12 6 月, 2024
EP 54 – Zen and the Art of CISO Leadership
In this episode of the Trust Issues podcast, we explore the nexus of mindfulness, identity security and leadership with Jitender Arora, Partner and Chief Information Security Officer (CISO) for Deloitte North and South Europe, and Deloitte’s Global Deputy CISO. Arora discusses with host David Puner how a Zen-like mindset can be influential in helping to bolster organizational cyber defenses, sharing his wisdom on the critical role of emotional intelligence, empathy and the human touch within the cyber realm. This episode offers a glimpse into innovative strategies for navigating the intricate cybersecurity landscape, emphasizing the significance of maintaining a Zen-like composure for effective decision-making and risk management. Listeners will gain insights into the evolving role of CISOs and the transformative impact of integrating Zen principles into leadership and cybersecurity practices. Tune in for a fresh perspective on leading with tranquility amid an ever-expanding threat landscape and about the pivotal role of identity security in protecting both human and non-human identities.
[00:02:41] Jitender Arora: Thank you, David. Thanks for having me.
[00:02:43] David Puner: Yeah, thank you very much. I appreciate it. I know this is getting toward the end of your day in England. You’ve been with Deloitte for around six years, and a few months ago, your responsibilities expanded when you took on the role of Deloitte’s Global Deputy CISO in February of 2024. In addition to your existing partner and CISO for Deloitte North and South Europe duties at that time, what’s the scope of your relatively new role, and what’s the most significant change you’ve experienced since taking on the new role?
[00:03:21] Jitender Arora: I think, first of all, it’s such a privilege and honor to be given the responsibility to now support Deloitte at the global level. So, other than just serving North and South Europe, which is my member firm, which is around 28 countries, this means I have to work and support Deloitte globally. The most important part of the role is to make sure that I’m able to support our global CISO effectively to do their job. Deloitte is a massive organization. We are operating in 150-plus countries, with 500,000-plus people. It’s a very complex landscape. This is about making sure our people can be successful in the marketplace and defending the brand that we all love.
[00:04:01] David Puner: Does your current role involve interacting with Deloitte customers or Deloitte clients and the internal organization, or both?
[00:04:10] Jitender Arora: Like any other CISO, my job is to defend the organization—to take care of our security, take care of our perimeter, and make sure that we meet all of the various regulatory and client requirements we have. But sometimes, I do have to speak to clients. For example, some of our advisory partners will come and ask, “Jit, our clients would like to understand how we are tackling that challenge inside.” So, it’s about sharing our own practices, sharing our knowledge on how we are tackling some complex problems because we are also a very big, global, and complex organization.
[00:04:46] David Puner: Since taking on the additional duties as global deputy CISO in February, what’s been the biggest surprise or challenge that you’ve encountered thus far?
[00:04:57] Jitender Arora: I don’t think there’s been any surprise or challenge because I was still part of the global leadership as a North and South Europe CISO. It’s about having a much wider view, but also it’s very pleasant because now I can spend time with global colleagues and different teams. It’s just such an immense pleasure to see the type of talent we have, the impact we are making, and how we are working collectively together as one organization to defend such a massive and complex organization. So, I would say rather than challenge, because security is a challenging job, sometimes people ask me, “Jit, how are you handling all the responsibilities?” I always say that it’s not a job, it’s a mission. I think there is a sense of pride and honor associated with everything I do because you’re not just safeguarding the organization, you’re safeguarding the people, the families connected with us, the clients, and also our society in general. We do quite a lot of work contributing to other societal matters. So, I think of it as a privilege and honor.
[00:05:58] David Puner: You’ve got a really interesting life perspective, which we’ll get into a little bit later in the conversation. You think a lot about both work and life, how they intertwine, and how they don’t intertwine as well. We will get to that in a bit, but before that, it’d be interesting to talk about your career trajectory. You’ve worked in the technology and security industry for over 20 years, and you’ve got a really interesting career path. What has that path been, and how has the scale of the security challenge evolved throughout your career?
