Former Zynga CSO: Innovate or Die

Nils Puhlmann reflects on what he's learned and explains why he thinks the industry needs more pioneers

For the past three years, Nils Puhlmann was head of security for Zynga, the social games company that created mega-hits Farmville and Words With Friends.

Managing Zynga's converged security department was a challenging job that Puhlmann says has left him ready for a break. But don't expect him to be relaxing for too long. Puhlmann is also the co-founder of the Cloud Security Alliance (CSA), a community of over 33,000 security professionals worldwide that promotes the use of best practices for security in cloud computing. His work with CSA continues to evolve.

Puhlmann recently spoke with CSO about his plans for the next chapter of his career and what changes he'd like to see the security industry adopt.

CSO: You recently left Zynga, where you had served as CSO since 2009. What are your plans now?

Nils Puhlmann: I don't have any specific plan at the moment, other than spending time with family. Helping to make a startup company successful and turn it into a public company from a security point of view is intense; it's a lot of work. The job had different challenges than working for a very established company.

I'll be letting things come toward me in the coming months and then decide what type of security I want to do next; where I want to apply my experience, knowledge and insight. Security is no longer clear-cut. It has different factors and aspects now. But I've been excited so far about all of the different opportunities that have already been sent to me since announcing that I was leaving Zynga.


What lessons did you learn from your time at Zynga?

That's a loaded question. I have learned there is no such thing as "one size fits all" in security.

On the other hand, the principles and philosophies that we all learned growing up in the security industry are always valid. A lot of folks now enter the security space or take on more managerial oversight and responsibility. Flexibility and adjusting and adapting to different markets is what a company needs. But at the same time, sticking to what has worked for so long and figuring out what those things are -- remembering that certain basic rules and philosophies or principles in security will never go away, and never should -- is the balance everyone will have to find. That's going to be a challenge.

The new generation of security professionals might overemphasize change and flexibility and might not have enough years under their belts to have learned about these principles. Having both sides, making sure both ends of the spectrum are covered, is crucial. Flexibility is needed all around, but not flexibility that sacrifices security.

Talk about the security industry's next few years. Which trends or concerns are you keeping an eye on?

The next few years are going to be make-or-break for security. Either it will make itself heard -- and heard not just for noise, but innovation -- or it will be pushed aside. I think it's time for the industry to wake up. I haven't really seen it. Anyone who has been going to the same conferences year after year sees buzzwords each year, but it's mostly old technologies rebranded under new buzzwords or themes.


There is cloud, compliance, mobility, to name a few. But the amount of true innovation that goes into these solutions is actually small compared to traditional tech. It forces the practitioners to fill the vacuum through creative work, and I don't think that's sustainable. So either that lack of innovation is addressed and fixed in the industry, or it becomes an afterthought as the pendulum swings from one side to the other.

It could create big issues. It could mean bad things happen around the world that impact business and consumer confidence. In the online and offline world, it can lead to a knee-jerk reaction because you can't force innovation, but you can force legislation. I always say that in the absence of innovation, there will be legislation, and that will force security to the forefront, but that's not an efficient place to be.

I see what is happening and it's worrisome, and it should be worrying everyone. I think it's up to everyone in the industry to change it -- to stop the train and make it move in a different direction before it ends up in a place we don't want.

What else would you like to see change in security?

I think the organizational aspect of security is something that needs to be addressed. Every company is trying to come up with their own job architectures, trying to figure where to place security, what they should focus on and do. Security is actually the only profession inside most corporations that tries to solve that individually over and over again. At some point the industry needs to come up with a baseline and ask: What does good look like? What kinds of functions should be available in the company to really cover security well? Where should they be placed and what should they do?

I had a thought recently: At a company that has had a security executive for five years, how does the CEO of that company know the security program is running well? For every other profession, you have industry publications. There are other companies you can ask because there is enough comparative information. But because security is so individual and unique, it's hard to compare that. That shouldn't be the case. That makes it hard for any company, any board of directors, to assess what needs to be changed or fixed or adjusted.

In 2008 you co-founded the Cloud Security Alliance, a nonprofit information-sharing group. What are your plans for CSA?

CSA was such an innovative step that when it first started people said, "Great idea, but it won't go anywhere." Now it's globally available, and there are lots of people as members actively contributing content and knowledge, which is exactly what we wanted.

We wanted to bring others together to share what works. That concept has worked well and has shown me there is a lot of combined knowledge in this industry; it just needs to be brought together with the right incentives and it will flourish.

CSA will continue to evolve to other areas that we feel need to be addressed, or that people need to be thinking about and sharing their experiences of what has worked, what hasn't, and make it better. So don't expect it just to be about cloud. There are other areas to address. We have already started a working group on mobile and mobility.
