Oct 6, 2024
Episode Description
In this conversation, Diaa Abu-Shaqra shares his extensive journey in cybersecurity, from his early fascination with cryptography to his current role as an entrepreneur. He discusses the evolving role of the CISO, emphasizing the need for CISOs to have a seat at the executive table and to communicate effectively with business leaders. Diaa highlights the importance of proactive security measures, staying updated with industry standards, and fostering a culture of security within organizations. He also addresses the challenges of navigating regulatory environments and the significance of incident response preparedness. Finally, Diaa offers valuable advice for aspiring security professionals and shares insights into the future of cybersecurity.
Hi everyone. Welcome to the Hands-on CISO podcast. My name is Adi and today we'll be talking to Diaa Abu-Shaqra. Diaa is an innovative, seasoned security professional with over 25 years of experience in the government, retail, technology, and financial sectors. He led security for over 15 years for one of the largest financial institutions in the world, covering not just IT and security, but also third-party risk management, business continuity and resiliency, as well as business process risk management.
This combination of experience, education, industries and programs fueled Diaa's success in being recognized two years in a row as a top CISO to watch. Diaa, how are you doing today?
Diaa Abu-Shaqra (00:43.541)
I'm doing very well. Thank you for this kind introduction, Adi. Happy to be here.
Adi (00:48.242)
Amazing. So happy to have you here. Really interested in hearing how did you even get into security? What led you to this place?
Diaa Abu-Shaqra (00:58.113)
Well, early in my career, I started off as a system administrator and I took this class that had a cryptography component in it. And it completely went over my head. I didn't understand anything at all. So it kind of challenged me and it got me really curious. So I went back and I took a cryptography class again, and I just fell in love. So that was really, it was more of an "I don't understand anything about this topic" kind of challenge, how I got into it.
Adi (01:31.518)
Interesting and then what did your journey look like since?
Diaa Abu-Shaqra (01:36.84)
It's been an amazing journey, to be honest. I started off in help desk, and actually this is a question I get a lot from people, you know, wanting to get into security: how can I get in? Well, first of all, there's no one right or wrong way. You can get in from almost anywhere. The best place that I've seen be sort of an incubator is really help desk. So my journey took me from help desk to government
to technology company, playing with state of the art devices and bells and whistles. And then I found myself at a very large financial institution doing risk assessments and living in my suitcase and traveling all over the place. But mostly it's been really centered around IT and security for the last 20 years or so.
Adi (02:27.86)
Interesting. And what does your day to day look like now versus what does it look like in different companies you've been in?
Diaa Abu-Shaqra (02:35.69)
Yeah, right now I'm an entrepreneur, founder of a small cybersecurity startup. So my day, every day is somewhat a little bit different as you're building a company and a startup. One day you're the marketing, one day you're the biz dev, one day you are the developer, right? So every day is exciting, but I'm spending most of my time actually talking to people, getting some prototypes in their hands, getting some feedback.
But generally speaking, when I had a corporate job, when I ran a team at a bank, we started off with daily or weekly meetings depending on the size of your team and whether it's a one-on-one or the whole team. But generally, I connected with my team twice a week, at least the whole team. Everybody went through what they're working on so that everybody else hears and they can share ideas, ask for each other's help.
And it also included meetings with my partners, right? It's very important for a security organization to be looking around to cultivate these partnerships. It could be within IT, it could be within business, it could be within finance, supply chain, right? Don't wait until you actually need them to start cultivating these partnerships. You should be proactive in trying to do that on a daily basis. But generally, it included both the team, the business partners, excuse me.
And there's usually an auditor or two in the house, so that usually takes up some time.
Adi (04:08.372)
Interesting. And what made you decide to move from the CISO role, which is also interesting because CISOs, I would assume, tend to be people who are very risk aware, very, like, maybe even risk averse. What made you go from that to being an entrepreneur, starting your own company?
Diaa Abu-Shaqra (04:28.308)
Yeah, so this is actually my second attempt at starting my own company. Being a CISO, you almost need these two opposing extremes of the spectrum. You need the business acumen so that you can help your business partners really understand the risk and make informed decisions. It's not up to you to decide what that risk is, or rather, not to decide what it is, but whether it should be accepted or not. That's usually a business decision, right? So the CISO's job is really to be the eyes and ears of the business and help them make informed decisions. Whether they accept it or not, at the end of the day, that's their decision. On the other end, you almost need to be, and again, depending on the size of the team and the capabilities, but you almost need the technical experience. So if it's a small team, for example, and you have technical functions, they're going to be looking to you to be their technical lead.
So you can't really get away with just saying, I'm a CISO, I'm just going to focus on business, right? So depending on the size of the organization, you might need both. I am an entrepreneur by spirit. And to me, CISO was a role that I went through as a phase in my career. I didn't start there, and I'm not going to end there. It's part of my journey, and I'm very grateful to have gone through this journey.
Now I'm ready for bigger and better things and that's why I left and decided to restart my startup again. And it really has to do with the pain points and challenges being out there, Adi. 20 plus years in security, I have yet to see comprehensive solutions in cybersecurity risk management that really help the security organization do their job. There are individual tools.
that will help you do bits and pieces like vulnerability management or endpoint detection or a CMDB or IAM. But there's no system that is inclusive enough, I'm not even going to say comprehensive, that scares off some people. But even inclusive enough to have these different components built right in. It's really an impossible, mission impossible job for CISOs these days to try to figure out how can I reconcile a dozen different systems in my company to be able to make sense of my data.
