What would you describe as your most memorable achievement in the cybersecurity industry?
My most memorable achievement in the cybersecurity industry is building a world-class information security management system (ISMS) from scratch and achieving ISO 27001 certification in an unprecedented two months. I was able to achieve this because the organisation had considerable momentum attained from customer requirements and commitments.
What first made you think of a career in cybersecurity?
As with so many in cyber, I seemed to just fall into it. I had an initial interest in cybersecurity during secondary school and joined the US Air Force directly after to become a network engineer. From there, I officially entered the world of cybersecurity when I was working as a consultant and the company at the time sent me to firewall training, after which they changed my title to ‘Security Engineer’. This developed into giving me more and more security tasks. From here, I seemed to be getting into various different areas of cybersecurity and at some point, I started seeking out those different areas in an attempt to broaden the depth and scope of my knowledge and understanding.
What style of management philosophy do you employ with your current position?
I try to hire really naturally smart people and encourage independent work from my team. I am about building relationships and fostering open communication to ensure the team has the resources to perform in their roles. I have also fully set out professional development goals for all team members, including myself, as part of our annual goals. There is also a budget set aside which focuses on training employees and expanding their knowledge. This prioritises enabling them to attend conferences and broaden their understanding of cyber and all that this entails.
What do you think is the current hot cybersecurity talking point?
The problem with ‘hot cybersecurity talking points’ is that they’re generally buzzwords and marketing budgets. What should be hot topics in cybersecurity is ‘doing all the basics, all the time’. This means prioritising things like knowing where all your assets are, what data you have and who is accessing it. Once you have these basics down and are doing them all the time, things like Machine Learning and threat hunting become ideas to pursue. A lot of the recent data breaches are caused by someone not doing the basics, such as misconfigured cloud storage databases, or not patching servers in a timely manner, etc.
How do you deal with stress and unwind outside the office?
I like to get out of the technology space while keeping things technical and analytical, as contradictory as that may sound. As a risk management professional, I enjoy managing risk in my hobbies as well – I fly aeroplanes and ride motorcycles. I have been riding motorcycles for the last two decades and enjoy the scenery that Northern California and the Bay Area have to offer. And for the last few years, I have been working on and earned a private pilot’s license with instrument rating and I continue to seek new aviation ratings.
If you could go back and change one career decision what would it be?
I like to have a philosophy of no regrets. I may have made some decisions that might have negatively impacted my path or caused me some trouble, pain, or slowed me down in some ways, but I like where I’m at and what I’m doing now. Who’s to say that if I had changed anything I would have ended up here?
What do you currently identify as the major areas of investment in the cybersecurity industry?
I see a lot of investment in automation, AI/ML and cloud security. There is also an understanding of the need for security across the software development life cycle and for applying the proper, tested tools. What I would like to see is more companies focusing on people and processes to build it in, rather than bolt it on.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
For me, the primary differences based on region are not so much within the cybersecurity realm, because best practices don’t vary depending on where in the world you are. However, there are differences in how you’d approach a given problem with regards to local regulations or how you communicate within a region or across regions. For example, in the case of Aryaka with our global footprint, there are issues around licensing requirements, regulatory issues and import/export rules.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
Boards and organisational leadership are becoming more educated in cybersecurity requirements. Also, increasingly the role is moving from an IT problem to a business problem. The CIOs and CISOs I work with are becoming more sophisticated because of this.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
Try and get exposure to as many different aspects of cybersecurity as you can: network security, system administration, email security, forensics, incident response, vulnerability management, penetration testing, compliance, risk management and privacy. The field is so broad, you don’t need to know all of it; but the more you know, the easier you can address issues or hire the right people to address your issues. Also, try to think of problems and solutions from a business and risk perspective rather than a technology perspective. Stay current and, crucially, never stop learning!