Fireside Chat with Patrick Ritto: Meet Okta’s New VP of Infrastructure Security

From the challenges of engineering-security collaboration to the limitations of compliance, our new Vice President of Infrastructure, Patrick Ritto, brings a fresh perspective with expertise and empathy. 

He recently sat down for an interview with Tanner Nicol, an Okta Staff Software Engineer in Engineering Security. The duo chatted through Patrick’s background in engineering and security, plus some of the complex challenges their team is hard at work solving. 

Tanner Nicol: It’s great to have you here on the team. Can you share a bit about your background and why Okta was the right place for you at this point in your career?

Patrick Ritto: I’ve spent a long time in platform and software development and engineering in the infrastructure, SaaS, and cloud spaces. Then I pivoted to leading an identity engineering team, followed by multiple platform security teams. I try to bring technical expertise and software engineering best practices to the security and compliance domains to make the best of both worlds.

I’m so excited for the opportunity to partner closely with the Okta Security team. We’re building the tools and processes we need to scale globally, while at the same time minimizing risk for our customers, employees, shareholders, and the company as a whole. It's a great role and opportunity at a time when Okta is growing so rapidly. As we grow, we have the chance to further invest and advance our security expertise and maturity. It was an option I couldn't pass up.

TN: Our team sits at the intersection of engineering and security. How do you hope to strengthen this partnership? 

PR: As you know, it’s pretty common for security teams and engineering teams to butt heads over various issues. It could be how we deal with an incident or vulnerabilities, or how we collaborate (or not) on building secure products and services. It can be a challenging relationship. I've personally seen it from both sides, as an engineer and also working in security. I understand and empathize with all parties.

Things become even more complex when compliance enters the picture. There are an increasing number of regulatory compliance requirements across the globe, especially around data and privacy. Engineers often view compliance as friction, as something that gets in the way and inevitably slows productivity. That can certainly be true when it’s not implemented well. I’ve worked hard to create a partnership environment where we solve problems together. We're all trying to achieve the same thing: deliver great products and services at high velocity that are also secure and compliant.

I’ve combined this perspective with creating successful processes and engagement models at prior companies, big and small. I'm excited to bring this experience to Okta. It’s definitely possible to achieve a “win-win” situation. You can build for security and compliance while also moving fast. It requires thoughtful planning to establish durable and effective processes and systems, then automating everything as much as possible through technology.

TN: I’d like to learn more about your leadership style. What should our team, or any engineers out there interested in Okta, expect if they were to join this team? 

PR: I hope they would appreciate that I've been both an engineer and a security individual contributor. I understand the challenges. I've run operations and been on operations teams. I can speak about some of the pain points from my experience and empathize with folks. 

I use a servant leadership and empowerment model. I like to work with the team to align on what we're trying to achieve together, to fulfill a common vision and mission. Then I give people the opportunity to work on what they're most passionate about, moving toward that goal.

Because of the complex dynamic between engineering and security, we need to define a certain amount of process. I know that “process” is often considered a bad word in engineering circles. But good process – just the right amount so that we're fast and efficient, but not overbearing or heavyweight – can be incredibly powerful and freeing. It’s a delicate and challenging balance, but my experience has shown me the pitfalls and what to avoid. I hope I can help the whole team run well together using lightweight, well-defined standards that will help us scale.

I like the analogy of us creating a “paved road” for our engineers to be successful. What are the tools, frameworks, and services we can develop to be secure and compliant right out of the box so you’re able to move with speed to build your service, system, or product?

TN: Our team is doing a ton of hiring. What are some of the areas these folks may work on if they decide to join Okta? 

PR: We’re looking for a diverse set of talent with both software engineering and security backgrounds because we have projects across every dimension. 

If you think of the security pillars Prevent, Detect, Respond, Training, and Awareness, we'll be driving improvements, more mature processes and scale, in all of these areas. We’ll have opportunities for you to build state-of-the-art automation for development, security, and operations (DevSecOps), with balanced governance, regardless of where you sit on the spectrum. We’ll achieve this in a way that enhances developer productivity, even as we work to address ever-increasing compliance requirements.

We also want to be awesome and world-class in everything we do to manage risk, security, and compliance. We have every flavor of work in these different domains, and the opportunities are big and broad.

