What would you describe as your most memorable achievement in the cybersecurity industry?
I have a few memorable moments. My team at AT&T Wireless was the team that tested the first-ever iPhone outside of the folks at Apple. Little did we know how impactful that would be then. Steve Jobs only allowed two phones to be given to AT&T Wireless and my security team had one of the phones. The other phone was with the team that tested new devices on the cellular network.
When we did see it for the first time, its user interface was so disruptive and unlike anything anyone had ever seen. That was a huge, historical moment in technology and the mobile space.
Another memorable moment for me personally was taking a company public (DocuSign) as a security leader, after the company suffered a security breach. This was a very memorable time and very gratifying after a long journey.
What first made you think of a career in cybersecurity?
Well, I didn’t think of a career in cybersecurity. When I was at AT&T Wireless, the head of security at that time had hired an outside firm to do an assessment of our security posture. The outcome was not good and my boss’ boss asked him to dedicate a director to ‘fix security.’ So he called me into his office and said ‘you’re going to go fix security’. I was already a technology leader and had one security architect on my team but I didn’t know much of what he did. Security wasn’t such a big thing back then.
So basically, I said ‘ok’ and that launched my career in cybersecurity.
The lesson here is that when the door opens, sometimes you need to take that opportunity and not let the unknown stop you. People fear that they don’t know how to do it, but in reality you may be turning down a career-defining moment.
What style of management philosophy do you employ with your current position?
I am a servant-leader and employ that philosophy. I feel like the power comes in the group and everybody performing in the group and having common goals with clear roles and responsibilities relative to those goals.
I believe that even though I am the boss, I am no different than the rest of the team, I just have a different role. Everyone needs to be highly accountable and carry their load.
They need to help the overall team achieve its objectives as well as their own individual objectives which can be achieved when we all work together.
Your individual objectives shouldn’t be counter to the team objectives. Having clear goals, being highly accountable and honest and respectful.
I am there to help the team be successful, to help them develop in their careers and to help the company achieve its goals.
What do you think is the current hot cybersecurity talking point?
Artificial Intelligence, Deep Learning and Machine Learning are the hot topics of today. The trends, they go in waves. SOAR was a hot topic last year. Automation and AI often are very trendy topics. CASB was once the hot term. Right now it is all about AI and ML.
How do you deal with stress and unwind outside the office?
Sleep and physical activity like hiking, working out, yoga and meditation.
What do you currently identify as the major areas of investment in the cybersecurity industry?
Obviously, the people. Talented people are getting more and more expensive. The supply is short and demand is high causing the professionals’ price to go up.
I believe since talent is in such short supply, automation should be a big investment area. Businesses are starting to think, ‘how can we automate processes and tasks that a machine can do easily, and why waste a valuable resource like a person to do that work?’
A lot of investment is still going on in gaining visibility to the environment and the network from a security standpoint. Businesses are prioritising getting more effective detections in place for any malicious activity.
In addition, more and more time is being spent on data governance – managing where the data is, what systems hold the data and what people are doing with the data. If you don’t know where your data is how do you protect it?
Privacy is a main driver for this activity and is causing more time to be spent on data governance.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
Yes. For example, Europe is more privacy-centric. They are generally ahead in terms of workers’ rights and privacy.
It depends on the country. Germany is very different than Italy, for example. Germany has a rigour they put around security control that, say, Italy doesn’t. The cultural overlays in Germany are very procedural and process-oriented. Others, take Italy again, are less focused on process and are more free-flowing.
Different cultures even within Europe will deal with cybersecurity challenges differently.
Europe is coming from a point of strength around privacy and building their competencies around cybersecurity. Whereas here in the Americas, we are going the other way. We have a lot of stuff around security and are now trying to figure out how to build competencies around privacy.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
Work for a company that really values security and sees it as important to the company’s success. And not just talk the talk, but also take action around it.
Here at OneLogin I report directly to the CEO. I impact the product roadmap, and I have an impact on the sales process and go to market strategy.
The key is knowing the business and balancing yourself out as not just a technical leader but also as a business leader. Working with a company that values and wants your input will be critical.
To be a business and tech leader, it’s key to know the business inside.
I think a trend will be that, in companies that critically need security, the role of security leader will elevate.
Over time, a model like the one that we have at OneLogin will become more common. If the company cares about security, they will need to elevate the security leaders’ role to go beyond security and to encompass business leadership as well.