We utilise a strict standard of security operations and governance reviews, says George Al-Koura, Chief Information Security Officer (CISO) at ruby


When asked how he planned his career path to be a successful CISO, George Al-Koura, Chief Information Security Officer (CISO) at ruby, in an exclusive interview with CIO News, said, “I didn’t!” To be honest, when I first got into InfoSec, I really just about wanted to do something interesting. I first got the idea of getting into cyber security near the tail end of my army career, when I knew I wanted something different, but I didn’t know what I could be qualified for or even capable of doing. It was 2015 and I felt a bit career-hopeless. It then occurred to me that the army gave me skills—I just needed to learn how to apply them differently. I knew about security intelligence and that the fundamental principles of the profession remained relatively the same regardless of the type of data being assessed. I also knew that one of my closest long-time army buddies had recently gotten into the field and seemed to be doing well at it, so I asked them for some basic resources to start learning.

Then, when my professional desires began growing towards a life outside of the army, cyber security seemed like a logical transition from the military communications world that I had spent most of my working life in by that point. When it comes to cyber, the data and tools are different, but the core logic of security still remains the same.

Thinking back to those years, even after I got in, I actually remember going to my first Black Hat (Las Vegas) conference in 2017 as a SOC Analyst—learning CTI at the time—thinking that I had nothing in common with the CISOs there. History would show me that I couldn’t have been more wrong, as having a non-traditional academic background has been one of the biggest strengths that I’ve used to progress myself up the ranks in industry. The emphasis in my academic life and first career on establishing strong leadership principles and an ethical standard of behaviour that was above societal norms allowed me to not only demonstrate value as a sole contributor but as an orchestrator of teams, programs, and services at scale. The opportunity to build and manage relationships in support of a sales cycle also provided me with another avenue to demonstrate professional value and viability to my employers.

Being a successful CISO is not simply a matter of being able to programme code or analyse packets faster or more efficiently than anyone else (we have tools for that now!); it’s about your ability to be a leader in both strategic and tactical contexts for technical and non-technical personnel with equal effectiveness. Particularly in this climate of a global resource shortage, the “soft skills” component of being a CISO is the most underrated yet directly valuable part of the job!

When asked about challenges he faced in his career path and how he overcame them, he said, “I am proud of being self-taught and having built my skills through an endless series of trials by fire for every new challenge along my journey.” Unfortunately, I’ve encountered some individuals and entire shops that had overly competitive, toxic cultures. The key to overcoming those types of people and organisations is learning to identify the traits and tendencies that do not align with your own principles. Further, you must not be afraid to walk away from the table when you recognise that they just aren’t a good fit for you.

When asked about a cyber-attack or any security incident faced by his current organisation and how he tackled it, he said, “While I cannot reveal specific incidents or events, I can say that a big part of building the organization’s internal security programme has been a substantial investment into Security Awareness Training and the reinforcement of a ‘security first’ culture across all divisions (technical and business process).” Our training programme has new content modules that are provided every month to each member and contracted resource for our organization, giving participants “bite-sized” lessons with confirmation testing of basic individual and enterprise cyber hygiene fundamentals. By implementing and mandating full and consistent participation in the program, we ensure that security remains a top-of-mind priority for members regardless of their project priorities. From a pure security metrics standpoint and in combination with good email filtering, our mandated awareness programme has also tangibly reduced our instances of user-permitted compromises by bad actors utilising phishing, SMS, and social engineering-based attacks.

Additionally, as a large cloud-based company, we utilise a strict standard of security operations and governance reviews across every external organisation within our supply chain. Our methodologies are developed based on the industry-leading standards of the NIST CSF and the entire organization, from ownership down to individual developers or customer service representatives, understands that the protection and privacy of our customer data is our foremost priority.

When asked how his organisation geared up in terms of technology in the COVID times, he said, “I joined my current organisation in Fall 2021, so they had already made their biggest transformations by that point in that the company went fully remote in 2020.” When it became unclear as to if or when standard “on site” work would return, my organisation had a beat on the forward trends of successful modern commercial organizations. The decision was made to sell the main brick and mortar office in downtown Toronto (the other being in Europe), go fully remote from (almost) anywhere in the world, and move to a four-day workweek to boot!

