For Ebba Blitz, CEO of encryption service company AlertSec, running a technology company is not much different from her sailing across the Atlantic in 2000, when she didn’t see land for 16 days after leaving the harbor.

“I remember preparing for the journey, and then throwing away the ropes as I set sail, moving further from land until I had no cell phone reception.”

During the journey, which she made with five male companions, there were times when she saw nothing other than vast expanses of sea. She experienced everything from tranquility to strong, unexpected storms.

So why does that trip remind her of her current adventure running a company?

“You need to stay focused, know what you are doing, work well with your team, and be prepared for the unexpected,” she says.

“The greatest adventures all take time.” And indeed when they finally saw land, she felt gratified: The journey was an amazing experience.

Taking the leap

Blitz was a television show host in her native Sweden when in 1998, right around the tech boom, she was sent to Silicon Valley to do a program on the companies there. The main angle for her story: What made Silicon Valley such a dynamic, successful place?

She was “blown away” when she started interviewing tech entrepreneurs, both the big and small ones. “That touched on my sense of service, I guess. The startups especially identified problems and just worked and worked until they solved those problems.”

This stayed with her, and many years later, when she was hosting the Swedish version of Shark Tank, observing entrepreneurs in the program from the sidelines, she thought: “That should be me!”

At this time Blitz was already sitting on the board of AlertSec, and had been contemplating expanding into the US which comprised bulk of their customers. She then remembered a question posed by Facebook executive Sheryl Sandberg in her book “Lean In.”

The question was – “What would you do if you weren’t afraid?”

Blitz knew the answer right away and decided then she would take the leap.

A wonderful community

Moving to the U.S. was everything Blitz had expected. “Palo Alto is a beautiful place, and has a lovely climate. People have this warmth and pay-it-forward culture. That culture was what I noticed when I first came here in ‘98,” she says. “It was also one of the key factors responsible for the growth of Silicon Valley.”

But now she’s no longer doing the interviews. She’s crossed over to the other side, leading her team and making sure the company does what she has envisioned it to do.

“What we build is dependent on input from customers,” she says. “My biggest mission is to listen to their needs so I can bring that back to my team and say this is the problem we want to solve.”

In this case, AlertSec has sought to find a way for companies to ensure that the sensitive information they entrust to third parties would still be secure even from their endpoints.

Overcoming odds

Blitz’s ability to turn adversity around stems from an incident in her childhood.

“I was born with an ugly voice,” Blitz says. “I had nodules in my vocal chords. I was embarrassed about it as it was.”

One day, however, a teacher at Kids’ Club asked Blitz what was wrong with her. “Do you need to sound like that,” she was asked. “With a voice like that you will never be married!”

Blitz was six years old when she was told this, and she was sad, shocked and devastated.

“And so I worked very hard. I took a lot of therapy – speech, voice, even singing. I think the fact that I was able to work in TV and did a lot of voice-overs in Sweden was a direct consequence of working so hard to correct that ‘flaw.’”

Blitz never saw that teacher ever again, but she still remembers her name and the way she looked. “I learned a great life lesson from this event; I was so angry at first but now I am just thankful,” Blitz says. “This brutally honest and mean comment actually helped me.”

She sees all setbacks and trials in this manner – every odd would eventually push one to become better.

Valuing autonomy

Despite her busy schedule she makes sure to set aside some time to unplug all her devices. “I could go on and on working all the time, but I know that’s not good.”

She also spends precious time going to the YMCA every morning with her daughter and swimming a thousand yards. “Counting the number of laps is a great way of not thinking of anything else.”

It’s one of the ways she bonds with her older daughter, who is in high school. Blitz, who is an avid reader, also makes it a point to read to her younger daughter every night before bed.

“I don’t hope to influence them, but inspire them” she says. “I want to present them with opportunities. I value autonomy. I am happy to help but I am confident they will find their own way.

The post Ebba Blitz, CEO, AlertSec appeared first on Security Current.

The post Mike Kelley, CISO, The E.W. Scripps Company appeared first on Security Current.

The post Dave Ruedger, CISO, Risk Management Solutions, Inc. appeared first on Security Current.

For Fred Kwong, hands-on experience and formal education went hand in hand in shaping the kind of CISO he has become.

He first discovered he genuinely liked interacting with people and helping them with their concerns when he lost interest in his computer science degree and took a helpdesk support job instead.