Diaa Abu-Shaqra (06:48.03)
So I set out to fix that problem.
Adi (06:53.194)
Interesting. Do you think that the fact that you're doing it as a former CISO, as someone who was actually in the field, like how much does that affect the way you act, the way you move?
Diaa Abu-Shaqra (07:08.866)
A very good question, and very much so, because I'm coming from practical experience. It's not theory. It's not, we think you need this product. No, the technology that we built was really driven by need, right? So early on, in my first launch of the business, I developed a platform to really help solve a lot of the operational pain points that I ran across in the prior two decades. And when I say operational,
these are the actual teams that are processing requests, interacting with end users, customers, et cetera. So for example, you need access to monday.com or workday.com, right? How do you get that? You need to submit the request and you could get the approvals and whatnot, right? You need to do a risk assessment. How do you do that? You need to identify a framework, questions, get survey responses, right? So all of these things, not only is it a program or a framework,
But there is a process to actually execute, to manage it, to maintain it. So these things typically get left out from the technology. You tend to find a platform or a tool that will allow you to maintain an inventory, for example, but not necessarily facilitate the process of requests and approvals and tracking and things like that. So the business that I built really is, to your point,
designed to help solve my problem as a CISO from an operational perspective. So I bring in that hands-on technical experience to the business and to the platform that we develop. Does that answer your question?
Adi (08:54.786)
I think so. I think it's like, when you come with that sort of experience, you just sort of pass a lot of potential obstacles that other founders could have. Cause you're already, first of all, you know the people in the industry, and second of all, you know the issues they're dealing with all the time and you speak their language. So it's like, it's really interesting to see
how this is going to play out. Do you think that over the years, do you think your solution now was as necessary, let's say two, five, 10 years ago, or is this more about how everything is evolving and now it's becoming a big thing?
Diaa Abu-Shaqra (09:43.72)
It's a very insightful question. Well, I started the journey almost a decade ago. This business and platform was born really out of my master's studies. And it was designed at the time to address cybersecurity risk management in very large organizations. So to your point, it was relevant back then. It was very important.
but not for everybody. Only if you were really a large organization and had the type of, let's be honest, regulatory scrutiny, right, that you had to get certain things done. That was the case. Right now, because of the proliferation of cybersecurity and the fact that almost every company, if you're alive today, you have some sort of digital footprint somehow, right?
And if you're doing business online, you need cybersecurity somehow. And to your point, I think right now is probably the most important time to have something like this, for various reasons. One being, we have a lot of new, I'm not gonna say newcomers, but it feels like they're new in the industry, in terms of like healthcare, education, you know, even car manufacturing, dealerships, right? We've seen recent attacks and ransomware and hacking attempts on them.
They have historically not invested much in cybersecurity. Now they are. So we've also seen industry shifts from the companies that didn't previously invest to it. So it's actually, to your question, it's both. It was relevant back then to really large companies, and even more important now for all the ones that are getting in and investing in cybersecurity.
Adi (11:30.548)
Interesting. Do you think the CISO role changed with the change of the field, or in a different way? Like, how do you think the CISO role now is different than it was back then?
Diaa Abu-Shaqra (11:47.695)
Well, so to answer the first part of the question when you asked it, yes, it has to change. And I'll come back to that. The CSO role today, at least in my opinion, I think is trending towards the right direction. And that is really being a key component of the executive leadership team, having a seat at the table, so to speak. And not just any table, the executive table where the CEO is sitting.
And I think that's just evolved based on the nature and role of the CISO in organizations. It wasn't by design. It wasn't like CISOs got up one day, sorry, the CEO didn't wake up one day and think, I need the CISO at the table with me. No, it's because they've either been told, or they've experienced it, or the regulators told them to do so, or they've recognized the importance of that function. So to go back to the earlier point,
I think the CISOs have to start making a stance, have to start vocally expressing their views and visions on where they think they should be. So for example, I've been in organizations where the CISO was under the CIO or under the CTO or under the CRO or under the CFO, right? There was really no right or wrong place to put the CISO, right? I almost tend to think that CISOs are going through a midlife crisis right now. They're trying to figure out their place in an organization, right? We tend to think now in industry that it's almost very clear that CISOs don't really belong under the CIO. There's just various conflicts of interest there. Not just from a budgeting perspective, hey, they're going to want to put their budget in DevOps versus security. But also remember, in security, you're in everybody's business.
Right? And not by, I say not by choice, but by trade. Because under the CIO, you're reporting on and you're overseeing activities and programs and functions that impact the CIO. So you could be calling out things that don't make them look good. Unfortunately, it happens. But you can also use that rationale for any other department. You can do the same thing for risk, for finance, or wherever else you think you might put the CISO.
Diaa Abu-Shaqra (14:15.29)
there's going to be an inherent conflict of interest. Either one, they may not get the priority funding that they need. Number two, they might be put in a position where they have to report on deficiencies that are stemming from their own management activities. And that puts them in a really tough position. So I would say CISOs should be and need to be and must be direct to the CEOs in organizations moving forward. That is the only way.
