Arun DeSouza is currently Chief Information Security & Privacy Officer at Nexteer Automotive Corporation. He has extensive global IT and security leadership and organizational transformation experience including as CISO and CIO. Arun’s areas of expertise include strategic planning, risk management, identity management, cloud computing and privacy. His current interests include the Internet of Things (IoT), Blockchain, Zero Trust, Software Defined Perimeter & Self-Sovereign Identity.
Arun earned Master’s and PhD degrees from Vanderbilt University. He is a Certified Information Systems Security Professional (CISSP) and has earned the Certificate of Cloud Security Knowledge (CCSK) certification. He was honored by the 1st Global Cyber Observatory by induction into the CISO Hall of Fame in September 2019. He has won multiple other industry honors including CISO of the Week, CSO50 Award, Computerworld Premier 100 IT Leaders Award, CIO Ones to Watch Award and the Network World Enterprise All Star Award. He is a member of the Society for Information Management and the International Association of Privacy Professionals.
Episode transcription:
Can you please tell us about yourself and your role within the organization?
I am the Chief Information Security & Privacy Officer (CISO & CPO in common parlance). I pioneered an integrated global InfoSec & Privacy program, developed a long-range strategic roadmap linked to business objectives and built a strong team from the ground up. I am responsible for delivery of a wide variety of services including but not limited to:
- Strategic Planning
- Identity & Access Management
- Incident Management
- Privacy Management
- Risk Management
- Governance & Standards
- Security Operations
- Training & Awareness
AI, ML, RPA and other advanced technologies are reinventing Information Technology as a whole. How do you think these trends will impact your industry from an innovation standpoint, and what are your thoughts on the best strategies to adopt such technologies securely?
These technologies can help enhance efficiency and productivity by reengineering and automating business processes on the manufacturing floor. For example, on the factory floor in support of the digital factory, they can help reduce cycle time and deliver predictive analytics to enhance equipment reliability. In the cybersecurity arena, AI & ML can help strengthen cybersecurity defenses by adding a new embedded layer to the security architecture, which can enact real-time adaptive control strategies.
The following guiding principles can help CISOs balance security and innovation resulting from these game-changing technologies:
- Business Partnership: Work with the business and the CIO to pro-actively align priorities, assess risk and implement appropriate administrative, physical and technical safeguards.
- Convergence: Deploy a layered security architecture integrating data and applications. Unify data management with identity and access management to foster innovation and protect security and privacy.
- Change Management: Drive and manage change in concert with IT and business leaders to leverage synergy and avoid gaps in stakeholder expectation. Adopt a proactive approach to IT change to foster innovation while balancing security and privacy.
- Strategic Planning: Build a cybersecurity strategic plan with clear targets and strategic goals supporting business objectives.
What initiatives/strategies have you implemented that contribute to building and fostering a culture of federation at your company?
- Focus on relationship management
- Establish an Information Security & Privacy Council with business executives
- Build out a federation / network of cross-functional agents across IT and the business
- Meet bi-weekly to review key initiatives, progress to plan and resolve issues
- Serve as an ambassador and attend business departmental meetings to share priorities
What ideas and trends excite you the most from your industry standpoint? Which ones are you looking to implement/invest in?
The Winds of Change are blowing through the world of work today. Macro trends such as Industry 4.0 and Distributed Work require that companies enact and accelerate digital transformation powered by the cloud. Technologies such as Artificial Intelligence, Blockchain, Edge Computing, Internet of Things, Autonomous Vehicles, Robotic Process Automation etc. are helping foster innovation and competitive advantage.
The convergence of Security, Privacy and Enterprise Risk will establish Identity as the cornerstone for secure delivery of digital applications and services, along with Zero Trust and Software Defined Perimeter. I am fascinated by the concept of Self-Sovereign Identity (SSI), which is a digital movement that recognizes that an individual should own and control their identity without intervening administrative authorities, and is powered by blockchain.
Tell us about your strategies to attract and retain top talent for your teams?
The first step is to build out a detailed services and competency framework with the skills needed for each role in the group; it should also include the strategic hiring plan. This framework should be reviewed and periodically updated. It can also be used for career pathing and succession planning.
