Ibrahima Mbaye sets aside time in his busy schedule to have coffee, lunch or dinner with young cybersecurity graduates and college students.
Mentoring young graduates and students entering the profession is his way of giving back to an industry that gave him enormous opportunities after he migrated to the United States from his native Senegal.
“I advise them what classes to take, what things they should focus on, how they can prepare themselves for the real working environment,” he says. “I guide them through the interview process and tell them what they should expect and which bad habits they need to drop.”
He also tells these young people about the difficult things he had to learn on his own, or helps them avoid the mistakes he committed when he was younger.
“I used to think that if I had an awesome tool, I would always be protected,” Mbaye, now CISO of Computer Generated Solutions, says. “Now I know that is not exactly the case. It’s a myth. A successful cyber program is also about processes, doing things right. And you can only do that by being disciplined and if you see things through.”
Mbaye’s brothers and sisters all followed a pre-determined path: College, law school, a promising legal career. He, however, had other inclinations. He was seven years old when he first became acquainted with computers; by 11, he had his own Commodore 64.
“Most of my friends asked me: ‘What is this for? What use will you have for a computer other than writing a video game?’”
In response, Mbaye told them that computers were the future, and that one day everything they would do would require a computer. “They thought I was crazy,” he says.
He went to the US for college, but he did not want to pursue the path his siblings took. “You could say I was a little bit lazy,” Mbaye says. “So, computers made a lot of sense. I thought a degree in computer science would be best. I already knew computers, so I could still have decent grades while being able to party.”
But while computers proved easy, adjusting to the language was not. French was the predominant language in Senegal, and while he already knew some English, all of a sudden Mbaye had to “think, speak, study, eat and do everything” in this other language.
To overcome this hurdle, and fast, Mbaye took a job at a nearby supermarket. There he was able to practice his language by interacting constantly with people who spoke English.
Mbaye interned for an IT consulting company while he was still studying, and it was here that he was first able to apply his computer facility to everyday business. Much later, his university put him in an internship program at a nascent management firm on Wall Street. Mbaye did so well he was offered a full-time post after only three months. He continued his schooling at night.
And then the “I Love You” virus came, paralyzing the office’s operations for one full day. Mbaye’s boss saw how he responded to the event and soon asked him if he wanted to handle security.
These days, Mbaye is getting settled into his CISO role in CGS, an applications, learning and outsourcing company which he joined in September 2018. His first few months have been good — learning about the business, trying to identify gaps and working toward a proper risk management framework for the company.
“My approach to information security is more risk-based. I want to avoid a security framework driven by random best practices or compliance to standards,” he says. “I think at this point in the evolving role of the CISO, he or she is a risk manager, identifying risks and making sure there are appropriate controls around that risk.”
He likens his objectives to a navy destroyer. “My main goal is to reduce the surface of attack of the organization,” he says. “Once a destroyer is in combat, it tries to reduce the surface of attack so that another gunshot or missile will be likely to miss it.”
He then tries to put controls around those things he cannot reduce.
“A good CISO has to have a good understanding of the business and its processes. It’s not about being Mr. No. We have to ensure we enable the business without it worrying about cyber-attacks, data leakage and data exposure,” he says.
He may be new in the company, but Mbaye’s years of experience in the industry have taught him that the best approach is to understand what the other person is trying to do. “If what they want to do is not safe for the organization, I work with them and find workarounds that are safer. ‘No’ is not just part of my vocabulary.”
In dealing with C-level executives, Mbaye tries to be receptive and forthcoming. “I take time to listen to their processes and pain points, and address these in a subtle manner. I try not to be obtrusive in their day-to-day work.”
A CISO must also always bear in mind that businesses change, and what is applicable today may not necessarily be applicable in six months or a year. “You should be able to adapt to the business and you are able to modify or shift security policies when needed.”
Networking with his peers – other CISOs – is also helpful to Mbaye. “If I find myself facing an issue, for example protecting source code or sensitive intellectual property from leaving, or effectively monitoring the cloud, I will likely find somebody who has gone through the same.”
Leading by example
Mbaye likes playing soccer and spending time with his kids. Physical activity helps him clear his mind and do better at his job.
But a big part of his free time is spent mentoring others, repeating the lessons he has learned over the years.
Aside from advising individuals, Mbaye also talks to startups about their products and how they go about their business. He validates their ideas and talks about market demands. He also provides advice on the broader nature of enterprises and the things that make or break businesses, drawing from his own experience across various enterprises and dealing with numerous vendors.
“I like to think that I lead by example,” he says. “The cyber field is constantly evolving, and we professionals have to evolve along with it.”