an insightful conversation with Dave Farrow, Senior Director of Information Security at Barracuda Networks. The discussion delves into Farrow's career trajectory, his approach to security leadership, and the intricate balance between cybersecurity and overall business strategy.
Timestamp: [01:31]
Dave Farrow begins by sharing his unconventional entry into the field of technology. Contrary to initial expectations, Farrow's journey was not a straightforward path into cybersecurity.
Early Disinterest in Technology:
"At the end of high school, my father was into technology... I wanted nothing to do with it." ([01:31])
Academic Shift:
Farrow recounts his transition from a non-technical college course to electrical engineering. His decision was driven by a desire to study something concrete and challenging.
"I chose electrical engineering because it makes absolutely no sense to me... something I couldn't learn on my own." ([02:10])
Embracing Software Development:
Despite initial reluctance and prevailing snobbery against software in an electrical engineering program, Farrow embraced software development at TRW, an aerospace company.
"I just fell in love with it and realized that that snobbery was just that it was snobbery." ([03:45])
Timestamp: [04:20]
After spending the first 15 years of his career in software architecture across various industries, including telecom and data warehouses, Farrow sought a more meaningful contribution to Barracuda Networks.
Pivot to Security:
Farrow describes how he initially took on the role of managing the company's bug bounty programs to support the email security team. This role organically expanded into leading the internal security team.
"I offered to take on that job... and that sort of blossomed into an internal security team." ([05:00])
Responsibilities:
His team handles vulnerability management, network scans, logging and monitoring, and incident response. Additionally, Farrow focuses on defining security policies and communicating the team's achievements to company leadership.
"A lot of my time is spent in defining our security policies and communicating those with the rest of the company." ([06:15])
Timestamp: [06:45]
Farrow emphasizes the importance of integrating security within the broader business strategy rather than viewing it in isolation.
Balancing Security and Business Needs:
"The real challenge in security is... recognizing that there are other threats to the business besides cybersecurity threats and being able to become part of the risk management conversation." ([07:00])
Economic Strategy Integration:
He advocates for aligning security investments with the specific threats a business faces, whether from cyber vandals or nation-state actors.
"We're part of the economic strategy of the company... apply different security controls if you're worried about cyber vandals than you will if you're worried about nation states." ([07:30])
Positive Security Culture:
Farrow aspires to be remembered not as the traditional "no" security guy but as someone who facilitates business objectives responsibly.
"I want to be remembered as the guy that said, yes, we can do that if we do it in this responsible way." ([07:55])
Timestamp: [08:00]
Farrow outlines common challenges faced in the cybersecurity sector, particularly the need for specialized knowledge across different security domains.
Specialization Gaps:
"A team that does email security may not be as well versed in the nuances of network vulnerabilities, and a firewall team may not be versed in the nuances of web application vulnerabilities." ([08:05])
Aligning Security with Business Goals:
Ensuring that security measures support rather than hinder business growth is a persistent challenge.
"If the security guy rolls in and says everything has to be fixed, you're going to take away resources that might cost you opportunities in the future." ([08:20])
Dave Farrow's narrative underscores the pivotal role of security leaders in bridging the gap between robust cybersecurity measures and overarching business objectives. His approach highlights the necessity of flexibility, communication, and strategic alignment in fostering a secure and prosperous organizational environment.
"I chose electrical engineering because it makes absolutely no sense to me... something I couldn't learn on my own." — Dave Farrow ([02:10])
"I just fell in love with it and realized that that snobbery was just that it was snobbery." — Dave Farrow ([03:45])
"The real challenge in security is... recognizing that there are other threats to the business besides cybersecurity threats and being able to become part of the risk management conversation." — Dave Farrow ([07:00])
"I want to be remembered as the guy that said, yes, we can do that if we do it in this responsible way." — Dave Farrow ([07:55])
This episode provides valuable insights into the evolving role of security leaders and the importance of integrating cybersecurity within the broader business framework. Dave Farrow's experiences and philosophies offer a roadmap for aspiring security professionals aiming to make meaningful contributions to their organizations.