Omar Khawaja is the Chief Information Security Officer for Highmark Health, and guest of Episode #76 of Task Force 7 Radio. He recently talked about the biggest challenges for CISOs in the industry today, what keeps him up at night, and how he deals with what has become one of the most stressful jobs in the country.
Khawaja joined host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, and co-hosts Tom Pageler, Chief Security Officer of BitGo, Inc., and Andy Bonillo, Global Head of Information Security for AIG, on Monday night.
Khawaja talks about the importance of leadership, how he manages his time as the chief executive of his organization, and how important it is to balance both tactical and strategic objectives with the limited amount of time he has every day.
Path To Becoming A CISO
But first Rettas asked how Khawaja got into cyber security. As he traced back his steps, Khawaja said he never once in his career stopped to say he wanted to get into cyber security, nor did he ever imagine running a security program for a sizeable organization. He got his BS in electrical engineering and took some classes in telecom, which is where he decided to focus on that side of electrical engineering, ending up at Sprint, then a startup, then in the networking space. It was exciting at the time, but he figured “there’s got to be more to learn.” He looked at the first intrusion detection system and figured “this will take me some time to figure out,” then a new technology came out, then the next technology came out, then the next.
Khawaja finally left technology and went over to the business side, doing technical marketing and consulting services. Every couple of years, his employers were going through the acquisition of security startups, and so on, but eventually he saw the opportunity with Highmark, which sounded exciting. So, more simply put, “I get bored and want to try something different,” Khawaja explained.
There’s never really a straight line to the pinnacle; there’s always a lot of pivoting, according to Rettas. Khawaja agreed, saying there’s no set path that says first you do A, then B, then C, and eventually you become CISO. It’s a series of “S” curves: “Our CEO says when you’re trying to get to something meaningful, there’s no straight point to get there.”
Bonillo said that you have to find that person that can help mentor you and give you different perspective and, “Omar was always that person for me.”
“Diversity is such a big part of being successful,” added Pageler. Whether you’re trying to be a CISO someday, or have a strong influence in any area, you want to find people of different perspectives. “The whole has to be significantly greater than just some of the parts.”
Bonillo explained that when you’re rolling out global projects especially, you need representation from different areas of the world.
Highmark Health has hospitals, physician offices and financial services, and it’s also a retail company with retail locations. So, Khawaja said that when they think about how to solve problems, they can’t just say “let’s look at what healthcare or retail is doing.” Each industry has different problems.
A Day In The Life Of A CISO
With the CISO role becoming one of the most stressful positions you can have in America (it used to be law enforcement), Rettas asked, “What does your typical day look like?”
Khawaja decided to start with his evening and then move to the rest of the day. In the evening, he is home by 6:30/7:00 to catch the tail end of dinner and put his daughters to bed. “When I step from the garage into the home, I have to switch it off (and not just electronics).” To do that, “I actually come home and the first thing I do is yell happy birthday, every day.” Khawaja explained that it puts everyone in a different mood.
“At that point, I’ve forgotten about every email, employee issue, tech issue,” Khawaja said and he will not go check email at night. “I learned that was huge. If I went on email before sleep, I wouldn’t sleep.” If the boss or anyone needs him, they have to send a text.
If Khawaja really needs to do something, he gets up at 5AM and does it … or 4AM, or 3AM. “But the moment I put my head down, I have to forget about everything.” Some other things Khawaja does to avoid ‘CISO burnout’:
- You need discipline to turn things off.
- If something is pressing, you can always start your day earlier.
- Take a meeting on the commute to the office. If there are no meetings, sit in silence, or listen to a podcast/learn something.
Once Khawaja gets to work, his day is pretty much packed with meetings. His team is now focused on one-on-ones. His direct reports have ‘ask the CISO sessions,’ where he meets with individual contributors. Last year Khawaja did 42 of those sessions. Why? “I thought things were going one way, my team felt a different way and there was a big disconnect. I needed to figure out what was happening at the ground level,” Khawaja said.
What Keeps A CISO Up At Night
Khawaja explained that what keeps him up at night is probably true for most leaders. One definition of being a leader: “the way we lead is by making decisions.” So Khawaja revealed that he questions, “Am I making the right decisions?” When decisions are based on gut, it’s hard to tell if you’re making them right or wrong, he said. So, he tries to shift to Excel and ask third parties, so those decisions aren’t based solely on gut feel.
Khawaja also gave valuable insight into the most effective controls he has implemented in his environment, how the talent war is affecting his attrition rate, how he attracts and retains talent for his organization, and how he prioritizes risk when dealing with third party business partners.
“What is the strongest control you have?” asked Rettas.
The single strongest control Khawaja has is the control that says “we’re destroying data, or we’re archiving data.” Secure destruction of data that is no longer being used by the business is crucial.
If you look at a lot of data breach investigations, including the breach reports published by Health and Human Services, those reports identify the cause of the breach. “Human error is more often the root cause than any other, so it’s a fair conclusion that we need to address and solve for the people, and that’s true,” said Khawaja. On the other hand, “if we invest in them and trust them, then we can turn them from biggest liability to our biggest asset on our cyber-risk balance sheet.”
Risk-Driven Vs. Compliance-Based
When it comes to regulations, Khawaja stressed, “Let’s be more risk-driven and not so much compliance-based.”
He explained that in all his years of working with regulators and customers, very seldom does he come across someone that’s unreasonable. “Almost always, we can arrive at what we’re doing and why it makes sense.” Every regulator now is starting to realize it’s all about risk and not “whether or not we have this control in place.”
Pageler said that we do compliance and regulatory because we have to, but we should think of it as a test to see if we have a good strategy from our core.
In spending time doing investigations, one thing Khawaja has found is, “the reason breaches happen is almost always because there was something simple or rudimentary that was missed.” Almost always there’s a compliance-mandated control that could have prevented it from happening. Organizations are very seldom actually compliant on the day the breach actually happens.
Pageler agreed, “We can’t rely on compliance to be secure.” Organizations have to be living and breathing security.
“If you think of being compliant every day, you’re fine, but if you think about it once a year, you’re in trouble,” added Khawaja.
Finding The Right Cyber Security Talent
When it comes to hiring the right talent, you “have to think about who is most excited to be there – they’re the biggest ambassadors.”
If you look at Khawaja’s calendar, he spends more time with employees than anyone else — “they are the single most important asset within our organization.” And you have to make sure you have the right talent and they’re in the right places.
Khawaja talked about how he reduced attrition:
- Focus on making sure you understand what drives people and keeps them excited.
- Ask about what’s not working – most of the time, it’s not that difficult to fix.
- Ditch what’s not working.
Finally, Khawaja talked about his journey of the organization’s Information Security Risk Management transformation program, which won the FAIR Business Innovation Award.
They knew the goal was to be more risk-based and not compliance-driven, but they weren’t sure how to get there. They looked at a variety of different standards, approaches and frameworks, and came upon FAIR. It was easy to understand, but also had some rigorous math behind it. In the end it:
- Gave a common language and culture we could use to talk to each other across the security department in order to be risk-based.
- Gave a way to quantify risk.
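The recap describes FAIR’s quantification only at a high level. As an added illustration (not Highmark’s program and not the FAIR standard’s own tooling), the Python below runs a simplified FAIR-style Monte Carlo: loss event frequency and loss magnitude are each estimated as calibrated minimum / most-likely / maximum ranges (modelled as PERT distributions), and the simulated annualized loss exposure becomes the common currency for ranking scenarios. The scenario names and ranges are constructed for the example.

```python
import math
import random
import statistics

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified PERT distribution (a calibrated min/likely/max estimate)."""
    if not low <= mode <= high:
        raise ValueError("need low <= mode <= high")
    if low == high:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + (high - low) * rng.betavariate(a, b)

def poisson_sample(rng, rate):
    """Number of loss events in one simulated year (Knuth's method; rate = events/year)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(lef, lm, years=20000, seed=7):
    """Annualized loss exposure per simulated year: Poisson(LEF) events, each costing a PERT LM."""
    rng = random.Random(seed)
    results = []
    for _ in range(years):
        events = poisson_sample(rng, pert_sample(rng, *lef))
        results.append(sum(pert_sample(rng, *lm) for _ in range(events)))
    return results

def summarize(samples):
    """Mean and tail percentiles of the loss distribution (what a board can actually compare)."""
    s = sorted(samples)
    pick = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"mean": statistics.fmean(s), "p50": pick(0.5), "p90": pick(0.9), "p99": pick(0.99)}

# Constructed scenarios: (LEF low, likely, high events/year), (LM low, likely, high in dollars).
SCENARIOS = {
    "stale data retained past retention": ((0.1, 0.5, 2.0), (10_000, 100_000, 1_000_000)),
    "third-party portal compromise": ((0.02, 0.1, 0.5), (100_000, 1_000_000, 5_000_000)),
}

def rank_scenarios(scenarios=SCENARIOS):
    """Rank scenarios by mean annualized loss exposure, highest first."""
    scored = [(name, summarize(simulate_ale(*est))) for name, est in scenarios.items()]
    return sorted(scored, key=lambda item: item[1]["mean"], reverse=True)

if __name__ == "__main__":
    for name, stats in rank_scenarios():
        print(f"{name}: mean ${stats['mean']:,.0f}, p90 ${stats['p90']:,.0f}, p99 ${stats['p99']:,.0f}")
```

Because the rare-but-severe scenario has a low event frequency, its median year is often zero loss while its mean and p99 dominate; that gap between "typical year" and "bad year" is what the quantified view surfaces and a questionnaire cannot.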
Rettas closed by asking about third-party risk. “What level of scrutiny and oversight is appropriate?”
“Here, I have some pretty strong opinions, because I’ve seen a lot of different approaches and most fail,” said Khawaja. “One thing we have to accept as a security community – questionnaires have almost no utility – I would say no utility at all.”
He encourages everyone to wean off questionnaires. “They’re not even worth the paper they’re written on.”
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.