April 30, 2024

Leadership, AI, and Continuing Education with Chirag Shah


In this episode, Steve has a conversation with Chirag Shah. Chirag is the Global Security Officer and Data Privacy Officer at Model N, a publicly traded software company in San Mateo, California. Chirag is a security and technology leader with over 24 years' experience building leading-edge information security, security compliance, and IT & network initiatives from the ground up. He is an inclusive leader with a passion for information security management, cooking, and continuous learning.
 
Steve and Chirag discuss his career journey and the evolving role of the CISO. He emphasizes the importance of integrating the security program with the business and providing value beyond technical aspects. Chirag also highlights the role of the CISO in the boardroom, particularly in mergers and acquisitions, and the need for transparency and accountability. He discusses the expanding responsibilities of CISOs, including AI, DEI, and privacy regulations. Chirag also touches on the role of a chief identity officer and the importance of ethics in cybersecurity.
 

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

Takeaways

  • Integrating the security program with the business and providing value beyond technical aspects is crucial for the role of the CISO.
  • CISOs play an important role in the boardroom, particularly in mergers and acquisitions, providing guidance on security risks and compliance.
  • The role of the CISO is evolving with the rapid adoption of AI and the need to balance it with requirements like DEI and privacy regulations.
  • The expanding responsibilities of CISOs include overseeing ethics, privacy, and identity management.
  • Transparency, accountability, and a risk-based approach are essential for effective cybersecurity leadership.
  • Ethics plays a crucial role in cybersecurity, and organizations should prioritize awareness, training, and the integration of ethical considerations into decision-making processes.
  • AI can significantly enhance data security strategies by automating routine security tasks, improving threat detection and response, and providing predictive analysis and behavioral analytics.
  • Monitoring and auditability are essential in AI-driven tools to ensure fairness, credibility, and accountability.
  • An MBA in cybersecurity leadership can provide a comprehensive understanding of various business functions, enhance business acumen, and facilitate collaboration with other departments.
  • Continuous learning is vital in both cybersecurity and business landscapes to stay current with emerging trends and develop expertise in areas such as privacy, compliance, and regulatory matters.

Timestamps

09:07 The Role of the CISO in the Boardroom
23:55 The Evolving Role of the CISO
33:25 Enhancing Data Security Strategies with AI
43:06 The Value of an MBA in Cybersecurity Leadership
52:49 The Need for Continuous Learning in Cybersecurity

 

Transcript

Steve (00:00):
Chirag, welcome to the Candid CISO podcast. I'm so grateful that you're taking some time today to chat with us about your experience and your wisdom and insights with the CISO community. So with that out of the way, thanks for joining.

Chirag (00:14):
Thank you for this opportunity. Appreciate it. Thank you for the time.

Steve (00:17):
I got to learn about you that like me and my family during the covid years, a lot of us spent time around our kitchens and some of us taught ourselves how to cook, and I learned that you like to cook too. So I'm wondering lately, what is it that you're trying out? Have you learned any new recipes or what's your favorite thing to cook in the kitchen?

Chirag (00:39):
I cook a lot of Indian food actually, and they're a little complex recipes; Indian food has a lot of masalas. You probably have curries, so there's a dish called paneer butter masala. It's like a masala with the different spices together and there's a tofu that we call paneer. It's made out of milk. I prepared that and I learned to actually cook it better over the time. Of course, there's other food preparations that I made for the family and my kid loves this tofu dish that I make, so it's more a Chinese Indian fusion dish and that has worked out pretty well. I learned a lot during the Covid time actually being at home. Yeah, there's a lot more to learn. Of course. I'm not a chef yet, but I'm learning and that's a journey. It's a great opportunity when you're at home and you are near the kitchen, but then you're putting on a lot of weight also.

Steve (01:58):
But it's good to have cooking skills to get us by in life. I appreciate that. The complexities of Indian food. I've enjoyed that too. My goal for this show and of our conversation, I'd like to just learn a little bit more about your background, your career journey and how that prepared you for your current role as the global security officer at Model N and then how would your 19-year-old self feel about where you're at in your career, in your accomplishments at this point?

