Hello, and welcome to another episode of Cyber
Speak with Infosec Institute. Today on the show we’re talking to Joshua Knight, cyber
security business leader with Dimension Data. Joshua has 30 years’ experience in security,
including national security experience. Today, we’re going to talk about his security career
journey, as well as the steps that you can take today to move your career toward the
path of Chief Information Security Officer, or CISO.
Based in Dallas, Texas, Joshua Knight currently utilizes 30 plus years of security consulting,
professional services, and managed security service experience, serving as Vice President
and General Manager responsible for the Dimension Data Security Services practice. Before joining
Dimension Data, Joshua served as Global Vice President over Cognizant Security Solutions
business, 2016-2018, Partner inside IBM’s Professional Services Organization, 2013-2016,
the Executive Director of Ernst & Young’s IT Transformation business, 2012-2013, and
as a Director responsible for AT&T Managed Security Service businesses between 2006 and
2012.
Starting in 1999, Joshua built the Sprint
Security Services business, where he was responsible for constructing the implementation, advisory
and managed security service teams. Joshua also served in two start-up companies, where
he served as GM of North American sales and Chief Information Security Officer, or CISO,
between 1993 and ’99. This includes significant hands-on new venture experience with Angel
and Series A and B funding.
During his career, Joshua has enjoyed using
life-changing technology to transform businesses, cultures and societies. He currently holds
a Master’s in business administration from Friends University and an undergraduate degree
in physics, mathematics and chemistry from Friends University. Joshua, thank you for
being here today.
Good, great. Thanks for having me.
We’ll start out with something from the bio there. It says you enjoy using life-changing
technologies to transform businesses, cultures, and societies. What do you mean by that?
So as the evolution of technology has occurred, some of the things that I’ve enjoyed the last
15 years especially is through virtualization – when I went through GSX, ESX – and that’s
moot now – everyone’s cloud today. And also through mobility, using tools such as Handspring,
Pocket PC, and then watching that transform as we went into the Kyocera device – as the
palm evolved into what is the phone today around iPhone, Android. And then also artificial
intelligence and the work that I do through IBM and many of the others, as we also … the
pieces coming from analytics and so on and so forth, so that digital transformation journey.
So I’ve enjoyed using those aspects of technology, and of course that stems all the way back
from when I began in technology years ago as just a little kid and playing around inside
computer labs.
Yeah, so let’s talk about that. What got you
excited about computers eventually, or originally, and also how did that transition into security
interests?
Sure. So for some people, they started their
technology, they would tinker around with computers at an early age or they moved into
it through college or university, what have you. For me, as a kid, I was in trouble, like
any other little kid, who couldn’t keep his nose clean. So my father the college professor,
asked me to come into the computer labs. With that request, I was able to access into DARPANET,
into the World Wide Web 2, BBCs, and BBSs. So because of all of those opportunities,
I was only 10 or 11 years old, my breadth of understanding and knowledge around how
hacking takes place inside of the Ixis, and I was playing around with MUNIX and of course,
as Linux evolved and moved into Windows later on in my career, I was able to really get
my arms around what most folks don’t have an opportunity because I had those technologies
at my fingertips through the university.
Yeah, you were putting your hours in very,
very early it seems.
I was. I was. I wasn’t getting the grades
in junior high and high school. I did in college for sure. Even then, I was always playing
around, and there were books that were out there that made it easy. It was all around
trial and error, and of course, the university professors who were there with PhDs always
were helping and really peeling back the layers of the onion. I always had a resource I could
go back to talk with.
As people of our age who have grown up with
computers but also had a time when computers really weren’t a thing, obviously that means
that you’ve been there since the beginning of what’s now known as cybersecurity. That
wasn’t always part of it. So how has the cybersecurity landscape changed or evolved since you first
got involved?
So, it’s interesting – with security, you’re
right. In the very beginning when I entered my career and I moved, eventually, into government,
even then they didn’t have a GS system set up in order to arrest hackers that were coming
in, and I was considered white hat hacker. I worked through a contract vehicle called
MTS 2001 that opened that door inside of Sprint. Now at that point, the evolution of security
took place. I can remember sitting down with the head of the FBI inside the Midwest up
at the Kansas City office back in ’97, ’98, and he began to really open my eyes to what
this evolution might look like. And that’s where network security started. Now in my
career over the last 27 years I’ll say, before it became the commodity it is today, we moved
from network security, and eventually moved into what was internet security and then of
course, that went into what is information security and now that evolution into what
is digital security. So the transformation through four major phases
or paradigm shifts, they’ve each built on each other and been very relevant to each
other, but it’s become that new way or new focus in security as we move to that tomorrow.
Yeah, how did you get involved with – you said you have national security experience
– how did you get involved with that aspect of cyber security?
Sure! So, back when I was in the startup space, we had a parental control product that was
housed inside the network and not at the end point. It did well for us, but it came to
a place where Microsoft gave that away in MSN 9.0. When they gave that away for free,
although the end user didn’t understand the real differences, they were like, “Why would
I pay for your service, although far better, when I can get it for free?”
So I came to that place where I was out of a career and needed to find a next level.
So I sent my resumes out to the FBI, the DOJ, and the NSA. And from there, they then contacted
me through Sprint, asking me to come work for Sprint through this contract vehicle.
So I didn’t work directly for those agencies, but I did do a fantastic amount of work for
those agencies through Sprint and the contract vehicle. So that’s how I ended up inside
of the national security space.
Are you able to say what you did in that role?
