'Inside Security' with Veer Singh (Staff Security Engineer, Infoblox)

Blog
Leen Security
July 8, 2024

Today we’re excited to launch the first edition of 'Inside Security', a long form, bi-monthly blog series dedicated to sharing the stories and learnings from the people who make security possible.

We kickoff it off with Veer Singh, Staff Security Engineer at Infoblox.

Bare beginnings

After graduating with a bachelor’s degree in electronics engineering, Veer began his career as a backend developer, integrating security products within a banking environment. This was his accidental start in the world of security. But like many of us, it wasn’t all love at first-sight with security.

The pivotal moment in Veer's security career came with the emergence of Stuxnet, a notorious computer worm that gained infamy in 2010 for its targeted attacks on Iranian nuclear facilities. The impact of Stuxnet's infiltration, resulting in the disruption of nuclear power plants, initially baffled Veer. He struggled to comprehend how a malicious actor could manipulate the intricate workings of a nuclear reactor to such catastrophic effect. This event marked a turning point for Veer, igniting a deeper curiosity and prompting him to pursue a Master’s degree in cybersecurity from Indiana University Bloomington.

Veer has always been intentional and thoughtful about his career. Despite his background in electronics, he quickly realized that fields like VLSI, VHDL, or chip development held little appeal for him. Similarly, traditional software engineering, with its emphasis on tasks like tweaking user interfaces for better user engagement, failed to capture his interest.

Although Veer specialized in data security and protection during his education, he took his time to familiarize himself with different facets of the security industry before committing to a specific path. Recognizing consulting as an effective way to gain comprehensive insight, he opted to engage in security consulting, providing him with a valuable overview of the industry's inner workings.

“If you ask me, if I had to restart things all over again, I’d skip my Master’s degree and focus on obtaining technical certifications in security, because most of the skills that I learned, that I use to this day, are from security certifications and on-the-job experience.”

While there is a conception that a masters degree in anything might prepare students for a career in a specific industry, academia and business generally have different priorities, and skills required to excel differ vastly.

Impact of mentors and good leadership on one’s career

One of the hardest skills to develop as an engineer or any working professional is identifying who to pick as a mentor or model to learn things from. It's just as crucial as learning new skills. A good mentor can greatly impact the direction of your career for the better.

Veer shares the belief that finding excellent mentors was vital for his development. Looking back on his career, he feels lucky to have collaborated with highly respected individuals in the security field.

“I was fortunate enough to sort of work with some of the best folks in the security industry. These folks are pretty well respected, and some that I had the good fortune of collaborating with don't quite have formal education, say, a bachelor's or master’s. But what I did get from them is their perspective on how to approach things. Through them I learned that you don't necessarily need a degree in things to be good at something.”

Some of the people he worked with, whom he cites as role models include Tim Michaud (Security Engineer, Moveworks) Travis Biehn (Former Principal Consultant, Synopsys) Will Douglas and Robbie Gallagher (Head of Product Security, Calendly).

Veer emphasizes that his career has been shaped by learning from the best in the field. Through collaborating with these experienced leaders, he gained insights into navigating new fields & concepts, evaluating technologies, and managing large-scale projects. Most importantly, he learned how to establish solid frameworks even in the face of uncertainty and ambiguity.

"I may be a disorganized person, but I like structure when I learn, think and work. Understanding my mentors’ approach to security and ambiguity instilled in me the fundamental principles of critical thinking, which proved to be invaluable."

He recalled a time when he first put some of his learnings in practice.

"Back in 2010, cloud computing was still a new idea, not as widely used as it is now. Exploring cloud computing felt overwhelming at first. However, relying on the principles I had learned helped me shift my perspective. Strategic learning and focusing on specific areas rather than trying to learn everything at once have been key to advancing my career”.

Balancing technical proficiency with management responsibilities

Proficiency goes beyond technical skills; it requires a grasp of business operations and people management. While technical consultants typically progress into product management or engineering management roles, both of which often entails extensive collaboration with various stakeholders, albeit with less emphasis on direct security engineering tasks.

Veer was firm in his commitment to maintaining his technical prowess.

"I'm inherently a technical person at heart. I'm determined not to lose my technical skills, even as I age. I want to stay abreast of emerging technologies from innovative companies and avoid struggling with documentation and other technical intricacies as I grow older."

