A CISO’s perspective on relationships and UX

by Black Hat Middle East and Africa

With over two decades of experience in IT and Information Security, Awwab Arif (CISO at Bank of Hope) was honoured with the Top Global CISO award at the 2023 Cyber Defence Conference in Orlando, USA.

He has a strong track record of establishing security programs that integrate seamlessly with an organisation’s strategic goals, and has become active as a thought leader in the field of cybersecurity – sharing his knowledge through lectures and round table discussions, and supporting emerging cybersecurity talent in collaboration with Cal Poly Pomona and the Troy High School Cybersecurity Team.

We asked Awwab how he began his career in cybersecurity, and how he builds positive relationships with the partners and stakeholders he interacts with as a leading CISO. 

Here’s what he told us. 

Could you briefly share your career journey so far?  

“I was raised in a family of engineers. My father worked at a research institution creating technology to convert audio to text and vice versa, to aid the medical field. This innovative technology of the 80's is now commonplace on our mobile devices. 

“Visits to my dad's office often meant playing with computers and DOS games on a monochrome monitor. These experiences sparked my passion for electronics and computing. By the age of 8, I became the go-to tech support for relatives and family friends. During my teens, I supported my dad by teaching MCSE courses when it was essential for IT jobs. Technology naturally became not only second nature to me but also an enjoyable pastime.

“After finishing high school, I began working in technical support and as a system administrator for small companies, some of which were owned by my father's acquaintances. The introduction of HIPAA and PCI/DSS compliance posed challenges for these businesses, highlighting the need for robust cybersecurity – a realisation that marked a turning point in my career.

“Another defining moment came when I had just started at a new job and my manager left shortly thereafter. The CIO saw potential in me to lead the team – despite my initial self-doubt. With assurances that I could return to an engineering position if necessary, I accepted; and that decision turned out to be one of the best and most impactful in my professional life. 

“The takeaway is that with proper backing from management and team collaboration, any goal is achievable. Success is a collective effort, and one should consider the broader context instead of depending solely on individual talents.”

As a CISO, what kinds of partners and/or vendors do you interact with most often – and what advice would you give to other security professionals to help them build positive, productive relationships with those partners?  

“As a Chief Information Security Officer, staying abreast of emerging threats and advanced technologies is critical. This often involves extensive networking and the exploration of new vendor partnerships. 

“My advice would be to identify two or three local partners within your geolocation. You might consider engaging with a larger firm in addition to smaller boutique agencies. While larger firms tend to partner with well-established vendors offering consistent solutions, smaller specialists often collaborate with up-and-coming startups, potentially uncovering innovative technology gems geared towards resolving specific challenges. 

“I also find it beneficial to forge relationships with venture capitalists, communicating our company's particular issues. When a VC encounters an entrepreneur proposing a solution aligning with our needs, they can facilitate an introduction, allowing us to evaluate the concept further and contribute to the development of a robust product that addresses broader industry needs.”

Can you remember one thing that you learned very early in your career that you still use in your day-to-day work now?  

“Consider user experience when creating security measures. There are various approaches to achieve the objective. Make a control that is easy to use to encourage adoption, or risk making it so complex that people seek alternatives.”

If you could look five or ten years into the future to find the answer to one question that cybersecurity is facing right now, what would that question be? 

“It's crucial for government enforcement agencies and ISPs to strengthen their control over the internet and assume more accountability for monitoring and constraining criminal networks. Given that threat actors exhibit certain patterns and predictive technologies exist to track and disable their networks, we must address how to ensure law enforcement and ISPs are held accountable for permitting these threat actors to operate unchallenged online.”

Finally, why are events like Black Hat MEA valuable to you?  

“Networking and continuous learning are crucial for the development of a CISO. Engaging with peers, vendors, and partners is essential to remain informed, exchange knowledge, and learn from past experiences to avoid repeating mistakes.”


Thanks to Awwab Arif at Bank of Hope. If you want to be in a room with the world’s leading cybersecurity experts, register now to attend Black Hat MEA 2024.