“I helped our customers with things like getting connected online, resetting passwords, or solving account lockouts. The mindset of helping others came naturally to me.”

When he decided to go back to school, it was with a rather bold twist.

“Rather than try something from a computer’s perspective, why not try understanding people instead?” Kwong ended up with a double degree in psychology and professional communications.

What Kwong missed from his academic delay he more than made up for by pursuing advanced degrees after college – he soon enrolled to get his MBA – and all while honing his technical skills on the job.

“I took a management position where I managed the network, server and telephony systems. My tech training came from this or by reading on my own,” he says. Meanwhile, his MBA, where he focused on executive leadership and organizational development, helped him understand the language of the business. “I understood what the priorities were.”

He remembers his PhD studies as “a pretty daunting time.” He found himself interacting with classmates who were COOs, VPs, HR executives. “I was a network engineer at that time. I was awestruck!”

In the end he realized the intimidation was unfounded. “I learned a lot from them, but they didn’t have strong backgrounds in tech either so we were able to learn from each other. Even if they knew something that I didn’t, I also knew something that they didn’t. In the end, I made a lot of good friends.”

From the ground up
Kwong is the first-ever CISO for Delta Dental Plans Association, a healthcare insurer. Their crown jewels are the personal information of their customers – things they must guard at all times, at all costs.“Their was no one person that focused on security before I came onboard.” His role has allowed him to develop a security program from the ground up, drawing from all his experiences and lessons throughout his career.

“I feel fortunate that I am able to do that – build a program from scratch and bring in new technology and techniques,” he says. In the past two and a half years, Delta Dental Plans Association has grown to be seen as a security leader and this new status has allowed it to provide additional service to its member-companies. The company now also has a Security Operations Center which does alerting and monitoring 24/7.

As a CISO, Kwong has a twofold responsibility: First, he needs to align the security systems of 39 member-organizations, each of them separate entities. “If you have a breach in one, it’s associated with the brand.”
The second is to always ask whether the organization is moving fast enough. “The threat actors are not going to wait for you to be fully secure before they attack.”

Kwong’s approach is risk-based, approaching the highest risks first and then mitigating those. “Then again, if the risks have low potential, it also does not mean that nothing will happen.”

Anticipating the next attacks

Kwong is constantly mindful that the attacks are becoming quicker. “Once somebody gets into a system, they can propagate very quickly. So how can we react to that speed?” New technology – AI – makes all these possible; just as it helps to make attacks faster, it also provides the tool to detect these attacks.

A second trend is the need to secure the humans by transforming the culture such that security becomes top of mind for people who are on the driver’s seat.

“This is as simple as wearing a seatbelt,” Kwong says. “There is a law that says we have to. But it’s ingrained in us that we have to do it as soon as we start the car. Now the challenge is, how do we make sure that others strap on their seatbelts as well?”

He has also taken a holistic view of his career. “I think I will always be involved in cyber, but not necessarily only in security. Leadership demands that one understand all aspects of technology as they relate to the business.”

The post Fred Kwong, CISO, Delta Dental Plans Association appeared first on Security Current.

Cyber security leader Marcos Marrero is a great believer in mentoring a new generation of cyber professionals. That’s how he started in the business, and that’s how he develops his team at H.I.G. Capital where he heads security as the Global Director of Information Security.

“I’ve hired information security analysts straight from the technology department. They know the technology assets. They know how the business works. They know what we have. Teaching them the security – that’s the easy part.”

This was also Marcos’s path into cyber security. He remembers well the day 19 years ago when he took his first step into what at the time was called Information Security. He was working as a Service Desk technician for Lloyds TSB Private Bank, the private banking arm of financial giant Lloyds Banking Group in Florida when he was tasked with setting up the computer for the bank’s new head of the fledgling Information Security Department. While he was setting up the computer, he asked the new department head how he could get into Information Security. The department head said he was looking to hire a Security Analyst and asked Marcos if he had any experience. Marcos admitted that he had none.

“Doesn’t matter,” said the new Information Security Officer. “I can teach you the security aspect of it. The important thing is that you know the organization. You know what we do, you know who the players are, and you know what we have.”

That was 19 years ago. The Information Security Officer who gave Marcos his first break, to this day, has remained a mentor.

“In cybersecurity, mentoring is very important and we need to continue fostering this practice,” he says. “My first manager mentored me and brought me up through the ranks, and I have and continue to learn so much from him. He was willing to take a chance on me, helping me navigate the potential minefields that Information Security can be. And then he let me go off and do my own thing.”

