TechTalk CXO Edition: Advice From a CISO to Embrace Change Fearlessly
Q&A With Arun DeSouza, CISO and CPO, Nexteer Automotive
By Insight Editor / 28 Oct 2021 / Topics: Backup & recovery Cloud Modern infrastructure Cybersecurity
In this week’s special CXO edition of #InsightTechTalk, we interview Chief Information Security and Privacy Officer (CISO & CPO) of Nexteer Automotive, Arun DeSouza. After nearly 20 years in the InfoSec industry, Arun’s seen his share of disruption. He tells us about his career journey and the security advancements he’s led at Nexteer, the changing role of the CISO, and the surprising impact being a good storyteller can make to drum up support behind your vision for IT.
Read more about Arun in his CXO Corner, featured in the fall issue of the Insight Tech Journal.
To experience this week’s episode, listen on the player above, watch the conversation below, or scroll down to read a complete transcript. You can also subscribe to Insight TechTalk on Apple Podcasts, Pandora, and Spotify.
Audio transcript:
Z
Welcome everybody, and welcome to this special edition of CXO with Insight TechTalk. My name is Z Tinoco, a Senior Diversity, Leadership and Organizational Specialist at Insight. I'm joined today by Arun DeSouza, CSO and CPO for Nexteer Automotive, or, CISO, correction. Just to make sure, Arun. I do not want to butcher that for you. And here's a quick thing to set the stage. The migration to remote work has redefined the threatscape for cybersecurity leaders everywhere. Now, more than a year later, many are still trying to identify and close that potential security gap, while staying one step ahead of the cyber criminals. We want to know what role a Chief Information Security Officer plays in this space, and also, at the same time, what the evolving cat-and-mouse game of threat detection and prevention is. We are sitting with Arun DeSouza, CSO, CISO, and CPO with Nexteer Automotive to find out. Arun, thank you for joining us today, and thank you for spending some time with our teammates.
Arun
It's absolutely my pleasure Z. I'm looking forward to a nice conversation today.
Z
Yeah, me too. I think once I get past the title of CISO or CSO, I will be okay (laughs). (Arun laughs) But, to set the stage Arun, I think it's important for us to really just, if you don't mind, tell us a little bit about yourself, especially the role that you play today in this road, and then maybe, how has it evolved over the years?
Arun
Absolutely. I'm the Chief Information Security and Privacy Officer at Nexteer Automotive. I've been here six years. I pioneered an integrated Global InfoSec and Privacy program, developed a long-range strategic roadmap linked to business objectives and built a strong team from the ground up. An interesting factoid is that my team is 50 percent men and 50 percent women. So it's quite diverse and brings a lot of synergy and creativity due to that well-rounded balance. We are responsible for the delivery of many services, including but not limited to strategic planning, identity and access management, interim management, privacy management, all the way to creating awareness. Now, the CISO role, or the C-I-S-O role, has evolved significantly in this decade, depending on the risk appetite and scale of digital transformation in organizations. The CISO role now spans some of the following personas: technical, business-aligned, risk-focused and transformational. When I started my career in 2003, I spent most of my time in persona number one, the pure technical CISO, but nowadays, as the role has evolved at Nexteer, I spend my time in personas two to four. So, I spend time with the business, focus on risk, and quite a bit of time on transformation. So the convergence of security, privacy and enterprise risk offers the potential for CISOs to become Chief Risk Officers in organizations going forward. Thank you.
Z
Wow, that's amazing, Arun. Just the evolution alone. The thing that stood out to me, for example, was the 50 percent male and female and the diversity in your team. Was that always the case when you started with the organization, or is that something that you worked to develop? 'Cause that's something that definitely is interesting.
Arun
Well, I started alone because I was hired to start the first security program, but I also pioneered the InfoSec and privacy program, and I built the team up over a span of time. I would like to say I was smart enough to build it like that, but it's purely serendipity and good luck, and the ability to find good people. I'm really quite blessed and fortunate, myself, and Nexteer is also, to have such a nice team.
Z
That is amazing, Arun. And where do you see the role moving in the future, now that we're kind of still in this two-year span of the pandemic, and transitioning, hopefully, to a whole new stage in this world? What's the future for a CISO?