This mindset and clear thinking led him to Infoblox where he now works on securing multi-million dollar product catalogs for the company.

Uncovering the bottlenecks in security

In this series, we aim to uncover the challenges security practitioners have faced, are currently facing, and observations from working with peers in the industry. With this in mind, we asked Veer to share his observations from over twelve years of working in security.

Security has a people and lack of resource problem

There is a demand now for more security engineers than ever before. The industry is short of 3.5 million security practitioners according to Cybersecurity Magazine. Veer echoes that sentiment as well:

"We as security teams are constantly under-staffed and under-resourced. That’s a fact with any security team across the industry. The biggest challenge of my career always presents itself in the way of maximizing output with limited resources”.

We agree with Veer’s observation. When we at Leen were initially validating our thesis for a Unified API to scale security integrations to free up engineering resources and time, the one thing that kept coming up repeatedly was how resource-constrained security teams were/are. Be that at an early-stage startup, growth-stage company or an enterprises, exacerbating with the company's size.

The million dollar question

Every industry has its own set of challenges that keep practitioners awake at nights. Security is no different, and for Veer that problem is about 'how to scale security operations'. Having had the privilege of viewing the industry from different lenses, this is one thing that has kept coming up over and over again over again during his career. Veer spends some of his deep thinking hours trying to experiment to understand how best operations can scale – through technology, people, and collaboration. But he also warns practitioners like himself who get caught up in this evergreen question:

"Do new things and experiment. The objective is to keep learning. Finding that right balance of how much to focus on work, versus how do you focus on yourself and build yourself to scale and do multiple things is the challenge. Be curious, learn and experiment”.

Security fails when you work in silos

This is something Veer truly believes in and underscores the significance of fostering a culture of collaboration, effective communication, and deliberate talent development.

“At the end of the day, everything within an organization really boils down to the people. So if you want to build the right culture, your first few hires are very critical, because they sort of set the tone as to what your team does, and how it does things. But I’d caveat it by saying hiring for culture fit is great, but you don't necessarily always want to do that. You want to hire for culture-add”.

Culture-add refers to the likelihood that a candidate hired by the company will reflect the company’s values and behaviors in everything they’re doing, to the improvement of others in the company. Culture-Fit hiring on the other hand hinges on implicit bias.

Learn to grow within security

At a personal level, Veer is a student of security and feels there’s very little time in one’s lifetime to understand every technical aspect about the industry. But this has also helped him not be too harsh on himself, and take a different perspective in the form of prioritization.

“I am kind of a person that likes to know everything. So I’ve made peace with the fact that there's too much to learn and we only have a finite number of years on this planet or the industry. Given how our days are structured, you just can't focus all of it on learning. And even if you do, you can't really boil the ocean down, but only pick areas of priority at that given point of time in my career.

Building a successful career in security

Security is a tough space to build a career in. It’s not as straightforward as it might appear. Reputation holds significant weight in this field, often surpassing other factors. Senior security professionals and investors alike will attest to this reality. Though security was once deemed "boring," perceptions of the industry have evolved in recent years. Nonetheless, Veer remains cautious. While welcoming fresh talent is positive, the concern lingers: are they motivated by the right reasons?

“If you're looking to build a career in any industry, you have to bring some sort of value to the organization. Within security, I think that becomes more important because I think the caliber of talent that exists in security is slightly higher than most industries. If someone is starting out right now, I would advise them to do an honest assessment of their skills. There are multiple different roles within cybersecurity. Some are supremely technical, some are a mix of technical and soft skills. Once you have that idea, distill it, make a list of all the different types of roles within the security space and categorize them, within those three buckets of technical, non-technical and a mix of both, and perhaps, also categorize them into domains or verticals. You can then focus on trying to understand where you fit in”.

As we conclude the first edition of the 'Inside Security' series, Veer's journey reminds us that the path in security is rarely straightforward. However, those who approach it with curiosity, determination, and a willingness to experiment can navigate the challenges and thrive. Ultimately, the key lies in finding the right balance between work, self-development, and an unwavering commitment to pushing the boundaries security engineering.

To connect with Veer, you can reach out to him via his LinkedIn and/or email: veer[at]graveaccstudios.com.