Blogs Interview Series: The Tra...
November 12, 2021
In the latest installment of The Transformational CISO, our co-founder and CSO, Drew Rose, sat down with Summer Craze Fowler, CIO of Argo AI. Argo AI is a software company focused on changing the world by building self-driving technology to create a safer, more affordable, and more accessible driving solution to the world.
Missed the live version? We've included a recording of their conversation as well as the full transcript below.
Highlights from their discussion:
The Transformational CISO With Summer Fowler, CIO of Argo AI
Drew Rose: Welcome to the transformational CISO, a series of conversations with CISOs and CIOs around some of the hardest things that we're working on in our industry. My name is Drew Rose. I'm one of the co-founders and chief strategy officer of Living Security. Today I'm excited to introduce you to Summer Craze Fowler, who is the CIO of Argo AI. Argo AI is a software company focused on changing the world by building self-driving technology to provide a safer, more affordable, and accessible driving solution to the world. Summer, welcome to the show. How are you doing today?
Summer Craze Fowler: I'm great. Thanks for having me. I know it's a mouthful.
Drew Rose: Yeah. No, it's good. I'm really excited to dive into our conversation. The first thing that we like to talk about on this show because of the type of people that we invite on, and it's called a transformational CISO, which I understand you have kind of elevated one step above to the CIO at Argo.
Summer Craze Fowler: Yeah.
Drew Rose: How did you get into this seat? What was your career trajectory? What were some of the things from even your background as you described your career that really influenced you to focus on cybersecurity and information technology?
Summer Craze Fowler: It's a great question. And it's interesting. One of the reasons I got into cyber is because I love people, and a lot of people think, wow, it's strange. There's tech—that's what they think of is the person sitting behind the keyboard. But I started as a software engineer. I went to school—I went to college—thinking I was going to be an attorney, really. And I thought, for sure, this is the direction I want to take. Went my freshman year, got a job at the law school, at the university of Pittsburgh. I was in the law school library. And then I realized I don't want to be an attorney anymore. So I was a little lost. It was that middle, sophomore year. What the heck am I going to do? Had a roommate, and she was in computer science. And I said, oh, I could try that. That sounds really fun.
And then I fell in love. And so it was software engineering. I still did my graduate degree at the University of Pittsburgh and then went to a defense contractor where I was working and building software for tactical ground systems. It was really amazing to work with the military. Gave me a complete appreciation for the user experience because there's nothing like being in a Humvee with a gunnery sergeant from the Marines, leaning over your shoulder and saying, ”Why isn't this working?” to realize, I sure as better make this work and it should be a great user experience for those Marines. It's life and death for real. So I was in software—and I like to think of my life in these 10-year spans. I knew several years in that software was amazing. It's a great place to be, but what was going to be next and what was even harder than software? And it was cybersecurity. So I made a career switch after I met my husband at work. We got married.
Drew Rose: He wasn't the gunnery sergeant; was he?
Summer Craze Fowler: He was not the gunnery sergeant. No, it's me yelling over his shoulder usually, but no, we got married, we started a family and I wanted to diversify a little bit. So I went to Johns Hopkins Applied Physics Lab and really got into cyber security. Also with the government, we decided to move back to Pittsburgh. My husband happened to be from Pittsburgh, even though we met in the Baltimore area, and I wanted to stick with cyber. I'd only been doing it a couple of years, started at Carnegie Mellon University. And I worked in the CERT Division there. So the CERT Division actually has its roots in what's now CERT CC inside of the Department of Homeland Security. And so we really focused on working with public and private companies. And I loved diving into that. Loved working with people, loved working with the government, loved working with private industry to figure out: why is cyber so hard? What is it that we need to do differently?
Building frameworks and models, and then true to my 10-year plan, I said, “What's next?” And I looked around Pittsburgh. I wanted desperately to stay in Pittsburgh. It's home for us, and it's robotics, autonomous vehicles. And so I started looking at the companies and Argo AI—I went there after meeting and interviewing with the CEO, Brian Celski, and it was just a wonderful fit from the standpoint of the direction that the company was going. The fact that I could really apply what I had been learning and actually teaching at Carnegie Mellon in cyber and then also be with a company that really met my values. So long story, but here I am.
