“I wish I could tell you I planned it all, and that this was all thought through,” says Berin Lautenbach of his path from the start of his career to his present role as Asia Pacific CISO of Australian telco giant Telstra.
But he did not plan to be where he now is. It was all serendipity. “It all worked out well.”
He got his degree in computer science at the National Australia University and in his fourth year did a sub-thesis on the subject. He did not just like what he was doing – he had fun with it.
“And so when I went searching for a job, I wanted something to do with programming supercomputers.” He had a choice between the Bureau of Meteorology and the Defense Department, the only two institutions in Australia that provided such an opportunity at that time. He chose the latter.
On his first day on the job, however, he was told instead that he would be assigned to the security department.
It was not what he had expected, but perhaps it was youth that made him say he was OK with his surprise assignment. “Easy come, easy go.”
Except that Lautenbach has not gone. He has remained in security for 25 years.
Wide and deep
Working for Australia’s Defense Department, Lautenbach mainly performed security evaluations. “In defense you get brilliant grounding in security, security architecture, how to really think about a problem,” he says. But defense also tends to be risk averse, and the main issue was avoiding risks.
He moved to Melbourne after getting married, and then worked as an information security consultant. He went around Australia and a bit around the world, before joining National Australia Bank, and then another consultancy, and later, GE Capital.
Lautenbach’s experience in the private sector taught him the lesson of determining the right levels of control for any given risk. Risk is, after all, unavoidable, and one can only manage it.
While working as a consultant for Sun Microsystems and Dimension Data allowed Lautenbach to work in many different organizations, his stints with NAB and GE Capital provided him depth in terms of appreciating security issues. “I have always liked that contrast,” he says.
He was also able to get varying perspectives working for different sectors – government, financial services, and telco.
“In a bank, it’s about data and transactions and financial security. In a telco, it’s also data and the rest of it – but you’re running a network infrastructure that’s critical to the wider community,” he says.
Fundamentals and nuances
Cybersecurity issues in Australia and Asia, his areas of responsibility in Telstra, are exactly the same as the issues in other parts of the world. “In this interconnected world someone in any country can take an action and that action will have an impact on us here.”
Fundamentals also come into play in the discussion of the kind of information security threats today.
“Any security person’s job is predicting the bad things that will happen,” says Lautenbach. Many years ago he and his peers talked about how you would be able to harvest passwords, and send email with malicious attachments. “And now these are coming to pass.”
Then, too, people were just enjoying themselves, connecting with their computers and seeing what they could do. Threat actors now have financial motivation for their activities. “The moment you can make money out of something, it becomes worthwhile to do it.”
Then again, people have been stealing from each other since time immemorial. They have always been bullying each other. There has always been activism of some sort. “What I will say is there is nothing new under the sun. It’s just a new vehicle…all of these things have been happening all the time in human society. All that is happening now is that we are transposing them to cyberspace.”
The ‘perfect’ CISO
Lautenbach heads a team of around 300 in his current post. But what makes one a good CISO?
“There is no single answer to that,” he says. “It depends on the organization itself. What makes a CISO good in one organization might not make him or her good in another.”
Still, there is a common trait that boosts a CISO’s effectiveness. Communication is a prime skill. CISOs communicate more and more with incredibly diverse stakeholders who may have no technical knowledge at all. CISOs should be able to articulate complex concepts to all the people in the organization.
A life of rituals
Lautenbach describes himself as an early riser who always tries to be out of the office “by 5:30/6pm. I cannot tell you I succeed every night, though.”
He also makes it a point to exercise and listen to some classical music, especially since he used to play the violin and the piano in his youth.
Fatherhood takes up a lot of his time – his children are aged 20, 18, 16 and 12 – and he marvels at how this role has evolved. “It changes as I get older. It has become less about me and them leading different lives. I come home and all of them are doing something on their own.”
Nonetheless, every Saturday night is a treat. They go out as a family and pick a place where they can have dinner together.
“It’s those habits or rituals that keep you connected and rounded,” he says.
A beautiful mix
Lautenbach revels in how he has managed to find a career that combines what he loves to do – “the geeky stuff” – with something he thinks is profound and important.
“There is a beautiful mix of an interesting job that is also I think really worthwhile. I’m doing something for the wider community.”
But while established in his career, he keeps himself open to surprises.
“I would love to have a crystal ball to tell me where we will be in a few years’ time, but my one learning in the past 25 years is, you’ve got to be ready for almost anything because people change, the game changes – overnight sometimes. It’s hard to predict what that’s going to be.”