We can really drive that executive change that we need and have an independent voice. Look at audit organizations. In most places today, they are independent. They don't report to anybody else. They report to the board. And that's because over the decades, we've recognized the importance of that function. It has to be independent.
Adi (15:04.948)
Interesting. Do you think most CISOs would agree with that statement or do you think that's like a controversial thing?
Diaa Abu-Shaqra (15:12.001)
I think more of them are agreeing with that statement because, again, probably only due to their own frustrations as far as trying to get things done in their own companies and running into these prioritization issues between what the CIO needs to do versus what the CISO needs to do. But I think the majority of them are realizing the importance of their function. Mind you, they may not be comfortable with it. They might not like it.
But I think they are recognizing that is the right thing to do. Because again, when you're at that level, you need a different level of expertise and skill set to be able to sit at the executive table. Let's just be honest, right? So even though a lot of C-suite executives have the title, they don't necessarily have the experience in working with executives. So yes, while they might also want it and think it's the right thing to do,
they might be a little bit hesitant because it's a different ballgame and you're sitting at the executive table, you need to be able to speak their language, you need to be able to sell your ideas too, convince them or help them see your vision. So I think it might bring along with it opportunities for further developing CISOs as really truly added business professionals and partners.
Adi (16:38.484)
Interesting. How do you think the, let's say the top CISOs, people who are really, like, on their A game, how do they learn? How do they find information, learn what is even relevant? Cause I'm sure you can consume endless amounts of, like, new things. And most of it is just, like, repeating other things. Like, how do you actually stay up to date?
Diaa Abu-Shaqra (17:05.145)
So there's two things to that question. Knowing what you need to do. So almost knowing like, hey, I'm a CISO. What am I supposed to do? And by the way, if a company hires a CISO and tells them what to do, that's probably a big red flag, because you usually hire a CISO so they can tell you what you need to do. That's the first thing. The best way to approach the CISO organization is what I would call anchoring on frameworks and standards. So in other words, don't try to reinvent the wheel, at least not off the get-go. Look at the NIST Cybersecurity Framework, for example. Version two has a hundred or so controls in there, the NIST CSF, the Cybersecurity Framework. It's agnostic, globally available, and it can be adopted by any industry of any size. So it is the perfect starting ground for anybody who just has no idea where to start: the NIST Cybersecurity Framework. Once you also start getting a little bit more comfortable with it, look at the Center for Internet Security. They have baselines and they have guidelines. They have a wide range of services also that can help you identify not only the top controls that you should be looking at, but also the baseline configuration for a lot of technologies. And that is a fundamental component of security architecture. You need those baselines in place.
The third piece I would say is look at international standards like ISO 27002. A couple of years ago they came up with an updated version. Used to be 133 controls, five, six different areas. They've regrouped them, but roughly around the same number or so. Again, excellent source if you're trying to figure out what does a security organization need to do. Now keep this in mind also, you don't have to implement every control, but you have to consider it.
So when your auditors and regulators and business partners come in and say, hey, Adi, how come you're not doing XYZ? You can say, well, we've looked at it. We've considered it. We've discussed it. And we've deemed it irrelevant or not within the scope of what we want to do something along those lines. That is an OK conversation to have. The one that's not OK to have is, oops, I didn't know, or jeez, we didn't decide that, right?
Diaa Abu-Shaqra (19:32.033)
You don't want to have that conversation. You want to be prepared. You want to say, yes, we looked at it, we adopted it, or we partially adopted it, and here's why. And here's when we plan on taking on the rest, right? Auditors, regulators love to see people who are top of their game. They don't have to be perfect, by the way. You do not have to be perfect in front of anybody or any entity. But you have to show that you're on top of your game. You know what your own gaps are and that you're working. You have a plan to actually fix them. They'll work with you.
But if you're finding out these things on the spot while they're on site, it's not going to go very well.
Adi (20:08.532)
Interesting. So you've been in a few different industries. Have you seen a significant difference between companies that are more regulated space or more like fintech health tech, like that versus maybe things that have less sensitive data? does that look any different?
Diaa Abu-Shaqra (20:28.286)
Very much so. And when we talk about heavily regulated environments, banks obviously are one of them, and I spent most of my career there. Government is also very heavily regulated, as you can imagine. Completely different ballgame, actually, when you talk about regulation. And a lot of different takes on data and confidentiality and transparency, right? Certain things, for example, when you work, so, you know, I worked for the city government, I was CISO. You would think it would be confidential, but you can't, because you're a government, you have to be open, so you have to be transparent. So I actually had to make certain business cases sometimes, going back to the City Council to explain to them why we should keep, for example, certain information secret and not publicly disclose it, because it had to do with vulnerabilities and things that could impact system safety and security. So while the idea of sharing everything with the public is great,
there are also, you know, concerns that come along with that. The other thing you need to keep in mind also is what the regulators want. Actually, most of that is not a secret at all. For example, for a bank, there's the FFIEC handbook out there. They literally tell you exactly what they're going to look for and all the controls they want.
It's very comprehensive, though, and it's got many booklets and, you know, hundreds of pages. So if you don't take the time and go through it, yes, every visit will look like a surprise. But if you have taken the time and gone through that, you should be prepared. But that is only a piece of the puzzle, that is only part of the challenge. Other challenges include, what about industry requirements? So PCI is not a law, it's an industry standard. SOX is a law. GLBA is a law, right?