Drew Rose: That's a solid end. You can see this in your career progression. I mean, you were starting working on vehicles with the military where you're down range. I was in the military as well. So I can empathize with some of those conversations with somebody yelling over your shoulder driving and you can't hear anything anyway. So, and you're working on vehicles when they're down range; their mission is to get some different point A to point B safely. Everything else is just part of that mission. Right? And so it feels like probably in your core, like driver safety, right, is really important. And so like you're in a very interesting field. I've recently had a conversation with somebody in the healthcare field where one of the things that he has to work really hard on when we talk about people is connecting patient safety with cyber safety, cybersecurity.
And how does cybersecurity impact patient safety? You are in a field around this, a software company being driverless technology, right. Automation where you have these probably really smart engineers and software developers and PhDs that have never worked on products that could impact the physical security of a person.
Summer Craze Fowler: Yeah.
Drew Rose: Right. We're going to come off with hard questions right out of the gate. How do you connect the dots between driver safety and engineering?
Summer Craze Fowler: It's two things. One, it's actually just the fabric of the company. Safety is number one. So it's cultural. So you're Living Security, right? You know that you have to make what you want to. The most important things inside of the company, a part of the fabric and the culture of the company and our founder and CEO—the two of them, the co-founders CEO and president—they made that right from the beginning. Safety is number one. It is the core of everything that we do. And so that's just—it's part of our values. Number one...
Drew Rose: How does that show up daily? You think, if I'm a new employee starting, when's the first moment outside of the interview process and I'm like, Oh wow. This company really cares about driver safety and even pedestrian safety.
Summer Craze Fowler: You should see it in our job descriptions.
Drew Rose: Oh really?
Summer Craze Fowler: Yeah. So when I write a job description, I put our values in it, and we have 10 values, and the first value is about safety. So you should see it before you even walk in the door. And it's really important to understand because it's everything. What we're doing, everything that we build, everything that we're doing for our employees—we know that our number one challenge is not actually the technology; it's public confidence. And it's knowing that you can trust your loved one to get into a vehicle and go somewhere and know that that person is going to get there safely and everything around that vehicle is going to be safe. And it's really weaving into the fabric of that. The second thing that I was going to mention is making it a reality in your everyday life, right?
So it's one thing to talk about it. You can have the word wall. You can have it in the job description, but we really espouse it every single day in our work all the way down to the drivers that are in the car. I mean, they're actually the first thing that we think about, right? We have people in the car, and when the car is driving itself, we have two operators that are in the car, one hands around the wheel, one watching what's happening. And anyone in the company at any given time can say, "Hey, I found an error. There's something going wrong in this map. Or there's something that's an issue,” and can ground the fleet. That's not a cheap thing, right? I mean, time is money.
Drew Rose: Yeah.
Summer Craze Fowler: All of that. But we really make sure that everyone knows safety is not only the most important, but everyone in the company is responsible for it. And you're responsible for it in your individual role. We talk about that. The facilities team that I lead, what does it mean to be safe? The physical security team. So it's really throughout the fabric of the whole company.
Drew Rose: Something that always amazed me when I used to travel around and visit clients and provide training. And whenever I would go to, like, energy or oil and gas companies, every meeting you go to, they start with a quick state safety brief—no matter who you are in the company, no matter what your role is. It's 97 degrees outside. Make sure you're hydrating; look around from the nearest exit. It's rainy outside. Be careful you're not tracking in water. And you're putting—I would from a cybersecurity perspective, man, that'd be so cool. If we could have a cybersecurity tip in front of every medium, I know that's not as realistic, but I'm curious. Are there any traditions in Argo that are like things where it really starts to come out? How much do you talk about safety?
Summer Craze Fowler: So it's interesting. It's not cyber related.
Drew Rose: Yeah.
Summer Craze Fowler: But it is safety related. When our operators in the morning are getting ready, they have a meeting every morning. It's very early. They get together, and they'll do calisthenics. They'll do mental exercises. So even though you're talking about a car that's driving itself, and it does—it really does. I mean, it's not ready for commercialization yet up, but we're marching towards that. The drivers and operators have to be mentally and physically fit. And so they really get themselves in that mindset at any given time; an operator can say, "I've had a bad morning, I'm fatigued." There's some. And they come out of the vehicle, and they go do something else. And so I think that getting ready is really another way that you can say, “Let's get ready for the day. Let's do what needs to be done.” I love the cyber idea though.