Marcos credits his mentor with guiding him as he set up different aspects of the banking group’s Information Security program.

“It was definitely a combination. He did not necessarily hold my hand the whole time, but he did provide the required guidance when I needed it.”

He tries to do the same with his staff. He sees it as an achievement rather than a setback when they leave him to step out into the world. “Those are good problems to have. When your folks outgrow the organization and move on to bigger and better things, you indirectly contribute to the community because that’s just another CISO that now is part of the much wider group of CISOs in a particular location.”

An evolving role

Marcos believes that a CISO can come into an organization in two ways.

First, if an organization already has an established Information Security program, the new CISO assesses what’s in place, makes a changes/enhancements here and there and continues running things the way they are with existing staff and resources.

But a second, more enjoyable path is to come into an organization that maybe doesn’t have any Information Security at all, or it has bits and pieces spread out throughout the organization, some of it with the technology, risk or compliance teams.

“You are actually building the cybersecurity function from the ground up and establishing administrative, technical and physical controls.”

Depending on the size and complexity of the organization, the process could take a few years to achieve a good maturity level that one sets out to reach. And then, the CISO could be at crossroads.

“You can be the type of CISO who says ‘Okay, my work is done. I build programs and then I move on to the next challenge.’”

“Or you can say ‘Okay. I built this program, now it’s just a matter of continuing to mature it.’”

In this sense, the CISO evolves from being a technical person to being a trusted advisor to the organization, protecting its assets. CISOs must understand the underlying security technology, but they can’t get into the nitty gritty of things. Instead they need to deeply understand the business and its overall strategy and meld that together with the organization’s cybersecurity needs.

This means they have to be very practical and adaptable with a strong focus on what’s best for the overall business.

“CISOs are no longer the individuals that say, ‘No, you can’t do this because of this compliance or requirement, or this regulation says that you can’t do it.’ It’s ‘Yes, you can do this. But we’ve got to find a secure way of doing it.’”

Looking ahead

“I see us as CISOs going into what I like to call Security 3.0; we’ve been at 2.0 for a while now. I think the 3.0 is when we start to mature our controls. We’re starting to get a grasp on things and we have security programs that are functioning. They’re in place, we have a good set of controls. We’re starting to have that exposure to the senior management of the organization. We’ve gotten their attention,” he says.

Organizations, Marcos says, will face challenges because of two things: Lack of staffing, and a continuing mindset, among some, that cybersecurity is simply a way to comply with regulations.

“The issue with the lack of staffing is not that we’re not training folks fast enough. Our problem is that the technology has moved and continues to move so fast we have not had the time to train up the next generation of professionals that’s coming in behind to work within Information Security Programs, be it as an analyst, an engineer, or incident response professional. Because it moves so quickly, we haven’t had the time to properly train those folks,” he says.

On the second issue, “there remain organizations out there that just don’t understand Information Security. They see it as this thing I need to have because some regulation says I need to have it. And even with all the breaches and incidents that you see in the news they still don’t think that they’re a target.”

“Breaches in the news certainly help; when someone in the C-suite sees one of those breaches on the front page the WSJ or New York Times, they ask if it could happen to us. Seize that opportunity. That’s your chance to go in and brief them on that potential issue and what you are doing to reduce the risk of it occurring.”

Marcos has always lived and breathed technology and security. Indeed, he has come a long way from the 16-year-old expat in the Dominican Republic, teaching computer courses to folks much older than he was in his aunt’s computer training school. He has learned much along the way and looks forward to doing more for his organization, for his CISO peers and for the wider community now facing constantly evolving and different security threats.

“I guess this directly relates back to my upbringing,” he says. “My parents always fostered in my brother and me the virtue of helping others. It’s my way of giving back and positively contributing to a greater good.”

The post Marcos Marrero, Global Dir., Information Security, H.I.G. Capital appeared first on Security Current.

Chief Information Security Officers (CISOs) Laud Baffle for Innovation and Twist & Shout for Ease of Use

San Francisco, CA – Security Current™ announced that CISOs selected advanced data protection firm Baffle and entertaining security awareness training campaign company Twist & Shout as the Security Shark Tank® winners held during the RSA Conference.

At the Security Shark Tank®, security providers get 15 minutes to pitch their products to CISOs seeking innovative solutions for their most pressing security issues.

