Let’s start with your names and what you do here at Valon!
Jim: Sure. So, I’m Jim Hebert. I’m the Head of Security here at Valon. That means I’m responsible for the computer systems we run, the code we write, and all of the things that are sometimes referred to as “information security” here.
We tackle that through the whole life cycle of software development: getting input into features even at requirement time, having design input, having implementation input, helping people with testing, bringing in outside experts and tools, and then also dealing with the post-ship phase of the software life cycle.
Lonnie: Yeah. So I’m Lonnie Benavides. I am the Chief Trust and Safety Officer here at Valon, which is a pretty good blend of a traditional Chief Security Officer role along with a Chief Information Officer role. And that’s because the areas that I cover for the team are A) security or cybersecurity, B) the IT team, or corporate technology here at Valon, and then also C) physical security or safety.
It’s my understanding that you both worked together at your last job! Why don’t you tell me about your background in the industry, and what you’ve done before coming to Valon.
Lonnie: I’ve been in cyber security since leaving high school. My first job out of high school, I went into the United States Air Force.
I picked my job out of a big book. We used books back then and not a website. The job I picked was called Secure Communications Technician. And the reason I picked it was that one word stood out to me in the description, and that word was encryption.
Then I transferred to the Air National Guard, and I was working as a civilian doing technology stuff. I ended up getting into an Air National Guard unit, which was the first in the Air National Guard hacking team.
And so, we got to go around and break into military bases and government installations, in order to let them know how we got in, so they could fix it. And that eventually turned into me later launching a very similar team for the Boeing company. Then, right around 2009, I joined DocuSign.
That was my first role where I was on the defensive side of the house. That really marked another pivotal turn in my career, where I was really going towards more security leadership and holistic security, not just offensive and preventative.
And then my last gig before this was at OneLogin. As you mentioned, I got to meet Jim there. That was a smaller startup, but very security focused. So, I got to be a lot more technical in that role and really focus on our security space.
Jim: So, let’s see. I was a Computer Science major in college in the time of the original dotcom boom (that’ll age me a little bit), and I saw that there was money to be made, I took some time away from school and chased into the original dotcom boom as a (what they would now call) full stack developer.
At that time, it never occurred to me that security could be a career. I just thought it was a property that I’d better take care of in order to do my job, where there isn’t somebody else I can dump security off onto, so I’d better care about it.
So, I started educating myself about this stuff. Then, the dotcom crash comes along. It was time for me to move into a more stable company. I moved into Adobe, and I ended up working on the security of Adobe reader. From there I went onto Google, and I worked as a security tester on ChromeOS.
And then, I bounced around the industry, large scale companies and building phase startups. I’m really excited to have made it here now.
Now that you are both here, what would you say are the challenges of your position that keep you going?
Jim: I would say that in a startup you have two competing sources of risk.
You have the risk that if you go too fast, if you cut too many corners, you may bring with it a security mistake, and your startup dies early on.
There’s another competing risk, which is, as a startup, you’re worried about your burn rate. There are other people also coming to market, and if you’re too cautious, if you move too slowly, there is also a risk there that you fail to achieve a self-sustaining business before your funding runs out.
Lonnie: I’ll definitely build on what Jim said because his challenge is my challenge. And it’s the same challenge that we run into with IT, or even with safety. You know, we’re building capabilities here. And we’ve been brought in to steer the culture towards doing things in a different way.
But a huge part of what makes us who we are, and gives us our competitive advantage, is that we’re able to be agile and nimble. And so I think the biggest challenge is: how do we achieve a level of security which we feel good about, while also meeting the demands of the business and our growth goals. Scrappy, but not crappy, right?
What are some of the security particulars of mortgage servicing that you’ve noticed?
Jim: I think there are mortgage servicers out there that wouldn’t describe themselves as a technology company in any way. They bought some off the shelf servicing software, they went and got some computers. Valon is a tech company. We’ve got dozens of engineers who are writing entirely bespoke things. We couldn’t look at, for example, another servicer and go, well, how big is their security team? So, one of the challenges is there’s plenty of ink that’s been spilled about what your end state security program should look like. Normally, companies of this size aren’t as visionary as Valon is, starting a security team within their first hundred or so people. So, it’s a nice problem to have to be like, wow, what do you do when you get in this early?