Chirag (02:28):
Absolutely. It's a very interesting question. Very good question. The 19-year-old part, but I'll start with the academics and give you some highlights of where I come from. So in around 1992, '93, around that time, I actually immigrated from India and started learning about the system here, academic system, educational system. So I got into a computer engineering program at the University of Illinois in Chicago doing my bachelor's there in engineering, software engineering, information technology, network engineering. I started my journey, academic journey there to get into the first job ever as a network engineer. This was in Chicago and doing networks and systems engineering. From there on, I worked for an organization that actually required compliance. They required the regulation or standard compliance. So there were auditors who would come and ask the questions about network engineering and provide the evidence and provide these controls. So that's where I had an interest of getting into the compliance audit world, security compliance, why the frameworks are required, why the best practices are put together.

(04:01):
This is around the time it was early time for security and compliance. If you really look at it Noel time, and it was just starting. People were realizing how important security is and the audit world was just getting established. So from that time I got into a compliance audit world, so changing the seat, sitting on the other side and being an auditor, I worked for financial institutions and did the audit for NCUA National Credit Union regulation and worked for many different credit unions as a compliance auditor. And from there on I gained experience into the security side of the house, architecture and how the data protection world worked and what the requirements were for meeting the compliance technical requirements. So overall, my background and career journey have prepared me for the role of global information security officer, but it was never an intent actually to get to this. And I'm very fortunate enough to have an opportunity to work with some real great mentors guiding academically as well as professionally in my career where they gave me insights into what it looks like, how this world looks like and what to expect and all that. My 19-year-old self would probably be amazed and be a little intimidated by the idea of becoming a GSO or a CSO.

Steve (06:00):
I love it. I love that. That's an honest answer.

Chirag (06:06):
At that age, I was just beginning to explore my interest in technology and cybersecurity. It was just a new thing. Specifically technology itself was a new thing to me coming out of academics and a bit overwhelmed by the responsibility and level of expertise required for such a role. I would've been overwhelmed for that and I think my younger self would feel a mix of pride and disbelief also for achieving such a significant career milestone. I never thought that I would be an information security professional. I was always a software engineer by heart. That's awesome. Worked in the engineering field and I was always a guy who would code and fix networks and from there on to this journey, it's really, I respect, of course you have to give respect and honor to my guidance, my academic guidance, my mentors, my people who I look up to and they gave me the right path and I'm really thankful that I'm here.

Steve (07:23):
Well, this is your opportunity to give back and I think I'm appreciative. I'm not a CISO, but I love supporting them and hearing from them. And I think one of the things that was interesting about your profile, Chirag, is that you provide security leadership, global security leadership for a public company. We don't need to go into the details of the recent acquisition unless that's part of your story, but I'd like to dig in a little bit on your responsibilities beyond the stereotypical red teaming and cybersecurity. Most people trying to break into cybersecurity might do so because they like the technical part of it or the blocking and tackling or they're very technical, but they might not have a full appreciation for all of the other things that you do. So I'd like to hear from you about that.

Chirag (08:14):
This is very interesting overall when it comes to a public company, when the company is working towards quarterly goals and you have a checkpoint, and that's where compliance and regulatory oversight becomes very important. Risk management becomes very important. How you build the relationship upwards, making sure that there's a cross-functional collaboration and you're not just a security guy, you're not just a technical guy, now you're actually bringing the enablement for business. You are providing the value to the business, ROI metrics and reporting, a risk-based approach showcasing how you are moving the needle, right? You are moving the score of security to the next level. So enhanced oversight and governance is very important. Board level advocacy for cybersecurity investments is very important. You are speaking the right amount of information, what they like to hear, what you are speaking about risk. You are giving the transparency about the program and how to mature that security program because security is kind of like a journey and you are always getting there, and faster response to cybersecurity incidents.