Drew Rose: Yeah. So how do you have new teams come? I mean, you're growing; you're scaling; you're bringing new people on. How do you handle the ones that are far removed? The project managers, the customer support, but maybe not the people that are hands in the code, because it's in your company culture, how do you get them? How do you get it to click?
Summer Craze Fowler: Yeah. There's a couple of things that we've done from our own training standpoint. One, our onboarding really speaks to what's important from a cyber standpoint as well we have a weekly all hands. And so the whole company comes together, and we'll often have discussions around cyber activities, things that are important. And we do a monthly—we call it our cyber Slack snack. So it's a tough one there.
Drew Rose: I love it.
Summer Craze Fowler: But we use Slack. We are prolific users of Slack, and the cyber team will pick a topic. And say it's May,and people are going to be going on vacation. We did a cyber Slack snack, which was just a quick hit on Slack that said some reminders about cybersecurity safety when you're traveling. And then you could click a link, and it would take you to a full paper on it. Or when a certain ransomware attack happened, what do you want to know about that? And you will teach people about it. So it's interesting that we'll just try to do quick hits here and there. And then, of course, Cybersecurity Awareness Month, we do that. We have our annual training. We do other types of events.
Drew Rose: All right. So I'm going to tease this out a little bit more. So engineers are in code, developing software that is looking for anomalous detections in the road. They're looking to make decisions based upon what they're seeing on all these cameras and sensors. But when we take it one step further in this organization of yours, we think about cybersecurity—we think about confidentiality, availability, integrity, right? We think about the supply chain, right?
Summer Craze Fowler: Yeah.
Drew Rose: We think about DDoS attacks on your servers, shutting down systems. There's a huge impact on what's going on. They may be five steps away from code, but your end user still has an impact on what can be happening to the safety. So let's talk about, broadly, for the rest of that company, when you're thinking about decisions they're making, how do you effectively tie that back to your number one value statement around your culture statement you were telling?
Summer Craze Fowler: Yeah, it's a tough one, but with the way we do it is, really, we're naming cyber ambassadors in each team. Right? And in each area to say, “Okay, what's important here? What are the things that we need to be cognizant of?” We do have a little bit of separation between enterprise security, corporate security, and then product security. And we have some team members who bridge both. And so that becomes really important as well in terms of understanding, “How can an enterprise activity impact the developer, which ultimately impacts products and vice versa?” So we have good separation in the sense of we don't want an enterprise activity to have anything to do with the vehicles, but that training and awareness is really important to understand. So some of it's a lot of traditional activities. So you think about “what are your requirements,” right?
So going back to the military days, right? So what are the requirements that we have? What do we functionally want to be able to do? And then how do we bake in that cybersecurity to make sure that it's safe operations? And then other things become very brand new. As you talked about supply chain, how do we make sure that our open source that we may use is okay from a legal standpoint and okay from a vulnerability standpoint, and how do we stay on top of that? So we're really working a lot with the engineers getting next to them because the last thing you want is to come in and say, “No, you can't do that instead.” You want to sit down next to them and say, “Show me what you need to do. Now let's find the most secure way to do it.”
Drew Rose: Yeah, no, that's, that's interesting. The notion around blameless security came up—which I thought that terminology was really smart—of anybody in your company being able to raise their hand and say there's a problem. How do you prove that that works? I can empathize with a 24-year-old, $250,000 software engineer coming in kind of hot shot, ready to go. In this big company that is solving massive problems and being like, “That doesn't look right. But I'm the new guy. Smart. But these guys are way smarter than me. I don't want to look dumb, and I don't want somebody to look at me like I'm trying to cause problems.” Like, it seems like such a big hurdle to get over, especially if you’re one of these 24- to 30-year-old software engineers, insanely smart. So what are your thoughts there?