Arun
The CISO is, in my words I guess, like a ship's captain, right? So, you're navigating a sea of risk on your ship, and your goal is to determine the strategies to minimize those risks, like if you're actually on a ship, avoiding the rocks, avoiding the storms. It's the same thing: to be proactive. But you can't do that alone. Hence, I think I predicted earlier that the fields of InfoSec, privacy and enterprise risk will converge so that you can put more people together in the battle against cyber threats, something I call the Power of Federation. By nature, then, it allows the CISO to be the Chief Risk Officer. I've heard of CISOs becoming Chief Information Officers, and that really speaks very well to the ability of CISOs to be able to, as the saying goes, spread your wings and fly.
Z
Yeah. Yeah. Well, I mean, your analogy of being on the ship, right? I mean, that's a great analogy because, like you said, it's really about being proactive, navigating and knowing where you want to go, but along the way, there are unexpected things that will come your way, right? Things that are out of your control. So, can you give us some examples of some of the proactive things that you've learned, that you implement to help you navigate those treacherous waters?
Arun
Yeah, I think one of the things that we started out, well, I started out with was an Annual Enterprise Risk Assessment Process, right? Because security is not a one-stop shop or once a year, it's a process. So essentially what we do is, we have the enterprise risk assessment that's been going on for a number of years now, where we track the maturity of the program, identify the risks, for example, could be the Internet of Things, as we embrace digital manufacturing, and find measures and technologies to mitigate those risks, and it's about conversing with the business. So that's like a technical thing, but then privacy is also under the agreement of me and my team. So we keep in touch and see what new regulations we then need to be compliant with. So a few years ago we worked on GDPR compliance. Currently we've started to work with the legal team on the China Personal Information Privacy Law, because you've got to be able to make sure that you have the people, process and technology safeguards properly aligned to meet the regulations, because the danger is, if you don't do it, there could be some unintended consequences, to use your words, Z, and that could be costly for a company from a reputation, brand impact standpoint, and there could also be fines. So I guess essentially, it's just being proactive, like you noted earlier, but also working with the business in partnership so that we can all together do the best for the company.
Z
I like that, I like that. So instead of just, right, sitting around and allowing the tides and everything to take the ship where they want, you're leading the ship, right? You're moving ahead, you're having the communication, reaching out to the business. Why is this something that's difficult for some CISOs, to navigate these treacherous waters? Is there a common reason why it's hard for some to be proactive?
Arun
No, I would say that there are a lot of talented CISOs out there. Right? But I think, like anything else, the CISO is also part of a team. Not only the team under you, but part of the leadership team, right? So, a lot of it is related to the organizational culture of the company and how they support you, what their vision is, and how you, the CISO, work proactively to build those business relationships and align with the business so they can support you in your mission. I've been fortunate here at Nexteer. I have an InfoSec and Privacy Council, the senior business leaders that we have tapped to provide that air cover, if you will, but a lot of it is driven by our own efforts, because you can have all the organizational cover, but I think relationship building and keeping in touch with the pulse of the community that you're serving, both at the executive level, as well as across the length, depth and breadth of the business, is very important. For example, we have something called the Federation Meeting. We had this every two weeks. Now it's once a month, where a wide cross section of folks from IT and the business join it so that they can know what the state of the union of the program is, get a chance to ask for help, or just share the successes and the path forward. So, I think it's not just an individual effort. It really is a team sport, and not only are you the ship's captain, you're also a coach, right? You really are a coach of the program. You have to pull together those resources, across the length, depth and breadth of the company, that work with you.
Z
That's amazing, it's amazing. So I really liked the shared knowledge, right? Within your community of CISOs and IT thought leaders, to share those practices. Also the addition of being a coach, of course, right? When you're seeing some of your crew members struggling, or maybe something that they're not doing correctly, you can go and help them and coach them along the way. So, great example there. A follow-up to that. There are some arguments out there from some IT leaders who are saying that a lot of spending is being wasted on cybersecurity that supports remote work. Yet of course, we know with our current state in this world, the workforce is demanding work from anywhere, anywhere work, flexibility. What are your thoughts about that argument?