Baffle, Twist & Shout and other solution providers faced CISOs in a rapid-fire question-and-answer session. The CISOs scored them on innovation and vision, ease of use and implementation, value to the industry and the presenter’s ability to clearly and effectively articulate their solution and business value.

“The Security Shark Tank® during RSAC was the epitome of interaction between Security Executives and Startups!,” said Selim Aissi, SVP and CSO of Ellie Mae. “The startup pitches were relevant and the rapid-fire CISO questions were pertinent. This distinctive Security Shark Tank® platform also allowed some great discussions between CISO peers.”

The Federal Reserve System’s CISO, Devon Bryan, hosted and moderated the event.

“It is always an honor to be part of the Security Shark Tanks® whether in San Francisco, New York City, Chicago, Miami or San Diego,” said Bryan. “My peers and I welcome hearing our colleagues’ questions while learning about the newest solutions available to combat the ever-evolving security challenges we face.”

The panel included:
Al Ghous, Product Cyber Security Leader, GE Digital
BG Badriprasad, CSA, Ross Stores
David Cass, CISO, IBM Cloud and SaaS Operational Services
Dave Ruedger, CISO RMS
David Hahn, CSO, Silicon Valley Bank
Devon Bryon, CISO, The Federal Reserve System
Frank Aiello, CISO, MAXIMUS
Frank Fischer, CISO, Deutsche Bahn
Hussein Syed, CISO, RWJBarnabas Health
Jeff Trudeau, CSO, Credit Karma
Joey Johnson, CISO, Premise Health
Kevin McKenzie, CISO, The Dollar Tree Stores
Matt Hollcraft, CISO, Maxim Integrated
Meg Anderson, CISO, Principal Financial
Richard Latayan, CISO, Hollister
Selim Aissi, CISO, Ellie Mae
Shaun Gordon, CISO, New Relic
Vanessa Pegueros, CISO, DocuSign
Virginia Lyons, CISO, Williams-Sonoma, Inc.

“As a CISO it is easy to get consumed by day-to-day concerns and our immediate security needs. Events such as the Security Shark Tank® allow us to take a step back and discuss our common concerns while hearing about the latest technology that is available,” said Hussein Syed, CISO, RWJBarnabas Health. “I commend all of the participating vendors who are working to meet our needs.”

Meanwhile, Matt Hollcraft, Maxim Integrated CISO, said he looks forward to the next Security Shark Tank® and other CISO driven, invitation-only Security Current events. “It is during these exclusive, closed-door events like the Security Shark Tank® and CISOs Connect™ that we can air our concerns, ask questions, and receive and provide guidance to our peers on how to best address today’s pressing issues.”

Joey Johnson, Premise Health’s CISO, added: “The Security Shark Tank® provides a value on both the vendor side, and the customer side. For the vendors the exposure to the thought leadership is clear, as even beyond a direct sales opportunity the candid feedback from the Security Shark Tank® panelists provides a realistic understanding of what is driving the investment rationale of the leading security executives in the market. But also, from the consumer side, the opportunity to sit in a room with other leaders where we all hold each other’s opinions in such high regard, presents a unique opportunity to re-evaluate and calibrate our own perspectives on the value prop of a specific technology set as we collectively provide feedback to help drive that vendor’s roadmap to what we actually want to see.”

This is the second win for Baffle, which was founded to battle the increasing threats to enterprise assets in public and private clouds. It provides an advanced data protection solution that safeguards data in memory, in process and at-rest to reduce insider threat and data theft risk. Its solution goes beyond legacy encryption to truly close gaps in the data threat model.

Twist & Shout’s Restricted Intelligence combines one-part viral marketing techniques, one-part security awareness training, and a generous helping of pure entertainment to deliver real awareness and engagement to a company’s employees. However, Restricted Intelligence is more than a series of creatively crafted films, it’s a complete campaign, a veritable toolbox, of security resources that are used to deliver simple, compelling messages to inspire everyone to take responsibility for protecting the organization’s valuable data.

The post Baffle and Twist & Shout Win the Security Shark Tank® Held During RSA appeared first on Security Current.

The proverbial bike shop

Chad Boeckmann, CEO and founder of TrustMAPP, believes that security leaders are the driving force to innovative solutions becoming successful. “Ultimately CISOs vote with their dollars and by peer-to-peer exchange of ideas and solutions that are working,” he says.

