Global CISO Forum Podcast – Awards Series: Syed Azher

In this Podcast:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation Infosec Tech & Exec Awards Finalists! For the next three weeks we will be interviewing the best and brightest in infosec who have been named finalists for the CISO of the Year, Certified CISO of the Year, Most Improved Security Program of the Year, and Most Innovative Security Project of the Year.

Transcript

Amber:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation Infosec Tech & Exec Awards finalists. For the next three weeks, we will be interviewing the best and brightest in InfoSec who have been named finalists for the CISO of the year, certified CISO of the year, most improved security program of the year, and most innovative security project of the year.

Male Announcer:
Welcome to the Global CISO Forum. The podcast for information security executives.

Amber:
With me today is Mr. Syed Azher. He is the CISO of the Impact Group. I’m actually calling him. He’s in Bahrain.
I think you’re the first interview from Bahrain. Welcome. You’re also on the show because you’re a finalist for the CISO of the year award, so congratulations on that. We’re very excited to have your name on our list.

Syed:
Thank you, Amber. It is a great opportunity you have given to join me on this beautiful podcast. Thank you for confirming the nomination for the award. I think it is a very prestigious award in the industry. We have the finest security professionals which are part of the nomination. I wish all the best. Even I wish myself the best. May the best person win.

Amber:
I have to say, you’re in a very tough category. We have four categories of awards, but CISO of the year had the most finalists named and, I believe, has one of the most robust groups of professionals. Being named as a finalist is actually a pretty big deal. There were a lot of people who nominated themselves, or were nominated, that were not named finalists. Again, congratulations.

Syed:
Thank you.
I think it’s a good opportunity for even the upcoming CEOs to realize that there is a recognition for them in the industry for the effort they are inputting for their organization. Sometimes it gives a boost to an individual to strive achieving a higher level in their career. I think that EC-Council is doing a great job in recognizing those individuals.

Amber:
We hope so. That’s what this is all about. We want to inspire the next generation. We want to recognize the people that are really making a difference where they are.

I think one of the reasons that you were selected is that you represented a region that we didn’t have very much representation from. They really wanted to shine a light on people outside the US, for sure, people in the Middle East, and look at the efforts in that region.

Another thing, your nomination was great, is you’ve given some talks about efforts to curtail cyber crime, hacktivism, cyber terrorist activity, and cyber warfare. That’s really reaching outside of just your role as a CISO. I think that the nominating panel really enjoyed seeing that. You’re educating the community and bringing a spotlight on some things that most everyday CISOs aren’t talking about.

Can you tell me a little bit about your presentations and your work in those areas?

Syed:
One of the things which I have highlighted as part of the presentation is to look at the challenges which we have in cyber security. We tend to talk more about technology and forgetting about what’s going on. We tend to talk more about our organization and forget about what is going around the organization.

You need to understand these are the new threat levels which is emerging in the industry. That’s where I have highlighted what the challenges hacktivism is creating. The cyberwarfare, revolutionizing the country, is basically thinking that the next war we will not have people going for war. We will have an online war. It’s more like a competitive as playing games.

If you look at from the external threat aspect, if we are able to understand that I guess that we are able to control our internal threats easily. Majority of time if you are focusing purely on technology then you will never get an understanding from outside what is happening in the society. That’s where one of the aspects which I have put it down as making sure that people understand what hacktivism is, what cyberwarfare is. How does the ransomware work and what impact they’re going to have towards the organization and as a whole for the society.

Amber:
It’s nice to see a CISO looking outside his own organization. Also, it seems like there is some tie in there.

Tell us a little bit about the Impact Group and what your company does.

Syed:
The Impact Group of companies is a very large group of companies based in Bahrain. We have operations in real estate, interior designing, we provide end-to-end consulting to a lot of major banks within the region in terms of understanding their strategy for writing consultation from strategy aspect to implementation, project management.

Amber:
That’s a very diverse company.