[00:06:32] Jitender Arora: I’m a computer science and engineering graduate, and I was always a science and mathematics student. I fell in love with computers when I got a chance and when I got my hands on them. I realized I’m good at it, and that’s where my career trajectory went. I wasn’t a security professional to begin with. I started my career in what we call technology infrastructure services. I’m a UNIX administrator by trade. When security was evolving at that time, we were looking at firewalls, DNS capabilities, proxy servers, certificate servers, and iPlanet capabilities from Sun Microsystems. I started playing around with that. When the organization was looking at who would like to move to security, which was kind of IT security or infrastructure security, I said, “Yeah, I’m going to do it because I love playing with technology and learning new things.” That’s where my journey began. Initially, it was very much about the perimeter, infrastructure, DMZ, firewalls, keeping bad things out, and making sure people could do their job effectively, antivirus and all that stuff. But over the years, the perimeter has diminished. People are working from anywhere. When we started working, the concept of working from home was kind of alien. Now, people can work from anywhere. Technology has changed a lot in size, scale, and complexity. When you start operating at a global level, it becomes even more interesting. At that time, there were no targeted, sophisticated attacks. It was more scripted and people doing it for fun. Now, we are competing with adversaries with a financial business model. They rely on making money using cyber and offensive capabilities. The landscape has become very complex compared to when we started, and that keeps it interesting.
[00:08:25] David Puner: Identity, of course, is a new perimeter.
[00:08:28] Jitender Arora: Oh, absolutely.
[00:08:29] David Puner: How does identity security figure into what you do and how you look at the cybersecurity big picture?
[00:08:37] Jitender Arora: My personal view is identity access management is kind of a foundational security problem. As we were just talking about, the concept of network perimeter has almost diminished. Every attacker or adversary trying to compromise something needs a foothold in the organization, which means they have to compromise an identity somehow, whether via phishing or something else. Identity is not just human accounts. When you think about identity, people often think it’s a human identity. It’s a digital identity. What that means is it’s the human account, service accounts, robotic RPA accounts, OTA devices connected to the network may have digital identity. We need to protect all kinds of digital identity because it’s not just to get the initial foothold, but attackers always look to elevate their privileges and gain administrative access, which they need to execute their objectives. Protecting digital identity is fundamental to any security program as much as a network perimeter or running EDRs and other capabilities on your systems.
[00:09:53] David Puner: Those non-human identities, as you mentioned, greatly outnumber human identities. So they obviously both need to be protected and accommodated for. That being said, how do you navigate the complexities of varying cyber risk and risk appetite for such a wide variety of businesses and industries?
[00:10:12] Jitender Arora: Context is important. Every business you’re trying to protect has different applicable threats. For example, the risk appetite and needs of a healthcare business are very different from financial services to an organization like ours. Understanding your adversary is very important. And that’s where the risk appetite comes in, in terms of what risk appetite the board or shareholders or executives are willing to sign up to. There’s no limit to how much you can invest in cyber, but your cost curve cannot outrun or outgrow your profit or revenue growth. It’s important to understand the risk appetite, apply sensible, practical, pragmatic controls, and manage the risk within that appetite. It’s not always about excessive preventative controls, but a combination and balance. I always say security is like an equilateral triangle. Security is one side, cost is another, and user experience is the third. Excessive security becomes costly, and user experience suffers. Reducing costs significantly might improve user experience, but security takes a hit. It’s about finding the fine balance between these three dimensions to provide the right and optimal level of security, good from the practitioner experience perspective, but also affordable.
[00:12:08] David Puner: What are the top challenges you face as a CISO in 2024, and how has that shifted or evolved since, say, last year?