Security leaders, Boeckmann says, should constantly be on the lookout for solutions that either solve new challenges (e.g. reduce manual effort) or reduce cost with legacy automation. Additionally, they should make themselves visible – present, deliver presentations, write a blog or a white paper or become a guest on different podcasts. Doing so will help the market respond to the challenges and new approaches that they raise while building their own brand.

Defining a goal

Boeckmann had an early go at entrepreneurship. At age 12 he had a newspaper route in his hometown of St. Augusta, Minnesota. “It was rewarding. It got me outside and I was able to exercise,” he says. Aside from delivering the papers on his bike, he also had to collect payments from his customers. Out of this experience came a desire to set up his own business. At that time, it was to own his own bike shop.

“That began a journey for me. I looked at all the skills I would need in order to make owning a business a reality.”

By the time he finished college, however, Boeckmann had set aside his bike shop aspirations and found himself steeped in technology. “I knew then in the late ‘90s that information security was going to be a big thing,” he says.

What remained was his practice of acquiring the skills he believed he needed once he had settled on a goal. And so he obtained the necessary certifications – the GSEC, CISSP, the CISA – and worked as a consultant to get to know various enterprises’ security needs in a short amount of time. Through this experience Boeckmann began to assess how customers’ information security needs could be met in a more effective way.

In one of his customer meetings, a CIO raised a set of questions: “Where is our security program today, where do we need to be, and what is it going to take to get there?” That set of questions got Boeckmann thinking about the value he wanted to provide his customers on a broader scale. This set of questions ultimately was the genesis of TrustMAPP®. “Our team began to apply and refine an approach with our customers to create a repeatable process that is highly automated. And then we constantly improved the capabilities by obtaining feedback from our customers and refining it accordingly. This approach is still core to our product development lifecycle today, three years later.”

Different yet similar

Having been in the security industry for more than 20 years, Boeckmann has been able to observe the security landscape. “A lot has changed, but a lot has also stayed the same.”

Back when he started his career, most companies’ definition of security focused on network perimeter security and access control. “But today the perimeter has become almost transparent, so you have to focus instead on data management.”

Despite this, the broader heading of risk management has been around a long time and Boeckmann believes that old challenges should be tackled in new ways. “We are beginning to see a new form of risk management tools emerge to quantify risk. I believe there are still two general camps, the camp that focuses on operational metrics like vulnerability numbers and results of phishing exercises. Then the other camp that focuses on performance of security as it is aligned to the business objectives. Operational metrics like vulnerability count and results of a phishing exercise are important and should be monitored however they are table stakes and not drivers of business objectives. These types of activities often fall into the maintenance category,” he says.

Another challenge that doesn’t seem to yet be solved is companies’ ability to build security into their processes at the outset, rather than as an afterthought.

“The challenges we’ve been dealing with for the past 20 years are likely to remain for a while but in a difference context,” Boeckmann says. “For example instead of focusing on internal-centered processes and controls we as an industry must now adapt process and controls to shared services like cloud services and evolve from a 100% on-premise model. Cost and convenience, in my opinion, are the ultimate business-drivers for this change.”

The opposite of micro

Boeckmann describes himself as an executive who hires people who do a better job than he can in specific areas. “I am the opposite of a micro-manager,” he says, “I like to hire and manage toward people’s strengths and also challenge them, asking team members to create stretch goals and take on tasks outside of what they have been used to.”

“There are many forms of learning and I think a big part of it is pushing people beyond their comfort zones, so they could prove to themselves that they can actually do what they thought they couldn’t.”

No business is successful by a single individual. “The success a company is a result of a team of people, who are all working together for the same mission and ambition. The team is not just employees but advisors, customers and consultants.”

Boeckmann takes pride in knowing how to bring people together for best results. “It comes down to skill sets, personality, and culture.”

Extra activities

Boeckmann likes spending time with his family, going to the lake in his native Minnesota and taking the occasional scuba diving trip.

He also started a podcast in early 2018. “I really enjoy it. I get to talk to and listen to very interesting people from across the country with varied backgrounds. The podcast is titled the Business of Security Podcast Series.”

The podcast focuses on the business and leadership aspects of security. “We focus on how security drives value for the business and get the perspective of executives. We want to raise the volume of the global conversation about how (cyber) security is a core function of the business instead of something that is just a by-product of the technology department.”

Boeckmann says three virtues have served him well over the years: Integrity, humility and gratitude. “I feel honored to know the people I do. This includes our advisors, our customers, and peers in the industry. Being part of this community is really special, and I appreciate learning from their experiences and their knowledge,” he says.

