Many people are looking to break into cybersecurity, but without experience, it can be tough to get a foot in the door.
Arif Hameed, Chief Information Security Officer at C&R Software, advises looking into cyber-adjacent roles.
“My pathway started with software quality assurance, and that pivoted to IT audit, which was my springboard to cybersecurity,” Hameed said.
“Another path is through the help desk, which can get you into incident response. Or if you’re into quality assurance or software development, you can get into application security. A role as a site reliability engineer can lead to a position in cloud security. There are a lot of cybersecurity-adjacent roles that overlap and can pivot you into the cybersecurity role you want. Get yourself industry-recognized cyber certifications and in parallel try to build on your experiences.”
Serving business
Hameed’s current company develops software for credit risk management.
“Because we’re tied into banking customers, security is extremely important,” he said. “At the same time, we reached the conclusion that it’s not just a technologist role, but something that has to be in service of the business rather than in service of security per se.”
The transition from technologist to business enabler marks a major evolution in the CISO’s role as the job becomes more visible and elevated in an era of increasingly frequent and sophisticated breaches.
“You have to have the technical knowledge, but you have to understand along with the technology, what is the actual business risk?” said Hameed, who expects to see many more regulations as attacks mount, with a tighter push on security and privacy.
“As you move up the corporate ladder, the ability to communicate is vital. You need to avoid jargon, and business leaders don’t want to hear FUD – fear, uncertainty and doubt,” he said. “They want to be realistic. So you want to be a true risk manager. Look at the big picture of the war at hand and pick your battles. Win the war, not a few battles here and there.”
Evolving role
As the role of CISO evolves, Hameed sees many CISOs taking on the position of Chief Technology Officer, and others becoming Chief Privacy Officers.
“The role is evolving, but it depends on the organizational need,” he said. “What the CISO means for an organization that’s in technology is potentially very different from an organization that’s in health or finance or manufacturing.”
Before joining C&R, Hameed was the inaugural CISO at Munich Re New Ventures and Senior Director of Client Cybersecurity at Equifax. Previously he held security roles at TD Bank, and worked in information technology audit and IT risk at Royal Bank of Canada (RBC).
Customer-focused
“I’m very much a customer-focused CISO dealing with external customers, so my experience in the financial services and managing external, internal and customer audits was invaluable,” he said.
“Customer trust is a big component. There is a lot of focus on third party risk. We’ve had a vendor that assists us with questionnaire responses, and we use another vendor for our Customer Trust portal. But it’s critical to create a process of making customer due diligence efficient, especially if you’re a CISO who is very customer facing.”
A good CISO has to be calm under pressure, Hameed said.
“Security is a very challenging field because it’s constantly changing,” he said. “You’re responsible for other people’s livelihoods. If there’s a major breach, you’re not just worried about your own head rolling, you’re also responsible for revenue implications for your company.
“Unfortunately, a number of people have been burned out and moved on to different roles, or even downgraded themselves. They still want to be in cybersecurity, but they don’t want to take that responsibility.”
Time off
Hameed encourages people on his team to take time off as needed, and makes sure to hold in-person meetings at least semi-monthly, as well as team lunches.
“I want to have an informal and collaborative environment,” Hameed said. “I’m approachable. If anyone wants to speak to me, it doesn’t matter if you’re not my direct report. Culture is important.”
To relieve the immense pressure that comes with the job, Hameed walks and has recently taken up squash and pickleball.
“I get a lot more out of it than doing the treadmill or some other exercise, and it’s fun,” he said.