Calendly’s first-ever CISO Frank Russo has presumably been giving the company’s proprietary appointment-scheduling platform quite the workout since joining the executive team on Oct. 18.
Scheduling meetings with leadership, engineers, sales staffers and corporate customers, Russo is in the early stages of creating a security vision for the software developer, by assessing and understanding his company’s most salient needs and its greatest strengths.
The decision to hire a CISO for the first time since the company was founded in 2010 comes as Calendly places greater emphasis on its Calendly for Enterprise offering, which caters to larger-scale organizations and their scheduling workflow needs, and includes such features as single sign-on (SSO) and System for Cross-domain Identity Management (SCIM).
Working remotely from the Bay Area, Russo joins Atlanta-based Calendly from digital payment settlement system provider Ripple, where he served for just over two years as vice president of information security. Before that, he worked in various security roles at CRM platform provider Salesforce for approximately 10 years.
In an interview with SC Media, Russo shared some of the challenges and opportunities that come along with being named a company’s very first CISO. He also talked about the various due diligence and culture-building that new security executives should engage in before finalizing their agenda moving forward.
Tell me a little about how your career background applies to your new position at Calendly.
Russo: I was head of security and CISO over at Ripple Labs. Working in the crypto space is a bit of a different challenge from all the traditional information security roles I've had in the past. … You still have an enterprise software business you've got to protect, but you also have the crypto environment. … So I just got a sense of how they see security, as well as looking at the reputational risk aspect of things.
Prior to that I spent nearly 10 years at Salesforce … where I had a fortunate encounter with [CEO] Marc Benioff. I learned about how important security and privacy were to him personally. … And that really was the catalyst to get me thinking about security leadership roles. Before I was always like: [Security is] interesting work and intellectually challenging, but how do you solve the bigger problems? And in talking to him, it was really like: You've got to be a leader, and you've got to build a team. You cannot do it yourself, no matter how good you are.
And then the Calendly opportunity came knocking. What made this job attractive to you?
[At Salesforce], I was in charge of enterprise security and doing vendor assessments. I had the vendor security team under me and we looked at a ton of different vendors. And I thought, wouldn’t it be cool to be the vendor — to turn it around, and build a security program. … And so I’m getting in early enough into Calendly to do that, to build that team from the ground up.
During the interview process, did Calendly CEO Tope Awotona provide any insight as to why the time was right to hire a CISO?
Absolutely. You look at some of the new leadership hires that Calendly has brought in — a new CPO [chief product officer], a chief customer officer — you can see that Calendly’s really gearing up for looking really hard at the enterprise. It's a big piece of our growth story.
But of course, we don't want to leave behind the rest of the folks who got us here — and so all that PLG growth, all that market is still valid and relevant, and would definitely [also] benefit from the security enhancements that we would do for the enterprise.
What are the biggest challenges to being a company’s first-ever CISO, and what are the opportunities?
Challenges, opportunities: two sides of the same coin. Coming in as the very first leader … and reporting to the CEO: this is a big deal. And part of the thing that was really attractive to me about this role was having that ability to really influence and hear directly from the CEO and his vision, and partner with him.
One of the first challenges is that … no matter how small a team is, no matter how small the startup, people are doing security work — and they're doing it all over the place. They're doing it a little bit on the sales engineering side, and customer support. There's always security work happening in IT. But as a CISO you want to come in and you want to make sure that you're harmonizing all the security efforts. And so there's this idea of going from these distributed, “federated” security teams, to a unified security team.
That's a really powerful story, especially for the enterprise customers. They want to see that there's a single … leader who's really got the vision and a single person to talk to and influence. Listening to customers is a great way to get ideas of what's important to them, and what security features are relevant. … I think that's probably the biggest [challenge]: taking all those different elements of security that are being done and starting to harmonize them into an actual security program.
How much security technology, process and policy did you inherit upon arriving at Calendly? And how much leeway do you now have to add to it or restructure it according to your security vision?
What was inherited was a company that was already SOC2 Type II attested to. So what was being done [as foundational security] is great. It's stuff that I can build on. The how it's being done is actually where I’ve been given quite a bit of leeway.
I’m very thankful for the leadership's saying, “Hey, this is how we've been doing it all this time. Tell us if you would like to do it differently.”
Calendly is extremely open to bringing in the right solution for us to build on for later. Talking to Tope, he's very future-focused, he really is seeing the end state for us and he wants to make sure that we're building towards that without getting dragged down too much by previous investments. So I'm very excited about that.
I would imagine that for anyone who’s filling a newly created CISO position, it’s important that before you create your own security agenda, you get a feel for the company culture, and better assess your needs by talking to leadership, your employee user base and your software business customers.
In looking at Calendly as a company … the very first core value that you uncover, is “Start with human.” Technology impacts all human beings in some meaningful way.