But PCI is not. So when you talk about a company such as a bank, not only do I need to comply with regulators, I also need to comply with the industry standards that I'm a part of. The third piece to that is, not only do I need to comply with those two, now I've signed contracts and MSAs with business partners with their own requirements. So as a compliance or security organization, I have to understand all three of those so that I can help the business
Diaa Abu-Shaqra (22:48.691)
make sure that they have the proper controls to comply and apply all of them. But it's really, you know, to your point, it's very much different working in a heavily regulated environment than not. Now, I will caution a few things actually, because I've seen this happen, and it's detrimental. When you're in a heavily regulated environment, and you haven't invested time in being proactive, you're going to be stuck for a while. And that's a problem.
And the reason you're going to be stuck, if you don't save yourself and get out of it, is that what tends to happen is regulators come in, or auditors or what have you, right? They find issues. They tell you you need to fix these issues. Now you re-prioritize all your internal projects to fix these issues, right? So the more issues they find, the more re-prioritization you do, and that becomes everything you're working on, and almost the only thing you're working on. Which means now that's it, that is the top priority. And what also tends to happen is that you get into a perpetual cycle, because nothing else gets done, because you are not being proactive. So the next time the auditor or regulator comes around, they're also going to find new things, and you're also going to be reactive, and you're also going to be doing it again. So you get back into a perpetual cycle, which is dangerous, very dangerous. So I would say, especially large companies, need to invest
the time, whether they like it or not, into being proactive. And that could be getting more people upskilling, up training, right? Doing your own assessments and preparation. Don't wait for auditors and regulators to come and tell you you've got a problem. You should be finding those out beforehand and work on them and fix them before. But you do have to be on top of your game in heavily regulated environments.
Adi (24:43.742)
Interesting. I remember last time when we talked before this call, you told me if the vendors are telling you what your issues are, you're already in a bit of a problem.
Diaa Abu-Shaqra (24:56.405)
That's true, and vice versa too, right? So part of a good risk management program, and the third-party part of a risk management program, is your vendor due diligence. And that goes both ways. You could be the vendor getting reviewed, and depending on the agreement, they might assess you and look under the hood and look at all your processes.
So that's again another entity that could be looking over your shoulders trying to make sure you have the right controls. So it's your auditors, it's your industry regulators also, and your business partner.
Adi (25:37.718)
How much of the focus goes between, like how do you divide the focus between on the one hand education, creating a culture of security, creating a culture where it's normal for people to come to the CISO and say, this looks weird. On the other side, the controls, just making sure no one can make stupid mistakes. Like how do you see these two components?
Diaa Abu-Shaqra (26:06.401)
Well, they're very complementary to each other, because what you're trying to do with the latter part is prevent issues from happening. So thinking of it just in terms of controls, if we can spend a minute there for the rest of the audience, controls are generally of three types. There are technical controls, physical controls, and administrative controls. Technical controls are things like encryption. Encryption is a technical control, right?
Administrative controls are policies, procedures, training, things that are more administrative in nature. Physical controls are like doors, turnstiles, gates, things like that. So training is an administrative control.
The controls can serve one or more purposes. It could be an administrative preventative, administrative detective, administrative corrective, or administrative deterrent, for example. So controls have three types, but they also have four different purposes generally. You can argue five. But generally, it's either a detective control, a preventative control, or a corrective control, or a deterrent control. OK?
Training would be considered administrative, and its purpose would actually be to prevent, to empower you with information and knowledge so that you make good choices. It could also be argued as a deterrent, because some of that training includes language like, if you violate our policies, we're going to fire you. That's a deterrent. So you may not care so much about the security aspect, whatever, but you don't want to lose your job.
So that might actually deter you from doing that. That's not what we want though, right? We don't want to scare people, right? For example, dogs and barbed wire and cameras, these could be considered deterrent controls. Where you see them, you're scared. Like, I want nothing to do with this, right? So training end users from the standpoint of helping them make the right choices, the best approach, not scaring them, not intimidating them.
Diaa Abu-Shaqra (28:21.151)
not pointing fingers at them. That almost never works, right? What you're really trying to do is help the end users. And let's be honest, you're trying to target the 95% maybe, right? The percentile of people who will get it and listen, right? So that they can make informed decisions. The latter part of your question, which is about the controls, is for people who don't listen, or where you don't want to take a chance. And I would say, if you ever get a choice between a preventative control that will not disrupt the business, or puts you in an appropriate balance, and an administrative control, so administrative preventative or technical preventative, I would go with the technical preventative. So that even if you forget, even if you do something, you fall back on your preventative controls. So you need both. And both work in concert and synergy.
Adi (29:19.71)
Interesting. What do you think is one thing that people out of security, people who are not in the security world, don't really understand that it's really important?