(09:47):
You are tackling the risk, the most severe and the highest priority risk you're tackling, an improved risk management program and showcasing that what they've invested is giving them the return, whether they're resources or tools or technologies, and giving them, sometimes you have to give them a culture of compliance. Also showcasing the expertise on regulatory requirements and telling them that this is where we need to go, because compliance is also, you're regulated by let's say SOC 1, SOC 2, AICPA compliance. But then you want to move that also. You want to move the compliance and the maturity of that. It brings the business. It's not just about regulatory requirements, it's also a sale or business or product sell, right?

Steve (10:47):
Once you layer in all of these other responsibilities that you have above and beyond red teaming or cybersecurity technology, I hope it is to some because compliance is almost kind of a boring subject who grows up wanting to get into compliance or wanting to be an accountant. It's either an acquired taste or it's something that you just take on either accidentally in your case you landed there from your role going from networking into compliance, but then you have these other areas, right? Metrics and reporting like who wants to spend their time tracking metrics and doing reporting and being measured on improvement.

(11:36):
And the point of this series of questions is around highlighting the level of discipline and focus and more of a generalist in cyber and business. And we're going to get to the business aspect of this a little bit later too, as there's some interesting things in your academic background where this became a bit more intentional and less accidental. But before we go there, you've seen this firsthand because I think human nature has a way of limiting their visibility to not much beyond their current surroundings. So you end up working in silos, which doesn't always result in great security. So given the longstanding siloed nature of cybersecurity, how can the role of the CISO evolve to better integrate more broadly with organizational strategies and objectives?

Chirag (12:41):
Yeah, I think very first and most important I think for a CISO or a security leader is to integrate the program with the business, not become a silo. That's the very important thing because you need to be able to provide the value to the business and not become just a tech team or compliance team or security team. That's the very first thing. The second is how the leadership and management of it showcasing the requirements and also not being police all the time, right? Traditional security is all about policing and we want to come out of it, giving them an opportunity to talk about what are the ways to partner with them, right? With different teams. Consider organizational needs and balance business with the technical skills. You can't solve all the problems at all time, but what are the top most important things that we can solve together and how do you manage those in alignment with budget, with regulatory requirements as well as risk for the business.

(14:10):
Sometimes business need to adopt certain set of risk because that's how they do the business, but that's how they conduct the business. So how do you actually align the risk and prioritize your items? It's very important. Innovation kicks in. Also automation and innovation in security world. Also, there are a lot of practices that we do. It can make things a little bit more lengthier for other teams like application security and DevOps and areas of designing vendor security assessment work. People want to onboard business, want to onboard vendors right away because they want to progress far. So how do you automate that? How do you make sure that you are running with them and not just walking and provide that transparency. The requirement transparency is very important. Accountability and liability and figure out under responsibility, accountability, liability, and showcase the privacy and ethics. You have to be very honest to the core of what you're doing and also showcasing what if you don't do this? This is what the risk is. Let's identify the risk and put it out there and see how business can take that risk or rather approach it with the different angle altogether.

Steve (15:47):
One of the prerequisites to being on this podcast was you had to answer the question, what does being a candid CISO mean to you? And I was just reviewing my notes. You talk about transparency, the need for transparency and acknowledging both strengths and weaknesses. And as an observer and having talked with and worked with alongside multiple CISOs, I get a sense of that too, where if you have visibility into weaknesses, it's not something that you sweep under the rug. I think that you nailed it, right? You have to have a radical honesty or candor about it and freedom to openly discuss it because on one hand it's about compliance, and then the other hand it is about innovation and enablement. The hard parts. The easy parts are, hey, we can buy the vendor stuff, we can automate the things, but what if there are anomalies or what if there are things that are we just don't know about?

(16:41):
Right? And you made some interesting comments about boardroom participation and the CISO's presence in the boardroom and from leadership. We're going to talk about CISOs in the boardroom, your experience and your opinions about that, and maybe your guidance about that, what works, what doesn't, and then from there, begin our descent into AI and data security, which I know you're an expert at, but for a few minutes, let's explore this, right? How does a CISO's presence in the boardroom strengthen a public company's capabilities, whether it's managing and escalating cyber threats or preparing for or executing on breach response?