Further, the following steps and strategies can be used to manage and develop talent:
- Define an appropriate mix of in-house and out-sourced services
- Conduct cross training across service tiers
- Utilize managed services
- Leverage training & development and succession plans
- Negotiate cost savings to “self-fund” key roles
- Develop a “grass roots” talent pipeline (Students & Co-ops)
- Identify talent early and strengthen the pipeline
- Build affiliations with industry groups and universities to identify interested talent
What do you look for in candidates?
- Demonstrate a good attitude and people skills
- Exhibit the desire to learn, grow and rise to challenges
- Possess a proactive approach to developing new skills (e.g. certifications)
- Embrace continuous improvement with integrity and passion
What are some of the most in-demand skillsets that are very scarce these days? What are the most challenging ones to find?
- Identity & Access Management
- Security Strategy and Governance
- Cloud Security
- Risk Management
- Application Development Security
- Threat Intelligence
- Incident Response
- Data Privacy and Security
Per CSO Online, “the Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021”. Essentially all these skills are hard to find at present.
What are your sources for information and learning? Share with us any sites/people to follow etc.
- Use LinkedIn and Twitter to share with and learn from others
- Enlist in various peer groups like the Cloud Security Alliance
- Attend seminars and conferences when possible on industry trends and technologies
What is one book that you always recommend to others?
I actually have two favorite books:
- Fearless Change: Patterns for Introducing New Ideas (by Linda Rising and Mary Lynn Manns). This book illustrates many patterns, or methods, for implementing change in organizations or teams of all sizes and provides great advice on how to use them to enact change successfully.
- The Story Factor: Inspiration, Influence, and Persuasion through the Art of Storytelling (by Annette Simmons). This seminal book inspires readers to use the art of storytelling to persuade, motivate, and inspire others across all aspects of life and work.
How do you see the role of the CISO evolving?
The CISO role has evolved significantly in this decade. Depending on the risk appetite and scale of digital transformation in organizations, the CISO role now spans across some or all of the following personas:
- Technical CISO
- Business Aligned CISO
- Risk Focused CISO
- Transformational CISO
Which leadership trait should CISOs develop and leverage? What does it entail?
CISOs should embrace and develop the following skills to lead change, which will serve them well in serving the business and digital transformation. The age of “CISO as Business Leader” has arrived to stay.
Embrace the following guiding principles:
- Collaboration & communication
- Envisioning and storytelling
- Relationship management
- Program management
- Negotiation & vendor management
- Strategic cost optimization
What are key pieces of advice you would offer other leaders?
- Embrace Change fearlessly
- Build and maintain trusted partnerships
- Manage priorities effectively
- Foster a culture of respect and trust
- Leverage communication and relationship management
The traits I have found instrumental are:
- Vision
- Collaboration
- Execution
- Results
How do we ensure that we are having a fair balance between promoting innovation from data and managing the risk and compliance aspect of it?
- Business Partnership: Understand regulatory impact on the IT Department. Work with Legal pro-actively to align priorities and support an IT business case.
- Strategic IT Roadmap: Build a strategic plan with clear targets and strategic goals.
- Convergence: Converge architectures and data. Centralize data for ease of management and compliance. This adds value and fosters innovation.
- Portfolio Management: Maintain tight portfolio management. Understand the whole IT change agenda to avoid gaps and overlaps and remain benefit focused.
- Third Party Services: Make appropriate use of third parties, using them where they can add maximum value, such as providing insight or specialist skills.
- Proactive Approach: Taking a proactive approach to IT change encourages, rather than stifles, innovation in an increasingly regulated climate.
How do you ensure that there is an effective use of data in an AI-enabled world?
- Calibrate and vet the system to minimize / eliminate bias
- Implement Privacy by Design and Privacy by Default (e.g. data minimization)
- Conduct a Data Privacy Impact Assessment (DPIA)
  - A DPIA is “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”
  - Accordingly, most AI systems would require a DPIA before carrying out any personal data processing. This will require a detailed assessment of AI systems from a data protection perspective, also with regard to the relevant security measures which are applied.
- Review AI vs. principles of Fairness, Purpose limitation, Data minimization and Transparency
Welcome to Ivy Podcast! On this Executive Leadership Podcast we interview top executives from Fortune 500 with a focus on strategy, innovation, negotiation and everything about leadership.