From left to right: Jim and Lonnie!

In the fourth post in our series “Who is Valon?” meet Jim and Lonnie, the superstars of Valon’s Trust & Security team. Get to know them and learn how they keep Valon safe and secure!

Let’s start with your names and what you do here at Valon!

Jim: I'm Jim Hebert, the Head of Security here at Valon. That means I'm responsible for the computer systems we run, the code we write, and all of the things that are sometimes referred to as “information security” here. We tackle that through the whole life cycle of software development: getting input into features even at requirement time, having design input, having implementation input, helping people with testing, bringing in outside experts and tools, and then also dealing with the post-ship phase of the software life cycle.

Lonnie: I'm Lonnie Benavides. I am the Chief Trust and Safety Officer here at Valon, which is a pretty good blend of a traditional Chief Security Officer role along with a Chief Information Officer role. And that's because the areas that I cover for the team are A) security or cybersecurity, B) the IT team, or corporate technology here at Valon, and then also C) physical security or safety.

It's my understanding that you both worked together at your last job! Why don't you tell me about your background in the industry, and what you've done before coming to Valon.

Lonnie: I've been in cyber security since leaving high school. My first job out of high school, I went into the United States Air Force. My most recent gig before this was at OneLogin. As you mentioned, I got to meet Jim there. That was a smaller startup, but very security focused. So, I got to be a lot more technical in that role and really focus on our security space.

Jim: I was a Computer Science major in the time of the original dotcom boom. That'll age me a little bit! I saw that there was money to be made. So, I took some time away from school and chased into the original dotcom boom as (what they would now call) a full stack developer. When the dotcom crash came along, I moved into Adobe, and I ended up working on security for Adobe Reader. From there I went on to Google, and I worked as a security tester on Chrome OS. Then I bounced around the industry, large scale companies and building phase startups. I’m excited to have made it here now.

Now that you’re both here, what would you say are the challenges of your position that keep you going?

Jim: I would say that in a startup you have two competing sources of risk. You have the risk that if you go too fast, if you cut too many corners, you may bring with it a security mistake, and your startup dies early on. There are other people also coming to market, and if you’re too cautious, if you move too slowly, there is a risk that you fail to achieve a self-sustaining business before your funding runs out.

Lonnie: That’s the same challenge that we run into with IT, or even with safety. You know, we're building capabilities here. And we've been brought in to steer the culture towards doing things in a different way. But a huge part of what makes us who we are, and gives us our competitive advantage, is that we're able to be agile and nimble. And so I think the biggest challenge is: how do we achieve a level of security which we feel good about, while also meeting the demands of the business and our growth goals? Scrappy, but not crappy, right?

What are some of the security particulars of mortgage servicing that you've noticed?

Jim: I think there are servicers out there that wouldn't describe themselves as technology companies—they may have bought some off the shelf servicing software. Valon is a tech company. We've got dozens of engineers who are writing entirely bespoke things. We couldn't look at another servicer and use the size of their security team as any kind of guide. Also, normally, companies of this size aren't as visionary as Valon is, starting a security team within their first hundred or so people. So, it's a nice problem to have: what do you do when you get in this early?

Lonnie: Yeah, it can be scary. The financial services industry in general suffers in many cases from an outdated infrastructure which still technically does the job it's supposed to do. Not a lot of that stuff gets updated, and it doesn’t benefit from any kind of modern technology and security. In years past, you could have been a small enough company that you're not even a target. But today, there are people who make their entire income by attacking companies. And they're looking for companies just like ours, where we have a technology need, we've got important data, we’re facilitating financial transactions. Not to mention, the tactics being used are only getting more and more sophisticated.

Security doesn’t stop, even during our recent move to a new office building in Arizona!

What security advice would you give to a small startup?

Jim: In the early days, when you can't afford to have a dedicated security person, it’s important to find those hybrid people in your company. Find that one developer who's willing to care about security. Spend a little money, let that person go to an OWASP or B-Sides meet-up, things like that. Another thing to consider is there are companies like Bugcrowd, where you can have a bug bounty program, and they’ll assign you an account manager who will help you navigate the unfamiliar world of having such a program.

Lonnie: Great advice, Jim. I think I would say, maybe what's important for a business that has not decided to hire a security resource is to define why. Why is that? And at what point will that make sense to do? You need to be clear as a business as to what you consider to be important to you in that space. Bug bounty programs are great ways to supplement not having a security staff. They'll test you. But, eventually, who's going to work on these things and who's going to understand them? These days, it's increasingly difficult for a company to survive without having dedicated security staff, at least a security generalist, because the issues we’re dealing with have gotten so nuanced.

What advice do you have for someone starting out in security?

Lonnie: I think it's very important for somebody getting into security to find a way to specialize or find their passion within the subject of security. You can take general certifications or take a general course, which gives you some information about security at large. But when you really start to take off is when you specialize in something. By going to a security conference, attending specific talks about the thing that you're interested in, you can discover what aspect of security speaks to you. If you're trying to get on the offensive side, there are a lot of “capture the flag tournaments” or hacking challenge sites that you can use to hone your skill set. Wherever you are now, make it known that you have an interest in finding a specialty.

Jim: Totally agree. In the beginning, I would say, learn how to find a couple of different types of vulnerabilities. You know, look at something like the OWASP Top 10 list, learn how to find those. And then once you’ve got those under control, branch out, find some more. At the start of your career, you're going to be finding various vulnerability types, and you're going to file tickets asking for them to all be fixed according to best practices. At the next stage of maturity after that, you’ll be getting comfortable with negotiation, nuance, and risk acceptance. To me, the big differentiator between a junior and senior security person is the ability to find creative compromises where everyone goes away happier.

Thank you guys so much. Lastly—what are you watching?

Jim: I'm rewatching House, M.D. I think everyone who has worked in security has probably worked with the information security equivalent of Dr. Gregory House.

Lonnie: I'm addicted to so many shows on the History Channel. I really think that they've got my brain mapped or something. I'm watching Lost Gold of the Aztecs, The Curse of Oak Island, and Skinwalker Ranch. I don't know what it is about the History Channel, but I just love them to death.

It was a pleasure speaking with Jim and Lonnie. If you’re interested in joining Valon’s team, check out our job postings here!