Getting to Know BetterCloud's New VP of Security Brett Greenwood

Brett Greenwood sits down to answer questions about the evolving nature of cloud security, its importance to BetterCloud and our customers, and how his experience with companies like Adobe and Boeing have prepared him for his new role as BetterCloud’s VP of Security.

Brett has a Masters in Systems Architecture & Engineering from The University of Southern California and a Bachelor’s Degree in IT from Brigham Young University.

You come from big companies like Adobe and Boeing, both of which take security extremely seriously. How has that experience prepared you for your new role as BetterCloud’s VP of Security?

Working for both Adobe and Boeing gave me some great perspective on how each organization built security programs and deal with real threats. At Boeing, I was working in a large enterprise environment where security was critical to protecting intellectual property and even classified information. My focus was around designing and implementing effective security controls, whether it was at the perimeter or around data within applications, to ensure that Boeing’s systems and data remained protected.

At Adobe, I worked on protecting a set of large cloud services. We needed to place controls around environments that were directly interacting with billions of endpoints across the internet. We had to be sure that we protected our systems so that the data customers entrusted us with remained secure. Not only did I work on building an effective security program from an organizational perspective, but also on the the execution of those programs, especially on the technical side where we made sure we could detect and respond to threats effectively.

What kind of experiences can you draw from working at Adobe and Boeing that will help you here at BetterCloud?

Adobe is a cloud services provider, so right off of the bat there are some similarities there. In both cases, customers are entrusting us with their data. At both Adobe and now with BetterCloud we need to ensure that we don’t become a path for an attacker to get to our customers. To do so, we need to protect our environment through good design. That’s really critical. Also, we need to be sure that we are properly monitoring our environments in order to detect anything unusual and have the procedures in place to respond before it becomes an issue.

You just moved from Utah to Atlanta–a pretty significant change–what was it about BetterCloud that made you confident enough to make that leap?

The thing that stood out to me most about BetterCloud was the business strategy. There’s a great opportunity here to help other companies effectively use cloud services. There are gaps in the capabilities that companies like Google and Microsoft provide to their customer base that we can fill. The overall product strategy that BetterCloud is laying out is a solid one and there is great growth potential. Today, we have a great customer base and we’ve got some great momentum. I feel like I can trust my career with a company like BetterCloud.

Was the heat of Atlanta any concern to you compared to Utah?

Utah can actually get pretty hot. The difference is the humidity, but I actually lived in the Philippines for two years so I’m not afraid of a little humidity. I love the outdoors and I really love to explore new areas and this is my first time living on the East Coast. There is just so much to go see, not only in Atlanta, but also I plan to get out with my family and go explore neighboring states. We want to make some trips to the coast and see a lot of things that we’ve never seen before.

What does it say to you when you see an organization like BetterCloud (a young born-in-the-cloud startup) hire a VP of Security?

To me it shows that BetterCloud is committed to having a secure product offering and that the executive team is aware of the importance of security. It shows that BetterCloud values security as integral to the success of the company and our customers. This is just another step in continuing to grow and improve upon the security that has already been put in place. It shows commitment, but it’s certainly not the last step in our investment in security.

What do you plan to accomplish at BetterCloud?

BetterCloud has a great security foundation already. We’re SOC 2 certified which goes to show that we have the appropriate security processes and controls around our systems–including the way we develop, deploy and operate our application.

I’m taking that foundation and I’m looking at how we can take it to the next level. Already, I’ve done an internal risk assessment. I’m looking at where we are now and what opportunities we have to improve our security program. From there, I’m going to be layering on additional security controls so that we further drive down risk and improve our capabilities to detect and stop any malicious activity against our applications and the data we are protecting.

I am also partnering with other departments across BetterCloud like our development and operations teams to ensure that they have the tools and knowledge to be successful in implementing a secure product.

Working with big companies in the past, what excites you about coming to work for a smaller company?

BetterCloud has great energy. There is a lot of excitement around the work that we’re doing. There is a lot of focus around being lean and efficient and getting things done quickly.

This provides the opportunity to usher in change in a short amount of time. The creative attitudes and the skills of everyone I’m working with here are making me very optimistic that we can continue to do great things.

What are some of the most common misconceptions you hear about the cloud as they relate to security?

One of the most common misconceptions that I hear is that the cloud is insecure. I’ve heard that if you use cloud services you are either inviting yourself to expose the data you put out there or that you’re fully at the mercy of your cloud providers. Customers do need to use due diligence in evaluating the providers that they choose. They should have a defined process where they evaluate things like the security controls their provider has in place. Third-party certifications like SOC 2 can help with that evaluation.

The IT community should remember that the cloud presents a different paradigm. We need to approach security in the cloud differently. This is a partnership where security responsibilities are shared between the provider and the customer. Cloud services give us new capabilities to manage and secure our data. Organizations need to leverage these capabilities effectively. In doing so, they can accomplish more in less time than in a traditional on-premises environment.

How do you see cloud security evolving over the next couple of years?

The security capabilities that are offered by cloud providers are going to continue to evolve in order to make security easier and more simple to configure and deploy. That’s a trend that has been occurring and will continue to occur as we move forward. Customers will gain more control and visibility over their cloud services and will be able to more easily integrate new or existing security tools and processes.

For example, BetterCloud is providing our customers with the ability to audit data that is stored in their Google Drive and Microsoft OneDrive for Business accounts. In the future we need to make it easier to externalize audit alerts and other event information from the BetterCloud products, allowing our customers to integrate with their own security monitoring and log analysis tools. To effectively implement security monitoring, we all need ways to centralize our visibility of activity and alerting. Customer demands will continue to drive more openness from cloud providers in this area.

What are some of the most common cloud security mistakes that you see organizations making today?

Perhaps the most common mistake is to overlook details of how an organization is using a service. There may be certain settings or capabilities that are available to you that you’re just passing up. With the constant demand to get things done, this is not uncommon. Organizations need to make full use of the security capabilities that are available to them and exercise good practices. Simple things count like using good password practices and implementing multi-factor authentication wherever it’s available. Also, consider taking extra steps to protect administrative account credentials, and regularly audit security-relevant settings you have in place, and monitor activity on the service.

Why did you pursue a career in security?

I got into the security space over 10 years ago, it really caught my attention because I love the challenge of solving problems. In the security space, there are always new problems to solve because the threats continue to grow and evolve. Security is a great place for me to continue to grow as an individual and to challenge myself to learn new things.

Security is also incredibly important to every organization. We are past the days when companies can do just a few basic things and expect that they are secure and that they won’t be compromised in some way.

There are different layers to security (technical vs. individual), how do you ensure employees are educated about the threats that exists and work with and to help prevent breaches rather than be a part of them?

Security is a shared responsibility across all individuals within an organization. The security team needs to take the lead in education and transferring knowledge about the risks and the threats that exists.

BetterCloud’s IT Director Tim Burke wrote an excellent article about building a security culture within an organization and he talked about having personal conversations with individuals. I totally agree with his points. The security culture starts with the leadership team and goes all the way down the organization.

What do you think BetterCloud customers should know about how we as a company–and as people–value and view security?

We want BetterCloud’s customers to know that we take the responsibility to protect their data very seriously. We consider securing their data to be a core competency of BetterCloud. We will continue to invest the time and resources necessary to keep their data safe, ensure the availability of our services, and to stay ahead of the growing threats that exist.