Chirag (17:20):
I advocate that, and I think many of my CSO friends and also the professional network do advocate this, right? So if you look at the boardroom, the boardroom has multiple different cross-functional leaders. If you look at it, sometimes you will find marketing leaders or finance leaders of some organization as well as a CEO, and some are innovative leaders who actually provide the advising role for the board as well. A security leader is important in a boardroom, I believe, because it provides them the guidance on what the next thing is that we need to look at. Let's see, for an example, you have a merger and acquisition and you are doing a merger or acquisition. You want to make sure that what your debt is, if you're merging, if you're acquiring a company, you want to figure out what that company's security risk is and what they've gone through, whether they have gone through a breach, whether they've gone through their risk assessment, what are the compliance regulations that they've gone through and are they certified with any regulations?

Steve (18:30):
I could see that working both ways, whether you're acquiring companies or whether you're the acquiree.

Chirag (18:35):
Both ways. Absolutely. And that helps organization both ways also because now you are acquiring a company that already has the standards where you don't need to invest more into it, so you have a mature security program. If you are just going through that acquisition, you will learn that you have or that what you're claiming and what the money has been put together on the table is appropriate or not for that acquisition and mergers also, you need to figure out if you're merging with the company, understand what their requirements are and how are you going to align your security program with their security program eventually, it's all about governing and providing the best business value. We are all here for business, and that's what the company wants to do. They want to progress with acquisition or merger. And I do think that cybersecurity related leadership or governance or guidance is important for board to consider as one of the voice in the boardroom.

Steve (19:41):
CISOs more or less exist in boardrooms today. There is often bemoaning of the fact of maybe they don't have as much presence there or they don't have a direct line of sight there. They come in underneath the CIO and their voice can be diminished, but with increasing pressures and responsibilities from programs like AI or digital and privacy, ESG, can you predict and or recommend how the role of the CISO will need to evolve over the next several years with the rapid adoption of AI and balancing that with requirements like DEI and privacy regulations, everything's changing all the time. It's a complex calculus. How do you decipher all that and is life going to get easier or harder for CISOs in the next couple of years?

Chirag (20:31):
This is, again, a very good question in a way because it's an expanded scope of responsibility if you really look at it. We do overlap in certain areas when it comes to privacy, when it comes to integrated ESG initiatives and particularly in addressing cybersecurity risks related to environmental sustainability and social responsibility and corporate governance. We come in handy in many different ways in that area where emphasis on diversity and inclusion also goes into place and ethics and responsibility of AI. AI has been a huge new, of course, gen AI has been a new subject for many organizations. They're either launching it or they're building their own or they're acquiring tools and technologies that focus on AI and it's all about emerging technologies within the organization and addressing concerns related to more of a bias, transparency, accountability and privacy of data of information. And this could be not just business data, right?

(21:42):
This could be employee data also. Now you're talking about employees who give out the information to you when you are doing background screening and when you are actually giving them paychecks. And when you are sending out 1099s or any IRS forms, I do think we've been overlapping with privacy for a long time, since the privacy has been there in my organization. I manage privacy in alignment with the legal requirements, legal teams' requirements, but I think overseeing aspects of privacy, data governance and digital ethics is a very important piece. And I do believe that the expanded scope of responsibilities is going to come in a very near future and many CSOs will actually have those responsibilities in there.

Steve (22:41):
So now we have data privacy officers and you're the DPO for your company. And you touched upon ethics, identity and access management is also an expanding area for most organizations, and there's been some chatter in the conferences that I attend for a call for or a need for a chief identity officer. Can you weigh in on would that provide some relief to partner with the chief identity officer or do you see that as extra weight in the leadership for that expanded role?