While I am exceptionally proud to work at a place with such a healthy employee-centric culture, making these kinds of moves requires a great deal of effort and growth from a technology standpoint. Once the on-premises data centre was transitioned fully to the cloud, substantial financial and human resource investment had to be made in core InfoSec programme components such as Identity and Access Management, Secrets Management, firewall optimization, log centralization from the multitude of security and ISM devices, complete endpoint visibility, and the updating of corporate processes and policies. While we will never be fully satisfied with our state of security because there are always ways to continue improving, our organisation is constantly working toward keeping on the cutting edge of industry standard best practices for data security, operations, and privacy.

When asked about technology solutions and innovations he plans to implement in the post-COVID era, he said, “While I won’t get into one specific vendor or technology, I will say that the pride of our security operation this year from a programme roadmap standpoint has been our ruby Cloud Security Program (rCSP).” Working with our supply chain partners, we have been able to plan, coordinate, stand up and manage a strong, secure technical programme that has broken down silos between teams and cross-functional groups. The improved cohesion necessary to modernize our infrastructure in the backend while still providing our customers with a stable and secure internet-facing platform has shown an immediate return on investment.

Built on the concept of establishing “Confidence Through Visibility and Control”, our rCSP has allowed security considerations to be part of conversations from the very beginning of any new development or implementation project. From a leadership standpoint, the programme has also facilitated our ability to work with partners in conducting Table Top Exercises (TTX) with key functional decision makers across the entire organization. Given that infosec is still fundamentally a human game, these TTX ensure that our business and technical leadership are aligned on various critical scenarios; those improved decision-making skills add another layer of protection for our customers’ data.

When asked about challenges faced by CISOs today in a similar industry while implementing digital technologies, he said, “The biggest challenges honestly come down to three main areas, as I’ve experienced across the board:”

  • People: We are in the midst of a massive personnel shortage across all competencies in the information security industry. This means thousands of roles have been left unfilled; the salary war to land and retain quality domestic talent has made the situation nearly unfeasible for many small and medium-sized organizations. Outsourcing can provide a short-term solution, but that also provides its own unique set of technical and management problems.
  • Education: There is a widespread knowledge gap about cyber hygiene and information security across the entirety of society, let alone in one industry or another. When cyber security personnel, tools, and training resources all cost as much as they do and many businesses still have the mindset that “security is just IT’s problem”, a serious elevation in knowledge is needed to both protect individuals and organisations at the enterprise level.
  • Money: Resources are the biggest challenge to most CISOs when it comes to technical solutioning and implementation. The issue comes down to organisations who may only recently have accepted that they need a CISO (or some manager for InfoSec) but look at their activities purely as a “cost centre”—unless you’re selling those security services as well. One of the best career moves I ever made was choosing my current organisation because I specifically sought an employer that looked at security as a “business enabler”, as something that allows our organisation to create and release cutting edge platform capabilities to our customers while protecting their data and our corporate environment.

When security value is determined by the amount of lost business it saves versus the cost of building the operation to save that business, then you know you’re on the right track.

When asked how CISOs can overcome the challenges faced, he said, “Have a solid vision for what you’re trying to achieve—your future state ‘mountain top’.” Recognize where you are now, at your current plateau. Map out the critical components of what you need to achieve to get to the mountain top, relative to where you are now. Once you understand what you need to achieve, then plan it down on paper and begin identifying the necessary corporate stakeholders and champions whose buy-in you need to achieve in order to get the necessary resources and support to accomplish your program.

When asked about best practices, industry trends, or advice he would like to suggest to fellow CISOs for their successful professional journeys, he said, “If you’re looking for specific models or influencers to follow, look at John Doerr’s ‘OKR’ model (‘Objectives as Determined by Key Results’) and pick up just about anything written by Simon Sinek or Brene Brown.” The biggest thing I’ve realised about career success in security isn’t about technical knowledge or operational experience—it’s about emotional intelligence; developing it as a main tool in your leadership box.

CISOs ultimately succeed by using the right soft skills to enable the achievement of hard goals.

He highlighted:

“Great leaders don’t see themselves as great; great leaders see themselves as human.” (Sinek)

You’re not better than or above any other engineer, analyst, account executive, or customer service rep. Your job as a leader is to serve your organisation and your people—not the other way around. By adopting a “servant-leader” approach, your attitude and mindset will always be about enabling the best employment experience for your people. As a CISO, your job shouldn’t be answering alerts and running correlations, but rather ensuring that the teams you have conducting those activities are cared for and empowered to be able to perform at the fullest of their abilities. If you aren’t motivated by seeing your people grow to their professional best, then I question your very motivation for the job.


About us:

CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.