Diaa Abu-Shaqra (29:35.43)
Well, it could be a multitude of things depending on who, right? So your end users are going to have certain expectations, as opposed to maybe your technology and infrastructure partners, your leadership and executive team. They all have different expectations and have their own image of you. I think the one thing that I've seen get most security organizations, and is really frustrating, is when it's an afterthought, when security is not included in new initiatives and new projects and new vendor relationships. Because what ends up happening is, there's no way around it. You're going to need them anyway. So if you delay that engagement to the very end, it's a lose-lose situation. Because now nobody's got enough time to do a good job. Security is going to have to drop whatever they're working on so they can help support you. So it's almost asking the impossible of security. I'm going to come to you at the last minute and I'm just going to expect you to drop everything you're doing because I'm really important and you're going to help me, right? Very disruptive, very frustrating. Most times they get away with it, because there's no reason for security to exist if there's no business to run. So at the end of the day, they will drop what they're doing and help the business. And you probably can get away with that once or twice, but it's not sustainable.
And if you keep doing that, that becomes a very toxic culture, and very reactive, and is detrimental to the business. Again, nuances and exceptions are going to happen, but that should never be the norm. That is, I would say, one of the most frustrating things I've seen in security: they're not included at the beginning of the conversations, at the beginning of projects. That way, they can also ask questions and help you probe and make these informed decisions with information. But bringing them in at the tail end is typically a lose-lose situation for everybody.
Adi (31:35.85)
Interesting. If I'm changing the subject a little bit, can I ask you, like, you've been in security for so long. Have you ever been working in a company, of course, no names or anything like that, that had a significant security incident and you had to deal with it, like, when everything was on fire?
Diaa Abu-Shaqra (32:00.465)
Yeah, I've had a few of those scenarios. That's where you're... Well, it's part of the job. It's almost like saying you're a plumber and you had to fix the leaky faucet. You know, it's just what you do, right? So part of security is incident response. And that incident could be an actual adversary, a hacker in the environment. It could be somebody clicked on a phishing link on a Friday afternoon and went home.
Adi (32:04.546)
That's fun.
Diaa Abu-Shaqra (32:30.109)
It could be the insider threat scenario. So somebody on the inside that already has access that is doing something nefarious, right? And I've, you know, been around, I've had to deal with any and all of those. I would say the major thing that made the difference is, number one, whether we were trained on how to deal with that scenario or not. Number two, whether we had enough support within the organization to actually build it, manage it, and maintain it. And that's almost a precursor to your training. So number one is recognizing the need for identifying basically your, there's a lot of different names that get thrown out, but incident response is definitely one of them, but it could also be tied to your business continuity and resiliency planning. So you could, for example, have a business response procedure, an incident response procedure on malware, some sort of virus. But you also need specific incident response procedures on your critical applications. You may not necessarily be dealing with a casual intruder or a casual virus. You may need to address or investigate the issue in that application specifically.
So I would say not only do you need your generic incident response and disaster recovery, it has to be specifically tailored for that application. There are specific procedures you have to follow, maybe certain accounts, certain processes. There are specific individuals you have to pull in, right? You may need to pull in not just your business, but your app dev team, or even your vendor, because some of the application components might be locked and you need their help, right?
So that's why you don't want to find these things out when you're actually trying to troubleshoot or fix something. So don't wait for things to happen to learn. It's definitely going to be a very important learning lesson if that happens, right? But that's again with preparation, and it could be anywhere, Adi, from tabletop exercises, just walking through or talking through it, all the way to actual real-life simulations. So I would say, you know,
Diaa Abu-Shaqra (34:51.078)
cover your basic and major incident types, your malware, your intruder, your impossible travel, and also work with your business partners to make sure you have incident response procedures specifically for your large applications, your bread and butter basically. Make sure you have documentation. Make sure you test it, not just put the response on paper. You actually test it. And test it often, because things change. In a very rapidly evolving environment,
technology changes, and that document is out of date by the time you're done with it.
Adi (35:26.742)
Interesting. What do you think is one blind spot CISOs tend to have? Like something they should be paying more attention to?
Diaa Abu-Shaqra (35:37.403)
I have seen a couple of places. One of them is, I'm not even going to talk about AI, that requires its own, its whole episode. What I would say is somewhat related to shadow IT, but a lot of applications. So take Teams, for example, today. There's all these apps, Teams, Zoom, right? All these applications.
They allow you to install other apps within them that do other things and can access your data. End users are going in and just turning these things on. And a lot of default settings in organizations allow them to do that. So if these are not aware of it, Microsoft has probably turned it on by default for you. And you have to go in and turn it off. So I would say we've seen a lot of proliferation of that.
In, in, you know, your generic apps, as Teams and others, but also your past applications where they could have even completely bypassed IT and security. And just, you know, when I'm subscribed to a service from a vendor, uploaded a spreadsheet, right? So you also have the shadow IT going on where the business doesn't actually really need to involve IT or security anymore. They could just go buy it with a credit card, upload a spreadsheet, and then business, right?
So not only is data concerned and a blind spot, imagine going in there and turning on other apps that get access to other data. That's to me like is one of the brewing areas that are going to catch organizations by surprise. Because a lot of these tools, they're free, but they're getting access to your email and calendar and shared drives and
they're pulling that information back and who knows what they're doing with it. So that's where companies need to do some of the due diligence. I would say that's a big piece. The other thing is always going to be your third parties and what they're doing with your data, how well is it secured, et cetera. Again, I've done third party due diligence for years. They are as good as your trust in that relationship, in that program. In other words, you could spend a whole month ripping your vendor apart
Diaa Abu-Shaqra (37:58.039)
When you walk out that door, everything you've done is almost obsolete because they can just go in and make some significant changes that renders your entire review useless. So, you know, while we do these assessments in due diligence, just keep in mind that a point in time really they're not eternal and you're better off reviewing processes and procedures and programs as opposed to individual checkpoints that may be out of date by the time you're done with it.
