The cybersecurity realm is a labyrinth—a maze of threats and vulnerabilities. Here, constant vigilance is crucial to stay ahead of attackers, and innovation is the key to fortifying defenses. In this continually advancing landscape, even the slightest misstep can have catastrophic consequences; therefore, skilled leadership is more important than ever.
David Chasteen is emerging as a seasoned leader in this realm with a distinctive journey that bridges the military, intelligence, and now corporate domains. His career path began in the trenches of national security, combating threats to US computer systems and critical infrastructure during his tenure with the CIA.
Transitioning from federal service to the dynamic tech hub of San Francisco, David found himself drawn deeper into the world of cybersecurity. His experience in standing up security operations for the city and later assuming the role of CISO for the San Francisco Police Department underscored his knack for navigating complex security challenges with strategic finesse.
Today, as Chief Operating Officer at SideChannel, David leverages his formidable background to drive forward-thinking cybersecurity solutions. His approach is not merely technical but stems from a mindset cultivated during his time in the Army and CIA—a mindset characterized by unconventional thinking and an innate curiosity about the inner workings of systems.
Let us learn more about his journey:
Forging a Secure Future
SideChannel was originally founded by Brian Haugli, who served as the CISO at the Pentagon. David had begun transitioning to the private sector after leaving CCSF and had joined the board of directors at Cipherloc, a publicly traded Post-Quantum Encryption company.
Seeking to continue his work as a CISO, David connected with Brian just as SideChannel was getting started. They discovered they shared similar ideas and goals, which led to David becoming a partner at SideChannel.
Ultimately, it made sense to merge Cipherloc and SideChannel, resulting in the current entity. By this time, David was the CEO at Cipherloc, so it was logical for Brian to become the CEO of the new company while David took on the role of COO, overseeing operations. Nick, the CTO, and Ryan, the CFO, had previously held these roles at Cipherloc and seamlessly transitioned to their respective positions in the new company.
The leadership team at the newly formed entity is highly aligned and collaborative, with David noting the pleasure of working with colleagues he both likes and respects.
Team-Centric Philosophy
For most of his career, particularly during his time at the CIA, David had the privilege of working with remarkable teams. He humbly acknowledges that he was never the smartest person in the room, emphasizing that collective intelligence always surpasses individual brilliance.
David believes in the importance of clear chains of command and procedures that encourage the entire team to contribute ideas and take ownership of solutions. This approach has consistently proven to be a best practice, especially as the stakes get higher. For him, inclusive leadership is not just ethically right; it’s also the most effective strategy.
Approach to Cybersecurity and Bureaucratic Agility
People often assume that bureaucracies are necessarily hidebound and difficult to navigate. David has found that in the military and intelligence communities, 90% of individuals genuinely prioritize the mission. When there is a clear mission that people believe in and it’s communicated effectively, a bureaucracy can adapt and change remarkably quickly. The key is connecting with individuals on a personal level, looking them in the eye.
David also appreciates the human scale of city government, noting that it is much easier to find and directly interact with the right person. This direct interaction makes city government more agile compared to the federal government, capable of rapid adaptation when necessary.
Unconventional Wisdom
David emphasizes the importance of mindset in effective security practice. While frameworks are helpful and necessary, they still require a practitioner with the right mindset—someone skilled in thinking about how to break the rules. Many security protocols operate on the assumption that people will always do the right thing.
For example, many point-of-sale devices that accept tap-to-pay also ask for a PIN but allow the PIN to be bypassed by running the debit card as a credit card. In such cases, the PIN becomes mere security theater. If a threat actor can bypass a control, and if the control is optional, it fails to mitigate risk effectively.
David observes that human nature often leads to security vulnerabilities. He recalls working in a city building with a secure front entrance, but because it was farther from the restaurants where city employees went for lunch, they would prop open a back door closer to the restaurants, thus undermining the front door’s security measures.
A human practitioner must see the totality of the environment and infrastructure, consider how an adversary would view the opportunities, understand what the adversary might want to achieve, and then build systems that account for all these factors. He believes this is why having an experienced security leader is far more valuable than simply relying on an engineer or, worse, an LLM following a checklist.
Honoring Commitments
David has always felt somewhat frustrated by the concept of “Veterans Charity.” While he acknowledges the important work done by veteran service organizations, he believes that veterans should not need to ask for handouts.
According to David, America owes its veterans the healthcare and benefits they were promised, much like employees are owed their salary and healthcare as part of their compensation. It’s not a favor; it’s a responsibility.
Through his experience, he has learned that leadership, as a paradigm, is overrated. A great leader cannot make a bad team good, but a bad leader can make a good team bad. Leadership comes with responsibilities, and good leaders honor those responsibilities.
Success is due to having a great team, not necessarily to having a great leader. Even if one is a great leader, honoring commitments—doing what one says one will do—is paramount. This manifests in numerous small, often mundane ways. For instance, if leaders tell their team members they are entitled to leave but don’t create opportunities for them to take that leave, they are failing in their leadership.
Empowering team members to make decisions, exercise judgment, and utilize their strengths is crucial. If a leader forces team members to constantly remind them about benefits or approvals, that leader is failing. Respecting team members by providing them with benefits, autonomy, self-determination, credit, and fair compensation is key to good leadership.
David attributes his successes to adhering to these principles and recognizes that when his teams haven’t succeeded, it is usually his fault. This mindset, ingrained in the Army’s officer culture, is something he brought to IAVA and has carried with him throughout his career.
The Urgent Need for Proactive Cybersecurity
David observes that information campaigns by foreign governments, organized crime, and other transnational threat actors are effectively legal in the United States. With critical infrastructure largely in private, state, or local hands, there is a significant challenge in how the U.S. military and national security structures, which are designed to protect geography and military assets, can pivot to defend this infrastructure. These structures do not own and do not have clear legal authorities to even observe much of this critical infrastructure.
David notes that the U.S. tends to be reactive rather than proactive in addressing such threats, often waiting for high-profile catastrophes before allocating the necessary fiscal and policy resources to mitigate these threats properly.
The current corporate incentives exacerbate the issue, with risks often socialized while profits are privatized. The number of serious breaches made public is just a fraction of the actual breaches occurring. Consequently, consumers, citizens, and insurance companies are exposed to unmeasured levels of cyber and privacy risk, with no effective regulatory regime to counter these trends.
There have been some high-profile cases of CISOs facing federal prosecution for lying to investigators and defrauding limited regulatory structures. While this is a step in the right direction, as long as it remains profitable to impose risk on customers and taxpayers non-consensually and break the law without facing serious consequences, these issues will persist.
David believes the situation will worsen before it improves. Smart organizations will make the relatively small investments needed to get ahead of the risk, while less prudent organizations will continue to play fast and loose, joining the growing ranks of those destroyed by their unwillingness to recognize the reality of the threat.