How To Become a CISO (Chief Information Security Officer) in 2020

Updated: Jan 20

Aakassh is a Chief Information Security Officer in Australia for a long time and during 1 hour interview, he discussed the mindset that could lead to CISO position and lead the security strategy of a large insurance organization.

Aakassh is a down to earth person who knows what it takes to become a Chief Information Security Officer. It is not about security aspect of the IT anymore, it is about how to control risk within the business and enable the business to do tasks securely. In our 1 hour interview, he discussed lot of different topics, but what I can say is it's all about mindset and how to provide value securely to the organization.

1. Tell my readers about your background and what you do and your responsibilities now.

I have been in IT for a number of years, played variety of roles ranging from programmer, team lead, Project Manager, Delivery Manager, managing large application outsourcing deals in the ANZ region for large systems integrator and service providers. The mindset of keeping the customers in the front comes from the various functions within IT that I have been involved with such as Operations, business transformation, consulting and project/program management,

In everything I do, I try to put the customer first and with my background in IT, I'm fortunate to see both sides of the business and this includes both as a consumer and as a buyer.

Today, I'm a Chief Information Security Officer (CISO) for a large insurance organization. I do not restrict myself with KPIs as I believe they are counter-productive and limits one's capabilities. Imagine a threat actor on the other side (or sometimes internal to your organization), they are not bound by KPIS. To them persistence and relentless attitude is key to their endeavor. As we scale higher in tech leadership pyramid, the accountability grows and with that noise and chatter. In order for me to be successful, I should be in a position to pick and remove the noise, make decisions based on business priorities, identify priorities of my peers leaders in the organization and set the organisation to achieve greater success.

My day starts at 5am in the morning with a brief morning routine (being health-wise). Just like many others in the industry, I go through what happened the previous night, read blogs, hear podcasts on my way to work etc. My typical day is filled with providing security advisory, consultancy and assessment of projects/programs, reviewing outcomes of previous assessment with the business. So, in effect a 360 approach is applied in terms of where we are and how we have enhanced from a security perspective.

2. What is the main reason that your organization thinks you’re the perfect for this position? What are some of the qualifications that makes you unique?

Organization lacks the security function it should have. I am providing this as a value to lead the security strategy and constantly advise them on the necessary steps they need to take. My job is not just provide reports, it is to drive sound business decisions that doesn't impact the security posture. To my organization, security is just a one item out of the many different things they have to deal with. My job is to keep them up to date, from compliance, privacy, regulatory and legal perspective. To me, Security domain is evolving and changing very fast and I never hesitate to say "no". But I don't say that please you. I am assertive enough to say no and make sure we are making best decision for the business.

It is not about certifications / credentials I hold. I am sure lot of people have these certifications. Whether technical or governance perspective, you need to pick and choose what area you want to pursue. In my area I am more concentrated on risk advisory and management side of security.

CISO is no longer IT or security within IT, it is BISO. Means security person with business mindset.

3. How you make sure that security is aligned with the business?

Every organizations should know what the business wants. Every business has unique requirements in IT and Security, the business will be the key driver. Security is essentially managing risk within the business. There is no way we can say we have eliminated risk. It depends on how we look at risk. If it is negative, mitigate it. If it is positive, let's leverage it to our benefit. It has to be supporting the business. It is how we can enable the business to do things better and more securely.

4. How you measure success for your job and what makes you successful for your position?

I guess success is varies and subjective. For an organization that is just starting its journey on Security Information and Event Management, success was its ability to ingest a new data source in the centralised logging platform. Fast forward twelve months from there, it will not be unrealistic to expect a new system to have the capability baked-in its standard operating environment (SOE). What required a project to accomplish, is now BAU. It is how we can improvise more and give the control back. So that Security is not a the problem of the security team's, it is everyone's responsibility. For an IT project or a large transformation program, it is the ability to embedd application security early on in teh development lifecycle and not expect penetration testing to catch the vulnerabilities. I do not wait to roll out new application and then check it's security right at the end. We constantly test and validate all the security issues during the development life cycle. Thus giving the control back to the developers is the new success.

5. How do you see Digital Transformation changing the dynamics of security?

Digital Transformation is a blessing, not just the security aspects surrounding it but also other aspects as well. It was Gartner or Forrester research that said that over 90% of the Fortune 500 companies are in some phase of the digital transformation with an expectation to go-live by the year 2020. Transformation is one of the biggest disruptors not in IT but to the entire business. What it means is if we look at the network that we know of, the traditional premieter does not exist anymore the endpoints are scattered every where you can think of. You cannot think that this geographic location or boundary is my network. It also changes the dynamics of security. Not only from external perspective.. next-gen firewalls etc. but also internally.

It is how we can make people and processes more resilient.

6. 3 things that keeps you up at night?

Personally speaking, my three year old!!! :)

What is the uknown-uknown that is going to surprise you? When I say unknown I am talking about plain simple stuff which is happening in every organization in the name of Shadow IT. It is the shadow the worries me. You cannot control if you cannot see it. It is because of this, organizations do not know what services or data has been compromised.

7. If you can change one thing on how you work, or acquire just one skill, what would that be?

If I can predict what my CIO / business wants next! :)

I would say, to go back 10 or 15 years and get more skills on Networks side of technology. Because, in security network is the base of everything we do. It is the plumbing to an enterprise. I also recommend to understand how financial management (capital expenditure and operation expenditure) works. Strategic thinking is key to grow in an enterprise.

8. What books you recommend for our readers to read to help them along the way to become successful security leaders?

My school of thoughts is going to The 7 Habits of Highly Effective People, first published in 1989 by Stephen Covey. That is something I started several years ago for self development. Leadership is about to becoming self aware and being a good listener. Being able to empathy to your colleagues and customers. One minute manager is a good tool as well especially when you want to give negative feedback, you keep it very short in only 1 minute and short, precise and then leave it there. But in terms of positive feedback as celebrative as possible. Plus, personally, I avoid giving negative feedback in email, I try to do it face to face, and not over the phone. Positive feedback I shout to all that this guy did hell of a good job.

From security perspective, have it as practice to read newsletters, blogs and bulletins and listen to security leaders, participate in meetups and attend seminars to meet like minded people. I just started few years ago and it is very effective.

9. What is the role of coaching, when one wants to transition to leadership roles from technology background?

Coaching is essential. I do have couple of go to people and seek advise no matter what. I suggest you find that external voice that can help you. Security is like every other unit in a business (Marketing, Sales, Legal, IT...) and you definitely need somebody to steer you. Depending on the level of an individual's experience, you should have trainer and then move to coaching. It is a step by step journey. I am open for people to reach out to me . I was in the position to coach people to become certified in security certifications as well. Ask for help. See for connections and collaboration. Help is always available, it is the just the matter of asking.

#digitalTransformation #business #technology #strategy #cio #digital #it #growth #architect #blog #speaker #cloud #marketing #PublicRelations #pr #cmo #branding #PersonalBrand #security #ciso

I Sometimes Send Newsletters

© 2020 by Houman Asefi