Profile: Stacy Williams, CISO, Zappos


Stacy Williams’ 29+ year tenure in information security began at a telephone company, where he was first exposed to IT security during the organization’s large-scale migration from mainframe systems to distributed client-server systems. Williams took on the responsibility of setting up controls and boundaries around what people could and couldn’t do, and what they should and shouldn’t have access to.

After working across many verticals, including information security roles at JP Morgan, a U.S. Department of Energy national laboratory, and Sears, Williams sought a new vertical to explore, which led him to Boyd Gaming in Las Vegas. He saw this vertical as a challenge and took a leap, moving from Chicago to Las Vegas for the role.

While living in Las Vegas, the opportunity of being the new CISO at Zappos was brought to Williams. He explains, “I had an opportunity to get to meet and know both CISO predecessors at Zappos that sat in the seat before I did. The one before me, she had reached out and told me she was leaving and was tagged with finding her replacement and she thought that I would be a really good fit. She thought that my personality would fit within the management style that Zappos practices. And I looked into it and had some conversations with some folks and I saw that as another challenge, another opportunity to do something that I hadn’t done before, learn a different vertical and hopefully bring something to the organization that they didn’t have or hadn’t had in any of their previous people that had sat in the seat.”

During this process, Williams had conversations with other members of the Zappos team and researched Zappos’ Holacracy management approach. Holacracy is a method of decentralized management and organizational governance in which authority and decision-making are distributed throughout a holarchy of self-organizing teams rather than being vested in a management hierarchy, something that piqued Williams’ interest.

Williams says, “I love the environment. It’s different from the standpoint of a traditional corporate environment where you have that top down management approach. Within our current environment, things are a bit different with everyone being self-managed under the Holacracy structure. I can’t directly go to someone and say, you need to fix this and fix this now because they have a set of priorities that they’re working on, and their priorities don’t always align directly with mine. I’d actually have to go through the process of not necessarily negotiating, but explaining to people why they need to care about things at the same level as I do. I can tell you one of the things that has definitely increased for me are my negotiation skills, just from the standpoint of being able to convince others that, hey, you need to care about this as much as I do. We probably need to put a plan in place to fix this sooner than later.”

For Williams and his security program, remaining proactive requires identifying tools or technologies that keep them one step ahead and open up more avenues for a layered security approach. He says, “Those things will give us the ability to have greater insight quicker. For our environment, we may have 25 tools in our toolkit, and understanding that each one of those individually was intended to provide a certain level of protection or do certain things in our environment.”

Validating that the tools in their environment are functioning as intended is key for Williams to be proactive, and he measures this through a recurring audit. He comments, “We must validate that if we bought a particular endpoint protection tool to protect our endpoints, it is working closely enough with other tools that we have in our environment. We ask ourselves if it is providing us the level of protection that we thought when we invested in it or when we were sold it. Having some way to effectively measure that and then do that on a routine basis is important. But then also, if you find that the tool isn’t quite hitting the mark, you have to be able to assess that, identify it, and then go back to the manufacturer to make them aware of the fact that we were told that this tool would be able to do X and it’s not.”

Furthermore, Williams believes in making himself visible and keeping open lines of communication with the other C-level executives in the organization, in order to think strategically and create ties between security and the business. He relies on understanding exactly what other executives’ objectives are, in terms of their priorities and the missions they operate on, so that he can help them achieve their goals.

Williams says time is one of the biggest challenges in trying to accomplish strategic goals. He says, “We are always trying to keep up with the business and be in the best position possible to support goals and initiatives that the business is looking to engage in. So that’s always a big issue for us as we’re looking at tools and technologies; we’d like to take our time and go through them to make sure that we can identify the best number of use cases for a particular tool. We don’t always have the luxury of time and being able to give the level of review that we would really like to. But we try to put our best effort forward in doing so and making sound decisions.”

People, process, and technology are how he approaches this challenge. Having the right people is the first component of ensuring the team is doing the right thing by the organization; this includes identifying good talent and trying to attract and retain strong security-minded people. Having sound processes is the second, and helps minimize the problems many organizations face on a regular basis. He explains, “If we have really good people, if we have really sound processes, then technology is third on the list. If you have those first two and it’s really solid, I don’t want to say you can take any technology and put it in place and it will work for you, but I think it makes the technology decision a little easier to overcome because you’ve got really good people that will be running the technology. You’ve got sound processes in place to kind of check the bounds of those technologies and investments. The technology is important, but having those first two pieces in place makes the technology decision a lot easier to make.”

“I’m not a micromanager at all. Our Holacracy management style doesn’t provide for that. I believe in giving my team the opportunity to exhibit and show the strengths that they bring to the table. I’m not the manager that’ll have someone go in and write and develop a PowerPoint presentation or put together a Word doc that describes a process and then I take it forward and show it to leadership and to our board. That’s not me. I will bring my subject experts into a meeting and give them an opportunity to explain things that they know and understand, and it gives them the ability to be comfortable with speaking in that forum.
The culture at Zappos is unlike anything I’ve seen and that helps a lot in attracting talent. A lot of people are interested in joining Zappos both because of the culture and what they’ve heard about us. We try to sell the fact that we live in an area where there’s no state income tax and the housing market is reasonable here. There are a lot of things that give us the ability to attract talent. Showing that we’re willing to invest in our people by paying for certifications, paying for continued education, those kinds of things go a long way in helping us attract and retain good people.”