More than anything, it is Boeckmann’s inherent good spirits that have allowed him to prosper and thrive. “If I had a bad day on Monday, I don’t allow that to wreck the rest of my week. So, Tuesday is gonna be a fresh start and I make that a conscious choice. I begin each day thinking it will be the best it can possibly be.”

He may not have been able to actualize his childhood dream, but Boeckmann has certainly found his place. “This is my bike shop.”

The post Chad Boeckmann, CEO and Founder, TrustMAPP appeared first on Security Current.

For Selim Aissi, it is important to have a mix of industry, real-world security experience, along with the innate ability to deal with most critical security incidents both at the execution-level as well as within the leadership and board of director ranks, to be an effective cybersecurity leader. As a company executive, the CSO should posses the aptitude and ability to drive a large number of conflicting demands, ranging from daily security incidents, to strategic discussions, to external executive-level discussions while driving growth within the security program.

At the highest-level, Aissi believes that an effective cybersecurity program starts with five key imperatives: a well-defined strategy, a good understanding of the company’s threat-landscape, hiring/retaining top talent, continuous security innovation, and, effective communication.

Effective communication should range from the board of directors and C-suite, down to every employee across the company, and including prospects, customers, partners, and regulators. Aissi makes regular presentations to the board as well as the executive team and reaches out to the rest of the company in various ways, including articles in the company’s newsletter.

“I make sure everybody is aware of what we are doing, what is going on” says the SVP and CSO of leading mortgage company Ellie Mae. He is acutely aware that the integrity of the company’s cybersecurity posture depends on all of its employees.

He breaks down his messages into three parts: He tries to remind his colleagues about how security is embedded in their daily responsibilities. He reminds them of the consequences of certain actions – falling prey to phishing attacks, for instance. He apprises the employees of various security initiatives and gives them a sense of where the company is heading.

“Everyone should be aware that cybersecurity is not just the business of the security team. Security is everyone’s job in the company. I think we are making strides in this direction,” he says.

Developing defensiveness
Aissi had imbibed a security mindset long before he embarked on a cybersecurity career. His first job was at General Dynamics where he had an opportunity to build some of the most advanced Department of Defense systems requirements into military vehicles. “ Security was embedded in everything the DoD did,” he says.

This inclination saw Aissi through his transition from the safety-critical embedded systems, to research and development, to computing systems, to fintech – through his journey from General Dynamics to General Motors to Intel, to Visa, and on to his current role at Ellie Mae.

“This was the result of solid technical and leadership foundation I had earned for my career, while having some amazing coaches along the line” he says. He has designed and built some of the most complex security systems, but also has had a chance to grow his leadership and soft skills through his career.

Now steeped in the financial space, he acknowledges that every company is a target. “You always have to be prepared, because everybody is on the list. The only question is where you are on that list. You really have to work on very solid defenses. You cannot stay stagnant.”

“In fintech, evolution is very important,” Aissi says. “It’s critical to continuously check the health of the security controls and all related standards, tools, and processes. A CSO has to implement a measured, risk-based approach to examining the maturity and health of the security program.”

A circle of trust
Aissi is in constant touch with his peers – other CSOs/CISOs in many other companies globally, as well as cybersecurity leaders in state/federal government and venture capital.

The discussions within this closed circle of trust ranges from coaching each other, exchanging threat intelligence, sharing up-and-coming security/privacy legislation, discussing best practices, simply helping each other, and discussing some of the biggest challenges they all face.

“We have many concerns and the range is quite wide, but often we talk about hiring top talent. Finding and retaining good people is always a challenge.”

It’s fortunate that in the San Francisco Bay area, “the talent pool is well defined. It takes some knowledge of the whole talent pool to find the right people.” Job ads don’t normally work for the most critical positions in cybersecurity. “It’s a trust-based domain. You have to trust the people you are hiring. Most of the time, you already know the people you are hiring.”
Without top talent, Aissi says, even the best technology will not go far.

What cybersecurity leaders are made of
Technical chops are important. “You have to make sure you understand all the challenges and make all the right decisions, from vendor selection, breaking glass in war-room situations, making decisions on critical incidents, to handling technical conversations with customers at the CTO and CIO-levels” he says.

However, leadership and communication skills are also essential as well. “A CSO has to be able to successful manage, in real-time, a 360-degree communication. He has to get his message across to engineers, other leaders, the board, prospects, and customers. The CSO needs to have the ability to go deep in technology if necessary, but also to explain to other audiences in simple.”

