Want to know how to go from working as a software tester and release engineer to CSO for Colorado’s largest employer? Read on to see how Sameer Sait became CSO for Arrow Electronics, with stops along the way at Fannie Mae, The World Bank, and MassMutual, the biggest challenges in building a world-class security program at scale, and where he will focus his efforts in 2017.
My passion is to organize and energize the Colorado information security community as the mecca for information security. As I’ve worked in the community, I’ve been continually surprised at just how many fantastic individuals we have in the area and the wide variety of ways they contribute to the industry. So I set out to start meeting those people, and writing up those interviews for you to enjoy along with me. I am hopeful that one of these stories will inspire you to throw your own hat in the ring and take a chance by trying something new. Click the links below to read previous interviews in the series.
- Dave Navetta – Information Security Lawyer
- Chris Petersen – Co-founder of Boulder-based LogRhythm
- Johan Hybinette – CISO for Hosting.com
- Jericho – Founder Attrition.org
- Dan Wilson – Co-founder of Denver-based Accuvant
- Mike Kalac – CISO for Western Union
- Brian Krebs – Investigative Security Journalist
- Debbi Blyth – CISO for the state of Colorado
- Rob Eggebrecht – Founder of Intelisecure
- Alex Wood – ISSA International Board of Directors
- Andre Durand – CEO and Founder of Denver’s Ping Identity
- Lance Miller – Infosec entrepreneur
Sameer and I ate lunch at the restaurant within the Inverness Hotel. While I have had the pleasure of a number of previous conversations with Sameer, during this interview I had the opportunity to learn a lot more.
My questions are in bold, with Sameer’s responses paraphrased below.
**As a starting point, how did you get into security?**
I didn’t take a direct path to security. When I graduated college, I got into software development and testing working for a medium-sized product company called Remedy Corporation that is known for their helpdesk, change & asset management software.
It was during my master’s program that Sarbanes-Oxley (SOX) compliance became a hot topic. This got me interested in the whole IT audit, risk & security field. I started to focus on IT audit, risk & security and decided to pursue a Master’s in information security. After graduation, I ended up as an IT auditor auditing corporate IT systems, including, but not limited to, ERP, mainframe and web applications. What we quickly realized is that there are a lot of detailed technical controls that feed up into an auditor’s test plans. That got me really interested in risk management and security, and I ended up working in an IT risk management role that reported into the CISO at my next few gigs.
**Where were you doing that?**
I worked first at a company called TRW Automotive, which is a Fortune 200 company in Michigan. After that, I went to HSBC as an IT risk management lead. I did that for a couple of years, and then my first true security gig was at Freddie Mac. This was right before the housing crisis in 2006.
**Did you move for each of these jobs?**
Yes, I did. I did my Master’s at Carnegie Mellon in Pittsburgh, went to Michigan for a couple of years, went to Chicago for HSBC, and then to DC for Freddie Mac. I got promoted once while at Freddie Mac to a director role within Information Security. I left Freddie Mac in 2010 to join the World Bank as a contractor in their growing IT Risk Management practice. My first executive leadership position in security was in 2013 at MassMutual, a Fortune 100 financial services firm.
**How did you get that job, going from Freddie Mac as a director to MassMutual?**
I think coming from core financial services, having worked in DC where there’s kind of a mecca for security thought leadership, participating in security meetups, being a member of OWASP, ISACA, etc. helped. With the increased emphasis on risk, compliance and security, I was lucky to be part of the increased investment and support from executive leadership. For example, Freddie Mac’s security team grew maybe twofold from 2006 to 2010.
An additional aspect that helped me was putting myself in situations where I could learn and grow as an Information Security professional. I left a cushy gig at Freddie Mac as a director to join the World Bank as a contractor. My wife thought I was crazy – but my reasoning was if you don’t continue to learn and grow in this dynamic field, you’ll get left behind. The steep learning curve for me was learning the core technical side of security and at least being able to speak the same language as our engineering & operations teams.
When I was pitched the job at MassMutual, the first thing they wanted me to do as the VP of Information Security was build out a Security Operations Center (SOC). It was less about the title for me. It could have been Senior Director of Security at that point. I’d never had the opportunity to build something from scratch. Freddie Mac was established. It grew, but its core security functions were established before I got there. World Bank was established, but MassMutual needed to build a SOC. So I got to build something and work in a domain of information security that I hadn’t worked in before.
**So why the move to Arrow?**
While MassMutual was great, and I had the chance to run most of the security capabilities there, Arrow Electronics offered a global CSO role with additional responsibilities like identity & access management, investigations, forensics & eDiscovery. In my 18 months at Arrow I’ve been able to build a solid team. Part of it is Denver. Denver has a much deeper and broader pool of talent compared to Western Mass, which makes finding talent in Denver much easier.
