On the lighter side of things, we Go Phishing with Sandeep Johri, CEO, Checkmarx, to discuss what makes him tick.
What would you describe as your most memorable achievement in the cybersecurity industry?
I founded Oblix, one of the first Identity management companies in the industry back in 1996. We were ideally positioned in the market as identity started to climb up the security agenda, and in 2005 Oblix was acquired by Oracle as they sought to build up their identity provision. It’s still the foundation of their IDM solution today.
What first made you think of a career in cybersecurity?
I stumbled upon it as the founder of Oblix and loved taking on the unique challenges that the field presents. As a result, I went on to found two other companies specialising in different aspects of network security. Blue Lane Technologies designed network security platforms for physical and virtual server infrastructure and Determina secured hypervisors and virtualised workloads. The two companies were both acquired by VMware as their capabilities were a strong fit for its virtualisation offering.
What style of management philosophy do you employ with your current position?
I always want to see high-performing teams where everyone is really pushing themselves. As part of that, I’ve always liked to lead by example – never expect your teams to do something you can’t or won’t do yourself. I also have a strong customer focus, making sure everything we do is centred around their needs rather than just shifting product.
What do you think is the current hot cybersecurity talking point?
Code to Cloud is getting a lot of attention right now – the approach of securing applications from the point of writing code, all the way through to runtime in the cloud. Having secure coding practices in place helps identify and stop issues right at the source and reduces the chances of them making it into the live environment.
How do you deal with stress and unwind outside the office?
I like to get out in the fresh air when I can. A combination of hiking, biking and other exercise does wonders. Inside, I also enjoy woodwork and catching up on some reading.
If you could go back and change one career decision, what would it be?
I’d go convince my past self to join Google when I had the opportunity back in 2000. There would have been some very interesting experiences ahead for sure.
What do you currently identify as the major areas of investment in the cybersecurity industry?
Integration is a major focus right now. We’re seeing a big drive in companies investing to bring application security into DevOps and cloud security processes. More companies are realising that getting all these activities integrated together reduces the chances of vulnerabilities slipping through.
This also feeds into the ‘shift left’ approach that’s been on the software development agenda for some time now. At Checkmarx we’re pushing for a ‘shift everywhere’ ethos that, as with ‘code to cloud,’ takes that even further, with security issues being detected and addressed all the way through the lifecycle. The more integrated different systems and processes are, the easier that is for teams to achieve.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
Cybersecurity challenges are pretty homogeneous. Companies have the same issues to tackle around vulnerability management, identity security, and so on. And threat actors are attacking targets around the world.
I’d say compliance is the biggest regional factor as we’re seeing quite different levels of requirements in different areas now.
Europe has a lot going on right now, for example, with NIS2 coming in for critical sectors and DORA for the finance industry. The US landscape looks quite different but does have the Securities and Exchange Commission as well as Executive Order 14028 recently bringing in stricter rules about disclosing breaches and sharing threat intelligence.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
I’ve been doing more remote work and I think that will continue into the next year. It’s one of the benefits of working in a very digital field, and something Checkmarx has embraced for some time.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
I’d say aspiring CISOs need to be aware of how broad the security landscape is, given the complexity of the threats and technological challenges. It includes everything from network security and endpoint security to application security – all of which blend into cloud security.
So, it can be a very different experience for anyone looking to move up from more specialised IT security fields where there’s an emphasis on being an expert in one area. In addition, while boards and senior executives tend to understand the critical nature of endpoint and network security, application security is now just as critical, with code vulnerabilities representing targeted points of entry for threat groups of all kinds.
Therefore, it’s important to understand and gain experience in a wide range of security domains. You need to see the forest as well as the trees. It’s also important to note that different industries, businesses and government agencies have a wide variety of needs, so it’s critical to become exposed to as many as possible.