Chirag (23:14):
Absolutely. I think it matters on to how big the organization is and what the requirements are, right? You become, as you larger the organization, you need more leaders to govern certain areas, and identity has been identity management and access control in cybersecurity is a huge actually piece. Some organizations may choose to establish a dedicated chief identity officer role or towards the identity and access management initiatives. That includes the authentication, authorization and governance of identity. I believe that it matters into how big the organization is, what your scope is, and how can you navigate with another officer When you have a leader, now you're working with the team and when you are working with the different teams, the strategy and alignment of your strategy with their strategy and their work streams do change, and that's where challenge may come.

Steve (24:28):
Where is the threshold do you think is the threshold? Does when a company becomes global or when a company becomes public, what is the threshold at which a company within the realm of cybersecurity and governance becomes so big that they either need to expand into having, well, for a data privacy officer, that's a requirement for GDPR. Yes. And then privacy and identity. Where is the breaking point and where's the inflection that a company could bring on that role?

Chirag (25:01):
Right, so ethics officer and identity officer, these are two different roles, right? If you talk about them. Ethics officer is a role about the ethical behavior, values and principles, and particularly it aligns with the culture of the company also, like how you're driving that culture. And I think it is a very, very important role if you really look at it from the security side of the house because we want awareness, we want the training, we want that ethics and honest people working, ethical people working in the organization where they're doing the right thing. Insider threat has been a bigger problem for many organizations and that just solves that problem. If you have the right strategy in managing ethics in the organization, data privacy, algorithm fairness and responsible AI deployment comes. Shadow IT itself is an example where companies have a little bit of silos and then now they're doing their own little thing and you don't know where the data is going or where the data is moving through the organization or that department. So I think some organizations may appoint an ethics officer to ensure that ethical considerations are integrated into decision making processes. I've seen that role more than the chief identity officer role.

Steve (26:36):
Really?

Chirag (26:36):
In my career. I've been at eBay where we had an ethics officer, but not a chief identity officer, although the identity management and access control was part of the cybersecurity, and we did have a leader but not a C-level leader.

Steve (26:55):
Well, it is said, I've heard it said that ethics is a better form of security and if you can solve that problem high enough in the value chain that you can address a number of problems before they occur. So I guess I shouldn't be too surprised about that. Yeah,

Chirag (27:10):
No, you're correct on that one. It solves ethics is we are dealing with humans, right? These are not robots. These are not program people. So now you are actually dealing with the culture and how you are spreading that awareness. And that's why specifically I believe in awareness program that actually touches people on day-to-day basis, like multifactor authentication is important. And why is it important? Because you banking and your bank also forces that. So there's a reason because no one wants to intercept that traffic. Same concept goes in the workplace. So now you're actually touching them personally and you're saying they understand why it's needed. Of course, you're not always dealing with the tech team. Tech would understand, but you're dealing with other teams who are in a different role, then their learning and their awareness is a little different.

Steve (28:10):
And the podcast that preceded this one, it's called the Non-Conformance Innovation podcast. I had Rob Chesnut, he was the chief ethics officer at Airbnb for a time. I had a good conversation with him. And this exploration for me occurred when I had interviewed Davi Heimer and I first he mentioned, and I heard that that saying that ethics is a better form of security, and that was about 2019, maybe 2020. And my mind is if Davey ever listens to this, thank you, Davey, because I think this idea is so big for me that if you can solve these problems high enough in the value chain that it's a better prescriptive formula than playing police all the time. Absolutely.

Chirag (28:52):
Absolutely.

Steve (28:52):
You do need those things, but you just need to hire the right people and decide doing the right thing is important as well. So I mean there are other podcasts on that. There's other conversations we could have, but it wouldn't be a podcast episode if we didn't talk about ai. And I want to combine that with data security and governance, which I know is an area of expertise for you and something that's near and dear to you. So AI is anything and everything to anybody. It could replace jobs, it could be a copilot, it can accelerate, it can create confusion. I'm wondering from right now, your perspective, how do you see AI enhancing data security strategies and what governance challenges might arise from their adoption and integration?