Adi (38:28.054)
That's really interesting. You know, what you said about the, like the fourth parties, like the things that people can give access to on different platforms. That was really how ClearSight was founded because the founder of the company had an app on one of the platforms and he realized that he's getting a ton of data from a lot of different companies. And there was never any process of talking to anybody from security.
except for very, very specific companies that reached out about it. And when we reached out to the company saying, hey, we've been receiving your data and you haven't even, like, turned this on. They were like, no, what? Didn't know about it. And that's how, like, we got started with understanding this world. And so it's so interesting that you see it like that way. I'll also ask you, how do you see, like, the...
Diaa Abu-Shaqra (39:09.4)
Yeah.
Adi (39:24.83)
the balance between business and security. Cause at the end of the day, you can block everything. You can say, you know, put, like, technical blocks on everything and impact the secure, the, how much the business can operate significantly. But then if you don't do it, it's, do you see it as a balance? How are you seeing it?
Diaa Abu-Shaqra (39:49.442)
Right, right. It's an art. It's an art. Yes, balance implies
that you have the same or similar or close proximity, right? When you say balance, it almost feels like they're close. There may not be, depending on what industry you're in and what your risk appetite is. The role of security is to help the business make informed decisions. And this is a mind shift. This is a different way of thinking about security. I've been in many organizations where they view security as the
decision-maker, the ultimate decision-maker, you got to get security clearance, you got to, and in some cases you do, to make sure, you know, people aren't doing something stupid, but most of the time it's a gateway or a check to keep the honest honest, right? It's meant to be the gatekeeper for organizations. So when we're talking about striking a balance, so to speak, you really have to understand
the industry and domain. That is the key. So successful CISOs have the technical acumen and have the business acumen. Both. You need both. And they have the industry subject matter expertise, industry knowledge. What I mean by that is finance, healthcare, education, manufacturing. Knowing the industry so that when you receive, because remember the CISO isn't out there, you know,
looking under every rock, right, and opening every door. They're also relying on information and telemetry from their teams, from assessments, from third party, right? And they're supposed to take all of that, digest it, synthesize it, and relay it to their leadership team to help them make these informed decisions, right? So some of that also depends on the CISOs' expertise in that industry.
Diaa Abu-Shaqra (41:53.73)
so that when I am reading the reports and documents, I can understand. They, okay, well, this vendor isn't really doing X, Y, Z, but based on what, how we use them and what they do, maybe it's not a big deal, right? Through that knowledge, and some of it is passive knowledge you just happen to know because you've been in the industry for so long, right? You may even know the company itself, and you may even know Bob who runs that function, right, in that, in that company. So I get, depending on your level of expertise,
But I would say is you should always be top of your game. So if you're a CISO, you are expected to know your threat landscape. You're expected to know what's important for your company. What is their bread and butter? How do they make money? You have to understand that. If you don't understand how your company makes money and what's important to them, I suggest you go find something else to do. Because your role as a CISO, and that may sound a little bit harsh, but it is true.
If you're not there to support the business, do what they need to do in the most secure way, you're not doing your job. So the balance at the end of the day is going to be a business call. However, having a trusted experienced CISO is almost priceless. Because you can have anybody sitting in that seat and it
you, they can't give you that insight to help you make those informed decisions. It's really going to be difficult for you as an executive to do that, because to your point, you're almost going to be risk averse. Well, maybe, okay, maybe it's too much risk, let's not do it, right? It's okay to take risk. We're not, so security is not, not about not taking risk. Security is about making informed decisions about taking the risk.
See the difference?
Adi (43:40.424)
Yeah, it's a nice quote. Putting that in mind, that it's not about no risk at all, because that's not really possible if you're running a company. So it's interesting. Do you remember any decision that you made, either on the leadership side or on the security side, that you made and then turned out to be maybe not the best decision? And then what did you do about it?
Diaa Abu-Shaqra (43:52.643)
Exactly.
Diaa Abu-Shaqra (44:11.881)
Yeah, that happened to me a couple of times. One of them had to do with how I reorganized my organization. So basically one of my jobs, my group kept growing and growing and I kept giving more responsibilities and building more teams. And at some point, you can't have as many direct reports to you. You need to restructure things, right? So and that always, you know, again, there is no rule book.
that you can look through and say, I need one manager here, two over there, and these people should only have three versus four versus five, right? There's no magic number or anything. But I think the lesson learned for me really was the skill set that I need to be looking for when I'm appointing or realigning or making people leads as opposed to managers, right? So for example, one of the things that
I started emphasizing this from that point on with anybody I ever led was soft skills, communication skills, presentation skills. So I had really, really strong technical people, but they couldn't put two slides together to save their lives. They just couldn't. And it was very challenging because as a director, I relied on my team also to be my eyes and ears.
