In this episode of the Cyber Thoughts Podcast, Lucas Nelson sits down with Charles Henderson, a cybersecurity virtuoso and the global managing partner and head of X-Force at IBM. Charles delves into his intriguing path to cybersecurity prominence, from early 'conferences' to leading one of the industry's most storied teams. With anecdotes of his tenure abroad and with IBM's X-Force, Charles provides a firsthand account of the evolving cybersecurity landscape, the strategic importance of demonstrating ROI in security, and the power of mentorship and community in fostering industry growth.
Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.
Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.
Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.
PODCAST TRANSCRIPT
Lucas Nelson
Welcome to Adventures in Infosec, where we explore the world of cybersecurity through leaders in the field. Today it is my great pleasure to welcome Charles Henderson, the global managing partner and head of X-Force at IBM. I've known Charles for more than a couple of decades, so I'm really excited to have him on the pod. Hey, Charles.
Charles Henderson
Hey Lucas Nelson, how's it going?
Lucas Nelson
I am excited to talk to you. So I'm going to start out with your long and storied history. How did you get into cybersecurity?
Charles Henderson
Well, you know, I think many of us in sort of our generation have the unique story of getting into cybersecurity before it was really an industry. You can call it independent study or whatever, but, you know, I look back sort of the early conferences that were
And I use the term conference loosely. There were presentations, some on topic, and I mean, some, you kind of had to figure out what the topic was. But they were always, they were always, enlightening if not inspiring and really it, it was more of a curiosity at that point than, than a job. And, you know, I, I thought I was going to be a lawyer when I grew up because both my parents were lawyers and that's just kind of what you do, you know? Um, and you know, in fact, I would have been a fourth generation lawyer.
And about the time I was getting close to graduating from university, there was an emergence of this industry. And even then the industry, it just meant that you could get a job as a penetration tester, which was like amazing.
Lucas Nelson
Thank you New Years for living. Everybody's dream.
Charles Henderson
Yeah, yeah, I mean, and that and there were there were people that were hiring security folks without even really having any kind of work for them to be doing. I mean, it was like, hey, we need a security person. Do you want to come work for us? And I kind of zeroed in on service providers, you know, small consultancies.
Lucas Nelson
What was your first gig? I actually don't remember this.
Charles Henderson
Ah, this is a great story. I got hired out of school by a joint venture between an Austin venture capital group and a Deutsche Telekom subsidiary, SecuNet, S-E-C-U-N-E-T. And I was there for two weeks.
And my first payday, they had a company-wide meeting and announced they couldn't make payroll because the Germans had pulled out.
That was my first job. I can't recall if I ever got paid for those two weeks. I'm sure I did because, you know, I would have harassed otherwise. But from the ashes of that, I ended up working for that German parent company's subsidiaries.
Lucas Nelson
If memory serves, you actually lived abroad for a couple years?
Charles Henderson
Yeah, yeah, in Germany. And...
It was a great experience in that it kind of, it was a baptism by fire and it gave me a lot of business experience as well. And coming out of that, you know, understanding how to do fundraising, how to start up a company, it really helped me in every step along the way since then, you know, founding
AI security, working to build and kind of create Spider Labs within TrustWave. And then to build up X-Force, which was, you know, really a dilapidated brand. And we reinvented it, built it from the ground up.
Lucas Nelson
So you're coming ahead. Let me take you back. Before we get there, because I do want to do Spider Labs before that. But actually, um, there's a fun fact about you. You have not missed a home game for
Charles Henderson
I broke that streak over COVID.
Lucas Nelson
Oh, tell people what the streak was because I still think your time in Germany is the most impressive piece of that entire story.
Charles Henderson
Yes, I had a streak of University of Texas home games dating back to 1983 that was broken in 2020. And I had not missed a University of Texas home game over that time, including when I lived in Germany because part of my employment agreement was they had to fly me home for all UT home games.