Chirag (29:37):
AI? It has been an amazing topic. I've been following these AI data security strategies for a while now. It has a potential to significantly enhance data security strategies by enabling organizations to detect and respond to threats effectively. Now, that's one of the things that I always tell my team here as well. Automate routine security tasks and do the best. This is something that we come up with and if the tools have the AI built in and if the tool can automate routine security tasks and improve overall cybersecurity posture, nothing like it, you are actually knocking out a complete process. And if that process is knocked out and given to AI and then now you have supervision on AI, you are doing other complex things and better things. To some ways in which AI can enhance data security strategies, I believe that threat detection and response is one area. AI powered tools can analyze large amounts of data in real time to detect anomalous behavior and identify potential security threats.

(31:03):
I've seen some tools, actually some concepts, not yet a hundred percent working tools, but the concept is by using machine learning algorithms, these tools can learn from historical data to continuously improve on the threat detection capabilities and respond to emerging threats proactively. And that is one of the big things actually in our world. Incident response and the monitoring aspect is a big deal because you're getting tons of data, terabytes worth of data, and how do you parse it as a human? It's next to impossible to do it, and now you have these tools that can actually look at historical data, also figure out what's new coming in and learn from that threat to educate the world that this is the new threat that's coming in.

Steve (31:58):
Are you saying that, do you have folks in your SOC right now? Is this the most logical way to start within cybersecurity governance as hey, let's provide these tools to the SOC team to help them navigate alerts or triage or filtered data? Is that the high value use case right now within the security team or within automations?

Chirag (32:21):
I do believe that automation is not just limited to the security team, right? You have application development teams and you've got integration teams. You've got deployment teams. There are many different ways to actually achieve a faster business outcome. If you just ask about the security, I do believe that it's going to help. Am I investing in IT or investing more time and effort in figuring out the automation of security operations? Absolutely, because it gives me a predictive analysis, right? It also gives me behavioral analytics and AI can predict what the future security incidents are by analyzing historical data, what's going to come to you if you're in a certain type of business, and if you continue to get targeted by certain risks and now you know that this is repeated, and how do you tackle that repeated risk? How do you block that historical data as well as identifying trends and patterns that may indicate potential threats? I think that's important. And automation is always important in streamlined security operations: day-to-day tasks, threat triage, incident response and policy enforcement, looking at policies. Now you have built a set of policies. How do you look at those policies and say, okay, AI, align this with my execution. Let's say change management. Change management applies throughout the organization. Now if you have a tool that can actually learn about your change management practice, now you know where to put the blocks or a second set of eyes to make sure that people are not doing wrong things.

Steve (34:10):
If you have automated access decisions, do you require auditability or explainability or visibility into how access decisions were made? Is that germane to what you're trying to achieve in a balance?

Chirag (34:24):
No, absolutely. It is one of the most important thing. You can't just give something to ai, and it's not just about business outcome, but you have to have monitoring aspect of it as well, which is the logging and auditability and bringing the best business value out of it. And that's where I was actually going into the bias and fairness of you have to be very truthful to yourself about does it really work for me? Sometimes it may not work, depending upon size of the SOC and your business, it may not work if you have a global presence and if you have direct exposure to the world, like sites like amazon.com and Google, they have direct exposure to the world. Now, your threats are probably multiplying in that sense that companies who are doing domestic work or something that is not international or not global,

Steve (35:35):
Do you have metrics in place, and if so, what kind of metrics or monitoring do you either have in place or are you thinking about in terms of achieving the fairness and making sure that AI doesn't get too far out of bounds on the kinds of automated decisioning it's making on behalf of your team and your policies?

Chirag (35:57):
Yeah, so it's about measuring, identifying and mitigating biases in AI-driven tools; sometimes, ensuring fair and credible treatment of individuals is important. Now you are dealing with the machine that actually spits out the information. And for that, when you are looking at a particular tool or technology, looking at it and providing that supervision and taking accountability for what you have put together, sometimes you have to create boundaries for this AI to go into certain areas and not cross that boundary. That's why the walled garden is very important, and that walled garden needs auditability, that needs recording, that needs metrics: how much is it trained, and does it really require that much training, or is it going beyond what you have actually given to this tool? And that's what we all need to look at.