Lonnie: Yeah, it can be scary. I did spend a lot of time at Washington mutual, which collapsed during the home loan crash. I was one of the last people in the building, in downtown Seattle, with all of the phones piled on the desks. I know a little bit about the consequences of the ups and downs of the mortgage industry.
The financial services industry in general suffers in many cases from an outdated infrastructure which still technically does the job it’s supposed to do. Not a lot of that stuff gets updated, and it doesn’t benefit from any kind of modern technology and security.
In years past, you could have been a small enough company that you’re not even a target. But there’s an entire industry today. There are people who make their entire income by attacking companies. And they’re looking for companies just like ours, where we have a technology need, we’ve got important data, we’re facilitating financial transactions. Not to mention, the tactics being used are only getting more and more sophisticated.
Jim: When we mentioned the older technology that’s used around the industry, I think one of the challenges is that, being a company like Valon, we cannot be an island and just ignore those technology choices if we don’t like them.
If the standard is that you drop off a CSV file full of addresses to appraise, and then the appraiser gives you back a CSV file with property values, unless we want to go into the appraisal business as well, we have to interface the way they’re prepared to interface!
What security advice would you give to a small startup?
Jim: In the early days, when you can’t afford to have a dedicated security person, it’s important to find those hybrid people in your company. Find that one developer who’s willing to care about security. Spend a little money, let that person go to Defcon, things like that.
Another thing to consider is there are companies like Bugcrowd, where you can have a bug bounty program, and they’ll assign you an account manager who will help you navigate the unfamiliar world of having such a program.
Lonnie: Great advice, Jim. I think I would say, maybe what’s important for a business that has not decided to hire a security resource is to define why. Why is that? And at what point will that make sense to do?
You need to be clear as a business as to what you consider to be important to you in that space. Bug bounty programs are great ways to supplement not having a security staff. They’ll test you. But, eventually, who’s going to work on these things and who’s going to understand them? These days, it’s increasingly difficult for a company to survive without having dedicated security staff, at least a security generalist, because the issues we’re dealing with have gotten so nuanced.
What advice do you have for someone starting out in security?
Lonnie: So I think that it’s very important for somebody getting into security, to find a way to specialize or find their passion within the subject of security.
You can take general certifications or take a general course, which gives you some information about security at large. But when you really start to take off is when you specialize in something. By going to a security conference, attending specific talks about the thing that you’re interested in, you can discover what aspect of security speaks to you. If you’re trying to get on the offensive side, there are a lot of “capture the flag tournaments” or hacking challenge sites that you can use to hone your skill set.
Wherever you are now, make it known that you have an interest in finding a specialty.
Jim: I’ll add onto that. In the beginning, I would say, learn how to find a couple of different types of vulnerabilities. You know, look at something like the OSPF top 10 list, learn how to find those. And then once you’ve got those under control, branch out, find some more.
At the start of your career, you’re going to be finding all vulnerability types, and you’re going to be looking at people going, “I’d like you to fix all of these.” At the next stage of maturity after that, you’ll be getting comfortable with negotiation, nuance, and risk acceptance. To me, the big differentiator between a junior and senior security person is the ability to compromise.
Thank you guys so much. Lastly—what are you watching?
Jim: I’m rewatching House, M.D. I think everyone who has worked in security has probably worked with the information security equivalent of Dr. Gregory House.
Lonnie: I’m addicted to so many shows on the History Channel. I really think that they’ve got my brain mapped or something. I’m watching Lost Gold of the Aztecs, The Curse of Oak Island, and Skinwalker Ranch. I don’t know what it is about the History Channel, but I just love them to death.
It was a pleasure speaking with Jim and Lonnie. If you’re interested in joining Valon’s team, check out our job postings here!