You know, for the youngins that are listening, this was during the dot-com boom, and some ludicrous agreements were made during that period. That made it really obvious why it failed. I was younger when I made the demand, but, you know, honestly, it probably kept me sane. It gave me a chance to get home,
you know, it made it less trying to be over there. But I really enjoyed my time in Germany. That is where my mother was born. It's where that side of the family is from. So it was great to sort of reconnect with those roots. I would go see aunts and uncles on the weekends and get lost in the German train system. But, you know, in retrospect, that was a really neat time for me within the industry, because not only was I learning through self-education, vulnerability research, that type of thing, but I was also learning about how to run a business. And part of that was learning how to run a business in sort of different cultures, because there's different aspects to it. I think it prepared me to be more of a global leader than a regional leader when the time came. And you look at… you know, whether it be X-Force, Spider Labs, working in a global economy and having a global team, you really need to understand the differences that may exist regionally, culturally, et cetera.
Lucas Nelson
Cool, so let's jump into Spider Labs because that was one of the formative things that kind of really, I'll say put you on the map outside of a smaller piece of the industry and the larger piece. So why don't you explain what Spider Labs is and who you're working for. Give us that piece of the story.
Charles Henderson
Mm-hmm.
So, you know, one of our mutual friends, Jacob Carlson, called me up and said, hey, you know, this firm that I'm working for merged with another firm that was Ambiron and TrustWave. And for a while it was Ambiron and TrustWave, that was the name of it, because that just rolled off the tongue and they're like, from a branding perspective, we can't pass up on this genius. They eventually took it back down to TrustWave, but he was working for this largely compliance shop and that didn't really excite me. I was really much more interested in, you know, what we were at the time calling cool stuff, right? And what I quickly realized was, no, I was actually very interested in the compliance shop, because having a group that was multifaceted, that had different business lines so that you weren't the only business line, allowed you to secure investment for growth. It allowed you to do some pretty cool stuff, you know, that diversification, that wider portfolio.
Lucas Nelson
So what was the mission of Spider Labs inside of TrustWave? So TrustWave is a big brand, it's an appliance.
Charles Henderson
It was the elite security services. So it was the penetration testing, the incident response, the vulnerability research, the threat intelligence. So you're really combining those. It was really a similar mission to X-Force, but on a smaller scale. It was mid-market mostly. We did have some enterprise, but it wasn't quite as top of the market like X-Force has become.
Lucas Nelson
So you ran Spider Labs and then, so give us the high, low. I ran Spider Labs for X years, then I moved on to IBM. Does everybody go to IBM?
Charles Henderson
Yeah, well, now, so, you know, um, Spider Labs, you know, started over there. Nick Percoco was running it and it was kind of his baby. I quickly came in and they were just doing a lot of compliance penetration testing and, um, PCI IRs and, um,
I convinced Nick to let me start up an application security testing arm of Spider Labs. And very quickly, that became one of our central missions within Spider Labs, doing that application testing. From just a size and scope capability, it grew very quickly. And we had Andy Bokor, who was one of the great people, co-founders of Ambiron, who really helped us in that mission. And, um, then when Nick left, um, you know, I largely folded under Andy and took sort of a more central role in, um, being sort of the face of Spider Labs, especially externally.
Did a lot of PR, really moved from being somebody that would speak at hacker conferences to somebody that speaks in a more public-facing role to non-hackers, which was really a shift for me. I remember as I got started in PR, I had several people that helped me along the way.
Abby Ross was our PR person and she really sort of coached me and helped me understand that, hey, you're not speaking to your friends here. I mean, they may watch it, but really you're speaking to somebody that has never been on your professional radar. They need to understand it for it to be compelling. And as I developed that sort of that public persona, it really sort of helped me even in the running of the business because I was really better able to connect with a lot of clients, I think. Media training does an amazing thing. Pretty quickly, I was not only dealing with clients, I was dealing at the board level. I was doing a lot of board briefings and things like that, which it's strange to say, but my media training became quintessential there because...
