For the past 20 years, Justin Dolly, new Chief Security Officer at Sauce Labs, has been leading security at public and private companies. He’s enjoyed his work. “I’ve really enjoyed it because no two days are ever the same. I’ve been doing this for a long time, and I’ve never had the same day twice.”
Dolly began his security career in the late 1990s, working at Wells Fargo as a network engineer. “Back then, network was where a lot of security lived,” Dolly explains. “It was about firewalls, VPN devices, network perimeters, circuits in data centers. It was very traditional in nature – vastly different from today’s landscape.”
Inevitably, Dolly says, he was pulled into many different security conversations as a network engineer, ranging from architecting and building networks for the bank and the various branches and departments, each having their own security requirements.
In 2000, he moved on to Macromedia, as Director and Information Security Officer, where he had global responsibility for ensuring the security and integrity of information, infrastructure and intellectual property. He also led product security, risk management, audit compliance and business continuity initiatives.
After six years, he began a new role as Vice President of Systems Operations and Information Security at CNET Networks, now known as CBS Interactive. There, he worked on building online platforms, streaming events such as March Madness and the Grammys, all while ensuring entertainment was delivered safely. “Now, we take streaming services for granted, but it was a different proposition back then,” he adds.
At Kaiser Permanente, he was Information Security Change Leader, where he developed and led a cultural transformation strategy for the entire organization in order to shape security awareness behaviors.
It was at VMware, as CISO, where Dolly played a key role in risk management, security engineering and operations, and compliance initiatives. Then, he moved on to ServiceNow as CISO and focused on building a high-performing security team, as well as fostering a security culture. His career also includes a stint as an advisor for CrowdStrike, Smarsh and Illumio. Prior to Sauce Labs, he was EVP, CSO and CIO at Malwarebytes and COO and CSO at SecureAuth Corp.
In January 2020, he took on the role of CSO at Sauce Labs, a privately held company and provider of continuous testing solutions. Dolly is responsible for developing, implementing and enforcing the company’s security strategy. He is also responsible for ensuring that Sauce Labs customers across the world have the necessary cybersecurity elements in place to innovate across cloud computing environments and meet existing and emergency regulatory compliance requirements.
He works closely with the product and engineering teams, as well, to explore opportunities to deliver security testing capabilities within the company’s platform. As with every CSO role, he often gets pulled into different areas, including HR, privacy, physical security, customer advocacy and everything else that touches security or privacy. But, at the heart of his responsibility is ensuring he can protect and safeguard not only customer data, but the safety and security of every employee at Sauce Labs.
Building Security Teams
One task that Dolly enjoys is building teams and watching those teams execute, flourish and deliver. “I’ve built big teams in the past, and I’ve had super small teams. The company culture should define the size and the scope of your security organization,” he says.
At Sauce Labs, Dolly says he is fortunate that the organization has made smart security decisions by hiring smart technical people. “I don’t have to go back to square one and start from there with the security program.”
The company also allows him to use his experience to move the security program forward “to not only strengthen the security of users, networks, intellectual property, but also the security of the platform so the services that we provide are as secure as they can be.”
To ensure a world-class security program is in place, Dolly leverages “data centers, a number of cloud environments, firewalls, web application firewalls, intrusion detection systems and various telemetry and deployment systems to ensure our security posture or attack surface doesn’t change without our awareness.”
Security in Perspective
Dolly is a firm believer that he learns something new every day. “It sounds trite to say something like that, but I actually do learn something every day. Often times, when meetings finish, I say to myself: What do I know now that I didn’t know 45 minutes ago or 60 minutes ago?” There is always something learned.
This mentality has taught him to think of security with simplicity in mind. He simply views the majority of security elements in two particular ways: defensive and offensive. The defensive strategy includes the tools that the organization employs to harden its environment and ensure it is not easy to attack, he explains. “And then there’s an offensive side of it, which is, are we testing ourselves? Do we test the defensive elements we put in place? Are we “pentesting” ourselves? And then beyond infrastructure and services: Are we reviewing the code that we wrote? Are we checking for security issues in our codebase? Are we using the right methodologies? Do we use the right libraries? If so, are they current?”
Whatever the size of your team, he says, “you should be, at the very least, looking at those two sides of the ball when it comes to security.”
In addition, having been in the banking, financial services, software and network industry has also taught him to communicate security risk to those that may not deeply understand it, he says. “You have to be really flexible in not only gauging risk because everybody’s risk is different, but also in describing the ways that people should think about that risk, and the possibilities for how you can offset some of that risk, or ideally eliminate it.”
Every role, he notes, has given him a bedrock of experience that he can draw upon and has allowed him to be more flexible with communicating the value of security. Often, he says, security conversations tend to get too technical. “Whether you’re working with hundreds of thousands of employees, or at a small company with a hundred employees, it’s critical to communicate with them in a way that allows them to understand security, and for everyone to feel that it is relevant to them.”
If he explains security accurately, says Dolly, his team and the organization can all get to the finish line together.
Communicating During Incidents
Learning how to communicate and explain risk becomes critical when an incident response plan is activated, he says. It’s important to create a list of roles and responsibilities for the incident response team members, a business continuity plan, a summary of the critical network and data recovery processes and physical and cyber tools that must be in place. Communications, both internal and external, is just as critical, he says.
“Externally [outside of the technical teams], you have to communicate with top executives at the organization, HR, legal and marketing teams and even with media. It’s important that whatever your plan looks like, however you manage it, whatever timeline you’re working against and however complicated it might be, to manage the crisis, you have to describe everything in a way that’s palatable for everybody.”
“Internally, one of the most important things in managing an incident is worrying about the people who are working for you on that incident. When an incident occurs, it’s all hands on deck for security teams.”
Most of the time, an incident only lasts for a few minutes or maybe only a few hours, he explains. But when it extends into days, the problem is, Dolly says, security teams are too dedicated, too invested in the outcome. “They don’t want to go home or even sleep. They want to be there when it’s all done – not because they want a pat on the back, but because this is who they are.”
When incidents last longer than a couple of days you start to have to manage people’s emotions and their energy levels. “Making sure that the human emotional aspect is part of your incident response plan is critically important.”
Changes in the Landscape
Security was vastly different 20 years ago, Dolly says, and was somewhat siloed or segmented away from other departments and even from other technology teams. “The only time the security team interacted with the rest of the company was when there was a security event – it was very adversarial,” partly because there wasn’t a focus on security.
Looking at the security industry today, Dolly notes, “It’s massive. It has blown up over the last 20 years and is worth billions of dollars. From a cultural perspective, we’ve bridged that gap. We have connected security to the business and helped demonstrate how security makes things better, not worse, and how it enables good behaviors and not necessarily just prohibits bad behaviors.”
Of course, the risk has grown exponentially, as well, he says. “The majority of data loss and breaches have occurred in the last five to 10 years, but this has helped security describe itself better” and has led a vast majority of people to have some level of understanding of security, he claims. Since everyone is concerned about security, it has become part of the conversation at the Board of Directors level at most companies, he says.
“I like the fact that security is now a voice at the table. It’s been a long time coming, but we also had to earn that credibility and earn those stripes. It’s taken time for security leaders to figure out the right messages to deliver, and deliver them in the right ways,” he says. “Going forward, we shouldn’t be afraid of the security conversation, which should occur openly and should be well understood by those involved. We should always ensure we have the conversation, so we can all be clear where we are and where we can make improvements.”