So thrilled to share this interview with Jitender Arora, Partner and Chief Information Security Officer (CISO) for Deloitte North and South Europe (NSE). In his role, he is responsible for establishing and maintaining the security vision, strategy, and program to ensure business and clients are protected against ever-growing threats. Recently, Jitender was recognised as #1 CISO at the CSO30 2021, an award that recognises security executives who have demonstrated outstanding leadership and business value.
Jitender has worked in the technology and security industry for over 20 years. He has held a wide range of senior leadership roles in financial services, professional services and technology organisations. He has strong experience in cybersecurity, cyber resilience, technology risk, operational resilience and operational risk domains. Jitender is an expert with a proven track record of success in strategy definition and execution, leading business transformation initiatives, managing efficient operations, and building and managing CxO and board-level relationships.
He is very passionate about diversity and inclusion. He is a member of the diversity and inclusion steering committee and executive sponsor of the diversity & inclusion initiatives to support the ambition of making our society and workplace more inclusive.
In this interview, Jitender shares his experience in the security industry, the crucial decisions he takes for his company and employees, how he stays on top of the client’s and business’ expectations and requirements, and what his mantra to be a good leader is.
Having 20 years of experience in the technology and security industry, what have been your key takeaways and learnings in the field?
When I started my career, technology was a very specialised niche domain. Over time, almost all organisations have become technology organisations, whether it is a FinTech organisation or a retail organisation, everyone needs to have an online presence. Especially with COVID, business models have changed quite rapidly forcing organisations to move into remote and hybrid working models, trying to leverage technology as much as they can. As a society, we’re becoming a lot more digital.
My key takeaways when I think from the technology perspective, technology has transformed the way we connect, the way we work, where we work from, how we connect with people, and how we consumers interact with organisations. Consumer expectations have changed significantly and consumers are now expecting organisations to provide high quality rapid service, no one now wants to stand in a queue for a long time to get the service. These consumer patterns have changed, and increasing competition is pushing the organisations to think differently.
When I talk from a security standpoint, security was very different back when I started my career, it was mostly about protecting the network perimeter of the organisation. Now we have highly motivated, patient and financially driven attackers who are trying to go after organisations, making it a specific target. The scale of the challenge has become very big. Everything is now digital, everything is online. So the scope for attacking and attack surface has become very big for the attackers to leverage and security has become a very fundamental part of running the business. Securing the technology stack and making sure you’re safeguarding the customer data, employee data and their money, is a very big responsibility that’s become quite mainstream. Security is everyone’s responsibility. Just like in the physical world, like when I was growing up, my parents used to tell me to not talk to strangers and not take anything from strangers. Now, we are living most of our lives in the digital world so we need to know the right ways of operating in a digital world and hence digital security has become everyone’s responsibility.
What are the most strategic and crucial decisions you take for your company and employees and how do you approach it?
One thing about leading the security domain of your company is that you have to make some crucial decisions. Security is a pretty new profession. If you think about it, it was not mainstream a decade ago, whereas technology has been around for a long time. So there are a lot of organisations that have grown organically in the tech domain and hence there’s a lot of security debt that we have to cover. We need to focus on strategy, that is, where we are today in our security capability and where we need to get to to be able to operate within the risk appetite. Similarly for cyber risk, the cyber risk for a construction company, which has no online presence is minimal compared to health and safety risk but say for a business that sells everything online or provides services online, the cyber risk is significant, because if you’re not available online and the customers do not trust the platform to buy something because of a cyber breach then nobody is going to interact with your business. So the strategy is very important to say what kind of business we are, what kind of threats we face, and what level of security maturity we need to build and maintain the trust of customers and in some cases regulators if you are a regulated business.
In addition to this, you need to have one part of your team focusing on what I call firefighting, your SWAT team, which is addressing the current pain points, and immediately responding to vulnerabilities and issues quickly. So whenever something goes wrong, they can come into action, take control and contain the problem. So it’s a bit of a fine balance between strategy, operations and firefighting.
In today’s ever-evolving industry, how do you ensure staying on top of the client’s and business’ expectations and requirements, protecting them from the ever-growing threats?
It’s very challenging. If we just look at the last two years, the threat landscape has changed very significantly, and attackers have become smart. Just like we are maturing our defences, attackers are also maturing their capabilities — if we have access to cloud computing, for doing our work, the attackers too have access to cloud computing to be able to meet their objectives. So while we’re innovating, they’re also innovating and improving their offensive capabilities. It has become a continuous cycle, where you’re trying to keep up your defences with what innovation is happening on the attacker side, build more secure systems and manage the attack surface efficiently.
Attackers are patient, persistent and becoming smarter and agile. They’re becoming more sophisticated and investing part of their earnings in their business i.e. hiring staff and acquiring better offensive capabilities. So for example, instead of going after multiple organisations, attackers went after SolarWinds, compromising every company that used them and had their software deployed.
What would be the one piece of advice that you would give to the upcoming leaders to succeed in tech-first organisations?
So you could be pursuing technology or have a more cyber-oriented interest. For those pursuing technology, be curious, and be hungry to learn. Because technology is evolving very rapidly and you have to keep up. You also have to have the ability to pivot quickly.
For anyone pursuing a career in cyber, it’s a demanding job. With the evolving technology landscape and worsening threat landscape, you will need to learn and adapt quickly. You have to provide advice, guidance and sign-off to the business on security matters. You are accountable for a number of big decisions at some point in your career, especially if you’re going into leadership roles. As a leader, you have to be resilient and confident, because you will be in situations where you have to make tough choices with limited information and you will be under immense pressure. And you need to handle those situations confidently, know how to cope and lead successfully. Personal resilience is key to being successful.
What is the one activity you do outside of work?
Tennis! It’s the thing that creates the balance that I need in my life, with work and family, it helps me with my mental balance and my well-being. And it’s fun! And I love watching F1 and movies too!
What is the top book that you would recommend to everyone?
The book that changed the way I look at life and work is called Start With Why by Simon Sinek. I once listened to his TED Talk and I was very fascinated, it resonated and connected with me at a very deep level. So that’s when I went to read his books. I always say this to people: listen to the TED Talk, folks, and if you connect with it, go and buy the book!