People are used to doing things a certain way, and understanding how to get them on board if we need to do things differently definitely [requires] a bit of cultural sensitivity and meeting with folks. Not just with the leadership team, but all the way down the stack to all the [individual contributors], to some of the sales leaders.
Actually, an account executive just sent me an email last night, asking to meet with me. She said she's got this tricky account problem. How do you want to work through it? Let’s grab time. Let's talk about it. Let me understand, let me get a sense of how you do your work, so I can be empathetic… And that's where you get the buy-in.
I don't want people to say, “I don't like it and I don't understand why we need to do it. …” I would love them to say, “I like it and it's good for our customers.” … [But] it's OK to get to a point [where they say], “I may not like it. But I do understand why it's important to Calendly and its customers.” That’s the goal.
Communicating that understanding is really the key to unlocking security value from the rest of the employee base. … What you can't do is, you can't say, “Here are the rules and I don't care what you have to do to make it happen.” That's a recipe for disaster. And really, you're not going to get the security result you need. … Your job is really to convince them why it's important for Calendly and its customers.
You only started on Oct. 18. So you must still be going through this communications process now, right?
Half my day is meetings. Just understanding what's going on. And also, if [there are security initiatives already] in flight, you have to make a little bit of a snap call: “We're almost there, should we still do it?”
I think some of the most relevant information tends to come from the folks who know where the bodies are buried, which is really talking to the engineers and engineering management, as well as the sales and customer support leaders. “Which part of this process kind of keeps you up at night?” “What gives you the most heartburn?” These are questions I ask from the CEO down. … As you go down the stack, you start to see themes emerge.
[And that is also] definitely building their confidence in you as a leader, as someone who's open to hearing the bad as well as the good. I think a big piece of it is coming with a no-blame approach and really crowdsourcing that information.
It’s early, but are you already formulating a security strategy for the company? For instance, you said one reason Calendly created a CISO position was because of the company’s growing emphasis on its enterprise customer business. Would you say, therefore, that AppSec and DevSecOps are going to play a major role in your plan moving forward, in addition to your own internal network security?
I would say definitely — at least a balance of internal and customer-facing. I met with my first [Calendly software] customer this week. It went great. It was a very good meeting — they had excellent points and they really challenged us in some ways that I think we need to be ready for. … We want to capture all that stuff on the front end.
I was [also] very happy to see … we have already incorporated lots of DevSecOps approaches. The question really becomes, where's it going to be done? Does the DevSecOps role report to the CTO or to the CISO? That’s the part where spending more time learning the culture and … [developing a] long-term vision of those folks’ careers is what drives [those decisions]. How do I build a career roadmap for this person? [What’s going to] give them the exposure they need to move their career forward?
But, like every place, the internal side of security is really the soft spot, especially in the remote work world. That’s where attackers are coming after people. Phishing is still a thing. It's still super effective. That's how you get malware dropped. That’s how you get ransomware dropped.
So you do have to really lean into the education piece. I think that's the most important change [since work went largely remote]. We need to double down on remote worker education, leveling their security posture. There are lots of priorities — but this one is a priority that's close to my heart. So I'll … make sure that employees understand how to act securely under various situations. It’s foundational to so many things because I can bring in whatever whizbang technology I want; they’re just gonna click [a button they shouldn’t], and then it's gonna bypass all of that stuff.
We’ve talked about communicating with leadership, employees and your customers. But there’s another missing piece here: third-party vendors. Especially when you work for a software company, I would imagine that gaining visibility into your third-party partnership ecosystem and identifying risk spots within this supply chain is one of the more daunting challenges of a brand new CISO.
Oh, yeah. Where's the data?
It's super important to Calendly from a data security standpoint, but also from a reputational risk standpoint — because we are that third party that people are entrusting data to. And if we're doing a bad job or not doing as good a job as we could vetting our third parties, how do we look? So, it’s super-relevant. Third-party risk is everyone's top of mind and it is a huge problem.
I think the industry as a whole has an obligation to build up this shared understanding of what it means to have a security program and how we tag and track that data. … And that's going to take probably more time than anything to really get to the bottom of.
Normally you would start with procurement and say, “Where are we spending money?” That's one way to do it from a non-technical standpoint. There are a couple of other technical tools or agents you can put on that can look to see what cloud services your employees are [using]. That's a less preferred route, but that's another tool that you can use. But I think start with following the money. This is usually the mantra that seems to work best.
How in your newly created position will you approach the process of creating a security budget moving forward?
[We’ll look at] last year's run rate. But I would love to start with a zero base and talk about what capabilities does Calendly need … and plugging those holes with dollars. Right now, I'm still in the capabilities analysis phase. But I don't want to miss my chance to make sure that we have a reasonable budget. So I’ll be using some of the experience I've had, in terms of what I think it would cost … for certain types of technologies.
If I would have come in in August, it definitely would have been a lot easier to get a handle on it. But you come in when you come in, and I really do believe that the company is going to be supporting me. If we need to make some decisions or make some changes to things … I feel like there's a ton of support for that.