Summer Craze Fowler: It's carrot and stick, right? So you really want to offer the carrot. And so even when we have someone from the finance team who may stand up and say, “I think I may have clicked on something, or I may have made a payment that I'm questioning now.” You really applaud them for bringing the awareness and the attention.
Drew Rose: Who applauds them?
Summer Craze Fowler: The CEO. I mean, frankly, the culture is there. Yeah. And it becomes a matter of a reach out, whether it's a private reach out that says, “Great job, thank you.” Or a very public one in an all-hands to say, “Hey, Sally, that software engineer noticed that there was something that we weren't checking. Great job.”
Drew Rose: Okay. So you’ve been—a year or two years—going on two years, right?
Summer Craze Fowler: Almost three.
Drew Rose: Almost three years. Excuse me. Sorry. So you've been at Argo almost three years coming from a very esteemed career—raising up, like being intentional on your next move. I feel from knowing you a little bit that this type of CEO—it was important that they had these characteristics, these beliefs. As you were assessing this company, what were the questions you were asking? And like, how could you get beyond, “Oh, these are just the right words to say,” versus “This is how we act.” Talk about your process. For all the other CISOs out there that are looking for the next CEO that they want to help bring security to their company in a bigger, better way, what are some tangible things that they can bring into that interview process?
Summer Craze Fowler: It was a lot of listening and a lot of the questions that Brian asked me, so I was really paying attention to the things that he was asking me to see. Is it really important? Is this something that actually matters? He wasn't quizzing me for my cybersecurity skills. I mean, we didn't have a lot of that discussion, but it was also about how am I going to approach this? How will I work with him? How will I work with the other engineers at the time? The company was a lot smaller. We're about 1500 employees now. Then, we were under 300. So at that time, the question was really, how are you going to do a lot with very little? And so that excited me, I thought, This is fantastic. I'm going to love this. Now we're at a point where it's, “How quickly can you grow?” We have a lot going on. How much can you expand? So I think also it was a question of us getting to know each other. Could I scale with the company?
Drew Rose: Yeah.
Summer Craze Fowler: And quite frankly, maybe the answer was going to be no, and I was going to get the company to a certain point. And honestly, really, that's what happened. And I don't mean that, but cyber outgrew what I could handle in terms of all of my other roles, [so] we just hired a CISO. And so I’m really excited about that. And I think that was also something important that my CEO was looking to me to know when that point was. And I probably waited just slightly too long. Right. And he was saying, “Okay, it's time to go. Yes, let's move this. Let's build this and grow together.” But having those open, honest conversations. And I think looking for that CEO who is intentional about what the need is for the company and whether or not it fits you and your values is just critical.
Drew Rose: It's hard. I mean, I've talked to lots of CSOs where they make a big career move. They go to a big Fortune 500 or fast-growing startup, and they're expecting one thing. And then what plays out is something completely different. And I think that a lot of the CISO turnover comes from mis-expectations or misalignments or just false narratives by trying to get a good CISO in. But I can imagine us having a different conversation if your CEO is expecting you to maintain the same size team at 300 and at 1500.
Summer Craze Fowler: Absolutely. Right. Yeah. It would be a completely different discussion, but I think that's the other thing that you're looking for is, what is this person's vision for the company, for the department, for overall? Where are you going?
Drew Rose: Yeah. So let's get back. I love to learn things. I don't know. Not that I know a lot at all, barely a little. In your field, what are some of the threats that you're most concerned and worried about?
Summer Craze Fowler: Yeah. There are lots of things that keep me up at night. I always talk about three. One is the insider threat. So it's really malicious or unintentional. We know it's mainly unintentional, right? So it's really smart people I work with. When I walk into a room—they always say, don't be the smartest person in the room—I am probably the least smart person in the room when I walk into any room at Argo. We have tremendous pressure to produce. So it's making sure that the team can stay on step or a little ahead of everyone in the room and that we are giving them the tools to do at speed what they need to do. And so that's the issue. It's really the unintentional issue of, oh no, did we allow someone to upload something to a public space that we should have been blocking? Did we do something incorrectly that we should have not enabled or are trained differently, etc.? So that's a big deal, especially because when you think about IP, intellectual property is what we have.
