When I was 21, I almost lost several hundred million dollars by threatening to mutilate one of our customers.
In my senior year in college, I worked full time as an intern PM at NetApp I spent most of that time at work being groomed and prepared to be a full PM, and given that my background was in cryptography I got pulled into a lot of customer meetings related to security.
One of our customers at the time was undergoing a big change with their security architecture, and I tagged along with one of the directors to the meeting. I was one of ten PMs giving talks on roadmap and our plans, and I had 30 minutes to convince their CIO and CEO that we could integrate our new systems well with the new security infrastructure they were rolling out.
It turned out though that the CIO and CEO weren’t the only ones in the room. Joining them was the company’s Chief Security Officer (CSO). Like me, he was a young, rising star in their company with a lot to prove in a short period of time. He also didn’t like me much from the get-go; when I walked in the room he sneered, and when I went to plug in my laptop to the projector he openly asked, “Is he really going to present alone?”
When I finished my slides and hit the time for questions, he laughed and shooed me away. “Good effort, but you clearly don’t abide by our security practices.” I stared at him with tired, dagger-piercing eyes across the podium. Not only did we abide by what they needed, but I’d spent all night working on this presentation (which, combined with going to school full time, meant that I was on very little sleep). I was pissed off, and I decided to push back.
Me: “Well what specifications are you referring to?”
Customer: “You don’t understand. We are subject to a vast amount of compliance requirements inclu-”
Me: “-ding FIPS 140-2, PCI-DSS, FISMA…”
(I did my homework on the account.)
Their CEO took notice at me pushing back and seemed to wake up from his “I don’t care, when’s lunch” stupor. As the CSO and I nerd battled like we were Sith and Jedi LARPers at Gen Con, a bunch of the account reps in the back of the room tried to get me to come off stage. My director let me stay.
Finally once I had proven that we fit the spec, the CSO changed tone to something ridiculous.
Customer: “Well what about biometric scanners? We need biometric scanners.”
I blinked. Biometric f*****g scanners? We’re a storage company, not the Goddamn NSA. I responded that our authentication schemes supported most of the protocols that are used by bio-scanners, but he retorted that it needed to be first-party only.
I sighed, clearly exasperated, and responded bluntly. “We don’t make biometric scanners. You don’t need biometric scanners. They’re expensive and none of your compliance requirements need them. It’s complete overkill.” The CSO immediately (and vehemently) shot back angrily, citing his military experience and how he was going to make an infrastructure that was “unhackable.”
So I decided to turn the tables on him. “Okay, biometric scanners – what kind of biometric scanners do you need?” He gave me a basic list of specs, but having recently completed a homework assignment in my information security class (a class taught by a ex-NSA cryptanalyst who liked to talk about now-public faults in old security systems) on the topic, I hit him back with the various faults in modern bio scanners – including the gory details on how you fraud them.
Me: “So you want bio scanners with feedback right? That’s cool. Well what’s to stop me from cutting off your thumb and swiping it like in the movies? Nothing. Unless of course you want to integrate temperature and humidity monitors, and even then I’ll defeat it by running tubes into your cut-off thumb with warm water or soak it in salt water in the microwave.”
At this point, the CSO sat back horrified. The CEO of the company was dumbstruck, the account team in the back of the room was mortified, and my director was dying of laughter.
I proceeded to then go into detail about the faults of various retina scanners (“well I could pull out your eye and put a layer of visene over the retina…”) until finally the CSO sat back in his chair – both defeated in his designs and horrified at the glasses-wearing Asian kid in front of him that looked less like a brainy engineer and more like the Unabomber.
At this point, the team decided to call it. I was quickly hurried out of the room – only after thanking the customers for their time of course – to where I met with the rest of the PMs in attendance who were literally doubled over with laughter. The account rep on the team later joined us and blasted me with a series of insults, noting that my insubordination might cost them the account and that I “clearly wasn’t mature enough for my job.”
I spent the next few days calling myself an idiot and getting ready to change my LinkedIn status. But when the email feedback report on my presentation came back, I got the highest rating from the account’s exec team. They noted that the CSO can “be difficult sometimes” and they appreciated that I “had a strong command and understanding of the security requirements of our space.”
I spent the next few years at NetApp running product security. This event definitely came up during my year end review though, and since then I’ve become much better at presentation etiquette.