Syed:
Absolutely. We tend to focus on the areas which … The majority of people enjoy having interiors, real estate, consulting which is our major area, and then we have professional service as well.

Amber:
Getting to your work within your company, your nomination points to some work you did as far as rebuilding the security policies based on ISO 27001 standards. Tell us how that went. That’s a huge undertaking.

Syed:
Yes. When I came in in Impact, because there was no CISO rule, and I had to come up with a strategy to make sure that I developed an enterprise program. My objective was to ensure that sensitive data is protected for cyber crime. Cyber crime, or the cyber threat, were the major challenge because we have a lot of business which is working online. The real estate company, which has over a hundred thousand users connecting from within the region.

We understood what was the requirement, and based on the ISO standard we said that ISO standard is going to actually fit our business need. Based on that we have outlined the key aspects we need to power from an incident management to business continuity. Basically looking at a standard in an open ended context and making sure that we have the basic security in the organization rather than concentrating on a high end technology threat intelligence system.

Amber:
That makes sense.

In order to get all that done though, you had to lead a lot of teams I would imagine and get a lot of different groups talking to each other. Especially in a company that’s so diverse. What was that like getting stakeholder buy-in, leading teams, et cetera?

Syed:
To start with, leading teams, I have worked diversely within the banks, so I had a very good structure in managing a lot of teams in terms of systems, network security, software development. For me it is first understanding myself, and it’s looking at the challenges. Usually when I look at the challenges from the team it’s sharing the common objectives. Making sure that they understand the business. Coming from a security aspect, they have to work [inaudible 00:08:51] with the team, and obviously with the different team.

To overcome all these things we operate more like a consulting service to the business and focus on right metrics. At the same time we get to involve in every aspect of business meetings to make sure that we add value for discretion from a business aspect.

Amber:
That’s really unique. I don’t think I’ve heard it put quite that way that you’re operating as a consulting service to the business. I like that idea. That’s very cool.

Syed:
Absolutely. Because if we don’t start operating as a consulting service then we will not be able to generate value to the organization. As an organization when they look information security as a consulting service, it’s much easier for me to get a buy-in from the management. I put my different business cases and highlight what is the risk associated with that and what it is actually going to cost. It’s become much easier.

Amber:
I see. Sort of running it like a business. That’s very cool.

That’s an interesting perspective you have. Obviously you’re very distinguished. You’ve done a lot in your career. Tell us how you got started in security.

Syed:
It’s a long story, but I’ll just put in a very precise way. When I finished my high school, I was actually a medical student. I was doing medicine back in New Zealand, and I got introduced to information technology by a very good friend of mine. In fact, just by reading a few books at the time, I got so curious to it I skipped a couple of my classes here and there. Then it got developed as a hobby.

Later I was able to market my skills because I could understand how the network works, systems work. One day I decided that I’m going to quit medical now, and I’m good at the technology. That passion actually made me more curious to understand systems, network components, application, and how they come together.

Security played a very vital role in that. At the end it was understanding all the technology. Security, I realized that it was the glue for everyone. It was the security where every component fits in properly. In order for you to understand technology, if you go through from a security angle you would get an opportunity to understand all of the technologies.

Amber:
Wow. That’s a good point.

You kind of got into it teaching yourself, but eventually you changed your major in school to focus on information technology. That’s very cool.

Syed:
Absolutely. Back in 2000 the Dot-Com Boom was there, and then there was a bust. At the same time security was emerging then you have the 2001 incident which came in. Security actually started a very wider role in the society. That’s where I thought, “Okay, that is going to add value.”

Obviously, coming from a medical background, one of the things when I joined medical background was the passion to always keep learning and understanding things better. When I went into technology I thought it is extremely deep. I couldn’t complete everything, but at the same time I was able to understand majority of stuff.

Amber:
That’s a very interesting story. I don’t think that we’ve had quite that path. We’re glad you’re here.

You’ve been doing this for a little while. How have you seen the role of the CISO, or the information security executive, change over the years?

