If you were at Black Hat MEA 2023, you might have heard Omar Khawaja (CISO at Databricks) sharing his experience on the keynote stage. From leading a team of more than 200 cybersecurity professionals at Highmark Health to his current role at Databricks, Khawaja has a broad scope of knowledge about the security landscape.
But he’s dedicated to expanding his awareness all the time. He serves on several boards and supports tech firms in an advisory role – and each of these engagements helps to shape (and reshape, and then reshape again) his perspective on security.
We asked how this work influences his professional development, and what the biggest stumbling blocks are for tech firms trying to implement robust security operations. Here’s what he told us.
“The moments that most shaped my career were the ones I did not have the requisite skills for, but went ahead anyway – sort of like jumping into the deep end of the pool.
“Those experiences gave me all the motivation I needed to figure things out – being responsible for security at a startup without any prior security experience, moving into a product management role as an engineer, and becoming a CISO with no prior operational and executive expertise.”
“Each person is wired differently – for me, I learned years ago that I thrive when I have an abundance of stimuli – it gives me more dots to connect. Being on boards gives me exposure to both challenges and solutions in contexts that otherwise I would have never known about. It allows me to cross-pollinate solutions to challenges, sometimes in novel ways.”
“My perspective on cyber is evolving fairly continuously. It is driven by three forces:
1. The inherent changes in the cyber risk landscape.
2. My personal vantage point (security engineer > security architect > security product manager > CISO > board member > CISO faculty at CMU).
3. Regularly re-synthesising my own learnings and those of others.
“One example: I used to think technical security controls were the most important part of a security program, then I realised it was important to not just have controls but for the controls to be part of some comprehensive framework (compliance!). Then I evolved my thinking to consider the business as the most important stakeholder (risk management). Along the way, I learned that in a complex organisation, people and process are immensely more important than technical controls.”
“I see a common failure caused by thinking that if we just buy and install the right technology we can solve our security challenges. The most impactful security challenges can rarely be solved by implementing tech on its own – they require changing people's mindset and behaviours.”
“By meeting a couple dozen CISOs (both global and regional), I gained some valuable insights on how security operations evolve in the unique organisations they support – particularly when they are trying to develop very fast.”
Thanks to Omar Khawaja at Databricks. Want to learn more? Join us at Black Hat MEA 2024.