A: I am Arun DeSouza, the chief information security and privacy officer, CISO and CPO in common parlance, at Nexteer Automotive Corporation. Here I pioneered an integrated InfoSec and privacy program, developed the long-range strategic roadmap linked to business objectives, and built a strong team from the ground up. I am responsible for a wide variety of services, including, but not limited to, strategic planning, identity and access management, incident management, privacy management, risk management, governance and standards, security operations, and training and awareness.
J: That's great, Arun, thanks so much for being with us today on Ivy Podcast. Tell us a little bit about your background. Where do you come from prior to this? You have a very extensive technology background. Can you tell us a little bit more about that?
A: Yes, absolutely. This is not my first CSO gig. I actually was a CSO, preceding Nexteer Automotive, at Inergy Automotive Systems, from 2003 to 2012, and those were the days when security was desirable, but it wasn't as topical and timely as it is now. So I have a long background as a CSO, but I've also got over 20 years of experience in IT executive management, in a variety of areas, almost exclusively in global roles spanning the Americas, Asia, and Europe. So I'm very strong in collaboration, communication and working in multicultural milieus. Also, I've been fortunate to win multiple industry awards, a couple of being the first global cyber ops over three inducted in the hall of fame for CSOs last year, and then also the Premier 100 IT Leaders award a few years ago from Computerworld. So I've got a pretty eclectic, diverse background. And, you asked me, the one thing that makes me tick is I like working with people across all areas of the company, but also across the enterprise ecosystem of vendors and partners as well.
J: Wow. That's exciting. And congratulations on all of your accomplishments. To shift gears a little bit, I want to talk to you about the best technology such as artificial intelligence, machine learning, RPA, and so forth, which are reinventing information technology as a whole. For you as an information security thought leader, how do you think these trends will impact your industry from an innovation standpoint, and what are your thoughts on the best strategies to adopt such technologies securely? Because I talked to a lot of executives almost on a daily basis and, yes, these are buzzwords, these words are everywhere, but they've been around for quite some time, just been labeled differently. It's great to talk about this, but implementing such technologies is a completely different game. Curious to get your take on that, especially from that security standpoint.
A: Yeah, absolutely. So just a little sidebar. AI, ML and RPA, for me, are three of the many charter technologies of what's today called the fourth industrial revolution or Industry 4.0. There are others of course, like cloud computing and mobile technologies, whatnot. And together, all these technologies really make this time in IT and security very, very fascinating, for both professionals and the business as well, because they're all game changers in their own way. And of course we are still awaiting quantum computing. Now that being said, AI, ML and RPA first, from a manufacturing perspective: they can help enhance efficiency and productivity by re-engineering and automating business processes and the manufacturing floor. So for example, on the factory floor in support of digital manufacturing, they can help reduce cycle time and deliver predictive analytics to enhance equipment reliability. In the cybersecurity arena in particular, AI and ML can help strengthen cybersecurity defenses by adding a new embedded layer to the security architecture, right, which can enact real-time adaptive control strategies. Now at a macro level, obviously in any security program, we talk all the time about the three main dimensions: people, process and technology. Right? Let's start with technology. It's important to put in place a coalition of technologies that are able to close the risk footprint and actually drive the business forward at the same time, enacting the balance between value protection and value creation. So along with that earlier, security architecture's important, training and awareness is huge, and so on. So really, business process re-engineering is also important. Having said that, I think the following guiding principles can help CSOs balance security and innovation resulting from AI, ML, RPA and other game-changing technologies like the cloud. First, business partnership, right? It's important for the CISO to work with the CIO to proactively align priorities between IT security and also the business, and then assess the risk and implement appropriate administrative, physical and technical safeguards. The second principle is convergence: deploy a layered security architecture, integrating data and applications. You've got to unify data management with identity and access management to foster innovation and protect security and privacy. Third, change management: drive and manage change in concert with IT and business leaders to leverage synergy in a wide gap in the stakeholder expectation. Adopt a proactive approach to IT change to foster innovation while yet balancing security and privacy. And last, but not the least, strategic planning: build a cybersecurity strategic plan with clear targets and strategic goals, supporting business objectives. And from time to time, be able to show progress to plan with key metrics and even executive dashboards. Does that resonate, Jahn?
