In celebration of this year’s Cybersecurity Awareness Month theme – See Yourself in Cyber – we are spotlighting five VMware security pros to ask them five questions about their career path.
Alex Tosheff is VMware’s Chief Security Officer, Senior Vice President and Global Crisis Management Chair. Based in Palo Alto, California, he leads all aspects of VMware’s cybersecurity, physical security and enterprise resiliency across the global enterprise.
An industry veteran with more than 25 years of business and technical leadership, Alex is an ardent proponent of cybersecurity as a driver of business value. He is a recognized expert on the nexus between security and technology innovation, and he has led transformational initiatives at VMware to establish zero trust principles, accelerate time-to-value on security investments and enable a secure, global work-from-anywhere workforce.
Alex is passionate about agile leadership and empowers VMware’s global team of security professionals to develop new and innovative ways of protecting VMware, employees, customers and partners.
Alex joined VMware in July 2014 as Vice President and Chief Information Security Officer (CISO), after previously serving as CISO at PayPal and BillMeLater. He also previously served as Venture Partner for St. Paul Venture Capital and Chief Technology Officer at Science Applications International Corporation (SAIC). Alex holds a Bachelor of Science in Physics from California State University.
1. How did you get involved in cybersecurity?
I was hired as a Unix systems engineer at SAIC, a defense contractor headquartered in San Diego, CA. My boss at the time brought me into a DoD/DISA project that was under pressure to be completed. I basically got put into a room lacking windows with a bunch of Sun SPARC workstations, a Trusted Solaris OS boot tape, a stack of manuals and a heavily dog-eared copy of the DoD Orange Book used to evaluate trusted systems. It took more than a few months to go from CONOPS to deployment, but we ended up with one of the first DISA-accredited B1 multi-level trusted systems, and I got to travel around the world deploying it. Afterwards I was lucky to have opportunities to branch out to other security projects in architecture, firewalls and public key infrastructure.
2. Explain your career path. Did you take any detours?
I’ve held a variety of different roles but always circle back to security. There wasn’t a defined CISO role when I started my career and honestly, it wasn’t something I was deliberate about then. Over the years I worked as a systems engineer, systems administrator, and a systems integrator. In later years I moved into leadership positions and worked at start-ups including one called BillMeLater, which was later acquired by PayPal. I was then at PayPal for about 7 years before joining VMware.
I didn’t take a focused path to CSO until later in my career, and there were definitely fun detours along the way. Having a diverse background can be particularly helpful for security pros looking to move into leadership positions. One of the other opportunities I took was working as a venture partner for a venture fund. That experience taught me a portfolio approach which translates to how I manage security in a company today. The time I spent in board meetings during those venture days also helps me interact more effectively with boards in my current role. I also think an important part of being a security leader is balance. When my kids were little, I consulted for around 7-8 years so I could spend more time with them. Fun fact, if we go further back in time, I’ve also done a stint in construction work as a carpenter.
3. Was there anyone who has inspired you in your career to help you see yourself in cyber?
Fortunately, I had some amazing mentors early on. I quit college football in my junior year in order to focus on my academic career and ultimately went back to school to get my 4-year degree. I discovered the Unix and VAX data center in the basement of the science building – it was so cool. I used to show up early in the morning and pester the staff member who ran the computer systems to let me come in and play around. He was great and basically told me “you break it you fix it.” It was through this process of breaking and having to fix things, asking questions and reading a lot of manuals that I learned all my initial skills on Unix and networking.
Ultimately, someone gave me the opportunity to ask a lot of questions, make mistakes and learn from them early in my career and that’s always helped me. To this day, I have people in my life that are close friends and mentors. I think it’s important to have someone you can trust to give thoughtful and critical feedback on a particular situation or just life in general. I also noticed my mentors never really gave me solutions to problems directly but they encouraged me to think through situations through other perspectives, which remains one of the most powerful lessons I’ve learned in my career. On the flip side, my mentors really gave me a sense of duty around mentoring others as I progressed in my career.
4. What’s the best career advice you ever received?
Be yourself. Everyone else is already taken. This advice landed at an important time in my career and helped me get over things that a lot of leadership can feel, such as imposter syndrome. Instead of worrying about our persona, we should just be focusing on bringing all of ourselves to the leadership roles we hold.
5. What advice would you give to aspiring security leaders?
I’d give that same advice about being yourself, but also add that if you don’t make the time to invest in yourself as a leader, a situation will force you to find that time in the most stressful way possible. Unpacking yourself and knowing what makes you really engaged, actively seeking and listening to feedback, and understanding your preferences in how you learn is always helpful from my experience. Good companies will support your growth and development, but you have to take the first step yourself. Otherwise, you’ll always be in reactive mode.