Arun
Well, in my humble opinion, remote or distributed work is here to stay, and there is essentially a paradigm shift underway due to a few factors. Number one is the flexibility and work-life balance, right? Many employees enjoy this feature, especially as the daily commute is significant. Myself, whenever (indistinct), I sometimes walk my dog during lunch, just to get some fresh air. That's very important to a lot of people these days, right? They don't want to be working around the clock, because at the end of the day, people are committed to getting the job done. So, it's important to have that balance. Then another macro driver, in my opinion, is talent acquisition, because companies can leverage distributed talent and hire the best people, irrespective of where they are, because they don't all have to come to the same office. Then you can assemble the best virtual team, if you will, right? So, in this case, in many instances, this allows both parties, the employee and the company, to make a win-win arrangement. And then executive buy-in is also coming along. For example, companies like Twitter have embraced the notion of work-life balance and this growing trend and are enabling their employees to work remotely indefinitely. Basically, get the job done, we'll support you, right? So as a CISO then, I believe I and my team should enable the business, given the above trends; it's now par for the course, right? Further, if you look at the trifecta of identity, Zero Trust and software-defined perimeter, they can power seamless anytime, anywhere authorized access to digital application services. So, you can work effectively and collaborate from anywhere, you know?
Z
Yeah.
Arun
And that's a powerful thing.
Z
I a hundred percent agree with you. I mean, it's not going anywhere, right? Even more, it's just going to become more and more prevalent. I mean, it's already prevalent, but it's good. It's here to stay, but I love that you're saying we're going to go ahead and make sure that we do go back to the proactive, right? Be proactive, make sure that we can anticipate or do the best we can to mitigate, but also you did mention a few things around communications, and I've seen in a couple of interviews that you've done and some articles, and I love one thing that you talked about. In order to minimize any threats, you mentioned the word storytelling a few times. Can you tell us how storytelling plays into your role as a CISO, and why you implement that strategy? 'Cause I find it fascinating.
Arun
Well, I think, I read a book a number of years ago, and it was about the art of storytelling, by a lady called Annette, and I forgot her last name, and that made a big impression on me, because it was just a couple of years after I'd joined as a CISO, or taken up the CISO mantle. And the thing is, as a CISO, how do you make what's important to you and the company resonate with the rank and file of the company, right? And you can't talk them to sleep by saying, oh, I want to implement this firewall, I want to implement, you know, some sort of micro-segmentation or whatever. They're just going to look at you: what's he talking about, right? So, what you want to do is, A, like I said, build a relationship. B, be able to tell a success story that can be a rallying cry for people to understand and follow what you're trying to do, in simple English, and that's why, to the extent you can, if you can tell stories from your professional career or even your personal life with principles that can translate, you get to connect with people. These stories can help foster that connection and build a relationship, because people see you making the effort, and they'll rally behind you. So that's why I think storytelling is important, but storytelling is only part of some other things. Communication's key, like you talked about, and reasoning is very important, because you have to be able to paint the picture for folks. What is your vision? It's not just, I want to replace or upgrade security technology because it's cool or something. They need to understand there's business value in what you're doing, what risks you can mitigate, but as well, as a CISO sometimes you're not able to fund everything automatically, right? So, you've got to really leverage strategic cost optimization and vendor management, because otherwise you'll paint a good picture, you'll have a good vision, but you may not always be able to fund your initiatives.
So, I think it all is a collective set of skills that CISOs need to embrace these days.
Z
That's a great example, Arun. Thank you for sharing that. Yeah, I find that as thought leaders, especially in the industry, we can be excellent in one of these skills, but as we know, right? There are things that we can improve on and work on. So whatever that is, whether it's storytelling, risk mitigation, whether it's creating clarity, maybe the area that I need to work on as a thought leader is to inspire people. Whatever that is, work on it, right? And let me ask you this question, Arun. What are the skills that you've evolved over the years that you're saying, this is something that I need to develop as a CISO to get me to that next level?
Arun
I would point to strategic cost optimization and vendor management, because, like I mentioned a minute ago, the important thing is not only to have a vision, but the ability to build a business case that can help fund your initiatives to mitigate risk. That's where the ability to build strategic partnerships, vendor management, negotiations, and finding a win-win is very, very important. More important than one would realize, because both in my previous automotive company I worked for, and at Nexteer, we always have to have a keen focus on cost management, which is the right thing to do. So how do you find that? And that is an acquired skill. I didn't have that when I started my career. I sort of had a baptism by fire many years ago. I actually even took contract management training to get me started. So, I would say that among the many skills I developed, or was sort of born with, the one related to building strategic partnerships, vendor management, strategic cost optimization, has been very, very helpful to me, and I can't say how fortunate I feel that I've been able to work with a bunch of partners over the years to find that win-win (indistinct).