Steve (37:08):
Well, I know one of the things that you mentioned in the planning for this episode is your belief in continuous learning. And so I want to, in one of the early episodes of this podcast, and maybe I'm biased because I'm just completing my MBA and I really believe in, I tell my daughter and everybody that entrepreneurial skills are life survival skills. I love them. And having spent quite a lot of time in the cyber and identity space myself, I just regret that I didn't do this 10 years ago. But you seem to have thought about that more opportunistically and strategically than me because you have an MBA; you did this much earlier in your career than I did. You have a master's degree in cybersecurity leadership. Your undergrad was in computer engineering. So I'd like to hear from you. I mean, I can assume and try to figure out, but I'd like to just hear directly from you, what has the MBA added to your career in cybersecurity and cybersecurity leadership and also in your current role as the global security officer and data privacy officer at Model N?

Chirag (38:23):
This has provided tremendous value to my, not just professional learning, but also my understanding of how the business works. Actually, being an engineer is one thing. You are dealing with the technology and you're dealing with the security. You are trying to protect the data. You understand that world. Now, business acumen is very important. The MBA gave me a comprehensive understanding of various business functions, including finance and marketing and operations and strategy. Now, when you are doing an MBA, you are not just a tech guy in one department. Now you're actually combining these departments together. Now you understand why finance is doing what they need to do, why accounting is doing what they need, why people operations, and why marketing is doing this, right? Why business functions are put this way and why sales is important and what they're doing is important. So it's about a broad knowledge base that enabled me to understand the business context in which cybersecurity operates. I exist in this context because the things around it need to function together, and what alignment we need to put together along with other teams or other departments. Now, if you look at it, strategic thinking, leadership and management skills, these networking opportunities, that's another thing I learned a lot. And I actually have some mentors and guides who are giving me a path.

(40:07):
One of my professors in cybersecurity leadership, they host networking events. And I go there just to meet people, and I learned a great deal of information. I do believe that cybersecurity is different per industry. Also, sometimes you're dealing with PG&E, which is a utility, to an e-commerce company, to a company like life sciences and a high-tech company like us, and hospitals, Kaiser. Now the cybersecurity practice is absolutely different. In a way, their strategy is different, and how do you actually, but at the end of the day, your target and your goal is the same: to protect the data for the organization, protect the data of your employees and make sure that you are continuously driving or providing the business value. I learned a lot from the networking opportunities.

Steve (40:57):
Did you read the book called The Goal by Eliyahu Goldratt? That was one of our readings. I don't know if every MBA program requires it; it's a dramatization for ongoing improvement. The audio version of that was so amazing. But in terms of your agility, instead of speaking out against finance or being the police to finance, with an MBA you can actually sit with finance and understand, hey, we're trying to do this because we need to show improvements quarter by quarter. And if their motives or incentives are aligned to show improvement, but they don't have it, are they going to cook the books? So ethics comes in, compliance and integrity, data access control. So we don't end up with another Enron on our hands. And so I truly believe, but I'm biased, I'm the host of this show. So I wanted to hear from you, how would you advise upcoming CISOs, maybe deputies or first-time CISOs, to prioritize their education in business versus just following a traditional cybersecurity and cybersecurity leadership path?

Chirag (41:55):
Yeah. Now this is a loaded question actually. Yeah,

Steve (41:58):
It's a loaded question to be honest. I'm not naive about it, but I want to expand upon, go beyond the obvious if it's possible.

Chirag (42:06):
Absolutely. So yeah, the very important thing is to assess your career goals. Where do you want to be? That's most important. One, long-term career goals and the type of roles that you aspire to in the cybersecurity field. If you envision yourself in a leadership position as a CSO or other executive, prioritizing that education in business and management may become beneficial. So it's important for you to assess your career goals, figure out what your current skills are, and take stock of your current skills and expertise in both business and cybersecurity domains. You can do that. Identify areas where you have strengths and weaknesses and where you can improve, and prioritize education and training. And that's what I did, from my example, my experience. I had no idea what the actual finance and business and marketing teams did before that. Of course, high-level information. But when you're learning that subject academically, now you know how deep that subject is and how it actually helps the organization as a technical leader. Now you make sense of, if I'm asking for this tool, there's a value behind it, and that value is a dollar figure, and the finance team is going to look at it this way, and how do you present that, right? And how do you make sure that they understand where you're coming from? So it's a very important role. It's balancing business with the technical skills, and that balance between business and technical skills, they're essential for success, right? As a cybersecurity leader, you need to have an understanding of how the business functions, how the departments function.