The other piece is that Arrow truly wants to eat our own dog food. If we’re going to sell and distribute all these security products, we’re going to use them as well. We want to show the world, “Look how well that product works for Fortune 150.”
**I knew Arrow is Colorado’s largest employer but I didn’t realize you are that large.**
From an employee population perspective, Arrow is about 18,500 employees. What I didn’t realize was how global Arrow really is because of our broad coverage in distribution and value-added services. What makes my job interesting is two aspects:
- We have talented sales/solution engineers embedded in our business teams that can go toe to toe with our corporate security folks on product/solution capabilities. What is better than getting validation on our program strategy and roadmap from security product experts down the hallway?
- We have a number of small offices across the globe. How do we protect that 20 person office in country XYZ where unique data privacy laws may apply?
**What are your responsibilities at Arrow?**
My responsibilities include IT risk management (policies, standards, vendor, partner and application risk assessments), security training & awareness, security engineering & architecture, the security operations center (SOC), investigations & physical security. We don’t have an internal application security practice yet. Currently, we outsource a lot of this work but are looking to build that capability internally next year.
**Does your organizational structure align with those functions? How does your team look?**
I have seven direct reports:
- Director of security operations
- Director of investigations & physical security
- Director of IT risk management
- Manager of security engineering and architecture
- Manager of identity & access management
- Manager of training and awareness
- Manager of EMEA information security
**How big is the security team overall?**
29 people. We are distributed globally and are aligned with our business lines. For example, I have a security architect aligned with our global components business, one aligned with enterprise computing solutions etc.
**Yeah, business unit IT. Some of your security team members are embedded into the business units.**
Yes, which I think is good.
**Considering the size of the organization, 29 appears a bit low. How do you keep up with the security needs of a Fortune 150 company?**
The challenge is to not only keep up, but to be customer focused, think usability, and be on top of everything everywhere in a global company in 50+ countries. The truth is the only way that I’ve been able to succeed at Arrow is because we are embedding security knowledge into different functional IT teams, empowering them, training them, and including them in the same conversations when we define requirements, develop solutions and implement capabilities. For example, our desktop engineering team is actually quite strong from a security capability perspective when they look at Windows 10’s offerings compared to one-off vendors. They’ve done a number of proofs of concept with endpoint security providers and have given us feedback on what they think is more usable, less intrusive for the user, and more capable in terms of protecting against next-generation threats. We’ve been lucky to have that partnership.
The future of security teams isn’t getting larger, it’s creating champions outside security
I believe the future of security is going to be where the security team doesn’t need to get a lot larger to be able to accomplish their objectives. Instead, the push will be to create security champions across corporate IT.
**Does that mean you don’t plan to grow the team from 29?**
We are taking a slow approach to maturity. We want to hire the right people, show the value, and then grow where there is a need. We will mature from our current state of providing security services 8 hours a day five days a week (8 by 5) to 12 by 5, to 18 by 6, and eventually 24 by 7. The key is that we will do it by providing increasing value to justify the cost.
**So, what is your team focused on?**
Right now, and this is an apt interview with the CISO of Ping Identity, the two major initiatives for my team are implementing global standards around identity & access management and building a global security operations center.
The way I look at it, the future of Arrow security is going to be a reduction in some of the repeatable manual tasks and getting better visibility into employee, data and system behavior. For that to happen, we need to make sure we are spending based on risk to the company. Reducing manual tasks and improving automation is top of mind for me so that the security team can spend time on discovery, analysis and response activities.
**What are you most proud of accomplishing in 2016?**
Number one was the initial setup of a security operations center and realigning responsibilities. We had been a very reactive company where every single alert from any system would have VPs, directors and staff jumping on it because of the fear around information security.
Number two was getting a handle on our global standards and minimizing the number of silos between divisions and locations.
**Looking to the future. What are your 2017 goals?**
- ENABLING COLLABORATION SECURITY (Cloud & Mobility)
- ACCESS CONTROL OPTIMIZATION
- ENHANCING SECURITY OPERATIONS
First in 2017 is collaboration security, so enabling users to work securely, whether that means better controls for protecting email or protecting documents in the cloud, and moving employees from their own favorite cloud solution to the approved corporate choice. Mobility is a big deal because we’re a global company with a lot of people who are working around the globe. They’re traveling. They’re meeting customers. Our laptops need to be managed as mobile devices, so we should start thinking about how we protect that holistically in a global standard manner across Arrow.