Drew Rose: And when I think about smart engineer type, they're going to be the most creative in finding a solution if you don't give them an option.
Summer Craze Fowler: Absolutely. Because they have to make this happen. They have entirely different pressures and motivations. And so that's part of that. Tying the fabric together to say, “Our motivations are actually exactly the same. I want you to get this software out there and I want you to meet that deadline. So let's work together on how we can get it there in a way that also meets all of our corporate principles for security and safety.”
Drew Rose: And that's why it’s very important for the CIO or the CISO to be very aligned with What are the business outcomes? What are our objectives this year? What are we trying to achieve as a company?, versus coming in there and saying, “I just need to secure all the things.” If you don't know why or for what reason, you'll end up not providing the right type of security experience to those engineers that are looking for solutions to meet the same goals that you're trying to meet.
Summer Craze Fowler: Yeah. Our technical program managers actually do a lot in that regard to align us. So we do quarterly OKRs—objectives and key results—like a lot of companies do. And they will ensure that we're aligned to say, “All right, these are the goals that we have and the objectives that we need to achieve. Now we have annual goals, of course, but over the next quarter, we have to get to X, Y, Z. What do we need then from IR and physical security and cybersecurity to get there?”
Drew Rose: That's awesome.
Summer Craze Fowler: And so that alignment happens every quarter and throughout, right?
Drew Rose: That's awesome.
Summer Craze Fowler: And so that's really good.
Drew Rose: Yeah. We're a big believer in OKRs at Living Security and it does—it changes quarterly. Sometimes it changes mid-quarter, and sometimes we have to be flexible, but making sure that each team is aligned to what our top-level goals are is very important, especially as you're growing, because we're going to make different decisions. I made this analogy yesterday. It's like, hey, we are developing a new feature. It gets us from zero to 75. Yes. Do we really need to get to 85? Do we need to get to 90? What's that time investment going to be? Is it going to be worth that invest? And if we don't know, if we can't calibrate against how important just 75 is, then it's hard to understand how much time we need to invest in a different solution.
Summer Craze Fowler: Sure. Yeah. And we even say to our teams, “Shoot high because we want you to be stretching yourselves, but understand that if you don't quite achieve it, we target, like, 70%.” We're looking to make sure when we set those goals and key results.
Drew Rose: So insider threat—malicious or non-malicious, making sure that they have the right tools and to be able to make the right decisions. Which are the other two?
Summer Craze Fowler: The other two, third-party relationships. So absolutely, of course, and that just becomes a matter of working with the right companies, helping those companies get better, and help[ing] ourselves get better. But that keeps me up at night. Who has access to our data, making sure that we have done it in the most secure manner possible, and any exceptions are being handled in the right way. And I think that's something like the healthcare industry sees all the time, the financial industry. And so I worry about that, especially as we grow, because we have more and more of those relationships. And I see that's something that's evolved as the CIO and CISO roles; it's become more and more about managing the vendor and partner relationships.
Drew Rose: So working at a startup—I mean, Argo AI, definitely a startup—300 to 1500 employees in three years. Does it make it easier or harder for you to work with other startups?
Summer Craze Fowler: I think it depends. It really depends on the culture of that company and what they've established as their security program and their overall program. Right? So we're assessing and looking across the full fabric of that company as well. So I think it really depends on the company.
Drew Rose: How are you assessing their technology? How are you assessing that? They're not taking that. If you're looking at adopting an integration where this partner driver pedestrian safety is not the number one part of their culture—it's scale, it's revenue, it's growth—how do you assess whether you're not getting, excuse me, how do you assess if you're getting into a relationship with somebody who's—maybe their technology or their architecture is—not going to align with the values of Argo?
Summer Craze Fowler: Depending on the tier of importance of what we're doing, I could give you an example of if we're going to put something in the vehicle that could be just—we're looking to see what their security program entails. We're looking to see what their physical security, even their human resources or people operations. So we're looking at across all of those programs, we may, and we have also done penetration testing where we've actually said, “All right, if this is going to go onto a vehicle, or this is something we want, [you need] to test this,” and then we'll work with that company to say, “Okay, these are the things that we found.” These are things that we need to fix to work together. So it can be a big range. And we do that based on the priority of the vendor and the tool or system that we're using.