Finally, only passion would make the daunting task manageable. “Being a CSO is really a 24×7 job,” Aissi says. “If you are not passionate about what you do, it would be difficult to perform.”

Personal time
Aissi has been recognized by his colleagues for his security leadership and innovation and received several awards, including the CSO50 Award (twice), the Reboot Technology Leadership Award, Top 100 CISOs Globally, Most Influential CISOs, and Security 500 Award (twice).

“Dedicating and blocking the necessary time to unwind and relax is critical for a CSO,” he says. He enjoys road trips with his family, going to the gym, and giving back to the community by helping several state- and national-level organizations with advice and coaching to advance their missions.

Aissi has also helped establish several security think-tanks, such as the UC Berkeley CISO Institute and the National Technology Security Coalition (NTSC), where he has been serving a Founding Board Member.

Aissi has also been serving as an Advisory Board Member for a number of security companies and venture capital firms.

He swears by The Speed of Trust: The One Thing That Changes Everything, by Stephen M. R. Covey. “This is an exceptional book that I live by every day!”

The post Selim Aissi, SVP and CSO, Ellie Mae appeared first on Security Current.

It’s no secret that all it takes is the weakest human link to compromise a company’s cybersecurity. To mitigate this risk, companies need to understand their employees’ habits and behaviors; they need to be aware of their people’s self-control levels when implementing security programs.

In a study of 6,000 participants in the Netherlands, a team of Dutch and American researchers found a correlation between self-control and the probability of malicious software infections.

“Companies can refer to their employees’ level of self-control to know who among them are in need of greater reinforcement and training on computer use and security protocols,” said Dr. Thomas Holt, lead author of the study Testing an Integrated Self-Control and Routine Activities Framework to Examine Malware Infection Victimization which was published in Social Science Computer Review. Holt is also professor of criminal justice at Michigan State University.

Organizations can also introduce regulations on Internet access or device use and automated implementation of security tools, he added.

The study by Holt, Johan van Wilsem, Steve van de Weijer and Rutger Leukfeldt explores the extent to which personal characteristics and user behaviors affect the probability of malicious software infections, a serious form of cybercrime, using the integrated routine activities and self-control theory of victimization.

The self-control theory of victimization

Self-control is a set of attributes that is easy to measure using a 24-item scale, Holt said.

Low self-control is manifested through short-sightedness, negligence, physical versus verbal behavior, and an inability to delay gratification.

“HR could be a useful means to assess these characteristics,” he said. “Risky online behaviors that may reflect low self-control could be measured based on activity while on company computers and networks such as viewing pornography or downloading pirated materials.”

The researchers found that people with low self-control have an increased risk of malware victimization because their routines place them in close proximity to motivated offenders and decrease their willingness to utilize appropriate guardianship factors.

“Basically, your ability to regulate your behavior influences how you act and when,” Holt said.

“Those with low self-control are more impulsive, risk-taking and short-sighted. This makes them less willing to take appropriate security measures and may increase the likelihood they wind up in risky situations that put them near offenders.”

To mitigate this risk, Holt said, companies can restrict certain activities like “the ability to download/install third party applications without authorization, downloading pirated software and automating security protocols such as AV scans would help to partially reduce risk.”

“While we don’t know that offenders are deliberately targeting those with low self-control, we do know that malware writers and social engineers often target those who are more likely to respond or interact with their tools through malicious links and websites,” Holt said.

“That may affect those with low self-control at a higher rate as they don’t pay sufficient attention to potential risks or take proactive steps to secure their devices.”

A representative sample

“The Dutch population is largely representative of other European and western populations. Additionally, they have robust survey data relevant to cybercrime victimization that is not present in other countries, especially the US,” Holt said.

Participants were asked a series of questions about how they might react in certain situations to measure victimization, and describe their devices as having slower processing, crashing, unexpected pop-ups, and the homepage changing on their web browser.

Holt said the findings lead him and his team to potential further research.

“I am interested to see how we can better develop resources to automate security protocols for use among populations with low self-control to reduce the risk of compromise,” he said. “I am also interested in the extent to which cyber security education is implemented in practice across various age groups as that is a key concern. If we communicate risk but people don’t use this information to protect themselves, we have to figure out why and how we can change this issue.”

The post The link between self-control and security appeared first on Security Current.

