[Saqib Chaudhry]: Hi Marta, I am doing well. I consider myself a technology enthusiast and a futurist with leadership experience in Information Technology, Cyber Security, Enterprise Risk Management, Business Resilience, and IT Internal Audit & Compliance.
Most of my career has been spent working as a consultant, with firms such as Deloitte & Touche and Grant Thornton. These firms provided me with a strong business and technical foundation while also giving me the opportunity to develop and implement comprehensive operational strategies and solutions for numerous organizations across North America and the Middle East, spanning various industries including Healthcare, Telecom, Energy, Oil & Gas, Manufacturing, Pharmaceutical, Financial, Law Enforcement and Government.
[SC]: I would divide my responsibilities into the following three areas:
1 – Operations: Managing Information Security, Network, Unified Communications, and the IT Planning & Development teams; ensuring that the related Key Performance Indicators (KPIs) are met and Key Risk Indicators (KRIs) are managed and improved.
2 – Regulatory Compliance: Identifying and rationalizing applicable (global/regional) regulatory requirements related to Information Security. Developing approaches to achieve compliance in a manner amicable with the organizational goals and objectives.
3 – Strategy and Governance: Formulating an Information Security strategy that is in line with our organizational strategy of becoming a fully digital hospital. Developing and executing an Information Security Management System (ISMS) that governs the overall Information Security program.
[SC]: The most challenging, yet equally rewarding, areas include:
[SC]: CCAD is an Abu Dhabi government-owned hospital that was established as a result of an agreement between Mubadala Development Company and the US-based Cleveland Clinic in support of Abu Dhabi’s Economic Vision of 2030 to develop a robust, world-class healthcare sector in the emirate.
From a perspective of excellence in terms of technology, expertise, and the delivery of care, the hospital follows the US-based Cleveland Clinic model of care. The difference lies in the local culture, people’s economic and social norms, and general awareness related to health-related lifestyle practices.
[SC]: The two main reasons why the healthcare industry is becoming the key target of cyber-attacks are as follows:
Medical records, in general, contain much more Personally Identifiable Information than records maintained by other industries. A typical healthcare record may include information such as credit card data, email addresses, insurance, social security numbers, employment information and medical history, much of which remains valid for years, if not decades. Cyber-criminals are using this data to launch spear-phishing attacks, commit fraud and steal medical identities.
As per Robert Gregg, Chief Executive of ID Experts, “A financial identity can be worth $5 to $10 if you have all the info. A medical identity can be five to 10 times that amount just because how easy it is to monetize that information once the bad guys get it.”
[SC]: I believe CISOs should rethink their overall Information Security strategy to keep up with the pace of digitalization. With the growing use of Cloud, Social Media, Big Data Analytics, Mobile Computing, Robotics, telemedicine, etc., it will be beneficial to drift away from the traditional Device-Centric strategy and start moving towards a Data-Centric approach. Ideally, if you are able to implement appropriate data security & privacy controls at the source, then depending on where that data flows the overall risk will be manageable.
Additionally, to better protect IT networks against Zero Days/APTs, a CISO should consider investing time and resources into:
[SC]: I certainly wouldn’t preclude the possibility that, since CCAD is an extension of a US-based, globally renowned hospital, it is on the radar of cyber-criminals globally. However, there are a couple more compelling reasons, including:
[SC]: I have completed an Executive Education course on Cybersecurity from Harvard University and am currently pursuing a graduate (Masters) degree in Information Management Systems with a focus on Cybersecurity.
I would consider a Harvard education as state-of-the-art and an enabler of critical thinking. I certainly have benefited from the education that I have received thus far, and would recommend it to any cyber security professional.
[SC]: The real differentiator, I believe, is learning from faculty who are regarded as thought leaders in their respective areas, providing both strategic and tactical perspective in tackling real-life business problems. This also goes hand-in-hand with the competence of my fellow classmates, as they are also leaders in their respective fields and have real-world experiences to share.
I believe passion and education are equally important for professional growth in any field. Education can help you discover an area for which you may develop a passion. Similarly, education may help you in discovering ways to excel in a field that you may be passionate about.
[SC]: As the Information Security field becomes more competitive, the right mix of formal university education and certification will be needed to keep an edge over the competition. From a certification point of view, I would recommend the following certifications:
Additionally, I would recommend attending Information Security related conferences such as Black Hat, DEF CON, SANS, RSA, etc., to stay abreast of the leading and bleeding edge technologies and solutions.
[SC]: To gain global experience, especially in an emerging economy.
[SC]: In 2015, I was selected as one of the 28 U.S. Chief Information Security Officers for the inaugural FBI CISO Academy course at Quantico, Virginia. The course provided useful insights into:
[SC]: There are some inherent challenges related to being a state-of-the-art greenfield organization and to the fact that our goal is to become a fully digitalized hospital.
Nothing unique to our organization per se and nothing that cannot be overcome with time and resources.
[SC]: I like to travel and read about history, philosophy, current affairs, and future technologies.
[SC]: Don’t be afraid of failure. Remember that “Best Practices” are derived from lessons learned, which are accumulations of both failures and successes. Should you fail, quickly conduct a ‘lessons learned’ and move on to pursuing your goals.
A thought leader and futurist with over 17 years of experience in Cyber Security, IT Infrastructure, Enterprise Risk Management, Business Resilience, Data Privacy, Internal Audit and Compliance. In his current role as the Chief Information Security Officer (CISO) at Cleveland Clinic Abu Dhabi (CCAD), Saqib is responsible for the implementation and management of the overall Information Security program. In addition, Saqib is also tasked with managing the IT Network Infrastructure, Unified Communications, and Infrastructure Planning & Development functions at CCAD.
Prior to joining CCAD, Saqib worked with Deloitte & Touche Middle East as the MENA regional leader for Business Resilience and with Deloitte & Touche US as a Security & Privacy Practitioner. Throughout his career, Saqib has led the design and implementation of numerous Technology, Cyber Security, Privacy, and Risk projects for clients based in North America, Europe, the Middle East, and South Asia. Saqib has a breadth of experience in designing innovative strategic solutions for organizations across various industries including Healthcare, Telecom, Oil & Gas, Nuclear, Law Enforcement, Financial, and Government.
Saqib is currently pursuing a Master’s degree in Information Management Systems with a focus on Cyber Security from Harvard University, USA, and is an alumnus of the US Federal Bureau of Investigation (FBI)’s CISO Academy.
LinkedIn Profile: Saqib
Link to my latest podcast on Cyber Security Awareness is as follows: brighttalk