[00:12:22] Jitender Arora: One challenge is the sophistication of technology. Compute power is becoming easier, and attackers are making more money. There’s professionalization happening on the offensive side, creating a different level of attack surface. The number of vulnerabilities coming out regularly is significant, and zero days have increased. We can’t go off the grid; practitioners are everywhere, working in a hybrid setup, with many vulnerabilities and different adversaries targeting us. The geopolitical tensions are rising, and budget pressures are there. Every business has finite money to spend on sales, marketing, security, technology, etc. The generative AI capability is creating interesting challenges for the community, as offensive capabilities are shrinking lead times. Balancing the attack surface expansion while not compromising business experience and maintaining affordable costs is challenging. Security teams are under heavy stress, with wellbeing a concern as they have to do more with less and constantly upskill while keeping the lights on. It’s a technology, process, cost, and human dimension balance. Keeping teams set up correctly for success and defending the organization with the constraints in the emerging threat landscape is critical.
[00:14:58] David Puner: You’ve touched upon a bunch of really meaty things there, and I definitely want to go back to talking about team wellbeing in a few minutes. But first, what about generative AI? What does Gen AI mean for organizations, and how can organizations mitigate their risk?
[00:15:16] Jitender Arora: Like any other technology, generative AI has a lot of potential. It has sparked interest and curiosity, similar to when smartphones were introduced, making technology very accessible and intuitive. Generative AI is easy for anyone to use, which is a key factor. Organizations need to focus on use cases. There is excitement, but investing without clear ROI can happen. Use cases should be clear, and it’s about using it securely, safely, ethically, and responsibly to deliver business outcomes. Legal risks, confidentiality risks, and privacy considerations are crucial. It’s interesting technology, changing how we operate, live, and interact, but also creates offensive challenges. Offensive capabilities shrink lead times, and attackers use generative AI. A blog post I wrote using generative AI translated into Italian was surprisingly accurate. Phishing emails can now be written smartly in local languages, making it easier to execute. Like any technology, generative AI has pros and cons, and businesses need clear use cases and guardrails for safe, secure use.
[00:18:11] David Puner: When it comes to attacker innovation, Gen AI helps attackers innovate quickly. How do you stay ahead of the curve when anticipating and defending against new attack methods, new identities, and new environments?
[00:18:32] Jitender Arora: Our line of work is interesting and exciting. There’s no end goal, no finishing line. A three-year strategy might change as new vulnerabilities emerge. A good security program focuses on security basics. If your organization’s culture and shared responsibility are strong, developers know they must be responsible, whether developing code or sharing something. Knowing your assets, maintaining security hygiene, and having a comprehensive security operation center with threat hunting, detection, and response capabilities are crucial. Focusing on operational excellence, getting security basics right, and continuous innovation in a three to four-year roadmap is key. This approach creates a solid, defensible position.
[00:20:02] David Puner: So, keeping it simple and going back to basics.
[00:20:06] Jitender Arora: Yeah, focus on operational excellence. BAU can be boring, but it’s essential. New technology is fun, but not doing basics right is problematic.
[00:20:24] David Puner: How do you prioritize how and where to invest in cyber?
[00:20:28] Jitender Arora: How much time do we have?
[00:20:30] David Puner: As much as you’ve got.
[00:20:33] Jitender Arora: Prioritization comes from business strategy input. If the business strategy changes, like adopting a hybrid model, we need to focus on the right compute environment and security program. External landscape changes, including threat and regulatory landscapes, are significant. Regulatory obligations are like your license to operate. Meeting these requirements is non-negotiable. Balancing preventative and detective measures, defense in depth, and aligning with business needs is crucial. Combining a well-defined cyber capability maturity program with red team assessments helps track ROI and prioritization. This approach ensures informed investment decisions and supports business goals.
[00:23:19] David Puner: CISOs often seem calm, and you are no different. You have a zen mindset. You started as a door-to-door salesman. How did that lead to your security journey, and how has it shaped your approach to this pressure cooker situation?