You know, one of the things you're always prepared for in media training is the unexpected question. And there's nothing like a board meeting to get something out of the blue, you know, because you have such diverse figures in a lot of these boards that, you know, one of them may just be, you know, playing stump the chump or they may have legitimate questions that some of which you may never have heard before. So you've got to be able to think quickly.
And it really did help me, and quickly I sort of earned a reputation as a trusted person you could put in front of the board. And, you know, it started out with boards of, like, you know, video game companies and things like that. It quickly moved to major financials in New York. Pretty soon I was speaking to people that spoke like the Peter Schmitz in Family Guy and
You know, it was a very quick evolution, I would say.
Lucas Nelson
Let's use that as the jumping point. How did you end up at IBM? Because that wasn't an obvious choice at the time, I would say.
Charles Henderson
No, no, and I, you know, when IBM reached out, a mutual friend of ours, Aziz Gilani, told me, you've gotta take that interview, if only as a courtesy, because, you know, there's so many people, ex-IBMers, that are out in the VC world; if you're ever raising money, you're gonna, you know, run across somebody and piss them off. And...
So I went to Armonk to take the interview. And I remember there's a guy named Chris Esemplare who I still talk to this day, he's a great resource. He's the CEO over at DeepSeas now, but at the time he was the GM of IBM Security Services. And he was very blunt about the fact that they were off track and everything was messed up. And he knew I was interviewing elsewhere, but.
Here, I could really create and really independently do something that I wouldn't have the opportunity to elsewhere. And so that conversation stuck with me. You know, he said, somewhere, everywhere else you'll be executing someone else's vision. Here, it's your vision. You tell us what to do. And he, to his credit, those were not just recruiting words. When I got in, he really...
He taught me a lot about being a general manager because he took a step back and he enabled rather than trying to exert undue influence on something that he really didn't understand. He knew the outcome he wanted, but he didn't know how to get there. If he knew how to get there, I wouldn't have been there. And he really gave me the tools I needed, would go to bat for me, and focused on "Charles, what do you need?" rather than "Charles, what are you doing?" And the results quickly spoke for themselves. And so that really got me more buy-in at the executive level. As an executive, you have executives too. And very quickly,
Chris was becoming my biggest champion. And anytime you're succeeding, whether you're the CEO or you're an individual contributor, the CEO has champions on the board. The individual has champions above them in the organization. Somewhere in the organization, you need a champion because it is enormously difficult, even as a founder to do things alone. And there is a misconception that your champions always need to be above you in the hierarchy, in the org structure. I think very often some of your directs or maybe even somebody that you're your second level manager of, they can be your champions too. They can champion up. But.
It's really important from cultural perspective to know that you have people that you depend on and that will go to bat for you. Go that extra mile.
Lucas Nelson
Yep. So you brought, I'm going to take this a little bit differently. Oh, and that like you brought back an old brand that was a, a favorite of ours when it first came out. So X-Force. So give the quick maybe 30 second history of X-Force and then, you know, what you guys did with it over the next, over the last few years.
Charles Henderson
Sure, and it was the elite group in an old company called ISS that IBM had acquired and became a large part of IBM's security.
Lucas Nelson
Internet Security Systems, right? Like back when that was a novel name for a company, as opposed to most things you could think of, right?
Charles Henderson
Yeah, yeah. I mean, you know, it's, you know, it's kind of like the Kleenex of the day. You know, I don't know who their main competitor is, but I've never heard of them, you know? They were the only show in town back then. It was one of the first. And X-Force just had this, I mean, it was all our friends. And, you know, they had this sense of pride and the swagger.
Lucas Nelson
Yep.