And I ran a function that supported a portfolio of, you know, thousands of vendors. So if you come to me and say, hey, do you know we need more people? I'm gonna look at it, but I need more information. Okay, what led you to that conclusion? Well, we have more workload. Again, can you tell me a number? Can you show me something I can work with? And I would say, you know, you can be a brilliant technical person, but if you're not able to convince your manager or leader
why you need to hire more people, you're not going to be successful. Let's just be honest, right? And, and I asked the person, okay, well, can you put two slides together for me so I can take it to my leadership? But I just got done asking them for five people for that other group, and now you're coming to me asking for four more people, right? So I need to justify that. So help me put some information together. And what I realized was the people that I put in these roles didn't have the skills
Diaa Abu-Shaqra (46:35.37)
that I needed to help me make these decisions. Made my job very difficult because now I had to do their job.
So from that point on, when I do goal planning, performance planning, and I sit with my team, one of the first things we talk about is communication skills, writing skills. Because I don't care how smart you are, if you can't communicate your ideas, you're not going to be as successful. You're going to struggle with it. So take writing courses. Take presentation courses. Learn how to distill. Because technical people want to write dissertations. Managers don't care about that.
Adi (46:43.97)
Hmm.
Diaa Abu-Shaqra (47:13.209)
They could care less about all these great ideas in your head. What they want to know is why is this thing not working and what do you want from me? That's what they want to know. They don't want a dissertation. So this thing is not working because we have more requirements to do more things right now, and the people that are on our team are already tied up doing the other requirements. That's why this is not working, and we need more people. So the argument could be, okay, well, can we get away with contractors as opposed to full-time people?
As a leader, you have to consider that, and you can say, you know what, yes, we could probably get away with contractors. However, you could argue, say the type of work is very technical, very detailed, it's going to take those people six to nine months to be able to even understand what we're doing and be productive. So if your contract tenure is almost a year and a half only, you're going to lose a lot of productivity there. So you also need to think about that aspect too.
But it was really more around the skill sets on my team and aligning those skill sets with the proper roles on the team. That bit me a few times.
Adi (48:23.658)
Interesting. Do you think that CSOs, whether they have a team or they don't have a team, it's a role that has a lot of different components, like both as an executive, but also as someone who has to be hands-on, has to, like, know what's happening. You're always on, like you're always ready for something to happen. You're always ready for, like, something to go wrong. How have you...
managed to figure out what is the best way to handle that in terms of stress, in terms of not wearing your people out.
Diaa Abu-Shaqra (49:01.715)
That's a good question and I think a lot of people struggle with that, because the nature of being in security has that inherent in it. You can't get away from it or get around it. So stress is an inherent component of working in security. However, though, it doesn't have to be as bad. It doesn't have to be more stressful than any other job or you crossing the street and worrying about somebody coming in fast.
So the best way to get in front of it is to be proactive. It's to stay on top of your game, right? Most people, even when we talk about forget about security, most people who are stressed or have anxiety about something, it's either one of those, one of two things. Either something you can't do anything about, and at that point you're just torturing yourself. There's absolutely no point in stressing out. Or there's something you can do something about and you're not.
that you can do something about. And that is really what I think a lot of people are, are, are doing much better, actually. They are spending time talking to their peers in industry. The last couple of months I was in, you know, different events, and I can't tell you how happy I am and how happy my peers are to be in these venues, to be talking to, to, to, to other peers as well, because that, that helps alleviate a lot of that
concern. Hey, I'm running into these challenges. What are you guys doing about it? So you do need that level of support. And I think it's one of those things where you get better at it as you do it, obviously, as you gain the experience. But being proactive in terms of, for example, pre-testing your controls. If you think your DLP works great,
test it, try to put something through. If you think your malware and detection processes work great, hire a pen testing company. Come and have them prove you otherwise, right? So some of this stress is also sitting on preconceived ideas that you're going to be great when you've never tested any of that stuff. So don't wait for the auditors or the hackers to present the truth to you, is what I would tell people. You need to find out the harsh truth yourself. And by the way, you know,
Diaa Abu-Shaqra (51:27.281)
Early bad news is good news. So if you find out early on you have a problem, that's actually good news, because now you actually have time and hopefully resources to fix it. But I would say the last thing is a couple of things. You know, don't take anything personally. Most of the time nobody's out there to get you personally. They're just frustrated and upset because the project is delayed or you're asking them to do something they weren't planning for, right?
And the other thing is you have to be comfortable with ambiguity. People who work in security, it's not black and white. It's not north or south. You're typically somewhere in between. And you have to navigate that. So you have to be comfortable with things that are not written down letter by letter. You have to figure things out. So some of these, these that I saw weren't really successful in their spaces because they're not comfortable with ambiguity. They need things set.
And I tell them, I'm sorry to break the news to you, that is not the right career for you. It's just the nature of what it is.
Adi (52:34.046)
Interesting. What do you think the field is going to look like in a few years?
Diaa Abu-Shaqra (52:42.611)
The CISO role, you mean? Or what is it going to look like? What's going to look like in a few years? I didn't catch that part.
Adi (52:48.674)
Both the CSO role, but also the cybersecurity role, like what will be the focus?
Diaa Abu-Shaqra (52:53.343)
Cybers.