[00:24:01] Jitender Arora: I come from a modest background and was the only one in my family to attend university. After the dot-com bubble burst, I struggled to find a job, worrying my parents. I secretly took a job selling shirts and trousers door-to-door. It was hard but taught me empathy, respect, and not judging others. It also taught me that being human is a strength. My zen mindset comes from life experiences, controlling my mind, and staying positive. This mindset helps me lead effectively, impacting everyone around me positively. Staying calm, composed, and reflecting on situations keeps me centered and able to serve others.
[00:27:29] David Puner: How does your ability to think about different perspectives and put yourself in different people’s shoes come into play when it comes to adversaries?
[00:27:56] Jitender Arora: Reflection is key. I regularly reflect on work, life, and emotions. This principle applies to security, too. Staying curious, reading reports, engaging with CISOs, and having time to think helps anticipate and defend against threats. Creating headspace for reflection allows for better decision-making and staying ahead of adversaries.
[00:29:28] David Puner: How do you protect the wellbeing of your team?
[00:29:39] Jitender Arora: Wellbeing is about psychological safety and creating an environment where people can be themselves. Open conversations, sharing failures, checking on people, and fostering a sense of belonging are crucial. Regular all-hands calls focus on bonding, not work. Emotional antennas help pick up signals when someone isn’t their usual self. Following up with personal calls shows care. Wellbeing is a shared responsibility, and everyone needs to contribute. Creating a safe, happy space where people feel comfortable and supported fosters a positive environment. Virtual hallway calls and building relationships create a sense of family within the team.
[00:33:09] David Puner: You think about these subjects a lot. You frequently write on LinkedIn about life lessons, leadership, human connections, and positivity. Another passion is diversity and inclusion initiatives. How do these considerations factor into your leadership, and what are the biggest opportunities for diversity and inclusion in cybersecurity?
[00:33:52] Jitender Arora: I’m obsessed with the concept of being human. We come from different backgrounds but share common experiences. Bringing diverse backgrounds together creates a rich environment. Focusing on creating opportunities for people from challenging backgrounds, especially women in cyber, is key. Encouraging women to take up the subject and creating a talent pipeline for the future is fulfilling. Inclusivity is about creating opportunities for growth and support. Helping students and encouraging them to pay it forward creates a self-sustaining model. Giving back is profound and creates a positive impact on society.
[00:36:59] David Puner: How do diverse cybersecurity teams help strengthen cyber resilience? How can diversity and inclusion be a powerful tool for cyber defenders?
[00:37:12] Jitender Arora: Cybersecurity is a diverse domain requiring different skill sets. Neurodiverse colleagues bring unique abilities, like data analysis. Diversity of thoughts, backgrounds, and experiences creates a strong cyber team. Different perspectives help see things others might miss. Focusing on cultural diversity and complementing each other strengthens resilience.
[00:39:02] David Puner: You’re a huge fan of Formula One auto racing. You wrote a LinkedIn article about similarities between F1 and cybersecurity. How is F1 similar to cybersecurity?
[00:39:36] Jitender Arora: F1 is a team sport, not just about the driver. Similarly, cybersecurity is about a talented team working together. F1 cars are complex, and so is the cybersecurity ecosystem. One small thing can go wrong, similar to cybersecurity. Both require a team effort and everyone doing their best to win. The fast-paced, competitive environment of F1 mirrors cybersecurity. Adversaries are smart and well-funded, making it a catch-up game. The analogy of F1 and cybersecurity highlights the importance of teamwork and staying ahead.
[00:41:42] David Puner: I’m feeling so much better about everything right now after speaking with you. We’ll have to check in from time to time. I really appreciate your perspectives. I look forward to reading more of your LinkedIn musings. Jit Arora, thanks for coming on to Trust Issues.
[00:41:56] Jitender Arora: Thank you, David. Thanks for having me. I really enjoyed the conversation. All the best.
[00:42:09] David Puner: Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes—make sure you’re following us wherever you get your podcasts. And, oh yeah, drop us a line if you feel so inclined. Questions, comments, suggestions—which come to think of it are kind of like comments—our email address is trustissues, all one word, @ cyberark.com. See you next time.