Charles Henderson
And it didn't really, I mean, it didn't really exist anymore. You'd see the name applied to things that didn't really in any way connect to that old image. So we started up this sort of new group, and it was the offensive security group within IBM. It was X-Force Red. It was a throwback to X-Force. Very quickly after I started, a woman by the name of Wendi Whitmore came in and started X-Force Iris, which was when we learned that you couldn't use the word blue to refer to a product offering in IBM, that you wanted to use blue. But Iris, Incident Response and Intelligence Services, which just rolls off the tongue, was gonna be the IR and Intel arm. And I mean, we were putting up video game numbers for years, because when you're starting from nothing and you get growth, your growth percentage is crazy. And, you know, you're hitting all your metrics, and we just knocked it out of the park, you know, and really started to grow. And then all of a sudden, you know, I sort of survey my surroundings and realize I built an honest to God big business. And, you know, you were starting to do a lot of national TV appearances. We're hitting all our business metrics.
Lucas Nelson
Can you give us a rough idea of how big you are at this point?
Charles Henderson
Unfortunately, no, as a publicly traded firm, I really can't speak to financials.
Lucas Nelson
We should. Worth asking.
Charles Henderson
Big. So, you know, I mean, the thing is, we're just, we're hitting all our success. About that time, Wendy left IBM to go to another firm and they kept Iris sort of off the side for a little bit and then came to me and said, hey, we're ready to unify X-Force. And I remember when I interviewed with Essem, I said, you know, you need to start them as separate missions.
Really you need the focus to build an offensive security group and an IR group and an intelligence group. And those are different cultures and just at least initially they need time to sort of build their own identity. And we were finally ready to, you know, unify it. And so I went from managing partner and head of X-Force Red to managing partner and head of X-Force overnight. And we unified the groups and it turned out they really had a similar sense of humor, which I think was the unifying factor. But off we went and it was, I think it was an amazing journey and it was kind of neat to finally sort of realize that goal that we'd started several years before of having a unified X-Force.
Lucas Nelson
All right, so I'm gonna take us in an entirely different direction now and talk about the industry at large a little more. You've got a really interesting catbird seat, you know; you get to work at IBM, you get to work with everybody, you get to see everything. So what are the issues in the industry that keep you up at night? Like, what's interesting to you in 2024?
Charles Henderson
Well, I mean, the thing that I think scares me the most is that the industry isn't all that mature yet.
And we've been going at it for decades and we, we still have the problem of rallying behind a silver bullet product or service and saying this is what's gonna finally solve security, at least from a marketing standpoint. And we still have a problem demonstrating return on investment for security. And this is important from a business perspective, it's important from a delivery perspective. I don't care if you're running a billion dollar ARR security firm, or whether you're a penetration tester or a red teamer doing an adversary simulation engagement.
You, your work as a security professional needs to demonstrate some level of ROI. You know, why are we doing this? And it doesn't necessarily need to be the traditional ROI from a business sense. You know, it's helpful for a lot of people above you if it is, but your activities should demonstrate, hey, this is, this is worth doing. Here's why. Here's the benefit you get from this activity.
Because otherwise it's just a distraction. Okay. And we have more trouble as an industry demonstrating ROI than any other industry I've seen.
And the longer that continues, the less people will be bought into our mission.
And, you know, it's one of the things that I really harp on with my teams is, you know, at the tail end of this, people need to understand why they did it in the first place. And I think very often we hear, oh, this is great data. And we think that that's enough. Great data is, is wonderful, but if you cannot use it, it's also completely and utterly meaningless.
And I think we have problems as an industry with that final hurdle. Applicability of data. I mean, you can look at like the threat intelligence world and we dump all this threat intelligence in a CISO and, you know, you ask the CISO, Hey, do you have good threat intelligence? Yeah. Well, how are you using it? And there's a long pause there.
Lucas Nelson
So I want to dig in on this because, you know, threat intelligence platforms, TIPs, I've never really understood them well, which is a startling thing to have to admit given what we do. But can you explain kind of what's the promise there and where they're failing to deliver?