Diaa Abu-Shaqra (52:56.901)
So cybersecurity is going to, well, it's actually, it's almost a pendulum that swings both ends every few years. And that pendulum is around centralizing and decentralizing the cybersecurity function. So in some of my prior roles, for example, I was around long enough to see the pendulum swing back and forth, back and forth, where you have in a decentralized organization,
security is embedded in the business. So you have your HR team, have your finance team, and there's somebody from security in finance, somebody from security in HR. That's who they report to. They just happen to be aligned with the security organization. We've also seen the pendulum swing where they're like, nope, this is too specialized. We're going to pull you out of the business, and we're going to put you in a centralized group. So I see this.
pendulum continuing to swing and I think it has to do with the one organizational maturity journey. Sometimes it makes sense to decentralize and sometimes it makes sense to centralize. So depending on where you are in your journey, I see these changes happening quite a bit actually. I'm more in favor of both. Actually, it's not mutually exclusive. You need certain things centralized, but what companies are struggling with, which I think is going to grow as a function, the idea is
your, what, what, what are being referred to as champions, security champions, or liaisons, or, or consultants, right? This is somebody who is embedded in the business, but the primary job is to help the business with their security, with the third party, with the BCP. Because it's not just security. Remember, when you blow up that image a little bit, you start seeing the pressure on the businesses from all the other groups, right? So we need to have
compassion for that. We need to be empathetic. We need to understand that we need to work together with other risk groups to make sure that experience is as smooth and as streamlined as possible. Because chances are, the security questionnaire and the third party questionnaire, they have a lot in common. Yet we're both hitting up these business partners at two different times and causing confusion. So I think the other thing that's going to happen is maybe a little bit more synergy within the organization and the risk
Diaa Abu-Shaqra (55:19.579)
teams, those coming together. And last but not least, as I said, the CISO having the seat at the table, being a direct to the CEO going forward.
Adi (55:30.956)
Perfect. All right. So one final question before we're out of time. And before that, thank you so much. This has been really interesting. I feel like you, like, I can feel the intense amount of experience that you've put into this conversation. And also after I ask you this question, I'm also going to ask you to tell us, like, about the company that you're building right now. And if anyone wants to check it out, then that's super cool.
So, okay, so my last question is what would you advise to someone who is either wanting to get into the security field or wanting to like advance to a CISO role? Like what should they focus on?
Diaa Abu-Shaqra (56:17.499)
To the first part, getting into the part of the field, I would say yes, we have a huge shortage in that space. We need the mental capacity of all the worst background, actually, preferably, hopefully, women and minorities. We have, because we can really like that. I mean, it's, it's, it's embarrassing, I would say. Help desk, that's good, a great place to be in, by the way. If you're, if you're gonna help desk, that, that's a great pivoting point.
Think of it as an incubator. In my last job, I hired three people out of the help desk and into the security organization. However, though, not just any three people, they demonstrated aptitude. They were already studying or going to school for something that has to do with security, or they were already working in that space. They were just in the wrong title, right? So I would say if somebody is looking to get into cybersecurity, this is a great time, as we were talking earlier, a lot of industries are going into it.
It pays well. It's not for everybody, like I said. So if you're not comfortable with ambiguity, you might want to think about other career opportunities as well. There's so much going on there. If you want to grow, if you are in the field and want to advance into the CISO role, you need to start moving more towards and gravitate towards the business and understand third party risk, understand business continuity risk, understand
the critical functions and components in the company outside of IT and security, because that's where you're going to start adding the value. For CISOs, you need to elevate your game, not just IT. You need to speak the business language, spend time focusing on that, improve your communication skills, your presentation skills, make sure that you're cultivating these relationships with the business partners
before you need them or before you start complaining, why aren't you part of the conversation?
Adi (58:21.494)
Perfect. So thank you so much. For anyone who wants to see what you're building and your company, where can they find you?
Diaa Abu-Shaqra (58:29.655)
Absolutely. So we are secureonelabs.com. You can find us on the internet under that URL or address. And we are a cyber security consultancy company that offers four different services, so to speak. One of them is technology. So we have a platform that integrates GRC, governance, risk and compliance, IAM, identity and access management, and asset management all in one platform.
So this is something brand new. We're still working on it. We're about a month away, but we're very excited. It's going to be a game changer. And we have engaged subject matter experts in the field to start engaging with us and give us feedback early on. So we're really excited about that. The other thing we're doing is training. So we do offer training for your end users, for your executives, and for your technical power users, and CISO training. So for those who are looking to get into the CISO role, we have a two-day course
for preparing you to do that. We also do testing services, penetration testing, and control testing. So again, back to my point about don't wait for the auditors and regulators to come and tell you what your issues are. Hire or do it yourself, find out what those are. And last but not least, we offer what we call transformative consulting. So think of it as you're a company, you're trying to build an IAM program or a TVM program or a DLP program, but not
stuck with the legacy issues that you have. Transformation, the difference between transformation and change: change is stuck with the legacy, with the old, with the past. Transformation, you can start from scratch with a clean slate. So typically when we approach engagements with companies, we're approaching the latter, transformation consulting, so that if you are trying to change and improve, you're not stuck with what got you into the problem you're in today.
So in a nutshell, we're really positioned very well to help companies manage their cybersecurity and risk with Secure One Labs.
Adi (01:00:34.612)
Amazing. That sounds very helpful to many different companies. So I'm really happy you shared. And I think that is it for today. Thank you so much, Diaa.
Diaa Abu-Shaqra (01:00:46.356)
My pleasure. Thank you for having me. Talk to you later. Bye.