Steve (43:45):
I just hope that people think a bit more to challenge themselves and improve their agility and overall the breadth of their capabilities, which is, don't be a one-trick pony. You talk about, I have two more questions if you have just a couple minutes. Sure. You talk about several times having a mentor. I wonder, how did you find this mentor? What has been the perfect or the ideal mentor for you in terms of, are they a complement to you, or do they provide the business and something that you lack, or are they just someone who's gone before you and has helped you along the way? What is that ideal mentor and how have they enhanced, provided value?

Chirag (44:24):
The ideal mentor to me is who is honest with their opinion, and they bring both sides of the skills; technical skills and cybersecurity experience are important. But I do believe we are part of the business. We are not standalone cybersecurity as a department. I like to work with the mentors who guide, give me that business side of the house information also on how to navigate that. So it's more of a collaboration. How do I communicate certain aspects of security? How do I bring in strategic partnerships within the organization itself, inter-organization partnerships where I can have other leaders combine, they understand my vision, they understand the strategy. So all these aspects are not just about cybersecurity, it's about business acumen. It's about learning how to work with people, and sometimes it's not even business. It's about learning how to work with people and navigating that and what is going to go well. And giving that guidance of being flexible and being respectful and humble about yourself and honest about your opinion is very important to me.

Steve (45:39):
That's golden. That's brilliant. Thank you for sharing that. And last question, in terms of your continuous learning journey, what interests you over the next one to three years? What are you interested in learning more about? And maybe what other areas that we haven't touched upon would be vital for CISOs to learn and gain a mastery of as they wish to move ahead and move forward in their career?

Chirag (46:04):
Learning is an ongoing process for me. So when someone asks, what do you do? I say, I learn. And that's what I do. I'm learning, continuous learning, whether it's cybersecurity, business development, business management, being a leader, I learn. And both business and cybersecurity landscapes are constantly evolving. You see AI, AI getting into business, not just from the technical side; businesses are using it, finance will use it, HR will use it. Many different business departments will use it. Learning and development opportunities to stay current with the emerging trends, business trends and technology are my most important priority. I want to continue to do that, be that leader who is respected for the skills, but then not just about cybersecurity skills, but about experience and being a regulatory expert in privacy and compliance and also cybersecurity, of course. So these are some areas where I do believe I want to continue to practice and develop myself. Continuous learning and development opportunities are never-ending, actually, in this world.

Steve (47:14):
I appreciate you taking the time to talk with me on the Candid CISO. I feel like I've learned just from hearing you, and I hope this is enriching and helpful to anyone who happens to listen. But thank you again for your time. Thank you so much, and thanks for coming on the show.

Chirag (47:30):
Appreciate the time. Thank you so much for the opportunity. Have a nice one.


Chirag Shah

Global Information Security Officer & DPO

Global Security and Technology Leader with 24+ years of experience building leading-edge Information Security, Security Compliance, IT & Network Management initiatives from the ground up. An inclusive leader with a passion for directing innovative Information Security management that drives the bottom line, saving companies time and money. Optimizes security investments, mitigates losses from security incidents, improves customer retention, and supports executive decision making that reduces corporate liability.
Proven ability to recruit, develop, and retain top talent.

My Skills include, but are not limited to:

● Executive Business Coaching
● Leadership Development
● Strategic Planning
● Sales & Business Development
● Performance Management
● Team Building
● Global Security & Technology Management
● Compliance & Privacy Management
● Global Threat & Risk Management