Charles Henderson
The promise is that you're going to be so informed that everything you do is going to have context. But the problem is that if you're not contextualizing on the fly, really not just giving the data a presentation layer, but actually working it into the things you do. If you have to connect those dots on the fly, you're really counting on the fact that everyone in your security team, every vendor you use, everybody is up to date on the threat intelligence is just going to work it into everything they do.
And the simple fact is that's not true. It's the biggest problem we have in, I think, threat intelligence today, or security today, is that we really need to be contextualizing everything we do with threat intelligence, and we may even think we do, we may even have products that tell us that's what they're doing. But the inherent problem is it's very difficult in security and in anything you do to
contextualize on the fly. And if you have to tell, you know, everyone always is hot on AI right now. The one thing that would be really cool if AI managed to do is actually help us with this, you know?
Lucas Nelson
So, give me an example.
Lucas Nelson
So what's your dream product that does that? Like what's the Intel source and then how does it get surfaced to this?
Charles Henderson
If I had a dream product that did that, you know, we would be having a much different conversation on this call. What I would say is you almost need each individual product at this point to have a mission to better leverage the information available to contextualize everything that I do.
You know, something as simple as ASM, you know, attack surface management. If they're leveraging Intel very, very well, it sort of solves that segment, but you really need all of your products doing it. And I think you also need greater unification of threat intelligence. The other, I think, downside is you have so many disparate sources now, and the TIP is supposed to unify that. But in reality we've really kind of siloed the threat intelligence industry.
Lucas Nelson
So let me give an example and tell me if I got it right, because I think I had an aha moment there, which is your attack surface management, you've got a list of bugs you're supposed to fix, they're one through a thousand or whatever, and if your TIP said, oh, by the way, there's a new exploit out for bug number 12, it'd jump from number 12 up to number one and do it in real time. Does that sound like it?
Charles Henderson
I mean, ideally, it doesn't say it in your TIP, because you don't want to have to go to a second pane of glass to see why something's important. OK?
Lucas Nelson
It would pull that information in and say, I'm moving this.
Charles Henderson
All that information in and CVSS is a crappy way to go about fixing things. Okay. So look, if you know that, and this is something we do for clients, but you know, there's, there's a lot of ways it can be used outside of the vulnerability space. But I'll use the vulnerabilities as an example. If you know you have 15 vulnerabilities to fix.
One of them is theoretically exploitable, but there's no exploits. One of them is just frankly not exploitable. One of them, there are five exploit kits being sold currently on the dark web and the rest of them are lower ranking issues. You know right now, the most important one you've got is the one that has all these exploit kits being sold on the dark web, because it actually is, A, it's being utilized, B, it has value because people are actually making money selling exploit kits for it. There's all these things pointing to that one being the most important. But if you don't have that data, you're treating them all equal. And let's be honest,
The average enterprise class firm has something like 1.5 million unpatched vulnerabilities at any given time. So looking at that, you're saying some sort of focus is required. And that's supposed to be the mission of threat intelligence, but it only works if it's pervasive everywhere. It's got to be unified. And when it's siloed, you end up with individual silos becoming sort of the squeaky wheel, where they're getting attention only because they're threat-led. And everything else is just getting ignored because you don't know what to do.
Lucas Nelson
Got it. Cool, all right, so we're running late on time. So I'm gonna move quickly into the rapid fire questions. So let me start out with what, you know, if someone's just getting into cybersecurity or is trying to learn about the industry, what's a resource you love?
Charles Henderson
You know, so...
