Profile: Dan Garcia, CISO, EnterpriseDB

VIEW DAN'S FULL PROFILE
VIEW FEATS OF STRENGTH MAGAZINE

Dan Garcia first became interested in information security over a decade ago when he attended an RSA conference as a collaboration architect. He explains, “I was trying to determine a way of measuring digital engagement between employees and departments, as a way of justifying and continuing investments in this area. At RSA, I attended a session about SIEMs that discussed the purpose of collecting telemetry on user behavior and system activity to be able to replay events in a way that helps the forensics process, which is core to incident response and security operations. When I looked at it from an analytical perspective, I realized that it could allow me to evaluate digital employee engagement, assess inter-departmental communication, and identify opportunities to drive employee retention.”

At the time, his organization was investing in a security analytics program that required a leader with a different mindset to approach the detection and response problem. He made the jump to security and decided early on not to specialize in one area in security, but to take a strategic view to his career progression in information security.

Dan has worked in engineering and architecture, core fundamentals of security. He says, “The security operations experience enabled me to understand how to detect and respond to events across the enterprise, while my risk management experience allowed me to make better investment decisions and to better communicate risk to business leaders. On the product side, my focus was on driving the roadmap and strategy that aligned with understanding customer needs and improving customer protection. This led to corporate development collaboration and M&A execution of targets that helped build a 6-billion-dollar business. It’s been a career evolution into different new areas of information security, where there’s always a lot to learn, and I worked never to stay stagnant in one area.”

Currently, Dan is two months into the CISO role at EnterpriseDB (EDB), a global software and services organization that enables businesses and governments to harness Postgres, the world’s leading open-source database.

RESPONSIBILITIES

Dan has three main areas of responsibility in his role. First is to ensure that security investments EDB makes in product and development help drive business growth, and that they are compliant with SOC2 industry requirements, with an eye on FedRAMP.
The second area of his responsibility looks at reducing information technology risks. This involves putting in place the people, process, and technology controls that help reduce the frequency of adverse events or reduce their impact if they occur. Lastly, he has a focus on customers, their needs around security and how that translates into the EDB Postgres product portfolio.
Underneath that, Dan manages standard security operations, incident response, and control engineering, as well as educating the stakeholders who own security objectives, as they need to be successful to support the overall program.

Dan’s top focus areas to continue to mature and improve the security program include establishing a unified control set across the company and establishing governance. He comments, “We will be focusing on building up our competencies in the security operations space to enable better incident response capabilities and to optimize the existing investments in the security stack. Additionally, we will be investing time and resources to put in place stronger device and identity management capabilities across the organization. This will involve pushing WebAuthN and adaptive authentication, establishing good network segmentation, and the operational ability to tie all these resources together with the right visibility into the activity within the environment.”

He continues, “We have made many investments in technology, and in the next 12 months we’ll be working on the integration and operationalization. I’m resisting the urge to rip and replace and focusing instead on the current portfolio of solutions to make them integrate really well, rather than trying to optimize one or two new tools. In the long run, this approach will lead to a better overall information security outcome across the organization.”

CLOUD TRANSFORMATION & SASE

As a traditionally on-premises software company, the cloud-based EDB BigAnimal product has gone to market with customers on the platform. Dan says initial investments have been made in EDB’s digital transformation journey, and they are focused on having security baked in from the start. He comments, “From a security perspective, this leaves me with the job of integrating the cloud capabilities with the corporate security stack and unifying the environment with a common set of controls. It’s important that our control framework supports the differences that exist in system architectures.”

From a Secure Access Service Edge (SASE) perspective, EDB has made investments in a market-leading platform that will support part of their secure computing environment for employees. Adding this to a strong endpoint management and identity strategy will build up their zero-trust principles with on-going micro-segmentation work being done within the cloud.

LEADERSHIP

Dan believes in being a strategic and structured leader who looks at company goals, establishes a vision that supports its growth, and aligns the work to the interests of the individuals on his team or on other teams. He says, “My leadership style is more about empowering individuals and allowing them to grow in the space where work needs to be done. If you can tap into your team members’ self-mastery, understand what they care about, give them work that aligns with their interests and freedom within a framework where they can operate, you generally get very good outcomes.”

A technologist at heart, Dan always seeks to understand new trends, architectures, and challenges. Working at a product company has opened up the need for him to be proficient in a number of new business domains such as product development, marketing, go-to-market, and speaking with customers about their needs. This makes his role more dynamic than traditional CISOs, where there is a need to have enough foundational knowledge in these domains in order to have the expected impact.
Dan concludes, “Learning how to translate information security to better support corporate development and drive business growth has been one of the most rewarding aspects of my career since jumping over from financial services.”