
Kitecast
Arun DeSouza: Becoming a Transformation CISO
Arun DeSouza, the Managing Director at Profortis Solutions, brings over two decades of experience as a CISO, having developed and implemented award-winning programs in identity lifecycle management and IoT security. His impressive career includes induction into the CISO Hall of Fame by the Global Cyber Startup Observatory and recognition as a top CISO by Cyber Defense Magazine. Arun’s expertise, combined with his academic background—a Ph.D. in Chemical Engineering from Vanderbilt—offers listeners a unique perspective on navigating today’s complex cybersecurity landscape.
From Chemical Engineering to Cybersecurity Leadership
Arun’s journey into cybersecurity is as unconventional as it is inspiring. Initially trained as a chemical engineer, he transitioned to cybersecurity through hands-on experience and a fearless approach to problem-solving. Faced with the challenge of managing global security for a French company, Arun built a strategic plan that not only upgraded systems but also delivered significant savings. His approach, which he calls the “power of federation,” involved collaborating with partners for discounted pricing and consolidating resources.
Navigating Cybersecurity Threats: IoT, Ransomware, and AI
Arun sheds light on the evolving cybersecurity threat landscape, particularly the rapid proliferation of IoT devices. With an estimated 75 billion IoT devices by 2025, the risks associated with insecure software, vulnerable cloud communications, and expanded attack surfaces are more significant than ever. He highlights specific challenges in manufacturing and OT security, where ransomware and supply chain attacks can cripple operations. Arun also warns of the impending threat of AI-powered supply chain attacks, which could amplify the scale and sophistication of breaches. His insights reinforce the need for robust data governance and the adoption of Zero Trust security models to mitigate these risks effectively.
Critical Role of Identity Management and Leadership
Central to Arun’s security philosophy is the concept of identity access management (IAM) as a strategic cornerstone. He introduces the idea of the “identity coin,” which blends physical security (person, device, location) with logical security (attributes, behavior, context). Arun emphasizes that security is not just about technology but also about strong leadership and communication. He advises CISOs to build relationships with senior leaders, use storytelling to convey risks, and align security initiatives with business objectives. His analogy of the CISO as the “captain of the good ship cyber” encapsulates his forward-thinking approach to navigating cybersecurity challenges.
Technical Acumen and Strategic Vision
Arun’s expertise and leadership offer actionable insights for anyone looking to strengthen their cybersecurity strategy. His forward-thinking approach to risk management, identity governance, and embracing change provides a valuable blueprint for both cybersecurity professionals and business leaders.
LinkedIn: https://www.linkedin.com/in/arundesouza/
Profortis Solutions: https://profortissolutions.com/
Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.
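The "identity coin" described in the show notes above (physical side: person, device, location; logical side: attributes, behavior, context) is a model for dynamic, risk-based access decisions rather than a product. The following is an added illustration, not code from the podcast, from Arun DeSouza or from Profortis Solutions: a small policy evaluator that scores a request against a user's baseline and returns allow, step-up (stronger MFA) or block. The weights, thresholds, baseline profiles and sample requests are constructed assumptions for illustration; one of the samples reproduces the scenario from the episode of a finance user pulling 15 GB at 3 AM.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class Baseline:
    """Learned 'normal' for one user. All values here are constructed samples."""
    known_devices: FrozenSet[str]
    usual_countries: FrozenSet[str]
    work_hours: Tuple[int, int]   # (start, end) on a 24h clock
    typical_download_mb: int      # rough per-session volume

@dataclass(frozen=True)
class Request:
    """One access request, split along the two sides of the identity coin."""
    user: str
    device_id: str          # physical: device
    country: str            # physical: location
    device_compliant: bool  # physical: device posture
    role: str               # logical: role / attribute
    hour: int               # logical: context (time of access)
    download_mb: int        # logical: behaviour (volume moved this session)

# Roles treated as "very attacked people": always at least a step-up (assumed set).
HIGH_RISK_ROLES = frozenset({"finance", "executive", "admin"})

def score_request(req: Request, base: Baseline) -> Tuple[int, List[str]]:
    """Additive risk score; the weights are illustrative, not a standard."""
    score, reasons = 0, []
    if req.device_id not in base.known_devices:
        score += 30; reasons.append("unknown device")
    if not req.device_compliant:
        score += 25; reasons.append("device posture failed")
    if req.country not in base.usual_countries:
        score += 20; reasons.append("unusual location")
    start, end = base.work_hours
    if not (start <= req.hour < end):
        score += 15; reasons.append("outside working hours")
    if req.download_mb > 10 * base.typical_download_mb:
        score += 40; reasons.append("download volume far above baseline")
    if req.role in HIGH_RISK_ROLES:
        score += 20; reasons.append("high-risk role")
    return score, reasons

def decide(req: Request, base: Baseline) -> dict:
    """Map the score to an action: block, require stronger MFA, or allow."""
    score, reasons = score_request(req, base)
    if score >= 50:
        action = "block"
    elif score >= 20:
        action = "step-up"
    else:
        action = "allow"
    return {"user": req.user, "action": action, "score": score, "reasons": reasons}

# Constructed baselines and requests (hypothetical users and device ids).
BASELINES = {
    "finance-user": Baseline(frozenset({"lap-001"}), frozenset({"US"}), (8, 17), 200),
    "eng-user": Baseline(frozenset({"lap-002"}), frozenset({"US"}), (9, 18), 500),
}
SAMPLE_REQUESTS = [
    Request("finance-user", "lap-001", "US", True, "finance", 10, 50),        # normal day
    Request("finance-user", "lap-001", "US", True, "finance", 3, 15 * 1024), # 15 GB at 3 AM
    Request("eng-user", "lap-999", "US", True, "engineer", 11, 100),         # new device
    Request("eng-user", "lap-002", "US", True, "engineer", 11, 100),         # normal
]

def run_samples() -> List[dict]:
    """Evaluate every constructed request against its user's baseline."""
    return [decide(r, BASELINES[r.user]) for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for d in run_samples():
        print(f'{d["user"]:13} {d["action"]:8} score={d["score"]:3}  {", ".join(d["reasons"])}')
```

The point of the split is that neither side of the coin decides alone: a compliant, known device still gets blocked when behaviour and context diverge far enough from the baseline, and a high-risk role is stepped up even on a perfectly normal day. In a real deployment the baseline would come from observed history and the thresholds would be tuned per role.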
Patrick Spencer (00:00.974)
Hey everyone, welcome back to another Kitecast episode. I'm your host Patrick Spencer. We're in for a real treat today. Joining me today is Arun DeSouza. He is a renowned CISO and global security executive, the managing director at Profortis Solutions. He had previously held the title of CISO for over two decades at various organizations, during which he developed and implemented award-winning programs for identity lifecycle management
and IoT security. Arun was inducted into the CISO Hall of Fame (we have a Hall of Famer with us) by the Global Cyber Startup Observatory. He was also named a top CISO by Cyber Defense Magazine and a top 10 InfoSec professional by OnCon, along with numerous other accolades. When you check out his LinkedIn profile, which we have included with today's podcast, you'll discover
that that's just scratching the surface in terms of his accomplishments. So Arun, we usually save the academic accomplishments and endeavors that you had until later on in the podcast typically, but your background piqued my interest: a PhD in chemical engineering. I worked for a guy who had a master's in chemical engineering way back about 10, 15 years ago who had...
spent time on rigs off the shore of Ecuador. He had an interesting background, obviously, and somehow had gotten into high tech marketing. It shows that anyone can do marketing, including myself, I guess. So how in the world did you go from Vanderbilt PhD to CSO?
Arun DeSouza (06:47.599)
Yes, absolutely. You know, I'll try to summarize the journey. So when I was appointed CISO, we had issues with the global security, because when you integrate two entities without a proper plan, you know, the network would go up and down and nobody said what happened. Everyone said they did nothing. You've heard these stories before, right? So when they entrusted me with this
important role, the first thing I did was I sat down. I had actually achieved the MCSE plus Internet certification, not because I had to work technically, but so I could manage my team better. So I had a very strong understanding of Windows and OSes, et cetera. So it really helped me, and it's really germane to step one in the journey, which I'm about to describe. So what I actually did was I built a strat plan, a two-phase strat plan. In phase one,
I envisioned that we would actually upgrade from Windows NT to Windows 2000, because NT was end of life, consolidate servers, consolidate backup systems, put in Active Directory management tools and all that. And phase two was actually taking charge of the network, installing quality of service technology. Now, you know, I learned a lot as I grew, and the story is quite interesting. It starts like this: so I built a business case.
It was to be submitted to the upper management. And then, I didn't speak French. I worked for a French company. It was taken by my boss at the time. You've heard this phrase, lost in translation, right? So that's pretty much what happened. So I mean, he did a great job, I'm sure. But I wasn't there. So they said, well, tell Dr. DeSouza that he can accomplish phase one in half the budget he requested. Now, I will tell you, Patrick.
Patrick Spencer (08:22.862)
you
Arun DeSouza (08:44.975)
The truth of the matter is I'm not a padder. I put the usual 10 to 20%. And so I had two choices, either accept the challenge or run. And somehow running is not in my DNA. So I sat down and I thought about what could I do. And I talk a lot about something called the power of federation, or better together. Let me explain. So I reached out to different partners and said, guys, look.
There's a story at the end of this big achievement. Can you give me discounted pricing? So we had tiered pricing, professional services, other people gave good prices. In other cases, actually, I consolidated software purchases in the States to get the benefit of the euro exchange rate. And I did a lot of those things. And we built a 20-member team and finished phase one, truthfully,
45,000 euros under budget, right? And that's quite amazing. And I say that because you asked me what I learned. I learned to ask for help, to embrace change fearlessly, you know, and, you know, drive change forward. And the second phase, we tamed the network, and I had to go to a field I knew nothing about and then learn very fast as well. And I think the fact of the matter is,
nowadays, if you look at it, Patrick, depending on which statistic you read, there's about three or four million open cyber jobs worldwide, right? And I think hiring managers and HR departments have to be very open in the way they recruit people, not looking for unicorn candidates, because I'm living proof of what can happen if you are willing to take some risks and embrace change and learn. I mean, it's not going to happen overnight, mind you.
I think, and then over a span of years, I got into risk management. I learned a lot. And actually, we were talking about it earlier before we started the official part, you know, I just joined various communities. I spoke to people. I mentored people. I took every chance I could to write a white paper, a thought leadership article, whatever, and just kind of forced myself to stretch, right? Because at the end of the day, here we are, you know, 20 years later, right?
Arun DeSouza (11:11.151)
fortunate to be, as you noted, admitted into the Hall of Fame, which is a success for everyone who helped me on my journey, the partners, my friends, my teams, the company. Does that help?
Patrick Spencer (11:23.254)
Yeah, that's fascinating. That's really interesting. And great tips for folks who want to get into cybersecurity. We have a general contractor who's doing some work on a house of ours and his degree is actually in cybersecurity. And he decided he didn't want to be in cybersecurity, he wanted to work on houses. So there is a path outside of cybersecurity. That's the initial direction that you had academically.
Arun DeSouza (11:39.466)
Yeah.
Arun DeSouza (11:47.641)
Now, you know, I have to walk into the door you left open for me, Patrick, in the sense that hopefully he's not building a smart home. He can't run from cyber security anymore, can he?
Patrick Spencer (11:58.734)
Very true. So, you've spent a long time in security and you've seen an evolution when it comes to the cyber attacks that are taking place. You know, in the last few years, obviously, there's been an increasing interest by cyber criminals and nation states in the supply chain, because when they hack one tool, they don't simply hack one organization, they hack into hundreds or, in some instances, even thousands.
What are you seeing from that standpoint of cyber attacks? And maybe you have a lot of experience in the automotive industry, but you have experience in other industries as well. Are you seeing some specific things industry-wise?
Arun DeSouza (12:41.231)
Yeah, absolutely. So let me compose myself for a minute. There's an organization called Statista that published a factoid that by 2025, there'll be 75 billion IoT devices worldwide. That's a mind-boggling number, isn't it? And so this exponential rise of IoT devices has me concerned, as it naturally increases the risk
due to the numerous vulnerabilities in IoT devices, because we know that it's an open secret. People don't get the best up-to-date software, it's free software, and it can be hacked, and so many other things. The communications between the device and the cloud are not secure, all that stuff. So naturally, it expands the attack surface of enterprises, but also, at a personal level, you're wearing your smartwatch, you're connected, I'm afraid, it's everywhere, right? So there's so many.
Something that is in my mind, because I'm also a privacy officer, is that the security and privacy risk nexus of the IoT is a matter of concern. At a personal level, you must have heard of the TV that recorded and snooped, or the device that recorded the conversation, email, or the Ring camera that did that. So at the personal level, that's where the security and the privacy meet. But also,
you mentioned manufacturing, so let's consider a situation where there's a vision system on the line and, you know, there's a bigwig from European countries walking down the line. And, you know, the operator says, this is a, you know, very important person that's come, and he presses the button to take a picture of the VIP and then decides, well, I'm so happy, I'm going to post it on Twitter or something, right? And
what may happen is you might be exposed to a GDPR complaint. It's quite possible, right? Because the consent was not given. So, and now here we have the CCPA. So I think people need to start thinking about the risk nexus. Now, definitely for global companies, right? All the different regulations, especially the GDPR, which is widely considered as the gold standard, really come on very heavily. The minimum fine is 20 million euros, right? To focus under the review.
Arun DeSouza (15:03.501)
And by the way, that's not just it. There can also be civil suits after the class action suit, so it never ends. And on top of that, there could be significant reputation and brand impact, and diverted management focus. Now, we mentioned manufacturing. So in the manufacturing arena, operational technology security, or OT security, is an additional area of focus because of
another trend that I'm going to mention again in a minute: ransomware is out there, right? And especially with the fact that there isn't always close collaboration between IT and OT. There can be suppliers that connect to insecure systems or through insecure connections, especially with 5G connections or insecure networks or whatever. OT security is something in manufacturing that can have really heavy, heavy
impacts. I mean, I know that it was Honda a few years ago. They had two successive huge problems, and they were, if I remember, introduced through phishing and clicks that took down the line for days, if not weeks, and so on. In addition to that, third-party risks and exploits are increasing, like you noted earlier, right? Whether it's SolarWinds or anything like that, they don't stop.
And what I expect is that AI-powered supply chain attacks are on the horizon. That's something that I've not read a lot about. It's coming for sure. Because today what happens is, I wouldn't say it's low tech by any means, but it's like the typical clickbait, right? They either impersonate you or hack you or something and get you to click. But when AI comes, and if you're able to weaponize AI for supply chain attacks, my goodness, it's pretty scary to me, right?
Ransomware attacks do not show any sign of abatement. I think it just keeps coming and coming and coming, and you know, there is a particular organization called Octopus that, you know, is just targeting a particular company. You can guess which one it is, and I don't know them all, but there's so much money there, so they're not going to stop. Now, the dawn of the new digital era, or the digital economy, has the API economy, right?
Arun DeSouza (17:26.861)
And the API economy, people, we all know that mobile apps and some of these apps go to market or launch faster than sometimes they should, just to serve the business need. And that's where there could be chinks in the armor of API security. And one needs to look at that. I think in general, lack of data hygiene and governance can lead to exploits and breaches, right? Because you don't always have the proper...
data classification and characterization and controls and collaboration with internal control and internal audit all the time. And companies need to focus on that, because people talk about the fact that data is gold, data is currency, and it is. But because of what I noted earlier, if you're not careful, you can have a significant breach as well. You noted nation-state attacks. I agree with you, especially with the world being what it is. One can't avoid that,
whether it's because actual physical warfare is transmuting with a layer of cyber warfare, or even without a war. There are nation states that attack other entities, and we know the anti-virus manufacturer that has been banned in the United States because they used it to attack the US government, as an example, right, or so on. And then last but not least, social engineering.
I mean, it seems very low tech, but it's out there. And it's not only phishing by email, it's vishing, even by phone calls. Sometimes it's smishing, it's out there. And we live in the era of the cloud. The cloud is the de facto cornerstone of the modern digital era, and cloud vulnerabilities and misconfigurations, because again, people spin things up very fast.
The advantage you get with scalability and workload orchestration is great, but are the proper governance mechanisms in place? So, thoughts, Patrick?
Patrick Spencer (19:33.262)
Well, there's a number of things that you kind of got me thinking about. On the last point, when you're talking about cloud, are you finding that organizations are moving more in the direction of single tenancy, because multi-tenancy does have its risk, particularly when you're talking about sensitive content that's stored and being transmitted in and out of the cloud environment?
You see more and more organizations thinking about single tenancy. You see that with FedRAMP, right? That's one of the stipulations with FedRAMP, that more organizations are looking for tools that are FedRAMP certified. What trends do you see on that front?
Arun DeSouza (20:13.743)
Well, I think I would say sectorally, by sector, it might happen. The classic example is health care, right? Because of HIPAA, the regulation may require them to be more careful. So there are HIPAA-certified data centers; they may go that way because they have no choice. And FedRAMP. But in other cases, the reason people go to the cloud is
flexibility, scale, and economy, right? OPEX. Now you start asking for single tenancy, what's going to happen? Your costs are going to go up. So I see that that's going to be sort of the blocker. But I think in certain cases, companies will make the choice. But I don't anticipate it will be a widespread trend, because no one wants to pay more. They want to pay less, right? It's always do more and more with less. So I think sectorally, yes. Regulation driven, yes. But not widely, no. I don't think so.
Because it defeats the purpose of having the cloud, right?
Patrick Spencer (21:14.454)
Well, no, that's true. You also brought up that, you know, phishing and social engineering and other types of attacks, they're not going down for sure. They seem to be getting worse. You know, the humans are sort of the weakest link when it comes to cybersecurity. Typically, sensitive data, confidential data, whether it's PII or PHI or intellectual property,
financial documents, M&A documents, and so forth, are the target of many of these cyber attacks, and they go after those weakest links. Do you think there's an opportunity to improve access privileges to those documents so you can control who within your organization, as well as third parties, has access to view those documents, to send and share those documents, to edit those documents? We obviously...
are biased on that front. But what's your perspective?
Arun DeSouza (22:15.023)
So I think it's, I'm going to give, in my words, a nuanced answer. So if you really want to protect your data, step one is you need to classify your data, and you've got to build governance mechanisms that correct data stuff. Now, I'll be happy to share with you my article that I wrote recently. It's called The Rise of Data Sovereignty in the Privacy Era, where I go into a lot more detail than what I've
sped through. But basically, companies need to say, OK, well, I need to be able to, either on-prem or in the cloud, classify data and then identify the gaps through a dashboard and resolve them. Now, the fact of the matter is it also has to start with the data classification policy. But you and I know that no one can manually go and map the data. So at scale, you need a tool that can actually
go in and, whether on-prem or cloud, automatically characterize the data and identify the risks so they can be fixed. But that being said, I think it's not just the data itself. It's fit-for-purpose data usage. What I mean by that, in any company, the biggest risk is what I call the very attacked people, the executives or people who are doing financial transactions. So putting firewalls around the
data that they would use, in a sense, physical file or good access control privileges and schemes, additional multi-factors, a higher level of authentication when coming in remotely. That's something that by nature needs to be done. So I'll talk about it more in my article that I'll share with you, which you can include in the podcast, but I think it's nuanced. It's not just data classification and governance, it's identity enablement and identity governance as well.
And now, I jumped earlier to a point I was going to make. For me, zero trust, right? Zero trust is really seminal and very, very fundamental. I know the US Cyber Security Executive Order brought it more into the limelight a few years ago. And why do I mention that? Because see, back in the day, when John Kindervag came up with it,
Arun DeSouza (24:42.105)
We used to say, we're only in the office most of the time anyway. There's hardly any VPNs. And so you can say, all right, I'm in this office. We've put all these firewalls. We've done everything. And we are safe, right? The old castle-and-moat approach. And you would say, if the network packets are inside the company, they're safe. And network packets outside the company are unsafe. But the truth of the matter is, John Kindervag postulated that it doesn't matter
where the network packets are, they inherently cannot be trusted. So what did it do, actually? It changed the focus of security from the network to users, applications, and data. And that's what it introduced. I think, and therefore, the fact is, wherever you are accessing digital services, every connection you make should be based on identity,
Patrick Spencer (25:25.111)
Yep. Yep.
Arun DeSouza (25:40.179)
device posture and session risk dynamically, right? And that's where the thing which I call the identity coin becomes important. So the identity coin to me is two parts, right? The physical side, person, device, location, the logical part, which is attribute, behavior, context and role, and using those inputs into the system dynamically to mitigate the risk, because it's not just like a one-stop shop where you say, okay, I've given the proper access privileges, but it's
sort of related, where a data characterization governance platform and automatic remediation tool can remediate it. But even then, it could also be the user's behavior. For example, OK, I'm a financial person, and I normally work 8 to 5, and suddenly at 3 PM, sorry, 3 AM in the morning, I downloaded 15 gigabytes of files. What should the system do? It should block me immediately, right? So Zero Trust can do that
when well implemented. And I know it's not a one-solution thing. It's an orchestration of people, process, technology, a wide variety of tools. But Zero Trust is here to stay. And I think if we really want to protect data, it's something that needs to be done. Any thoughts?
Patrick Spencer (26:52.974)
Well, one, let's include that article as a link on the podcast page so our listeners can go and access it. So I'll get that link after our podcast is finished up.
Arun DeSouza (27:01.647)
Yeah, and I'll send you another as well that I forgot to mention. I've also written an article that talks a lot about the evolution of identity and access management, where I go into the two sides of the coin and how identity is central to protecting the digital perimeter today. And those two are complementary articles. I'll send you both.
Patrick Spencer (27:27.81)
That'd be great. You brought up an interesting point. Identity access management is certainly a fundamental starting point, or should be a fundamental starting point, when it comes to controlling access to those critical applications and the content that's stored within them. There was a breach, I won't name which one, a week or two ago where it appears they had SFTP, they had an MFT
solution deployed, probably multi-factor authentication at bare minimum was available with both of the tools, and it seems that neither were turned on. They got into the system and accessed the data through SFTP, and then they used the MFT solution to actually exfiltrate the data out of the environment. It sounds like a fairly sophisticated attack, where they unencrypted the data, and then after they encrypted the data within the environment, then they exfiltrated it.
In both instances, those tools, it looks like multi-factor was not turned on. Why do organizations miss things that would seemingly be so obvious in terms of a security checklist?
Arun DeSouza (28:43.351)
I'm going to be very blunt. I don't say they miss it. They make the choice not to use it, because the user community might complain or rebel or whatever. But that's where you need to take a stand. And when I implemented with my team the identity management
solution, which was the second technology we did, because I always consider identity as a strategic cornerstone of the security program, I said, guys, you want to use the app, you have no choice, you've got to use multifactor. We give you these choices, and you've got to pick one or two of them at least as a backup. And in fact, the riskier the application, you know, in certain instances, if you're an administrator you cannot use your text message, you're not allowed, right. So just draw a hard line there, so you can't allow that, because
it's very, very dangerous, right? So I think it starts from the top, and then the CISO needs to go to the board. And if people are rebelling, say, guys, look, here are the breaches, here are the examples. Do you want to be the next headline? And I've never been one to scare people, Patrick. But hey, sometimes you just got to do it.
Patrick Spencer (29:56.558)
Yeah. And it's just not the users, as you can scare the users. You can even scare department heads. But when it comes to the staff, or even the board. Now, you know, when folks check out your LinkedIn profile, you'll see that Arun is on a number of different boards. He's an advisor for a number of different organizations. It's an impressive list. You know, one, how do you enlist the support of those folks, you know, raise cybersecurity,
and compliance for that matter, to their level, articulate it in a framework that they understand, and then actually track it on an ongoing basis?
Arun DeSouza (30:36.493)
Yeah, I think it's a very good question, really, right? So getting buy-in from the board and convincing leaders and executives outside the cybersecurity department can prove challenging. It's not easy. It's not a zero-sum game by any means. So because I've been a CISO for 20 years, let me tell you what I did, and we can talk further about my comments. The first step for a CISO when you come on board is to...
conduct an enterprise risk assessment to identify threats and risks local to your company. And then the next step is to identify key initiatives and operational goals to address these risks. But here's the key part. You need to link those goals and those initiatives to the company mission and vision and how we are going to enable the business. So for example, you say you want to...
expand your company through mergers and acquisitions. So identity access management is a key initiative that can help further that one. If you say you want to become a borderless enterprise, zero trust can. This is an example. So they can understand you're not doing it just because you're mitigating the risk. Of course you have to mitigate the risk, but it has to drive the company forward, right? So, and so this should be a dynamic, cyclical process. You can't just do it once. So every year,
you should do it, or if business conditions change or are about to change, you need to do it. So having done that, now you have a strategic plan. So now what are you going to do? So you're going to report to the board. They're going to go first time. And you've got to leverage something they're used to, like, I mean, some combination of visual scorecards, risk quadrants, and KPIs, a balanced scorecard. But once you use tech jargon and talk about,
it's okay to mention zero trust, but you can't just say zero trust. You've got to explain in simple terms what it means and what it gives them. So use plain language and storytelling, in a sense, right? I mean, it's okay sometimes to say, okay, back in your career in another company, there was an incident and what you learned from it. And so they can understand why you're going to the extent you can, or what makes sense. Now.
Arun DeSouza (32:51.991)
During board updates, I would say use current events to make the case for a strong security posture. You have to utilize news from the headlines to reinforce the strength of the program. Because if, you know, in the example you gave, a company didn't use multifactor, you say, look, we are always using multifactor. No options. That'll make them happy. But as well, if the breaches are identified in certain areas, the lessons learned for that company, and your company has not yet invested, say, look,
we don't want to be the next headline, please help me with these resources or this, you know, because at the end of the day, what they want, you know, boards and executives, they want to help, right? Because they're relying on you to tell them how they can help, right? And sometimes they just can't do it or they'll defer it, but they are. But in my opinion, the most important and effective way to secure cybersecurity buy-in from the top is simply by forging relationships with senior leadership, whether it's
going for coffee or just having the impromptu lunch or whatever, right? These things make a big difference. The secret sauce is building relationships with key stakeholders. It's not just the top, it's like the department heads, and it's even people that can be with your program. And I used to have this thing called the Federation call, initially every two weeks and then every month. It was an open call every month; people across the
length and depth of the business would come, we'd have a conversation, they'd know what we are doing, ask questions and support. And relationships are everything to enact a successful security program, right? So in a sense, the CISO needs to be a storyteller, you know, an ally, a trusted ally to everyone, and a trusted advisor as well. Now, board support can be the wind beneath the wings of what I call air cyber and help accelerate and continuously improve the security program.
Patrick Spencer (34:50.678)
Yep. That's a good analogy. A good way to describe it. So you've been a CISO for 20 years, a Hall of Fame CISO. How has the role of the CISO evolved over the last 20 years? You know, where are we at on the continuum of transformation, you know, where are we at today and where do you foresee that we're headed in the role of the CISO?
Arun DeSouza (35:18.569)
Absolutely. I started my first security program 20 years ago. And in fact, I told you the story of the first two initiatives and everything, right? At the end of it all, there was a Network World All-Star Award, and there were various white papers and whatnot. And the CEO came to my desk one day from France, and he patted me on the back. He says, you are doing a great job.
I don't hear anything about you. I'm very happy.
Patrick Spencer (35:50.402)
Ha ha ha ha!
Arun DeSouza (35:51.791)
It was a compliment, right? Because in those days, it was considered very technical stuff. And even today, security is in dire need. So that was phase one, or era one, what I call the technical CISO, right? But then the next one, so that was probably roughly the first decade of last year, and then of the first decade of the century. And then we came into the era of the business-aligned CISO, and then
bigger companies like banks would have what's called BISOs and things of that nature, which is security embedded in the business, right? So that was the second era. The third era came, started around 15, 16 of last year, last decade, sorry. I need coffee, Patrick. We, you know, there was that, and that's fine. And that sort of ties back to what I started to say a few minutes ago, you know, the security program should be tied to the
business mission and objectives. If the security folks are linked to the business, that's even better too, you know, and then the risk-focused CISO connects where, you know, we started to collaborate with the enterprise risk organizations and, you know, try to make sure that security and security controls and initiatives are well placed and progress is tracked. And then the fourth era, which we're currently in, is the transformational CISO, right?
I think we're going to stay there for a long time, especially with the scale and pace of change of technology, including AI coming. But truth be told, it's easy for me to say these four eras, but depending on the size of the company, and depending where you are on any given day even, you might have your foot in all those camps. But I think fundamentally, those are the four different eras. Thoughts?
Patrick Spencer (37:47.254)
I think you need to write a book.
Arun DeSouza (37:50.255)
You know, we should talk about that soon. I've been starting to flesh out certain ideas. That's my goal for next year. Yeah, I've received the request a lot and I think I would like to, and I've been preparing myself with a couple of articles which I'll share with you later. So I'm getting myself in the writing mode.
Patrick Spencer (38:10.732)
Well, no, I think there's a lot of interesting fodder there. The CISO role has evolved and it's going to continue to change, but certainly we're in a transformative era, as you know; that's certainly the case. Your profile, which we've talked about, is very, very interesting when our listeners take a look at your LinkedIn profile.
Maybe just a few final thoughts here, as we're running out of time, but I wanted to make sure we touched on this point. How do you build a reputation in the industry as you have, as an influencer, as a thought leader? There are some CISOs that like to play behind the scenes and don't want to be seen or heard, like you just mentioned. But in other instances, there are CISOs who want to...
Arun DeSouza (38:55.439)
Thank
Patrick Spencer (39:01.73)
get out in front of audiences. They want to speak at conferences. They want to be followed on LinkedIn. What can you do to build a profile like you have?
Arun DeSouza (39:12.591)
It took a few years, right? And it started with a choice. I made the choice that I wanted to give back to the community, right? Not just do my work, kind of thing. So that's the choice. And some people, you know, are not comfortable or they're shy or they just don't have the time. That's OK. But it starts with making the choice that you want to do more and give something back. So that was the premise from which I started. So, a few things that one can do once you make that choice. Number one is to participate actively on social media.
I mean, you can start with posting relevant content and annotating it, right? But if you just do that, it's going to be on the mind. But maybe follow some people you respect, or known influencers, or there's Brian Krebs or whoever. And if you feel comfortable, comment on them, et cetera, right? And sometimes in the beginning, when you're not as well known, commenting on other people's posts can help give you some visibility, as long as you take time to make really
good comments, right? And this is how I started. Literally, I posted something, I reposted others, and so on. So that's step one. I also author original content and I share that on social media, like the couple of articles and others I've written over the years, right? Because if all you're doing is reposting, you know, other people's things with comments, you're going to wither on the vine fast, because under the hood, if you want to be a cyber influencer, you've got to be a thought leader.
People need to understand that you're not just regurgitating stuff you found somewhere, but you're able to drive the conversation forward, you're ahead of the curve, right? And one thing I always say as a CISO is, you know, we talked about the air cyber analogy, but the other analogy I always give is I think the CISO is also like a captain on the good ship Cyber, right? And if you visualize the ship, Patrick, especially a sailing ship back in the day, you know, you've got the periscope
to the horizon, trying to see where the storms are, where the rocks are, and you're trying to navigate around them. So the ability to look to the horizon and be ahead of the curve to the extent you can is very, very important. And if people can see that you're a leader, like, for example, one of the things I always talk about is the trend in identity and access management, and my article is on self-sovereign identity. So when people see you're thinking ahead, they will embrace you.
Arun DeSouza (41:37.995)
So there's step three, then, of course. You know, there's only so many articles you can write, right? And you can't just be talking alone. I mean, the thing people want to see is, okay, you want to help others, that's obvious, but how do you interact and partner with others, whether it's other CISOs or getting on panels at conferences? That's very important. To the extent you can get an individual speaking slot, do it by all means, but I think it's much easier to find gigs on panels.
So, you know, put a hand up anytime and volunteer or even write to them. For example, I'm on the advisory board of SecureWall and the advisory board of the FutureCon conference and a few others as well. And that's one way to do it, because you can insert yourself into the community so that if...
they're building an agenda for the conference and they're looking for someone, you can either nominate yourself, if there's an opportunity, or somebody you know. So that's something to be done as well. You know, one thing that I've also done, to the extent I can, is mentor industry practitioners and in some cases leaders as well, to exchange insights and advice. I do that to give back, but it's also like the old adage, you know,
if you give an inch, they'll take a yard. But in fact, I'm going to flip it. I'll say, if I gave a few inches, I got a lot of yards back. In a sense, I helped a few people or did what I could, and I made a lot of friends just through that, because what happens? They introduce you to their friends, because what then happens is they look to you for trusted advice, right? It's a wider community, right?
Patrick Spencer (43:03.276)
Yeah.
Arun DeSouza (43:21.007)
And then another thing you can do is engage actively in industry forums and communities such as the Cyber Risk Alliance. I mean, I'm a member of others, but that's the one I like the best, because I think some of these groups only open their doors to CISOs or VPs. The Cyber Risk Alliance allows practitioners as well. And one of the things we need to do is get people to come into the profession.
So that's something that's very, very helpful as well. And that's also good because by doing that, I do meet younger people that sometimes reach out to me and I can mentor them. And the last thing, of course: there are these organizations that have dinners with executives, et cetera, which I go to not to have a nice dinner or a glass of wine. But in fact, I've had some really, really good conversations at those dinners. So does any of that help?
Patrick Spencer (44:00.648)
That's a great question.
Patrick Spencer (44:20.622)
Absolutely. Those are really good suggestions for those who are trying to raise their profile. So, Arun, if someone in our audience wants to engage with you, just have a conversation, maybe they're looking for some coaching from you and mentorship, or they may want you to come in and do an assessment of their organization. Talk a bit about what you're doing and how organizations can get in touch with you.
Arun DeSouza (44:42.895)
Well, you can share my email address too, which you have in the actual podcast post. That's saroon.disuza at pro4dissolution.com. Or you can connect with me on LinkedIn as well and reach out. No problem. And I'll make time. As you noted earlier, I provide executive advisory services to some tech companies, and also help startups as well.
I reply to everybody who reaches out to me and we'll see where it leads. So yeah, that's the best way. I think either direct email or LinkedIn. On LinkedIn I'll probably respond even faster.
Patrick Spencer (45:23.566)
That's typically the case with me as well. Well, Dr. Arun DeSouza, this has been a fascinating conversation. We appreciate you making time to talk with us today and we'll have to do this again.
Arun DeSouza (45:37.699)
Absolutely, really. And if I ever do write the book, we'll have a follow-up about that. Patrick, that's a goal to have, isn't it?
Patrick Spencer (45:43.534)
I'll write the recommendation for the back cover. One of them.
Arun DeSouza (45:48.167)
Good. I was wondering who to go to. Thanks a lot. And Patrick, thank you and Kiteworks for the opportunity. I really appreciate it. And it's been great fun, an absolute blast. And do share with me the LinkedIn recording or post or whatever. Whenever it's ready, I'll be happy to have it.
Patrick Spencer (46:08.526)
Certainly, certainly. Well, thanks for your time today. We appreciate our audience as always. If you want to check out other KiteCast episodes, go to Kiteworks.com slash KiteCast.