I really enjoy the security meetups, especially the vulnerability research ones, if you've got one in your area where people talk about the cool projects they're doing. I also love sort of the hacker spaces, just because I'm a big believer that there's a social nature to discovery. And look, I love books. I love blogs. You know, we have a great one over at Security Intelligence for X-Force. That said, actually, you think back to when we got our start, a lot of it was sort of that social nature, working with others, learning from others. Having more back and forth, I think, is key to really taking that next step. Finding mentors in the space that can help you, I think, is exceptional. You know, look, there are other resources that are good. I don't mean to take away from them. But if you have any kind of, you know, resource that is more social in nature in the way of a meetup, I think that goes a long way. You know, you think back to also when we got our starts, all the meetups we used to have, or we got together. It was, I think, a motivation factor, but it was also a rallying cry, plus the regular meetups kind of keep you focused.
Lucas Nelson
Yeah, you got deliverable, right? You got to impress everybody.
Charles Henderson
Yeah, I really like the ones that actually require you to present every so often because it reminds you to do the cool stuff.
Lucas Nelson
So back in our day, I'll say it was like 2600 was one of them. And what is it Def Con? Like who's doing that today? Like where would someone go? Do you have any idea? You talk to younger hackers more than I do these days.
Charles Henderson
Yeah.
Well, I mean, like in Austin, we have AHA, and that's really cool. I think they've become a little bit more disparate, but you do have Def Con meetups that I think are really great. I'm, of course, I'm very partial to Black Hat and Def Con, but I, I really think that those meetups go a long way. I mean.
Now keep in mind, some of them become sort of more social meetings than say, um, technology meetings. I think both are important. Um, but, you know, look for a technical mentor as you start going to those meetings and getting started and saying, Hey, who can I, I really work on some neat projects and don't just work sort of in the abstract fashion. You need, you need to set goals for yourself, have a project, have, you know, what is the goal of this project?
Lucas Nelson
Nothing wrong with that.
Charles Henderson
Think about it in like a more precise project plan kind of thing. And as you do that, you kind of build discipline into yourself, you know? I think it's important for people to actually have a little bit more in the way of a little bit more rigor in their research.
And, you know, I think back to some of the people that have really done well with our industry and I think that's, they have that rigor where they, you know, they're working on a more strict schedule with, you know, what they're doing. It's not abstract.
Lucas Nelson
Yep. All right. Last one. Favorite book. Who you love? What do you love?
Charles Henderson
So, you know, look, I like to read, but there's sort of going with that last question, you know, how do you start out? There is this book that I ran across at a, of all places, a Disney management training years ago, where I didn't think Disney was going to come up here. I'm going to get your podcast sued by mentioning Disney as many times as possible. So Disney,
Lucas Nelson
Go on. Thank you.
Charles Henderson
Uh, yeah, um, so, uh, there's this book, uh, Creating Magic.
I'm going to butcher the last name, but it was Lee Cockerell, I think. And that's what Google's for. Creating Magic, and it was all about, like, branding and sort of the lessons learned at Disney and the management system. And it really, I think, helped me as I got into bigger organizations trying to build a healthy culture, brand and product, and really understanding how the market perceived our product and making the product better. I think it was really meaningful. And what's weird is I started recommending it to some of the hackers on the team and stuff like that. A lot of them started coming back and, I don't know, maybe they're just trying to shine me or whatever, but they were telling me, hey, this is actually pretty cool. So it's an odd recommendation given all the books that I could be recommending here, but I'm going to try and do one that no one on your podcast has ever recommended or will ever recommend.
Lucas Nelson
Love it. All right, well, that's gonna be our conversation. Anything you wanna plug before we sign off?
Charles Henderson
You know, I would just, I would encourage people to check us out on securityintelligence.com. SI is probably one of my favorite blogs and we do a lot of contributions there, and that's no small measure. And, you know, hey, reach out to me on Twitter, LinkedIn, wherever. I always love making new connections.
I'm sorry, X, and still haven't really adopted that. And more than anything, I look forward to seeing everybody at the next conference.
Lucas Nelson
Thank you, Charles Henderson. It's been really a pleasure having you on the pod.
Charles Henderson
Hey, great catching up.
Lucas Nelson
Bye.