Journey into the computer security space caused me to further discover passions in areas such as threat research and product delivery/design
When asked how he planned his career path to be a successful technology leader, David Mahdi, Chief Strategy Officer & Chief Information Security Officer (CISO) Advisor at Sectigo, in an exclusive interview, said, “As a child, I was always fascinated with technology, where I spent many years playing around with PCs and electronics.” It was during that time as a child that I found a passion for electronics and computing overall.
After finishing university, armed with an electrical engineering degree, I had a few stints in the defense sector as a process and software engineer. My time in the defense sector would further influence my career, specifically as it introduced me to early concepts of cyber-security.
But I reached a point where I felt that I didn’t want to be solely technical, and as such, I discovered that my passion was at the intersection of technology and business. So, I made a transition to the cyber-security market, with a focus on the endpoint security space. This journey into the computer security space caused me to further discover passions in areas such as threat research and product delivery/design. I felt at home, and that cyber-security was an area for me.
Fast-forward years later, and I decided that I wanted to share my knowledge and experience with others by being a Gartner analyst. As an analyst, I had the distinct pleasure of helping large organisations tackle digital transformation projects that included digital identity, IoT security, and early-stage block-chain innovation efforts.
The exposure I received as a Gartner analyst prepared me for my current executive leadership role as Chief Strategy Officer and CISO advisor for Sectigo. In addition, my analyst background positioned me well to take on advisory positions at some early-stage exciting companies in the digital identity, NFT/Block-chain, and cyber-security spaces.
When asked about challenges he faced in his career path and how he overcame them, he said, “The biggest challenge was what I call the ‘chicken and egg’ career problem.” When I first started out, many employers wanted several years of experience – but then, how do you get that experience? So, I needed a change in strategy. Rather than chasing jobs, I joined a number of tech worker communities (i.e., product design meet-ups, etc.). Through these communities, I was able to learn about the career paths of others. The biggest takeaway was that I needed to find entry-level roles, show success within those roles, and then progress. Perhaps most importantly, it was not just the immediate opportunity, but that I needed to find an organisation that was willing to invest, train, mentor, and promote from within.
When asked about a cyber-attack or any security incident he faced and how he tackled it, he said, “Unfortunately, this is all too common nowadays.” Thankfully, the vast majority of these attacks that I faced were all quite minor. However, there is one incident that occurred at a previous employer that stands out for me – it was an APT that aimed to take out a major data centre. That APT did manage to do some damage, but it was limited. In that case, the main lines of defense were network segmentation and good privileged account control and management (IAM). While oftentimes the highly segmented network caused productivity issues, it saved us from catastrophe (we knew of others that had the same APT, and they didn’t fare so well). The lessons learned from that incident are: focus on least privilege, segment where possible, and ensure you have a well-oiled incident response team (i.e., practice makes perfect; conduct tabletop exercises periodically).
When asked how his organisation geared up in terms of technology in the COVID times, he said that, like many organisations, the pandemic forced everyone to become remote. Luckily, we were already highly dispersed and remote, so while we added some net new security features (i.e., added more endpoint and BYOD controls), most measures for COVID were more additive. That being said, we ensured that MFA/strong authentication was enabled on more apps, whether internal (via VPN) or cloud (i.e., Office 365).
When asked about technology solutions and innovations he plans to implement in the post COVID era, he said, “We expect that hybrid and remote work will continue, and in fact, likely become a differentiator in the market.” As such, we will be continuing our investments in technologies that help to securely enable a hybrid and remote workforce. From a high level, we are looking for globally accessible and trusted cloud-based solutions with large scale, as they can help us realise business outcomes faster (while also supporting a remote and global workforce and customer base).
At my current company, Sectigo, we have placed an added emphasis on using cyber-security solutions that are interoperable and open; we now try to minimise or avoid proprietary solutions. The aim here is to mitigate the risk of vendor lock-in. Interoperability and openness will be essential in all next-generation identity, cyber-security, and investments we make going forward.
