MICHAEL: Welcome, Steve. I’ve been looking forward to this virtual discussion.

STEVE: Me too, Michael. As long we are not going to talk about which is the best pizza in New York City. (Laughing)

MICHAEL: (Also laughing). Oh no, not at all. But really, I know where to get it. Hit me up.

STEVE: We will see about that!

MICHAEL: Let’s kick this off by learning a bit about your background. How did your path lead you here to Trellix.

STEVE: I went to school for information security, so sort of a tangent to computer science. I minored in computer science at University of Wisconsin–Eau Claire, and when I graduated, I started in network security for a company called TippingPoint. Right off the bat, I got involved in intrusion prevention, so I kind of grew up learning the product side of security, the white hat side of things. Within five years, I was managing technical teams there, the development and product groups. I then got really interested in research and began running research squads and building some overseas teams. I focused on research and that was kind of a natural transition to McAfee. My family's out here in Portland, and I wanted to be closer to family and also build and run an original research team.

MICHAEL: Did you ever get involved in hacking back in the early years?

STEVE: I did indeed! I used to help run the Zero Day Initiative’s Pwn2Own, one of the more prominent hacking competitions out there.

MICHAEL: That’s great. Tell me about your role here at Trellix.

STEVE: So today my role is technically principal engineer and head of Advanced Threat Research. I joined McAfee five years ago. Today I run the vulnerability research team, which does all the original vulnerability research for the company, as well as public disclosures. I came in with plans to run a big team and ended up having to build from the ground up. That was a unique and difficult challenge.

MICHAEL: That must have been hard given the shortage of talent. How did you go about doing that?

STEVE: It was pretty brutal. But I know this industry really well since I've been doing network security for almost 15 years now. So, I tapped colleagues and leaned on people at the company. I drove out and pitched jobs to OSU and University of Oregon students and recruited at job fairs.

MICHAEL: Fast forward to today. What’s your team look like now?

STEVE: You know, I'd consider it world class at this point. Very operationally efficient and effective. We pump out constant groundbreaking research on at least a bimonthly cadence. I’m very proud, personally and professionally, about what we deliver.

MICHAEL: That’s great. Who are your closest colleagues and peers at Trellix these days?

STEVE: Well, John Fokker runs the malware research team. He is out of the Netherlands. And John Fokker, head of Cyber Investigations, is there too. There’s also Pat Flynn at our sister team, Advanced Programs Group. They’re actually doing targeted research for a lot of the “three letter” agencies, as well as our private industry clients.

MICHAEL: I’m going to throw you a curve ball here. This is actually one of the more critical questions I was going to ask you. Since you know these guys so well, if each one was a rock star, who would they be?

STEVE: Oh, that’s easy. The Go Go girls. Actually, in all seriousness, John’s gotta be EDM all the way, or a punk DJ in a bright green spandex suit. You know, he does side-mixing as a pet project. He’s pretty good. John’s got the long hair going. Definitely Bon Jovi – or at least a seven-foot version of him. As for Pat? Oh, man. He’s going to kill me for this. I’m going to go with country and western. I can definitely see Pat on stage as Willie Nelson, belting out “Shotgun Willie” with a four-foot ponytail whipping around behind him.

MICHAEL: Wow. I need a minute to take all that in. Where does that leave you? Or should we give Pat a chance at some sweet revenge?

STEVE: (Laughing). No, don’t give him a chance. I’ll be Coldplay, or something. I play piano and have for 20 years. Just long enough to embarrass myself in public.

MICHAEL: Aside from work, how do you relax? I see the piano in the background of your home office there.

“We can bring a CTO or a CEO or the FBI or whoever, sit them in the chair and say ‘this is what industrial control system vulnerabilities look like and feel like. Why don't you be the one on the keyboard? This is what it's like to cause the car to accelerate autonomously. This is what it means to hack an infusion pump and get the rate of medication flowing twice as fast.”

STEVE: Yes (laughing), I play as much as I can. And I love to be with my family. I have a six-year-old and a nine-year-old, two daughters who are really the center of my life. Really the most important thing in the world to me. I also love to get outdoors. When at home, I have a few go-to podcasts. Like Hackable, which I contribute to frequently, and another called the CyberWire podcast.

MICHAEL: That’s odd. I never would have guessed those.

STEVE: (Laughing again). Another podcast I’m really invested in is called Respectful Parenting. It’s this idea that over years generations have built up really unhealthy habits, especially in the US, where work is our primary culture and focus. I'm really passionate about how I balance my work and my life and what kind of model I represent for my kids.

MICHAEL: I love that. Let’s pivot back to cybersecurity. When you look into your “crystal ball,” do you see anything in the future that worries you, that “gives you pause.”

STEVE: That’s a great question. Two quick answers, though I don’t want to go into detail here. One is converging lines between the everyday cyber threats we address on a regular basis and emerging methods of waging modern warfare. We've been talking for years about that, and I think we're starting to see that evolution for the first time ever.

MICHAEL: That’s an intriguing topic. Let’s consider Ukraine for a moment. Do you anticipate any positive impacts to your world from what we’re seeing? As you said, from monitoring the evolution of modern warfare?

STEVE: Yes, I’m hoping for a silver lining here. We're getting all sorts of valuable intelligence --metrics, information, boots-on-the-ground kind of data – that we didn't necessarily have access to before. From a vulnerability perspective, think back to 2015, right? Russia attacked the Ukrainian power grid and took it down for five days or so. And 300,000 people lost power. The writing has been on the wall from a cyber perspective for many years. Russia has been testing out these cyber weapons for a long time, so for us it's been interesting tracking that evolution, seeing how much we're able to prepare and what the warning signs are. That let’s us be more proactive and improve our ability to prevent, intervene and mediate impacts on an expansive scale.

MICHAEL: What is the second area of concern you see in the Povolney Crystal Ball?

STEVE: Healthcare. The medical industry has been getting hammered by cyber threats for nearly a decade – as has all kinds of critical infrastructure. I don’t see these environments getting any easier in these areas. The technology we rely on to run this planet is getting interconnected, and the state of security is just so – porous and vulnerable. These thoughts drive the weight of responsibility I feel. I keep asking myself “Are we doing enough?” and “What can we do better?”

MICHAEL: Is there an event, incident or decision that you are particularly proud of?

STEVE: Let me think. Yes. Several years ago, five or so people on my team contributed to a Microsoft “bug bounty” program. Together, we identified vulnerabilities in Microsoft Azure, which is kind of an IoT cloud-based target. Our team ended up winning first place. We generated $169,000 of income, which we donated to a couple of charities. That was a really, really proud moment for me and the team.

MICHAEL: That’s a great story. As we wrap this up, tell me: why are you at Trellix?

STEVE: Well, I believe in the leadership here from the top-down. I think they've brought in the right people to run the company. I think that they have made some really strong and strategic decisions on what sandboxes we do and don't play in.

But it’s also personal for me, you know? One of the first things I implemented as a policy for the team was every time we released a piece of vulnerability research, we were going to simulate what an attacker would do with it. And we would build that and do a physical demo. So, for years now, we’ve been running our demos out in our Oregon lab. Every single piece of research that we've done over the past five years has a running demo where we can bring a CTO or a CEO or the FBI or whoever, sit them in the chair and say “this is what industrial control system vulnerabilities look like and feel like. Why don't you be the one on the keyboard? This is what it's like to cause the car to accelerate autonomously. This is what it means to hack an infusion pump and get the rate of medication flowing twice as fast.” To me, that's the most exciting thing about this job: watching people's faces, watching them respond, helping them visualize and experience living security.