Syed:
Information security role has changed completely in terms of previously information security used to concentrate more on technology aspect whereas people came from information security from a background of pure security or just configuring firewalls or network. They were good at that, but it did not add value to the business.

What I have seen as the revolution, as a CISO, is that CISOs are coming with a very distinguished ability to define division and secure support for the division from the board as well as from the C-level. Marshaling the resources and the talent, and translate them to vision into reality.

The CISO role now, it has become more towards business acumen. Concentrating too much on analytics, becoming creative, innovative, and understanding business to business communication. Legal also, they’re becoming an excellent player at managing legal aspects. And having a PR capability.

Amber:
How do you interact with your legal department? Is that a big part of your job?

Syed:
It is actually a big part of my job. One of the reasons I interact is to make sure when we sign an SLA, I always make sure I go through the SLA myself and highlight what are the technical aspects of the SLA before forwarding to the legal department.

Legal department comes from law. They are not going to sit and see what is cloud computing or what is a SAT service. They are just going to look at from a technical legal capability that, “Okay, it is fulfilling my SLA. What is the term of SLA? What are the conditions of SLA?”

I have to provide that input. I’ll give them the white and black picture of the highlights which is available on the SLA. Based on that interaction from a legal aspect what the legal department wants to amend then we add it and then continue having a negotiation or discussion with the legal department.

I think one of the important things which is coming for a lot of CEOs is to have the legal challenges because one of the things is you have the compliance challenge. In order to understand compliance much better, you need to understand the legal aspect of it.

Amber:
That’s a good point. Have you been learning more about the law, or do you rely on your legal team to take care of it?

Syed:
I have recently enrolled for a law degree.

Amber:
Are you serious?

Syed:
Yes.

Amber:
You’re going to do a little bit of medicine, some cyber security, and now you’re going to be a lawyer for a little bit? What’s the plan?

Syed:
The industry is revolutionizing. Things are changing, and it’s becoming dynamic. If you don’t understand the legal aspect of the business you are in, the contracts you are going to handle. Cloud is taking over everything, so we are more dependent on the paper where our data is residing somewhere else.

You need to understand that, so at least you have the first round of information cleared before it goes to actual legal department.

Amber:
That’s very cool that you’re actually going to law school. That’s impressive.

Syed:
Yes. Thank you.

Amber:
That’s your passion to keep learning all the time.

Syed:
Absolutely.

Amber:
EC-Council appreciates that. We support that as well.

I just want to tell you one more time congratulations on, not just your finalist spot, but also on your career and everything you’ve accomplished. Thank you for everything that you’ve done for the information security industry.

Syed:
Thank you, Amber. I think EC-Council is doing a really tremendous job.

One of the things which I wanted to highlight was promoting EC-Council in Middle East. That is something which I think EC-Council should look at because we need this kind of education, support from organizations like EC-Council to get awareness in the region. One of the important aspect is if you could in on roadshows or provide more interaction within this region it would add a tremendous value.

Amber:
We agree, and we are working on it. Maybe we need to partner up.

Syed:
Absolutely.

Amber:
Awesome.

Thank you so much for taking the time. Will I see you in Atlanta? Are you going to make the trip?

Syed:
Yes. I will definitely be making the trip.

Amber:
Awesome. I look forward to meeting you in person. Good luck with the award. Hopefully I get to hand you a big, shiny trophy in Atlanta.

Syed:
All right. Thank you, Amber.

Amber:
Have a great day.

Syed:
You too. Bye bye.

Amber:
That’ll do it for this episode of the Global CISO Forum Podcast.

The show is produced by Saba Mohammad, edited by Shandiin Tome. You can help the show by subscribing on iTunes or Stitcher. If you would leave a review for us that would help other people find the show.

Until next time, this is Amber Pedroncelli.

Speaker 2:
Thank you for tuning in to another edition of the Global CISO Forum. The podcast for information security executives.