Drew Rose: So insider threat—malicious, non-malicious—vendor risk management, supply chain.
Summer Craze Fowler: Supply chain's actually the other one.
Drew Rose: The third one.
Summer Craze Fowler: The third one is supply chain.
Drew Rose: Okay. Got it. Got it.
Summer Craze Fowler: It's really nice we separate that out because I, I look at even the more traditional supply chain for vehicles. Or the traditional supply chain for software development. And so that's something that I'm really helping and working with the team to focus on over the next year because I think it's uncharted territory for us in some ways. I mean, we have a supply chain program—we have supply chain risk management—but I think there are new elements of that even as we get into supply chain shortages. And we don't want to make shortcuts. We don't want to take that. We are sourcing from around the world. So how do I make sure that I'm sourcing from the right locations and that there aren't going to be things inserted in that supply chain? So that's a whole different challenge.
Drew Rose: And, and it's so interesting because here's a new company, your supply chain, we're talking about car manufacturers and other automobile institutions that are 50, 75, a hundred years old. And they're trying to catch up and they're trying to keep up as well, but their culture's a lot different than a startup is. And so that must be very challenging.
Summer Craze Fowler: We have a great relationship with our OEMs, but yeah, you're right. I mean, they are working to come up to speed as well, and we actually lean on them. So it's oftentimes that you think, “Oh wow, the new AV company is going to know more,” but we do work with those OEMs to say, “What is it that you've learned over time?” And we work with other vendors to say, “What is it that you have learned over time?” Because we're learning from them. We're adding the new things that we know. It's a great relationship. I will say the supply chain one is the one—it's that third one that I name and the one that I'm coming up to speed on and learning the most about in my current job.
Drew Rose: And what about cybersecurity impacts the supply chain relationships? Are you talking to the CSOs of your OEMs? Are you having one-on-one relationships with them or...?
Summer Craze Fowler: Yeah. CSOs, CIOs, engineer leads, we have really good meetings every week with the cyber teams from the OEMs that we're working with closely. And so that becomes really important—that relationship building—which, again, I love people. So it's a great role.
Drew Rose: Okay. Last question. So, last question of this conversation—I could go on for hours, days, probably. What is the biggest threat that you think is flying under the radar? This can be specific to your industry or just in general.
Summer Craze Fowler: It's sad. I don't have a super exciting answer to this, but frankly, I think it's back to the basics. I think companies—we think so big, and we're worried so much about, oh, IoT. And we think about, oh my goodness, what is it that we're going to solve for? We talk about this sexy threat of ransomware. And frankly, when you look at how these attacks are happening, it goes back to the basics. You can go back and look at the CIS top six, and I don't have the statistics, but I would say a high percentage of very sophisticated attacks—or what we think of as sophisticated attacks—are really happening because we're not getting that top six correct. Asset management—knowing our right controls—and access management. So those two things, and I think it still keeps flying under the radar and biting us in the butt.
Drew Rose: Summer, thank you so much for joining us today. Any final thoughts?
Summer Craze Fowler: Yeah. I want to thank you because I think that one of the things that Living Security is really bringing that—I talk about this with my teams—is we have to make security a part of what someone's daily job is. And I talk about this with the news. If you hear that there is a fire somewhere in your metropolitan area, and you're listening to the news in the background, you might think, Oh wow, that's really awful. If you hear that there was a fire somewhere within your neighborhood, you listen a little more. If you heard there's a fire on your street, you're paying attention.
So what Living Security enables us to do is to target what it is that we're trying to train for and those different roles and those different responsibilities. I think that's critical because now we're talking about the fire on someone's street. And they're paying attention; they're listening. So I've loved that about the training. I think that's really super important. And tying that to the data that then I can say that training actually has had a result in the fabric of what my organization is trying to accomplish. It's really priceless. So great job to Living Security. Thanks for having me here. And I look forward to continuing to work with you.
Drew Rose: Awesome. Thank you, Summer.
Living Security is proud to present The Transformational CISO, a series of conversations with leading CISOs and CIOs about the most pressing security challenges businesses face today. If you’re just discovering this series, subscribe for updates so you never miss an episode.