Deja vu Security is a cybersecurity consulting firm known for, in the words of George Hallam (Ethereum Foundation, Melonport), “some of the best minds in the space.” Securing the world’s most prolific technology companies, Deja’s team of security consultants—professional hackers— continues to experience significant growth. But hackers alone cannot scope, build, and track Deja’s many, sometimes massive, long-term projects.
Will Gray is a program manager at Deja, one of a number tasked with identifying the parameters of large-scale computer security engagements: What a client and Deja are trying to accomplish, what the boundaries of the project are, who the stakeholders are, and how to keep the project on track.
But Gray wasn’t always in cybersecurity project management: Before coming to Deja, he worked for a decade in law.
Like many undergrads unsure of their direction in life, Gray says he "messed around" academically for the first two years of college at Washington State University in 2004. He didn't become really passionate about anything until taking a philosophy of political science class during his third year. "I really enjoyed logic and argument, and at that point, I decided I wanted to go to law school."
Gray started his law career early while working toward his JD at Gonzaga University in Washington. At a non-profit social justice law firm in Spokane, he worked on public interest cases, such as representing low-income tenants with housing rights issues. Unfortunately, despite his passion for helping "make people's lives better," Gray realized that the work of a lawyer was very different from the work that got him interested in law in the first place. While assisting overworked litigation attorneys who had few chances to dive deep into topics and instead had to pivot wildly from one issue to the next—the exact opposite of how Gray liked to work—he decided that the actual day-to-day reality of being a lawyer was too far from the direction he'd hoped to go intellectually. "My favorite types of work usually involve thinking really deliberately about processes or topics and synthesizing complex arguments. Unfortunately, that's often not what being a lawyer is about."
Luckily, his decade in law wasn’t for nothing: His honed logic and analytical skills serve him well as a program manager: “Legal work is about figuring out ways to solve problems, and that’s basically what being a project manager is also all about.” As a program manager, Gray gets to dive deep into and consider complicated and sometimes novel issues. He currently works on-site with a Deja client, one of the largest technology companies in the world. On an average day, Gray spends his morning monitoring, tracking, and reviewing activities on reported vulnerabilities and taking any actions required in coordination with Deja’s security consultants and the client’s security team. Most afternoons, he looks at higher-severity and newer issues, helps Deja’s consultants prioritize, and facilitates communication and remediation between teams.
He gives an example of the value of his role for Deja’s clients: “One thing [the client] is currently figuring out how to do is having a consolidated approach to communicating with third-party security contacts. Because they have [Deja’s project managers] here, they’ve been able to hand off a lot of those issues to us, and we create consistency for them.”
He tells another story, about his first project at Deja: “The first engagement [I was assigned to] didn’t seem to require as much project management as we thought, so I asked around and figured out where I could provide value in something we weren’t already doing. That seems to have been what both Deja and the client appreciated. They need people who can be autonomous.”
Being a project manager is a weighty responsibility though: “If a project goes south, it’s on you, the project manager, because the person you asked to do a task is the person you asked to do a task. It’s up to you to make sure a project actually gets completed. That can get messy: You can organize everything at the beginning and hand it off, but then a person forgets they were supposed to do something, and you get cascading conflicts. There’s a high level of responsibility for things outside your control, and that can be tough.” But Gray considers that a blessing as well: “On the other hand, being the person driving things has a number of perks. You get to think about the big picture. You have a universe of things to get done, and you have the capacity to figure out how to do them in the most efficient way possible. That amount of freedom is compelling to me.”
Gray also spoke candidly about the cultural divide between the legal profession and working for Deja. “I’m no longer the weird guy with tattoos; I was well liked [when I was in law], but I never felt like I fit in. Law is a stiff culture. At Deja, I feel like I fit in.” He grins, adding, “Deja is kind of like an office full of rebels. Companies want to hire Deja because they want people who think outside the box and break their stuff. They want our hacker mentality.” On working with Deja’s consultants one-on-one: “They’re brilliant. The hardest thing is being able to keep up with the way they think. I had to learn really quickly to say I didn’t understand something and to ask them to teach me; I had to learn to not be scared to ask questions. They’re very intelligent and highly knowledgeable.” He offered a humorous story of what it was like starting work at Deja as a project manager, working with highly technical people: "[Cybersecurity people] have a lot of jargon. My first month, I kept hearing a particular acronym. I know now that it basically means, ‘Don’t just tell me you think a system is vulnerable—write a file that actually exploits it.’ But I heard the phrase about ten times before I finally asked what it was.”
Helping manage cybersecurity projects for the world's largest technology companies, Gray sees firsthand exactly how crucial it is for organizations of all sizes to hire consultants like Deja's: "No ecosystem is permanently secure. Ecosystems and code are always evolving so they're always becoming vulnerable in new ways. Vulnerabilities just keep popping up. It's like whack-a-mole out there.” But he’s optimistic about Deja’s role in helping make the world more secure: “Deja is securing some of the largest software platforms in the world. That’s pretty cool.”
- Hire Deja vu Security's world-class security experts? Email firstname.lastname@example.org
- Join Deja vu Security's team? Email email@example.com