J: Yeah, absolutely. And thanks for categorizing that in the different areas, it's easier to comprehend from that standpoint. So that's very exciting. You mentioned a little bit the different strategies and initiatives to foster this culture of innovation. And when we take that a little bit further, I want to talk to you a little bit about the culture of Federation. Tell us a little bit more about that concept and what strategies help you to foster such culture within your organization? 
A: Yes. Thank you, Jahn. Federation is a subject very close to my heart. And let me explain how I came upon this principle. Many years ago, it was around 2003, 2004, when I was very new to the CSO role after a joint venture, I had the opportunity to actually lead a security and infrastructure global transformation. So a multi-year project, and what's interesting and fascinating about it. Then I've worked really hard to put a business case in place. And without a nice presentation for the board, in Paris, France. And it was presented by, at the time, the DVP of IT there. And he presented to the board, but times were tough and they essentially said you can do this whole project two years. They're going to cut your budget in half. So from 2 million euros to 1 million euros. You can imagine my plight here. I'm like trying to sort of make my mark on the program and my budget has been cut by half. And so I thought to myself, and then I went out across the vendor ecosystem, whether it was software, professional services and so on, and had conversations with them and said, Hey guys, I need your help. And poor man, and to an organization they all came forward and they cut their prices. In relation to providing some concessions for costing, I would do white papers or case studies or even speak for them or take reference calls or whatever. And honestly, I was able to finish that project in two years. It was a very successful project, on the Network World enterprise, all storyboards as well as, it was a Baseline magazine case study and so on. And what I realized from that experience was the fact that Federation is huge because uniting for a common cause benefits everyone when the synergies and the payoff are really huge. And that's when I came up with the culture of Federation idea, and I'll talk more about that for a minute. Does that make sense? The backdrop. Because I didn't want to just throw it out there as to what is talking about it.
J: Absolutely. It definitely does make sense. And thanks for providing some examples, especially when your budget was cut and you had to think on the spot and try to figure out a strategy to adapt to that. I mean, that definitely can resonate with a lot of other executives in this space. 
A: Yeah, absolutely. And so now moving on along that premise. Federation has become one of the key principles by which I worked in my career across the enterprise ecosystem. And some of the guiding principles there are, first and foremost, focus on relationship management, one relationship at a time, one business department at a time, all across the globe, because at the end of the day, you can have the best vision and the best strategy, but if you're not able to rally people to the vision and the cause, it's not going to be easy. And a way to sort of oil that particular engine of collaboration is to drive it with one-on-one relationships; that has made a big difference in my career. Right? The next thing of course is a notion of air cover, right? One can design a comprehensive strategic plan, with all kinds of technologies, roadmap, and everything. But if you don't have the air cover, the business is going to be difficult to sell. Right? So therefore it's important to establish an information security and privacy council with business executives, because then they can take the common message and the goals agreed with you to their organizations. And then when the CISO speaks to the departments or functional leaders, it's not the CISO speaking, rather it's the business coalition, the management Federation in this example, speaking, right. And then of course, I stayed in passes as you build up the program, which is very important to build out a real Federation and a network of cross-functional agents across IT and the business. And then one of the things we do here at Nexteer is meeting biweekly to review key initiatives, progress to plan, and resolve issues with the Federation. Right? So this way you're being very proactive and checking the state of the union, if you will, every two weeks and then course-correcting or adding new initiatives on the fly as needed. And last, but not the least, it's very important for the CSO as an ambassador to attend business department meetings, to share priorities. And when one goes through all these different channels, one trait that I found very useful is a notion of storytelling, right, to influence people and try to get them to understand where you're coming from. Just kind of the example, I just started this particular deal on Federation.
J: Thank you. Oh, that was great. Thanks for those examples. You've mentioned a little bit about the kind of the evolution of the role of the CSO as part of, kind of the whole culture of Federation. And when we talk about that makes me think about from the, like the overall CIO CTO standpoint, anything that's technology related, those roles have definitely evolved in the last decade being more not so much of an order-taker and the supportive role to an actual business partner. Tell us a little bit more about, with an emphasis on the CSO, how did that role evolve and what do you see as the role of the modern day CSO and the organization? 