Scaling mountains

It’s no coincidence that Pravin Madhani’s company K2 was named after the second-highest mountain in the world.

“Imagine looking at a mountain from the base,” he says. “You are impressed by its sheer size but you also realize how daunting it is to climb it.”

There is fear in your heart. “Will it work? Will it fail? I have a safe job now, but should I leave it and risk everything in the startup?”

And yet, you decide to climb anyway. “You prepare well. You have to enjoy the journey, even if it means running into wild animals, experiencing bad weather, and encountering other unknowns.”

Once you reach the top of the mountain, be prepared to be awed. “It’s really beautiful, really satisfying. It will be worth it.”

It runs in the family

When Madhani was a ninth grader in Mumbai, his father – a trader of forest products – was called away to an emergency travel. The boy was left to mind the office and negotiate deals with customers.

His father was happy upon his return. Apparently, the son had done a good job. But the younger Madhani realized, more than ever, that businesses at that time was inefficient. “This was India in the 1980s, and everything was done manually. The cost of computers was too steep for a small business.”

That episode convinced him that his life path had been set.

“I grew up surrounded by entrepreneurs – my father, my family, my extended family,” Madhani says. “It appeared that building companies runs in the family, and nothing less was expected of me.”

He pursued his natural curiosity of what made things work, and work better. He was admitted to the prestigious Indian Institute of Technology, Mumbai for college, and obtained a scholarship to the United States for a masters in computer engineering.

His father’s only piece of advice was “Start your business sooner rather than later.”

Soon after graduation from University of Texas at Austin he moved from Texas to Silicon Valley and set out to create his venture amid the challenges of starting a company in another country where “you had no backing and no infrastructure.”

He established Everest Design Automation in 1997 and Sierra Design Automation in 2003. Both were soon acquired by bigger companies. Between these ventures, he was also an angel investor but realized he wanted to do more than passive investing.

In March 2017, Madhani embarked again on doing what he does best – building companies. He started working on providing a solution to minimizing the damage from zero-day attacks. He no longer just deals with large customers. “Now, everybody needs security, from homes to small businesses to big companies,” he says.

“Today when there is an attack, everybody looks at signatures. Currently companies try to determine where the attack came from and what to do the next time it happens. But what can they do if it’s a first-time attack nobody has seen before? Those attacks which have never been seen before are called zero-day attacks and we protect against them.” he says.

One of the crucial challenges is to make customers understand the technology. “It is new and there will be skeptics, but that is something we are prepared to overcome.” The company launched out of stealth February 20.

Climbing lessons

The most important part of the climb is to believe in what you are doing, Madhani says. “Are you convinced that your product could address the pain points and change the world around you?” If you are, then employees, investors and customers will eventually see things the way you do. “You can convert anybody into a believer if you do your homework.”

Second, it’s all about the team. “There is no ‘I’ when you are working in a startup. It’s always a ‘we.’ It’s the team that makes things happen,” he says, adding that even the way the office is arranged in a way that encourages openness and teamwork.

“When there is a problem, you discuss and arrive at solutions together. There is no place for egos here,” he says.

Finally, always listen to the customer. “Many times you can get carried away by your ideas or where you think things should be. But your customers might have other ideas. You should be flexible enough to adapt to their needs and wants rather than the other way around.”

Persistence is a virtue that never goes out of fashion for entrepreneurs, Madhani believes. “You always do everything to improve your company and your product, to bring value to customers.”

Sure, there will be the proverbial wild animals and inclement weather. You will hear a lot of noises and run into blank walls. “But if you do not ask, the answer will always be ‘no.’ Only through asking can you find out the answer could be ‘yes.’”

A soft spot for education

Madhani is a member of the advisory board for the University of Texas in Austin and UC Berkeley. This is what keeps him busy aside from running K2.

“I have seen my own life change with good education,” he says. “So I talk to young people from every field, not only in tech, and I tell them that if they work hard for eight years, in high school and college, then they will have a nice 80 years after that.”

There is just no substitute for hard work. “Focus on learning, ask questions, always wonder you can do things better or differently, and put in the hours – long hours.”

On Saturday mornings, Madhani goes hiking in Silicon Valley, spending two hours climbing. “When you get to the top, the view of the valley is just breathtaking,” he says. It’s a great way to renew his commitment to keep climbing mountains, and more importantly, to relish the journey, every time.

The post Pravin Madhani, CEO, K2 Cyber Security appeared first on Security Current.