Z
Excellent. So it sounds like a lot. I mean, let me know if I'm correct here, but a lot of it is definitely that partnership, and on the job you learn and develop it by just doing, but was there anything else that you also did to help with that skill or develop that competency?
Arun
I think what you ought to do is, relationship management is something that you have to make time for, right? So, that means, for example, meeting people from time to time, whether it's for lunch or coffee, and keeping the relationship alive. It's quite important, actually, and that's still true, both for internal and external folks, right? 'Cause then you can build that stuff, but also I think sometimes it's good for strategic partners to know what your vision is and how they can support it. So it's basically, to the extent you can share, obviously there are confidentiality constructs here to sometimes watch, but when they know what and how they can support you, people are more willing to embrace your mission and support you. 'Cause at the end of the day, everyone wins from a successful initiative, whether it's identity and access management, or it's Zero Trust or whatever. So that's the key thing, to nurture those relationships, one relationship at a time, but also at an organizational level, both inside and outside the company. And that's something that I just try my best at, and sometimes not only just making it individually, but also being part of industry organizations like the Cloud Security Alliance and so on. Then you can meet some of the folks there as well, because a lot of the people in the security industry are very close together, and they attend the same sort of stuff, less so these days because of COVID, but in the past anyway, until we get back to in person. So, just trying to use all the channels you can to be able to build those relationships, foster them and nurture them.
Z
That's excellent, Arun. So, that actually leads to my next question, and actually, first of all, before I even ask the question, congratulations. Nexteer Automotive has received the 2021 CSO50 award, awarded by IDG. So, folks that are listening to us, the award recognizes security initiatives that demonstrate outstanding business value and thought leadership. And part of that was because of your project, NEXTINTRUST. Can you tell us a little bit about that, Arun?
Arun
Absolutely, Z. It would be my pleasure. So as Nexteer embraces digital manufacturing to increase efficiency and optimize operating cost, there's been an explosion of IoT devices on the plant floor, like sensors, to help mitigate and minimize cycle time, to improve predictive analytics, and the like, right? And so the thing is, as a CISO, you want to be able to see these devices, because you cannot control what you cannot see. So, our award for NEXTINTRUST was for thought leadership and deployment of an IoT security platform in our manufacturing plants that serves four principal dimensions. First, device visibility. Second, the ability to implement policies. Third, to determine what the devices are doing, behavior and risk analysis. And then the ability to enforce standards, right? Now, we had seven key principles that we have used as guiding principles, and I'll try to speak to them quickly. First is characterize, right? The ability to identify and classify assets and stratify them by business value and risk. Second is to demarcate and implement network zones between IT and OT networks. Third is to understand these devices: what threats and vulnerabilities are there? So you can be proactive, as we talked about earlier.
Then fourth is unify, controlling access by users and devices across both secure wireless and wired access. The fifth is to be proactive and adapt, right? Leveraging Zero Trust to enact adaptive control schemes. Number six is converge. The ability to make sure that all channels of access, especially for people coming from outside the company, come through a secured pathway. The last is something like, be aware always, because many IoT devices have a lot of chinks in the armor, if you will. At the end of the day, this award-winning IoT security platform and project enables visibility into all devices on our manufacturing network. It allows us to identify device posture in real time, detect embedded threats, and drive proactive control strategies. And at the end of the day, this enables enterprise management and strengthens cybersecurity.
Z
Wow, that's amazing, Arun. That sounds like a full solution or opportunity for the visibility, for being proactive, the clarity. I mean, it's an amazing thing that you have worked on with your team. Now, when it comes to the word team, right? I mean, I imagine this was not done alone, and there are a lot of great teammates, like you said, within your organization. You know, it's really challenging out there for a lot of organizations to keep and retain and recruit talent. What strategies have you and your team implemented for recruiting top talent when it comes to your field?
Arun
So, I think the first thing, like I noted earlier, is to have a vision of what you want to do. So I built out, as part of the strategic roadmap, a detailed services and competency framework with the skills needed for each role, so that as I build the organization, we can see what kinds of people and roles can support the program, right? Then we periodically review and update this framework to make sure that we can fuel our career path and succession planning. But one of the things that I would say is that, not only do we have 50 percent men, 50 percent women, we've got a great mix between early-career and mid-career individuals, to also provide that rounded balance. So, along with this team, what we try to do together is to define an appropriate mix of in-house and outsourced services, right? So for example, if it's a core service, we try to keep it in-house. We conduct cross-training across service tiers and utilize managed services as needed. As I mentioned earlier, training and succession plans are huge, because you allow people to grow, get them involved in their career path, right? Strategic cost optimization has been very helpful, not only to fund new platforms, but also to self-fund certain key roles to grow the team.
