“Every day in information security is a winding road, with ups and downs. I guarantee you that it happens every day,” says Kevin O’Leary, this week’s Guest Speaker of our CyberWarrior Events.
Mr. O’Leary, who is Chief Information Security Officer (CISO) at Institutional Shareholder Services (ISS), one of the world’s leading providers of corporate governance solutions, started the talk by bringing up Murphy’s law: “Nothing is as easy as it looks. Everything takes longer than you expect. And if anything can go wrong, it will, at the worst possible moment.”
He emphasized that planning for the worst will allow you to achieve your goals and eliminate bumps that could cause you to give up if you are unprepared. “I think, in information security, if everybody keeps Murphy’s law in mind, you’ll do pretty well,” he said.
Words of advice
Through his presentation, he shared several pieces of advice that have allowed him to become a leader and translate his vision as a CISO into a reality.
- Try to get real-life experience through internships, live projects, or voluntary work.
  - If you lack experience, do not try to brush over that fact. The theory is not enough. It is essential to get real-world experience by obtaining an internship or live projects, to get the attention of any potential employer.
- The harder you work, the luckier you’ll get.
  - Cybersecurity is not an easy job, and it doesn’t come easy. You’ll have to work hard, and you’ll find that you get lucky precisely because of your hard work. For example, if you “get lucky” and do not get attacked by a hacker, that’s usually because of hard work.
- Keep a notebook and become a Google expert.
  - “When someone explains something, write it down. Do not ask the same question twice. If you need clarification, that is great. If you need help on something, that is great,” O’Leary said. “And when you get a problem, check with Google first.”
- Volunteer.
  - Once you have your work in good shape, ask how you can help in other areas. How can you free your manager, how can you help? Contribute to other people. Companies seek employees that are excellent at their jobs and help others. That is critical.
- Be a problem solver, not just a problem reporter.
  - Own an issue until you solve it or transition it to someone that can. Maybe you do not know how to solve the problem right away – and that’s ok – but own the problem until you find someone who can and keep it on your plate until someone gets it off.
- Get to the root cause of the issues, so they do not happen again.
  - You will run into big problems that sometimes feel like more than you can handle, but do not give up! Getting some help is key; do not just let it go and hope it doesn’t happen again.
- Break large problems down into manageable pieces to knock them off.
  - “When you are faced with a big task, it helps if you break it down into smaller, more manageable parts,” O’Leary said. Setting priorities and breaking a big project into smaller tasks makes it easier to get the work done, and it’s less intimidating.
Every industry faces similar challenges.
Although Mr. O’Leary has worked in financial services for a long time, he believes that every industry faces similar problems whether you’re in healthcare, government, retail, etc. He noted a set of challenges that are common among industries:
- Protecting the confidentiality, integrity, and availability of confidential and personal data.
  - “We all are trying to do the same things, although the roots are different. The good news is people in cybersecurity are playing with usually the same playbooks and regulations, so it’s not a surprise when companies ask you how to protect data or how to make a vulnerability test.”
- Balance of security and productivity. Enabling the business, not slowing it down.
  - Part of Mr. O’Leary’s job is to convince people that security doesn’t slow processes down. Security keeps the company safe, and the team should balance safety and productivity. “For example, emails should go through a filter to protect systems, but this will take two more seconds, not two hours,” he said.
- Balancing risks and financial resources.
  - “Every day, a new vendor is trying to sell solutions,” Mr. O’Leary said. Knowing which risk elements have the most significant impact on your security strategy is essential. Undertaking the balancing act of managing risk and reward means understanding the basics and the role of risk within an organization.
- Make information security part of everyone’s job.
  - He thinks everyone in a company should be inherently part of the information security team, and security should be part of their jobs too. That’s key. As we bring more internet-connected devices into our jobs, it is critical for everyone to understand and practice good cyber hygiene.
CyberWarrior’s top 3 questions
Our students are the real CyberWarriors! That is why we put all our effort into connecting them with important cybersecurity professionals, with memorable stories and experiences that can bring value to our students’ learning. To this end, they engage in conversations directly with the guest speakers and ask questions related to the fascinating cybersecurity world.
What can I do to make my team grow while I’m growing?
O’Leary: There’s an old saying, “you can lead a horse to water but still not make him drink,” but you need to do your best. Do not hoard information, provide documentation, and offer training. Those are key.
What two questions would I be able to ask a chief in the financial services industry to directly assess the status of their cybersecurity operations?
O’Leary: Good question! I’d like to think more about it, but one thing I would ask is what keeps him up at night? You know, what are the things that scare him, and what is he comfortable with. Another question would be, what is your biggest concern?
What happens when an employee is compromising the company? How does that information layer get blocked, so that sort of intrusion doesn’t affect anything critical?
O’Leary: It all depends. That’s why you need defense-in-depth, so if the password gets sniffed, you have multifactor authentication in the network. That’s one layer of protection. For people with access privileges, we have a second level of authentication; that’s another level of protection. It depends on the situation you have and the person who has access, how much access they have, and what other protections you have on that environment. I mean, if they don’t have access to critical data, it might not be an issue. If they do and you don’t have network segmentation, it could be a big problem.
Final notes
Every CyberWarrior Event opens the door to knowledge. We, the CyberWarrior Academy, greatly enjoy seeing our students fueled with this passion for cybersecurity as they discover every new topic, industry, or piece of advice. Kevin O’Leary and his Long and Winding Road reminded us that everyone’s journey is worth sharing because you can go from an apprentice with “no experience necessary” to being the leader he is today.
These CyberWarrior Events are exclusively for the platform users who are subscribed to our Premium Plan.