**Do you have thoughts about the continuous drive to replace the old perimeter security paradigm with something new?**
Yeah, I see that change coming. Your storage is going to be online, your collaboration is going to be online, so you should be able to walk into an office, choose any desk, pick up any laptop, get your work done, sign off, wipe the device clean and walk away.
It goes away from, “Can I work from home once a month, or once a week?” to “Can I work from any building, any cafeteria, anywhere in the world?” Some companies are moving faster. Some obviously are not.
**One of my favorite questions for everyone I interview: What do you see other folks, your peers, doing that they should do better? Generally speaking, where do we need to be going that we’re not there yet?**
I think my peers in healthcare and finance firms are getting a lot of support from their boards and their leadership, just because of all the recent security events around healthcare records, compliance regulations, and finance obviously dealing with money. I think where my peers outside of those groups can probably do better is to sell the third-party risk related to vendors and partners. A number of us are getting more reliant on partners and vendors to do a lot of our core business operations. Getting your executive leadership and board to understand the impact to the company of one incident in your ecosystem is important, like what occurred very recently with Dyn (the DNS provider). Making the dependencies clear to senior leadership is critical.
The other piece, which I’ve learned coming out of financial services, is that we’ve got to really partner better with our auditors. A lot of good auditors understand the end-to-end business process you are trying to secure. I think once you demonstrate to your auditors that your team is focusing on securing the lifeblood of your company (the data, money, and other critical assets), they will trust your technical controls to fix a business deficiency.
(Author’s note: I blogged on this topic a couple years ago)
**What advice do you have for folks who are new, who want to get into the security industry?**
What I’ve realized in security, very different from traditional business roles, is that it doesn’t really matter where you went to school. What matters is your passion for the field and that you are able to learn on the fly. A lot of coursework is about events and theories that we discovered two, three years ago. It’s a little bit behind the curve. Networking, learning from your peers, and using all the resources available online to figure out what really drives you is the secret to success. A lot of people come to me and say, “I want to get into security like you did, through risk management and audit.” I don’t know if that’s a path for everyone. If someone is a computer science major, very strong in development, very strong in technical skills, the right path might be appsec. The right path might be a vulnerability analyst or a SOC analyst.
Further, taking the initiative to not get pigeonholed is probably the second best advice I can give. The thing that I did was I put myself in situations where, even though I wasn’t technical, I became a valuable part of an appsec team. How did I do that? Appsec is not just all about scanning code. It’s also about researching and understanding the vulnerability and being able to speak intelligently to it, and project managing the remediation activities. It is important to not limit yourself just because you are not technical.
It’s not always about the 18-year-old taking a class in security. It’s also about the mechanical engineer who’s thinking about securing an IoT device. It’s also about the developer, infrastructure analyst or desktop support analyst who wants to learn about security. I think we can leverage a lot of people who are moving sideways versus just moving up. It’s a lot easier, and you get paid better as well.
**I know you just moved to Denver a couple months ago, but you’ve been somewhat involved in the CISO community here in town for over a year. So far, what do you think about Denver?**
I think Denver’s got a lot of resources and talent to become a security hub. There is a push by the local universities to build specific majors around security. I think that the community is supportive. What I like best about Denver is that I see a lot of humble leaders who realize that there’s a process to get to where they’ve gotten to, and they’ve never shied away from sharing information. I think we need to leverage that to become not just the Rocky Mountain security forum but maybe even the Midwestern security forum, or the West Coast security forum. I think there’s a lot of capability here we haven’t tapped into.
**This has been fun. Anything else you want to say before we sign off? Do you have any catch phrases you want to make sure we include?**
Empower your people to grow and be ready to take your job, or any job
I was listening to this leadership series on a podcast. A couple of things stuck with me. One was hire people smarter than you. Something I really like about Denver, going back again, I see leaders who are willing to hire people that will challenge them for their own jobs, pushing them to move on or move up or move away. That’s awesome!
The second thing is, when you hire those people, when they turn to you and say, “What should I do?” respond with, “Well, what do you think we should do?” Always turn the question back on them and empower and guide them, “It’s your decision. I support you.” When you have leaders reporting to you especially, that’s the single best thing you can do to give them confidence to take your job. Not just your job. Any job. Put their feet to the fire and say, “You make the decision. I’ll stand by you, but I want you to make the best decision based on the facts in front of you.”
Thanks so much to Sameer for taking the time to talk with me and share his story of becoming CSO for a Fortune 150 company, and his view of the Denver security scene. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you’d like to see spotlighted, drop me a note and I’ll see what I can do.