We are also exploring ways to optimise by consolidating our identity and security stack. There are simply too many security products and services, many with overlapping features. As such, gone are the days of buying the best-of-breed products and only using a small subset of features—we now scrutinise the cost and functions of security products. The aim here is to help ease the burden on our security analysts (i.e., reduce the number of products/consoles they need to manage), as well as our overall spending.
When asked about challenges faced by technology leaders today in a similar industry while implementing digital technologies, he said that, simply put, the main challenges today are all about staying ahead of the game while ensuring that the business is successful. Some of the major issues that keep CIOs, CISOs, and CDOs (or generally “CXOs”) up at night today relate to staffing, digital transformation, and security. On staffing, CXOs want to ensure that they are attracting and retaining top talent, as the great resignation has had a major impact on all markets, especially in the digital markets (i.e., cyber-security).
On digital transformation, CXOs now realise that all businesses are digital. As such, more business assets will be stored in the digital realm. All of this has dramatic implications for every business today – and for some, there are many avenues to take. The challenge here is to determine which is the right one, and when and where to invest.
Last, but certainly not least, is cyber-security. CXOs now realise that since much of their business now operates in the digital realm, they cannot ignore cyber-security risks. As such, they need to ensure they are investing in the people, process, and technology of cyber-security.
When asked how technology leaders can overcome the challenges they face, he said that while many of these challenges are quite daunting, leaders today can position themselves for success. Of course, there is no perfect solution, and there will be many bumps along the way, but there are some good best practices that can be shared amongst the business community.
Tying back to the above three, on staffing, organisations need to recognise that COVID-19 has permanently changed the employee and employer equation. Employees generally want more flexibility, and they want recognition. Ensure that your organisation has or plans to have these in place.
From a high-level perspective on digital transformation, CXOs must take an active role in innovation. That is, funding teams that are solely focused on looking ahead and anticipating new disruptive models and services. Expect that there will be some uncomfortable decisions, partners, or situations (i.e., an area where you might cannibalise your own products/services – the iPod vs. iPhone is a great example). So, when it comes to new business ventures, CXOs will have to get comfortable with being uncomfortable.
Similarly, from a risk and security perspective, CXOs need to invest in two high-level security teams, one that is focused on day-to-day operations (i.e., keeping the lights on) and the other team, which would be more future-forward. Again, the future-forward team, or security innovation team, aims to keep its eyes on the future to help the business anticipate new threats, regulations, and risks.
When asked about best practices/industry trends/advice he would like to suggest to fellow technology leaders for their successful professional journeys, he said to use communities (LinkedIn, Forbes, Fast Company, industry events, etc.). Leverage industry analysts but also, for very specific areas, find individual advisors (say via LinkedIn) to help with specific projects. Using myself as an example, I spend a good amount of time on LinkedIn connecting some of my CISO contacts with subject matter experts in my network to help with one-time or on-going projects. In fact, I sometimes take some of these roles as well, especially when they fall into my area of expertise.
He highlighted that this decade has already shaped up to be quite disruptive. COVID-19 and some on-going geopolitical situations are likely to further disrupt supply chains and overall business. Now is the time for CXOs to ensure they anticipate disruptions to their overall business, and there has never been a better time to re-evaluate their cyber-security strategies. The pandemic brought advancements in remote working and new operating models, creating an explosion of human and machine identities, all requiring remote access to enterprise networks. However, bad actors continue to use identity as an attack surface. Adopting an identity-first security posture to establish digital trust is a key security measure for companies to mitigate risk.
Ultimately, CXOs and their organisations need to balance their day-to-day needs while also investing in the future. Invest in innovation; that is, build teams of people, processes, and technology where their sole focus is on anticipating new business models. The organisations and executive teams that get this right will ensure success for the rest of this decade and beyond.
CIO News, a property of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.