Steve Morlan started his career as a ‘Cowboy of the Sky’ — another name for a structural ironworker. The role is largely reserved for daredevils who erect and connect iron beams to form a building’s skeleton. In time, he yearned for a different adventure — one that was still thrilling, but perhaps a little safer.
Hacking had been another exhilarating hobby in his youth, so Steve decided to pursue a Computer Science degree. After graduating, he found the roles he truly wanted required several years experience. Struggling to find his first gig and get a foot in the door, he got involved in the security industry. Steve signed up as a DEF CON goon, a behind-the-scenes event staff at the world’s largest hacker convention.
One day during DEF CON, he got a call that he was needed for an emergency. When Steve arrived on-site, he was surprised to learn it wasn’t a matter of crowd control or logistics — instead, a team needed an additional player in their game of social engineering capture the flag. And he performed brilliantly. So well, in fact, that he won a Black Badge — lifetime attendance to DEF CON — and Salesforce’s Red Team soon came knocking.
Today Steve is a Senior Infrastructure Security Engineer, his third role at Salesforce. Through his experience he’s discovered what it takes to crack into Security, and the surprising skill sets that are needed to flourish.
Security is a mindset, not a pedigree
“You don’t have to have a traditional path to break into Security. When I look at our team, we have some really diverse backgrounds. A former janitor. A prior bio-med student. There’s no one recipe for developing strong Security skills,” he shared. “And diversity of thought improves our approach for the whole team.”
However, one universal prerequisite is having a deeply analytical mindset. “You have to understand where worth lies. Truly understand risk. And you must be deeply concerned with maintaining our customers’ trust by protecting data.”
Interpersonal Skills Help Engineers Flourish
At a company as large as Salesforce, communication is key. Engineers who can relate security challenges to non-technical employees will be far more effective. One suggestion to achieve this is using someone else’s language. “If I were trying to frame up the importance of a step, I might use a metaphor like, ‘You don’t construct a building without a foundation.’ Or if the person is a car buff, maybe I’d say ‘don’t use a sedan engine on a heavy duty truck.’” Relating to something the stakeholder understands is critical.
You can play offense on Red and Blue Teams
“My path at Salesforce has been a bit of a discovery and is still evolving,” Steve commented. He started off doing pentesting, or penetration testing, which is actively attacking a service or host to gain access in a simulated attack, on the Red Team. Through this he saw opportunities to improve our security controls and join the growing talent on the defensive Blue Team.
And while he loves playing defense, Steve is quick to point out that Infrastructure is offensive, too. Beyond just making life harder for his adversaries, Steve says, “The Infrastructure Team strategizes, verifies, and advises. As part of that verification process, we still do a lot of pentesting. We get to break things as we see fit and attack them to test our solutions.” If you’re dead set on a position, consider expanding and trying a role on the other team.
Pursuing Interests Builds New Skills
Steve’s work has impacted engineers throughout the company. His projects standardize procedures for improving systems — for example, (1) a metadata effort to identify which employees have contributed to code, (2) secrets management, and (3) automating the security review assignment process.
Expanding beyond his initial interests of malware and popping boxes, within Infra, Steve has “the opportunity to learn about countless technologies and grow under incredible leadership.”
Volunteering at Conferences Fast-Tracks Networking
His experience at DEF CON left a lasting impression. Today, Steve and a number of his team members leverage their volunteer time off (VTO) to improve attendee experience at conferences. While there are many great events to choose from, some of his favorites are ToorCon, BSidesSF, ShmooCon, and Day of Shecurity. In addition to being great learning opportunities, these conferences “help you build friendships and camaraderie with people you wouldn’t have otherwise met. And those are the relationships that help you get deeper into the industry.”
An added benefit of this networking is getting private Slacks, which help him up-level his game even more than go-to resources like Hacker News or Reddit.
At Salesforce, trust is our number one value, which means the growth opportunities within the Security team are endless. Ready to join us and engineer more than software? We’re hiring for Security Engineers and a VP, Enterprise Security. Or, browse all of our open roles.