A: Yes. I started my CSO career in 2003. And in those days I think the CSO worked as a pure technical CISO. And it's pretty much like, you were not seen, you were not heard, you took care of stuff. And that was that, right. But then that was 2003 to 2007, roughly, but in the 2007 timeframe, I think then came the year of the business-aligned CISO. We started to work with the business and so on, and that has gone on for quite many years, but lately the evolution of the CSO has gone on towards the risk-focused CISO, where you're really thinking of enterprise risk, right, across all dimensions, actually partnering with the enterprise risk organization to make a difference, right? Because depending on the risk appetite and scale of digital transformation, various organizations are very important to pivot around risk. And the last evolution of the CSO is, I would say, the transformational CISO, where you're even a peer of the CIO and have the ability to drive change at the macro level. Now, the reality of it is, I talk about those foci areas, but you're never going to be able to specialize. You might be actually operating on all four channels at once because you've got to be able to drive change, manage risks, support the business, and yet drive your teams and enact technical change. But in my opinion, those are the four key pillars by which CSOs are measured today.
J: Right. Absolutely. Couldn't agree more with you on that. And to elaborate on that further, tell us a little bit more from your perspective, what are the different leadership traits that every CSO, every successful CISO shouldn't have, based on kind of that evolution of that particular role?
A: In my opinion, I think, our day to day, the winds of change in business, like the fourth industrial revolution and privacy challenges, connected cars and everything, are really allowing the CISO tremendous opportunity, in my opinion, to lead change. So therefore the CSO, the change leader and a business leader, has arrived to stay, and will continue to stay. And almost going in the area of transformational leadership, all the time, every day. And in order to see, to be effective in this role as a business leader and a change agent, I would say that the following guiding principles are very important: collaboration and communication, visioning and storytelling, relationship management, program management, negotiation and vendor management, and last but not the least, strategic cost optimization. And that's huge, especially in these tough times with the COVID, et cetera, the ability to go out and partner with our vendors, et cetera, to get costing concessions, to be able to fund your program and protect your team and drive the business forward.
J: Right. Absolutely. I especially like the last one that you've mentioned, strategic cost optimization is not necessarily what always comes to mind when we talk about information security or technology in general, but that definitely makes sense. So thanks for clarifying that. I asked that all of my guests and it's something that I'm very passionate about, the different trends and ideas in various industries and very entrepreneurial in nature. So, the question that I love, we can probably talk for the rest of the podcast episode about this, but from your standpoint, what are the different ideas and trends that excite you the most these days? What do you think is the next big thing from your industry standpoint? What are you observing? What are you researching? 
A: The winds of change are blowing through the world of work today, right? Macro trends such as Industry 4.0 and distributed work require that companies enact and accelerate digital transformation, powered by the cloud. The cloud is almost like the hub and the whole enterprise on the spokes or the really fever. Right? So along with the cloud, technologies such as artificial intelligence, machine learning, we talked about that earlier, robotic process automation, of course, but then blockchain it's computing, the internet of things, autonomous vehicles, connected cars are all helping foster innovation and competitive advantage. Right? So at the end of the day, what does this all mean? I see the convergence of the fields of information security, privacy, and enterprise risk. Right? So these areas of conversion, I think in some cases, the CSO, the leader reporters. Chief risk officer or the chief risk officer along with these three fields. But that's coming for sure. So knowing that this convergence is coming either at an organizational level or the federated level, this will establish identity as a cornerstone for secure delivery of digital applications and services, right? The notion of any time, anywhere authorized access, because in order to drive the business forward, especially in the seat of remote work, identity is huge. But also zero trust and software-defined perimeter to complement identity is very, very important as well. Right. And the last thing that I think really fascinates me, Jahn, and you may have heard of it, is the notion of self-sovereign identity, the ability for each individual to own and control their identity without the intervening administrative authorities. And this is also powered by blockchain. So there's so much going out there. And so, all of these technologies really sing out to me and I think can help companies make a big difference.
J: Right. Absolutely. No, that's exciting. And those are definitely the trends that I'm seeing just in general in IT or in technology in general. So that's so great, exciting, and we're all excited to see what's going to transpire, especially this year with 2020 behind us. And it's almost like the last year 2.0 that we get to relive that all over again. But with the kind of, with a different outlook onto answer. So thanks for clarifying that. To shift gears a little bit, I want to talk to you about something that I'm very passionate about and something that we at our company specialize in, where we partner with organizations to help not only with very complex projects from a software development or information technology consulting standpoint, but also to help find the very niche talent, whether that's in cloud engineering or data science or information security. So from your standpoint, tell us about your strategies that really help you attract and retain the top talent in your field.
