How To Become a SaaS CISO (Chief Information Security Officer)
Aakassh has been a SaaS Chief Information Security Officer in Australia for a long time. During a 1-hour interview, he discussed the mindset that can lead to the CISO position and to leading the security strategy of a large SaaS insurance organization.
Aakassh is a down-to-earth person who knows what it takes to become a Chief Information Security Officer. It is no longer about the security aspect of IT; it is about how to control risk within the business and enable the business to do its work securely. In our 1-hour interview, he discussed many different topics, but what I can say is that it is all about mindset and how to provide value securely to the SaaS organization.
1. Tell my readers about your background, what you do, and your responsibilities now.
I have been in IT for a number of years and have played a variety of roles, ranging from programmer, team lead, project manager and delivery manager to managing large application outsourcing deals in the ANZ region for large systems integrators and service providers. The mindset of keeping customers at the front comes from the various functions within IT that I have been involved with, such as operations, business transformation, consulting and project/program management.
In everything I do, I try to put the customer first, and with my background in SaaS, I’m fortunate to see both sides of the business, as a consumer and as a buyer.
Today, I’m a Chief Information Security Officer (CISO) for a large insurance organization. I do not restrict myself to KPIs, as I believe they are counter-productive and limit one’s capabilities. Imagine a threat actor on the other side (or sometimes internal to your organization): they are not bound by KPIs. To them, persistence and a relentless attitude are key to their endeavor. As we scale higher in the tech leadership pyramid, the accountability grows, and with it the noise and chatter. In order for me to be successful, I should be in a position to pick out and remove the noise, make decisions based on business priorities, identify the priorities of my peer leaders in the organization and set the organization up to achieve greater success.
My day starts at 5 am with a brief morning routine (for my health). Just like many others in the industry, I go through what happened the previous night, read blogs, listen to podcasts on my way to work, etc. My typical day is filled with providing security advisory, consultancy, and assessment of projects/programs, and reviewing the outcomes of previous assessments with the business. So, in effect, a 360-degree approach is applied in terms of where we are and how we have improved from a security perspective.
2. What is the main reason that your organization thinks you’re perfect for this position? What are some of the qualifications that make you unique?
The SaaS organization lacks the security function it should have. I am providing this as a value to lead the security strategy and constantly advise them on the necessary steps they need to take. My job is not just to provide reports; it is to drive sound business decisions that don’t impact the security posture. To my organization, security is just one item out of the many different things they have to deal with. My job is to keep them up to date from a compliance, privacy, regulatory and legal perspective. To me, the security domain is evolving and changing very fast, and I never hesitate to say “no”. But I don’t say that to please you. I am assertive enough to say no and make sure we are making the best decisions for the business.
It is not about the certifications/credentials I hold. I am sure a lot of people have these certifications. Whether from a technical or a governance perspective, you need to pick and choose what area you want to pursue. In my area, I am more concentrated on the risk advisory and management side of security.
The CISO is no longer IT or security within IT; it is a BISO, meaning a security person with a business mindset.
3. How do you make sure that security is aligned with the business?
Every SaaS organization should know what the business wants. Every SaaS business has unique requirements in IT and security, and the business will be the key driver. Security is essentially managing risk within the business. There is no way we can say we have eliminated risk. It depends on how we look at risk. If it is negative, mitigate it. If it is positive, let’s leverage it to our benefit. It has to support the business. It is how we can enable the business to do things better and more securely.
4. How do you measure success in your job, and what makes you successful in your position?
I guess success varies and is subjective. For a SaaS organization that is just starting its journey on Security Information and Event Management, success was its ability to ingest a new data source into the centralized logging platform. Fast forward twelve months from there, and it will not be unrealistic to expect a new system to have that capability baked into its standard operating environment (SOE). What required a project to accomplish is now BAU. It is how we can improvise more and give the control back, so that security is not the security team’s problem; it is everyone’s responsibility. For an IT project or a large transformation program, it is the ability to embed application security early on in the development lifecycle and not expect penetration testing to patch the vulnerabilities. I do not wait to roll out a new application and then check its security right at the end. We constantly test and validate all the security issues during the development life cycle. Thus, giving control back to the developers is the new success.
5. How do you see Digital Transformation changing the dynamics of security?
Digital Transformation is a blessing, not just for the security aspects surrounding it but for other aspects as well. It was Gartner or Forrester research that said that over 90% of the Fortune 500 companies are in some phase of digital transformation with an expectation to go live by the year 2020. Transformation is one of the biggest disruptors, not just in IT but to the entire business. What it means is that if we look at the network that we know of, the traditional perimeter does not exist anymore; the endpoints are scattered everywhere you can think of. You cannot think that this geographic location or boundary is my network. It also changes the dynamics of security, not only from an external perspective (next-gen firewalls, etc.) but also internally.
It is how we can make people and processes more resilient.
6. What are 3 things that keep you up at night?
Personally speaking, my three-year-old!!! :)
What is the unknown-unknown that is going to surprise you? When I say unknown, I am talking about plain simple stuff which is happening in every SaaS organization in the name of Shadow IT. It is the shadow that worries me. You cannot control what you cannot see. It is because of this that organizations do not know what services or data have been compromised.
7. If you could change one thing about how you work, or acquire just one skill, what would that be?
If I could predict what my CIO / business wants next! :)
I would say, to go back 10 or 15 years and get more skills on the networks side of technology. Because, in security, the network is the base of everything we do. It is the plumbing of an enterprise. I also recommend understanding how financial management (capital expenditure and operational expenditure) works. Strategic thinking is the key to growth in a SaaS enterprise.
8. What books do you recommend for our readers to read to help them along the way to become successful security leaders?
My school of thought goes back to The 7 Habits of Highly Effective People, first published in 1989 by Stephen Covey. That is something I started several years ago for self-development. Leadership is about becoming self-aware and being a good listener, and being able to empathize with your colleagues and customers. The One Minute Manager is a good tool as well, especially when you want to give negative feedback: you keep it very short, only 1 minute, precise, and then leave it there. But in terms of positive feedback, be as celebratory as possible. Plus, personally, I avoid giving negative feedback in email; I try to do it face to face, and not over the phone. Positive feedback I shout to all: this guy did a hell of a good job.
From a security perspective, have it as a practice to read newsletters, blogs, and bulletins and listen to security leaders, participate in meetups, and attend seminars to meet like-minded people. I just started a few years ago and it is very effective.
9. What is the role of coaching, when one wants to transition to leadership roles from a technology background?
Coaching is essential. I do have a couple of go-to people and seek advice no matter what. I suggest you find that external voice that can help you. Security is like every other unit in a business (Marketing, Sales, Legal, IT…) and you definitely need somebody to steer you. Depending on the level of an individual’s experience, you should have a trainer and then move to coaching. It is a step-by-step journey. I am open to people reaching out to me. I was in a position to coach people to become certified in security certifications as well. Ask for help. Seek connections and collaboration. Help is always available; it is just a matter of asking.