Essentially, it's about developing a grassroots talent pipeline through partnership with universities and so on, right? The ability to identify talent early. So I think there's a variety of things you can do. But at the end of the day, in addition to all these check-the-box items, again, it's about relationship management, being a good mentor to the team, knowing that you always have their back and that they recognize that. Because at the end of the day, it's about trust. So building trust, maintaining trust, that's the name of the game.
Z
No, Arun, that's exactly what I was picturing as you walked us through your strategy. A lot of folks or a lot of organizations can say they have a strategy, but overall, if they're not living by it, it's not reflected in their culture, which you mentioned, and that's what's going to build trust, right? Like actually delivering what you promise, right? Sticking to that development, investing in your team internally, but then the external candidates will see that: oh, I want to work for a company like that, that will invest in me. That's amazing. So, we're getting close to the end here. So I'd like to ask you this question. Is there a profound, or actually, you know what, let's go with advice. What advice would you give IT professionals who want to advance their careers in this space?
Arun
(Arun laughs) Well, I think definitely, have a good technical grounding, right? And certainly, if you can have some security training, cybersecurity certifications, these are very valuable, right? And there are certifications like the CSSP, the CCSK, the CCSP, sorry, it's too many acronyms.
Z
It's okay. I made that mistake earlier with the CISO. So it's okay, we're okay. (Arun and Z laughs loudly)
Arun
So, that's for me the foundation. But, once you have all those things, right? Obviously, joining the right company, one that has values and a culture congruent to you, where you can be comfortable to grow, is very important, and having a good boss. But once you have those, all of the basic things that can be there, then it's up to you. So, I would say certainly some guiding principles, right? Learn to embrace change fearlessly. If you're given a tough challenge, then try to put up your hand. You may fail, but you may also succeed beyond your wildest dreams. So embrace the change, right? Build and maintain trusted partnerships, 'cause partnerships are key, both inside and outside the company. Manage priorities effectively. You cannot do 10 things well at the same time, right? You've got to find two or three based on your bandwidth, the team's resources. It's better to, as you noted earlier, deliver what you promise, even sometimes not willfully doing it, but under-promising and over-delivering, that's really key, rather than the opposite. And then fostering a culture of respect and trust, because when people see that you are able to do that, they're more likely to work with you, and as you rise in your career, trust you, right? Leveraging communication and relationships as well, and I spoke about it a couple of times, but that's really huge, that's really the secret sauce, if you will. A couple of other things: many a time in your career, when you start, you'll be asked to do so many things on a project, but this (indistinct) almost. Learn to differentiate requirements from desirements in a project, 'cause if we let desirements drive the project, it will always be over budget, and you'll never finish it on time. So, priority management is key, and this is true of all situations. Manage stakeholder expectations.
And then some ingredients that are key to success are collaboration and communication, envisioning and storytelling, we talked about that earlier, program management, negotiation and vendor management, and strategic cost optimization. So, a lot of things that folks coming newly into the field can have as a lodestone to grow the skillset, not just to be a CISO, but to be effective as you grow your career.
Z
Yeah, yeah. So really, I mean, what you just mentioned is what I always tell individuals. Whenever they're trying to go into a career, or figuring out what they want to pursue, for me, I always say be a long-time learner. Be a full-time learner, right? Because everything you just mentioned is that we're never going to stop learning, right? Whether we've got the technical skills and the certifications needed to get our foot in the door, we need to continue to learn how to build relationships, like you talked about. How to build that trust, how to work through treacherous waters and be proactive, and I mean, the list goes on. I imagine, Arun, you're still a full-time learner yourself, right?
Arun
It never does stop, right? Because the day you think you know everything, that's probably the time to retire. (Arun laughs)
Z
Yeah, oh my gosh. Well, Arun, I know we are coming to the end here, so I want to thank you so much for your time. Thank you for your insight today, and I really appreciate it. So for the rest of us, if you want to know more details, we invite you to visit our TechTalk journal and read the CXO Corner article. Until next time, thank you, Arun.
Arun
Thank you, Z. It's been a great pleasure, and thanks to Insight as well. Cheers.
Z
Bye.