TN: I’ve heard you use the phrase “security mavens”. Can you describe the model?

PR: Security mavens are embedded, security-focused engineers who can be found throughout our organization. They’re experts in their domains, but passionate about security too. They get the opportunity to drive the security component of whatever it is they work on – whether that’s building a piece of the product, a microservice, or internal development tools.

We’ve developed a funding model where engineering teams may hire one or more security mavens. They’re full-fledged members of their teams, building and enhancing the systems they own and operate, but focused particularly on the slice of security-related projects and requirements. At the same time, they’re also part of our Extended Security team with visibility into company-wide priorities. This gives them the context to advocate for superior best practices, and the opportunity to put them into action within their teams.

It’s a powerful concept. Security mavens sit at the junction between these worlds, with visibility into their own engineering teams and the overall security portfolio. It gives them unique views and opportunities that no one else has.

TN: I’d like to dig into some technical questions that I have. Okta is heavily dependent on asymmetric cryptography for SAML and OAuth use cases. Most researchers think quantum computing will break current asymmetric crypto algorithms (RSA and ECDH) within the next 10 years. What can we do today to prepare ourselves for a post-quantum future? 

PR: Great question. It's an interesting space with a lot of activity. There was a recent National Institute of Standards and Technology (NIST) post-quantum cryptography competition. They announced a couple of algorithms that have been selected as quantum-resistant. As one of the leading security companies, it's incumbent upon us to be aware of everything out there and which algorithms are susceptible. 

It's smart for us to be prepared and use quantum-resistant cryptographic algorithms as much as possible going forward. We can work toward incorporating them even before the standards bodies have ratified them, and adjust as needed along the way. That’s going to be the safest approach.

I like the idea of a hybrid-model approach. You get the post-quantum benefits, as systems start supporting them, while maintaining functionality by defaulting to ECDH-RSA as we have today. It's important we start developing and using those algorithms soon.

TN: Let’s say a company the size of Okta writes over a million lines of code a year, and those lines of code will bring in billions of lines of dependency code. Open source code often contains vulnerabilities that become a known CVE and popular attack vector (i.e. Heartbleed, Shellshock, Struts). How can Okta utilize open source libraries while minimizing the inherent risk?

PR: This is an important topic — third-party and fourth-party supply chain attack vectors and the ways we incorporate and manage open source code and packages. The tools are starting to improve, but they’re not yet where we need them to be. It’s essential to have open-source scanning built into your tool chain. We have a process for quickly detecting and blessing the source packages and repositories we manage internally. Ideally it would be as automated as possible, but frankly, it’s challenging to implement because we don’t have all the tools to make it really simple yet. We must build pieces of the solution ourselves, alongside some of the vendors we use for open-source scanning.

We need to make sure developers aren't pulling in packages with known vulnerabilities, while also making sure they have what they need in terms of features and functionality. The management process for this requires a fair amount of focus and effort. More generally, we also need to continue improving our tools and automation around bill of materials and inventory tracking. It won’t be trivial, but it will be a powerful capability with the promise of “win-win” benefits in both risk management and developer velocity.

The pair decided to end their conversation with a classic “get-to-know-you”: the rapid-fire question round for Patrick:

  • Favorite hobby: I sing opera. I've done a lot of musical theater and operatic performances as a tenor. It's my art-to-logic balance. 
  • Favorite organizations to support: Metropolitan Opera in NYC, San Francisco Opera, and San Diego Opera. Even more important is supporting the many smaller local theater and opera companies, helping them develop and grow, and funding the arts in our schools. It's a tough area to be in – they're generally not very well-funded in the U.S.
  • Recent movie you loved: I thought CODA was just phenomenal. I highly recommend it.
  • Last show you watched: Stranger Things Season 4
  • Philosophy: I'm a big supporter of STEAM (science, technology, engineering, arts, math) vs. STEM. Adding in the arts brings in the human element, particularly that powerful combination of creativity and discipline. You can establish a foundation – whether it's in code, music, or something else – then build on it from there to create integrated, complex, and impactful works.

What an inspiring conversation. We’re thrilled to welcome Patrick to our team, and we can’t wait to see the next stage in cybersecurity's future.