Coming from a heavy generalist background as a software developer, Principal Software Engineer Zachary Flower has been in and out of cybersecurity his entire career. From brief stints working in cybersecurity at the National Security Agency and the University of Colorado to working at startups focusing on broadcasting, genealogy and various B2B services, Zach brings a variety of experience to the table at Automox.
So, whether that’s working on forms improvements, diagnosing bugs and issues, or his involvement in developing a “more cohesive” hiring process at Automox that’s resulted in great hires and co-workers he’s excited to work with, Zach’s duties and responsibilities focus on moving Automox forward by way of a “quality-first” mantra.
“The philosophy I like to go by is, we move forward together as a team or we don’t move forward at all.”
In this week’s Get to Know the Automox Team blog post, Zach shares a bit about his role as Principal Software Engineer, his thoughts about the never-plateauing cybersecurity industry, and why Automox’s commitment to a quality-first software development process always ensures a high-level product.
Cybersecurity — A Moving Target
Zach has always enjoyed the challenges posed by working in the cybersecurity industry because as the adage goes, “attackers only have to find one vulnerability, whereas defenders have to find a way to close up every vulnerability.”
It’s much harder to be the defender than it is to be the attacker, and everything is always changing with digital security — there’s always a new breach and new things to learn about, so Zach finds it interesting to be on the side of “trying to keep things from being broken when it’s very easy to break stuff.”
“Cybersecurity is very much an always-moving target, it’s non-stop. The world is constantly becoming more connected, never less — and it’s not just people, but things. At a consumer level, we have smart fridges, microwaves, coffee machines, TVs, cars, etc., so cybersecurity is one of those industries that will always be necessary because criminals don’t take holidays off.”
As more companies move their IT infrastructures from on-premise to the cloud, more connectivity risk is introduced and new vulnerabilities are revealed. As such, cybersecurity is a learning process. There’s always going to be a growing attack surface area, and the areas of expertise that will be required to remediate that are constantly evolving.
“We’re constantly going to be surprised by new security vulnerabilities and new technologies. A lot of times, we learn how to do things with technologies much faster than we learn how to secure them, and the internet of things (IoT) is a great example of this.”
Zach has spent a significant amount of time at Automox working on our guide to cyber hygiene because, he says, it’s not as simple as applying patches once and being done with it.
“Just like hygiene, security’s an ongoing practice. It’s something you have to do every day — you have to shower every day, you have to brush your teeth every day, you have to wash your hands several times a day. It’s an ongoing thing, you can’t shower once and say, ‘great, I’m clean. I never have to shower again.’”
As simple as it is to say ‘just patch everything’, Zach says you also have to have insight into your systems and know what’s going on on your network. You have to stay aware of new vulnerabilities as they’re happening, and you have to educate your users because there’s not just an automation and technical component to it, there’s a human element to it as well.
Companies can patch everything and have the most secure networks, but the second a human who isn’t as technically skilled is introduced into it, according to Zach, that’s where things like phishing and data breaches happen — not just because a bug was exploited but because a person was exploited.
“If you’re vulnerable, it’s not a matter of if you will be hacked, if your industry is desirable or if you have desirable data, it’s just a matter of when because all it takes is somebody or an automated program to discover your vulnerable infrastructure.”
Even if your company has systems that come back as clean, Zach says you should still be doing regular audits, making sure monitoring tools are doing their job, that the information you’re getting back is accurate and that the automation you’re doing is being applied in the way that you expect it to be. Trust but verify.
We live in a world where you can’t take cybersecurity for granted anymore. It’s not OK to pretend like the problems don’t exist or to claim you’re “not a computer person.” Cybersecurity is a process, it’s a daily habit, and there’s no better time to start doing it than now because if you wait too long, Zach believes it’s only going to be more difficult to get those habits in place.
Automox’s quality-first software development process ensures a significantly higher standard that’s passed on to the end user. Every feature goes through a rigorous testing and validation process to ensure there have been no regressions in the code, no previous features have broken and that the new feature works as expected.
At its core, cybersecurity is a high-risk industry, and Zach and his team work to make sure that they are not introducing any issues or inconsistencies into our customers’ environments. Consequently, this process ensures a significantly higher level of quality that we can then pass on to the end user.
“That commitment to quality has been huge. It means that when we push code out, we have a confidence in knowing that it will work. And if something goes wrong, we know how to fix it and adapt to it, ensuring that the product is always at a high level of expected quality without any unforeseen issues.”
But this process took time to get to where it is today. The impact of the service that we provide is huge, which means the risk is huge as well. So, while leaning into the quality aspect, and testing earlier and more often, makes it harder to write code because it takes longer, Zach believes “we’re better served by moving not slowly but deliberately.”
“Think of it as the tortoise and the hare. The hare didn’t lose because he was too fast, he lost due to arrogance. We’re better off moving at a consistent and predictable pace, reducing the bugs, reducing the defects and the negative impacts before our releases go out rather than trying to move too fast in order to hit deadlines. It took a while for us to adapt to moving at a deliberate pace and finding a consistent cadence and speed, but now that we’re there, it’s been a big win in terms of reliability, consistency and customer trust in our product.”
That quality-first mantra stems from Automox’s company culture. As an “unashamed Automox cheerleader,” Zach enjoys our “very people-first management style” where the goal is to find the right role for everyone, where they’re set up for success. When people are driven and excited to do what they’re doing every day, that brings a cool energy.
Beyond the encouragement of learning, education and mentorship, one of the things that struck Zach about Automox’s culture is there’s never been an instance where someone was discouraged from contributing to a conversation.
“In the past, I’ve experienced the stay-in-your-lane attitude, and that doesn’t exist here. It doesn’t matter what department you’re in, what your role is, if you have something to contribute that might improve or solve a problem, then your experience is treated as valuable. We’ve all worn a lot of hats, and that experience can lead to solutions, and solutions can come from anybody. Like I said, it’s either, we move forward together as a team or we don’t move forward at all.”
Automox is a cloud-based patch management and endpoint protection platform that provides the foundation for a strong security framework by automating the fundamentals of security hygiene to reduce a company’s attack surface by over 80 percent. A powerful set of user-defined controls enables IT managers to filter and report on the vulnerability status of their infrastructure and intuitively manage cross-platform OS patching, third party patching, software deployment, and configuration management.