A: So the first step is to build out a detailed services and competency framework, with the skills needed for each role in the group, and also how to include that in a strategic hiring plan. And this framework should of course be reviewed and periodically updated as your service delivery model increases and expands. It can also be used for career pathing and succession planning because the skills are skills, but the framework and the basis for evaluation is very, very important. Having said that, once you have that framework in place, then the following steps and strategies can be used to manage and develop talent. First, define an appropriate mix of in-house and outsourced services. Right? One of the things I'll always say is if it's a core service, keep it in house, or if it's a non-core service or the staff risk is very high. Also set an example, being firewall management, right? It's a core service. However, it's very hard to get down to firewall. So maybe you can also then of course, with your own team, conduct cross-training across service tiers, right? Because you want to have each member of the team be able to support different services. We want generalists, not specialists, right? Utilizing managed services to the extent possible based on the budget and your ability for risk burbs of the provider services. And I can't speak enough about this: leveraging training and development and succession plans, because every quarter, every month, you've got to look at your delivery profile and your skills framework to make sure where are the risks and make sure that you're covering them appropriately, and you've got a pipeline in place of talent, right? We spoke about this earlier, the notion of strategic cost optimization, especially when times are tough. Like now it's very hard to fund new roles. So the ability to negotiate cost savings to self-fund ketones and technologies, I think this is something that has to be front and center of a strong privacy and security program. And then developing what I call a grassroots talent pipeline, leveraging students and cooperative folks who can come in the summers or work for a semester, go back to school, and groom them. Not everyone you invest in will join your company or maybe be a good fit. This allows the opportunity to catch them early and grow them in the career. In fact, I have already done that a couple of times in my team. So I'm pretty familiar with that. And then identifying talent totally in space within the pipeline. Right? So for example, I'm on the board of the Cloud Security Alliance, Detroit chapter; we have outreach towards universities, so on, and we try to invite students to seminars and webinars. Of course now it's webinars because of COVID. But especially when it was in person, some of the students that come, they interact with some of the executives there, and we are able to see some of these, the kids that have an interest in security or cloud security, and able to tap them and assist them in the career, even be mentors for them. And then building affiliations with industry groups and universities to identify interested talent. So I would say it's a multi-dimensional approach, Jahn.
J: Oh, that's great. And it definitely makes sense, especially in the latter part where you talk about partner with education providers then in the colleges and universities, because these days it's a war for talent, especially when we talk about information security, cybersecurity, and a lot of companies, a lot of clients of ours that we see a trend where organizations necessarily take a little bit of a, it's an investment, where they take someone who has less experience, maybe less qualified, but exhibits traits such as willingness to learn and ability to excel in this particular field. And they take on that investment and they foster and they develop those resources internally within their organization. So that definitely makes sense. Speaking of which, when you interview your candidates, when you talk to potential team members to join your groups, what are you looking for in some of their responses? When you talk to them, what is your outlook on that?
A: I would say just the handful. Of course, the notion that they have some level of technical fit to the role is important, but like we talked earlier, and you mentioned correctly, it's important to have people who can grow and learn and catch them young, as I was saying. Right? So the four things that I would look for all the time, in addition to some sort of technical fit, is to demonstrate a good attitude and people skills. A good attitude is something you cannot teach; you have it, or you don't. And then as you noted earlier, they've got to have the desire to learn, grow, and rise to challenges. They should possess some proactive approach to developing new skills. And so if they already have some certifications or are pursuing certifications, this always helps me determine and identify candidates who already know that, especially in InfoSec law, learning and lifelong learning. And last but not the least, they've got to at least demonstrate that they have embraced continuous improvement with integrity and passion.
J: Absolutely. And that makes sense, from a standpoint, especially when we talk about, highly, very niche, IT talents such as information security. I'm pretty sure, they go through various levels of assessments, technical assessments before the interview with you and for you to be able to make the interview almost like an interpersonal conversation and to get to know the person, more kind of a lot closer as a person versus the technical skills. I think that also makes sense. And sounds like some of the strategies that really help you is to be able to open up the forum for the candidate to interview you as well and ask the questions and to see who is at the top, who is the leadership of that particular division within the organization? I think that's also very important. So definitely thank you for sharing that. When we talk about the current state of the industry or the industry that you guys are serving, or even your particular domain, what are your thoughts on some of the most in demand skill sets that are very scarce these days? Which ones are the most challenging to find for you? 
