Amar Singh, CEO and founder of Cyber Management talked in length to Saqib Chaudry, CISO at the world-renowned Cleveland Clinic in Abu Dhabi on a range of topics including his early career in consulting, security certifications, whether the ability to hack is a step up to a security job, and the importance of threat intelligence.
Saqib sums up his role in three words: curiosity, risk taking and pragmatism.
When it comes to curiosity, Saqib never stayed within one domain of IT. His desire to learn more, from IT to non-IT and business in general was important to him. It taught him the importance of understanding how technology and security can impact the business.
He never shied away from taking a risk in taking up challenges, leading rules, never being afraid of failure but more being afraid of not taking the initiative.
Security is a complex beast. For Saqib, the purpose is to make sure that you have enough security where the risk is managed, but also operational efficiency. Understanding the business and the operational constraints is how to make it secure – pragmatism.
Starting out as an Helpdesk analyst; moving into systems and engineering, all as a consultant, allowed Saqib to choose projects to work on in between being a student. Saqib highly recommends starting a career in consulting, enabling you to gain experience in different technologies and business continuity. The role of CISO, to Saqib, is less with technology and more with understanding the processes, end to end, for an organisation.
“Consulting firms already have a set list of clients across various industries which gives you a broad spectrum of what’s out there – makes your decision easier for the major you will work on.”
From a personal development perspective, elaborates Saqib, is to focus on developing you as a person. Within a consulting firm, you can learn a range of different skills; from sales to dealing with executives, proposal writing, different cultures and how to market yourself.
“You have 7 seconds to hold your senior executive’s attention so, when they ask you a question, answer it with a yes, no or I don’t know, before you launch into your explanation.”
Security, to Saqib, is a very diverse field. In the past, the system administrator was responsible for security. Now, it’s a specific role. For Saqib, the qualification he looks for depends on the position available. So, from a technical perspective, he would look for certifications within a particular technology, such as malware, firewall, Juniper, etc. From a governance perspective, it is CISSP which delivers a broad perspective. From a control assurance and security assessment perspective, it’s CISA because of the audit experience – understanding the technology, understanding how it’s set up, how to carry out an audit and report on it, how you assess risk and how you ask questions is important.
It probably used to be the case 10-15 years ago, says Saqib, but now the landscape has changed drastically. A hacker may not necessarily have the incident response experience, or the self-assessment and audit experience, so just having the hacking experience whilst good for a domain, you don’t have the overall experience.
For Saqib, it’s a challenge and opportunity perspective. In terms of general technology, organisations are moving in to Big Data, cloud computing, networking and the Internet of Things. These technologies pose unique challenges that need to be dealt with, such as the integration with existing infrastructures and legacy applications
From a security perspective, Saqib belives there are a few things that need to be highlighted. Data privacy is becoming more of a focus, more important.
“I see a lot of organisations spending money on protecting end user devices but in an age of BYOD, Big Data and the cloud, it makes more sense to shift some of the focus on to protecting the actual data.”
One security area that is still being ignored is the people factor, says Saqib. Organisations are doing better with a lot of process related control of information, but this aspect needs more focus. User awareness is key and to monitor the insider threat with privileged access – a big concern for CISOs.
For Saqib, threat intelligence is very important. Just one intelligence feed is not enough – you need to subscribe to many as they all have their own sources for gathering information, including vendors such as Kaspersky, Microsoft and Semantec. Threat modelling is definitely a buzz word but it has a lot of potential.
"Once the security tools have been implemented, we’re now thinking, what is the next step against attacks? The insider threat is probably the most difficult to detect.”
The way you implement threat intelligence and decide on what works best for you will depend on having a complete understanding of your organisation and its processes, top to bottom. The more the more information you have about how your business works, the better model you will be able to create.
For more information on Cyber Management Alliance, their GCHQ Certified CIPR training and other courses, webinars, Wisdom of Crowds live and virtual events, and their Insights with Cyber Leaders series of executive interviews, contact us today.