For Selim Aissi, an effective cybersecurity leader needs a mix of industry and real-world security experience, along with the innate ability to deal with the most critical security incidents both at the execution level and within the leadership and board-of-director ranks. As a company executive, the CSO should possess the aptitude and ability to handle a large number of conflicting demands, ranging from daily security incidents, to strategic discussions, to external executive-level discussions, while driving growth within the security program.
At the highest level, Aissi believes that an effective cybersecurity program starts with five key imperatives: a well-defined strategy, a good understanding of the company’s threat landscape, hiring and retaining top talent, continuous security innovation, and effective communication.
Effective communication should range from the board of directors and C-suite down to every employee across the company, and should include prospects, customers, partners, and regulators. Aissi makes regular presentations to the board as well as the executive team and reaches out to the rest of the company in various ways, including articles in the company’s newsletter.
“I make sure everybody is aware of what we are doing, what is going on,” says the SVP and CSO of leading mortgage company Ellie Mae. He is acutely aware that the integrity of the company’s cybersecurity posture depends on all of its employees.
He breaks down his messages into three parts: He tries to remind his colleagues about how security is embedded in their daily responsibilities. He reminds them of the consequences of certain actions – falling prey to phishing attacks, for instance. He apprises the employees of various security initiatives and gives them a sense of where the company is heading.
“Everyone should be aware that cybersecurity is not just the business of the security team. Security is everyone’s job in the company. I think we are making strides in this direction,” he says.
Developing defensiveness
Aissi had imbibed a security mindset long before he embarked on a cybersecurity career. His first job was at General Dynamics, where he had an opportunity to build some of the most advanced Department of Defense systems requirements into military vehicles. “Security was embedded in everything the DoD did,” he says.
This inclination saw Aissi through his transition from safety-critical embedded systems, to research and development, to computing systems, to fintech – through his journey from General Dynamics to General Motors to Intel, to Visa, and on to his current role at Ellie Mae.
“This was the result of a solid technical and leadership foundation I had earned for my career, while having some amazing coaches along the line,” he says. He has designed and built some of the most complex security systems, and has also had a chance to grow his leadership and soft skills throughout his career.
Now steeped in the financial space, he acknowledges that every company is a target. “You always have to be prepared, because everybody is on the list. The only question is where you are on that list. You really have to work on very solid defenses. You cannot stay stagnant.”
“In fintech, evolution is very important,” Aissi says. “It’s critical to continuously check the health of the security controls and all related standards, tools, and processes. A CSO has to implement a measured, risk-based approach to examining the maturity and health of the security program.”
A circle of trust
Aissi is in constant touch with his peers – other CSOs/CISOs in many other companies globally, as well as cybersecurity leaders in state/federal government and venture capital.
The discussions within this closed circle of trust range from coaching each other and exchanging threat intelligence to sharing up-and-coming security/privacy legislation, discussing best practices, simply helping each other, and discussing some of the biggest challenges they all face.
“We have many concerns and the range is quite wide, but often we talk about hiring top talent. Finding and retaining good people is always a challenge.”
It’s fortunate that in the San Francisco Bay area, “the talent pool is well defined. It takes some knowledge of the whole talent pool to find the right people.” Job ads don’t normally work for the most critical positions in cybersecurity. “It’s a trust-based domain. You have to trust the people you are hiring. Most of the time, you already know the people you are hiring.”
Without top talent, Aissi says, even the best technology will not go far.
What cybersecurity leaders are made of
Technical chops are important. “You have to make sure you understand all the challenges and make all the right decisions, from vendor selection, breaking glass in war-room situations, making decisions on critical incidents, to handling technical conversations with customers at the CTO and CIO levels,” he says.
However, leadership and communication skills are also essential. “A CSO has to be able to successfully manage, in real-time, a 360-degree communication. He has to get his message across to engineers, other leaders, the board, prospects, and customers. The CSO needs to have the ability to go deep in technology if necessary, but also to explain to other audiences in simple.”
Finally, only passion would make the daunting task manageable. “Being a CSO is really a 24×7 job,” Aissi says. “If you are not passionate about what you do, it would be difficult to perform.”
Personal time
Aissi has been recognized by his colleagues for his security leadership and innovation and received several awards, including the CSO50 Award (twice), the Reboot Technology Leadership Award, Top 100 CISOs Globally, Most Influential CISOs, and Security 500 Award (twice).
“Dedicating and blocking the necessary time to unwind and relax is critical for a CSO,” he says. He enjoys road trips with his family, going to the gym, and giving back to the community by helping several state- and national-level organizations with advice and coaching to advance their missions.
Aissi has also helped establish several security think tanks, such as the UC Berkeley CISO Institute and the National Technology Security Coalition (NTSC), where he has been serving as a Founding Board Member.
Aissi has also been serving as an Advisory Board Member for a number of security companies and venture capital firms.
He swears by The Speed of Trust: The One Thing That Changes Everything, by Stephen M. R. Covey. “This is an exceptional book that I live by every day!”