A: There are a few, let me take a breath here and think about it. So going forward, I think the following skill sets are going to be hard to find and already are. If we talk about in a minute identity and access management, security strategy and governance, cloud security, risk management, these are what I would call the strategic skill set side, and then the technical skill sets really are application development security, threat intelligence, incident response. And then of course, an overarching one, which is data privacy and security, and that's a pretty long list. But I think these are really very central to help enterprises navigate and walk that tightrope between value protection and value creation. Now, from CSO Online, literally a quote I can remember is, the cybersecurity labor crunch is to hit three and a half million unfilled jobs by 2021, three and a half million. So therefore, essentially all of these skills are hard to find. There's just not enough people, Jahn.
J: Right. Absolutely. I can definitely relate to that because we live and breathe that on a daily basis with a lot of our clients. And that's the biggest challenge when we talk about the very scarce talent, and a lot of the listeners who subscribe to Ivy Podcast are early stage career professionals also. And the questions that we get is, if you were to give a recommendation of what area, particular specialty fields in IT to go into, information security usually is one of the top, along with clouds and the data; those are the areas that offer extreme interest and very scarce these days for a lot of organizations. From a standpoint of you must stay up to date on a lot of the industry trends, a lot of the developments, you have to be almost ahead of the curve to be able to predict certain, particular threats or particular developments in this field. What are your sources of information? What are your sources for learning? What do you follow? What do you read? Whether that's a Twitter profile or a particular blog that you subscribe to, share with us your sources of information.
A: Sure, Jahn. So I do use LinkedIn primarily and Twitter also to share information with and learn from others. I also enlist in various peer groups like the Cloud Security Alliance. As I noted earlier, I'm on the board of the Cloud Security Alliance chapter. I attend seminars and conferences and possibly on industry trends and technologies. I volunteer my time and speak on panels or talks like this to also share information. And it's interesting because even when I do that, I meet people and fellow thought leaders as well. And I read like crazy and I've got Google alerts for various topics, et cetera. And of course I've a full day job, but using all these different channels to try to engage directly with people, virtually or in person when we can, and just keep up to date to the extent I can. And one thing is, I take the notion of lifelong learning very seriously. So, I've been a CISSP now for a few years, a certified information security and systems professional, by (ISC)². But just a few months ago, I actually went out and got an additional certification called the Certificate of Cloud Security Knowledge or CCSK by the Cloud Security Alliance as well. And I think it's just the balancing, sort of the softer way of doing it either through LinkedIn or through seminars, but also sometimes you just got to roll up the sleeves and take a deep dive into certification as well, because I've been working with the cloud for many years, but I can tell you, I learned so much studying for that certification, Jahn. I mean, it was really, really great for me. So all of that helps.
J: Well, that's exciting and definitely congrats on that achievement. I'm pretty sure that wasn't very easy. And you've mentioned that you read a lot, you read like crazy. So share with us. What are you currently reading? And what is one book that you always recommend to others? And why is that for the forced down?
A: I'm going to cheat a little. I will tell you that I have two favorite books and these are not technical books. So this isn't an autumn of people, process and technology released, speaking of the people and process dimension. I've talked a lot about change earlier, and it's sort of a setup for my first favorite book and it's actually called Fearless Change: Patterns for Introducing New Ideas by Mary Lynn Manns and Linda Rising. So this book illustrates many patterns of methods for implementing change in the organization, organizational teams of all sizes, and it provides great advice on how to use them successfully to enact change and, like I mentioned earlier, right now with the fourth industrial revolution and the winds of change blowing, these are skills that are really important to have. They've also written a sequel called More Fearless Change as well. So I would say that's a companion pack. And the second favorite book that I have is The Story Factor: Inspiration, Influence, and Persuasion through the Art of Storytelling by Annette Simmons. I think it came out in 2006, many years ago, but this seminal book inspires to use the art of storytelling to persuade, motivate, and inspire others across all aspects of life in books.
J: Oh, that's good. That's very exciting and thanks for sharing that. And for our listeners, we'll make these titles of these books available in the episode notes. And I can't thank you enough for your time today. I know it was a very short, but very insightful conversation for your lent expertise to us today. I'll look forward to staying in touch with you and perhaps we could do another episode in about a year or so, and see how much has transpired and have changed so much. 
A: I appreciate it. I thank you for the opportunities. It’s an absolute pleasure, please keep in touch.