Rafi Khan sees his career as a series of crossroads for taking his professional path to new levels.
Three factors help him to balance these decision points, said Khan, the Chief Information Security Officer at New Jersey Transit.
“One is the will to push back on system security compromises, whether it’s corporate pushback or political pushback or even market pushback,” Khan said. “If it’s going to compromise my company, the safety of my staff or the safety of my constituents, I will not budge – unless you assume that risk and put it in writing.”
The second has been a willingness “to pivot from one industry and then dive to another.” That flexibility has taken him from a longtime career in health care to e-commerce, and now public transit, where he’s tasked with protecting critical infrastructure and all the other touchpoints related to travel.
The third item has been “building the right culture within your team.” That includes upskilling talent, which is key when you have a very competitive recruitment environment, he said.
“We ensure that we provide them all the right tools so they are not confined to some older technology that may not be marketable 99% of the time. That way they understand we are not short-changing them and they will not be looking outwards,” he said.
“There’s also our culture of providing a better work-life balance, the culture of understanding that we have your back. If something happens, there’s no blame game. There are always lessons to be learned that we can evolve from to the next level of challenges. It’s been successful.”
Khan got into cybersecurity after studying and practicing nuclear medicine technology, a discipline that required a very strong understanding of computer analysis. That experience grounded his understanding of where computer technologies would be going, sharpened his awareness of data privacy, and taught him the value of empathy.
“Execution of the CISO role requires a deep understanding of who will be impacted in today’s cybersecurity space, because so many touchpoints will be affected,” he said. “If you have a vendor who has a vulnerability, for instance, how do you manage that? The execution will be a fine line between, ‘Hey, you folks are compromised,’ and ‘We will not compromise our systems by exposure to yours.’ And that fine line is saying, ‘We understand that we are on the same side. We want to help you.’ Let’s help each other. The same goes for colleagues. CISOs cannot work in a vacuum. Partnership is very, very important.”
Alliances with federal agencies and law enforcement are also crucial in his current role, where in addition to ensuring safety for NJ Transit’s ridership, staff, data and systems, Khan must look outward to see what threat intelligence he might be able to gain.
A successful CISO, Khan said, learns from colleagues and shares what he learns.
“They will share with us some threat intelligence and they may even glean something from us. It’s a two-way street. It is very, very important that we work together,” he said.
Khan’s program rests on three foundations.
“We have to intelligently select and continuously improve on our cybersecurity tool chest. We can’t have gaps in the program. We always have to be looking at different technologies, and that’s where the partnership with vendors comes in. And you always have to optimize, optimize, optimize. If you don’t optimize your infrastructure to prepare for the next attack, it’ll be more difficult when it happens,” he said.
Khan is busy integrating artificial intelligence and machine learning within his organization’s tool chest.
“We want to include security orchestration, automation and response to support our security operations folks,” he said. “The logs we receive are voluminous. It’s not humanly possible for even a huge army of analysts to review the intrusion attempts.”
His team is also adopting a zero trust security strategy, with a layered defense approach to support it.
It’s challenging to build a test environment that’s reflective of a diverse ridership base that’s approaching a million riders a day on weekdays. Networking with other players in the space is essential as technologies and bad actors evolve, Khan said.
“My team does an incredible job. But sometimes it’s almost impossible to anticipate all the potential different scenarios. That’s why we work very closely with other transit systems and law enforcement, because together we all provide each other the best intel,” he said.
“The pressure is always on. We must always adapt faster. We must always look at new tech innovations and whatever our customers might be demanding,” he added. “We have to balance things to make sure we are not leaving any vulnerabilities with our cybersecurity approach. I cannot remove guardrails, even when there are tensions to open up everything.”
Early on in the job, Khan met with different business units to identify their security pain points, recognizing that communication with other departments and executive leadership is critical.
“We have to partner with communications folks. We have to partner with legal. We have to partner with executive management. We also have to look at what’s in the offing and communicate that risk to leadership. All of that will happen only if I have built that relationship, if I’ve had lunch with them, or coffee, to break the ice,” he said.
Threats that occupy him are business email compromise, and the very high-quality compute power that malicious actors can now harness to crack passwords. Third-party vulnerabilities are another concern.
“We’re looking at their SLAs, putting their feet to the fire on them, because if they are vulnerable and don’t have strong cyber hygiene, then doing business with them might be a risk,” he said.
“You need to have an open mind because there will be times when you are jaded by your experiences and think you know what you’re dealing with, when you may not. Therefore you have to confer. CISOs cannot be successful by their own thinking alone. My approach is always to consult, consult, consult. It’s going back to the crossroads. We are at a crossroads every day in making decisions on how to mitigate risk, or how to enable business without adding risks.”
Khan’s advice to people just entering the field is to show humility.
“If we are humble, we understand there’s always another thing or two or three that we’ll be learning in the future. So stay humble, but also stay hungry,” he said. “You’re never done learning in cybersecurity. And if you do stop growing and learning, you have to understand that you have to realign and put the train back on the rails and don’t stagnate.
“Another thing I’d advise is be there. If you have to drive a five-hour round trip to meet up with a group of talented people for a two-hour dinner – and I’ve done that – then do that to build your network. Showing up, in my view, is 90% of success.”
Khan finds an outlet from the intense pressure of his job by rebuilding vintage stereo amplifiers and working on his Mazdaspeed3 sports car. Rebuilding amplifiers definitely has very strong tie-ins to his job because it’s all electrical, he said. Working on the car is a similar extension because “it’s all about understanding checklists, understanding what you’ve missed, and understanding how you can improve,” he said.
“I drive a Japanese speed rocket,” he said. “I like to tune it. I drive a six-speed, and I put in a cold air intake so it can breathe better and run faster, and gain horsepower. I changed the suspension to go around corners better. It’s good therapy for me. It’s fun. It keeps your brain tuned as well as your car tuned.”