Go Phish: Tom Lowndes, Director, Middle East, CyberArk

On the lighter side of things, we Go Phishing with Tom Lowndes, Director, Middle East, CyberArk, to discuss what makes him tick.

What would you describe as your most memorable achievement in the cybersecurity industry?

Back in 2017 I was part of a team that helped restore a major global client’s business back to full operations within 24 hours after being taken offline by the WannaCry attack. This was my first experience of the level of severe impact a major breach can cause; not just the downtime or the business impact but living through the resulting crisis management employed by highly trained teams. Let’s just say this is where I caught the cyber bug.

More recently I am super proud to have launched the CyberArk Identity Security platform in the cloud – right here in the UAE. This is the first holistic identity security platform available from any vendor that offers full capability through Identity and Access management, endpoint privilege management, focus upon machine privileges, operational technology privileges – and all based upon our strong foundation of intelligent privilege controls.

The goal is now to deliver this to the other markets across the Middle East and help our clients to consolidate their toolsets, set free their resources and reduce their cyber debt.

What first made you think of a career in cybersecurity?

I started listening to a podcast called ‘The Darknet Diaries,’ which is still in production now. Truthfully, this was the first time where I had felt that the stories I was listening to made a link between my work environment and sci-fi style challenges with an outcome that is a real threat to everyday life and business. Today, jumping out of bed in the morning knowing that I’m contributing to help protect the businesses and jobs that we all work hard to build gives me all the belief and motivation I need to do my part to help win this battle.

What style of management philosophy do you employ with your current position?

A very human one, because the boundary of work and life is now a blur for all of us. I see it as my responsibility to empower an open and authentic working environment to ensure the switch between home and work is a seamless one. I am also laser focused on strategic planning – reviewing where we are, targeting where we need to be and executing plans for how we succeed on that journey. In my experience this builds the foundation for a hard working, outcome driven, growth minded and fun working environment. Ultimately, we are all here because we are people wanting to do business and have valuable interactions with other people.

What do you think is the current hot cybersecurity talking point?

For me it is the area of managing machine identity and privileges. At CyberArk we think about it as ‘The Rise of the Machines’. For every one human identity there are an average of 45 machine identities – and organisations expect the total number to triple in the next 12 months. With Digital Transformation, hybrid cloud platforms and application development teams driving this explosion it is imperative that organisations across the region gain a view and build a plan for how they will manage these unsecured processes that are by nature privileged and have access to critical data. My team is helping a number of banks, telcos and government departments prepare for this.

How do you deal with stress and unwind outside the office?

Working in cyber is like surfing a wave and I use the same analogy for stress. Its fun to be on the edge but you must stay on the board, focus and surf the wave to the beach without letting the wave go over you. Rather than letting it feel negative I channel it to positive energy to drive through and overcome challenges. There is no better way to do this than spending time with my family and friends: they are my lighthouse that steers me into shore.

If you could go back and change one career decision, what would it be?

I really would not, I am a big believer in no regrets and no wrong turns. Even in the most challenging times in my life and career when I question this philosophy it has always proven true – those experiences help shape us, build resilience and are a platform for advancing to the next level of performance. Of course, it goes without saying that I wish I’d been in a rock band and stuck at learning the drums when I was a teenager!

What do you currently identify as the major areas of investment in the cybersecurity industry?

I am a big fan of Ponemon’s Cost of a Data Breach study which comes out annually with keen insights globally but also for the Middle East region. This year the average cost of a data breach for the Middle East rose to second spot behind the US to US$8.75m per breach but also showed that US$2.22m is the average cost saved if you invested in AI and automation to help defend and reduce the time to detect. This reflects the conversations I have with our clients who are looking to see how they can use AI to empower their teams, relieve some of their workload away from manual and intensive tasks and focus instead on proactive defence. It’s no surprise to me that investments in identity are in the fourth highest investment priority with 42% of CISOs focusing upon this area – if you can secure any type of identity, at any place and any time you give yourself the best chance of preventing privileged access from being escalated and causing a major breach.

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?

Ultimately no. This is a battle and the main goal is to ensure that your teams are trained to proactively defend against the evolving threats whilst you continue the journey to raising your overall security posture through governance, skills and technology. Local market policies and regulations can then determine how you build this strong foundation and can then decide upon the delivery model. Across industries however the threat type can change drastically – operational technology gaps in critical national infrastructure, personal data within governments, machine secrets within cloud-based start-ups and transaction and fraud across banking all need specific approaches and prioritisation.

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

The last year has been a real ride, it started by building out our channel model across META and finished with leadership across our Middle East business. I think the major change has been transitioning from the focus on CyberArk pioneering the privileged access management market and, in recent years, building out our capabilities and driving the identity security market and in fact becoming the region’s only holistic identity security platform. With this change comes a total expansion of our capability and the value our clients can extract – we can now look at reducing cyber debt, consolidating platforms, providing greater visibility and automating operations across the identity space and it’s had a fantastic reaction since the launch of our SaaS platform in April.

What advice would you offer somebody aspiring to obtain a C-level position in the security industry?

Stay humble, stay focused, stay enthusiastic, stay hungry to learn and stay authentic. Never make enemies and cultivate friends. Always do the first task for someone quickly and with quality. Always meet with someone for the first time face to face. Expect to fail many more times than you succeed. Apply the 80/20 rule to your time management and work priorities. Surround yourself with positivity and a solid foundation of family and friends. Oh….and forget the imposter syndrome tapping you on the shoulder everyday!