Yes, so in the beginning of that role as a white hat hacker, I was actually hacking into
the FBI, into the DOJ, into those different websites from the outside in, finding vulnerabilities
as a penetration tester or a vulnerability assessment expert, and then eventually that
evolved into an example during the Olympics. They wanted me to break into the Winter Olympics
to make sure that we couldn’t get to the data around the US Olympians. One of my highlights
of my career was I actually broke in and got to all the Olympic data for everybody across
the world. Now today that wouldn’t happen, right? We would hope things have, we would
have hope things have changed, right? Then of course, I did work for the DOD and
some of the other agencies around breaking into foreign governments and so on and so
forth. And from there I pretty much put an end to … I can’t say anymore (laughs).
Sure, no, I figured there would be a hard out on that question. So we brought you to
the show today to talk about one of many roles you’ve had, but namely you’ve had several
times, it seems, you’ve been an information security officer or CISO. Infosec is all about
boot camp security information, training, and we want people to not only take classes
and get certifications, but understand what it takes to get into certain career tracks,
certain industries, and so forth. So what were some of the major steps along
the way, and what were the progression of skillsets that got you to the point of being
a CISO?
Sure, sure. So for me, because I started out
as an information security or security expert, you’d say, around technology, I started out
as a CISO right, very early in my career, right, and during college. They needed it,
there was really no such thing out there, it was hit and miss. And because of my security
expertise and my opportunities that I’d seen in the marketplace, and expanding my own knowledge
set, it was a good shoo in. Because it can also help expand the products that we were
selling, which was a very security-focused product around certain controls and helping
protect the individuals from the misuse or the malware or what have you on the outside.
I was that guy that understood that, so not only did I drive internal security, but also
the external products. And then the evolution of that was, eventually,
when I ended up working for Sprint, I worked for a chief security officer who was, and
there’s a vast difference between a CSO and a CISO in many organizations. In working for
that CSO, he was a retired FBI agent and he helped me understand. I was very full of myself,
I’d say, or arrogant, because I knew technology very well. But he came to me early and said,
“You know, you may know technology, but you do not know governance and you do not know
physical security.” And so he opened my eyes in understanding, this is how governance works.
This is how it applies across HR, legal, into audit, into the board of directors, how you
work with a CFO. How a CIO is different from a CTO. He began to really open my eyes in
understanding as he opened his own eyes, because he had spent years in the FBI and it was this
real new experience. The first major role he had taken from the FBI over into that sector,
into the Fortune 500 was Sprint. He helped me open my perspective from that
point of view. Then I moved over and worked for a CISO inside of AT&T. That CISO Ed Amoroso,
was one of my greatest mentors as well. He helped then me dig deeper into the technology.
He’s a PhD, he’s published like 12 books at this point, and really began to help me understand
okay, now that you know governance, you know physical, you definitely know technology,
let me show you how to meld this together and how it applies to the national security
space. How it applies into the federal space, how it applies into big business, small, medium-sized
businesses, enterprise, and so on and so forth. So those are the knowledges and experiences
I recommend back to many and how you get into the CISO space.
Interesting, so do you feel like you say, you became a CISO or CSO, in part, because
it was just starting and you were there when it started and so forth, do you feel like
these milestones are still applicable to the present day? What are some of the sort of
higher bars that have happened now that CISO is kind of an established field that would
not have applied to you?
Absolutely. You know what’s interesting is
I spent a great deal of time with many CISOs and CSOs across multiple verticals, right,
and part of the reason I made that major career shift into the P&L space is because I could
help them rethink and retool their business while giving information sharing across other
verticals and global industries. Because a vertical inside the United States is many
times very different from a vertical inside of EU, and inside of the APAC or CEUK, it
just depends on where you’re at. So for me, the most interesting part about
the CISOs today is if you want to break into this field, there’s a way you have to view
it. So many CISOs didn’t know what the security story really was just a few years ago. We
may have been in security for years, but the security story, we helped paint that. And
so I spell out like this, It’s around governance, technology, physical. But then, it’s not just
around cyber, many people go, “Oh, security’s all about cyber.” No. All the CISOs, what
I tell them is, you want to find your way out of IT if possible, rather than technology,
and find your way into HR or into legal, or some other part of the organization, even
directly into the CEO. Because the relevance is, cyber is only one
of four major areas or towers of ordinance. Cyber being application, infrastructure, databases,
so on and so forth. We also have identity access management, governance risk and compliance,
and then digital. And digital is a mixture of cloud, IOT, analytics, social media, artificial
intelligence. And all those other, IIOT as we move into operational technologies. All
those components. Now I realize there’s bleed over among all of it, but if you spell it
out in four distinct towers, you find your way into the way a security professional really
thinks. And how you address that in the new world.
And I tell folks, “CISOs are the old world. The CTO, being the chief trust officer, is
the new world.” The chief trust officer has security, privacy, and risk. Three major components.
And we’re going to begin to see over the next three to five years the evolution of that
role as the CISO steps into the chief trust officer and has security folks, and has privacy,
and has risk. So that’s how I’m viewing the today and the landscape to come.
So it’s really shifting a lot in the last couple of years it sounds like?
Yes. The chief trust officer is going to become the go-to focal point that drives the budget
and works as a peer to the head of HR, a peer to the head of audit, a peer to the head of
legal, a peer to the head of CTO that works in the lines of business, CIOs, and has a
seat on the board of directors. And has the budget concerns in the real inter-workings.
The thing is that’s most important that people forget is that we need to be NIST and ISO
aligned, so it’s all around baseline policies first, then your deep dive standards around
those, then the procedures themselves. And that applies back out to all areas of the
business. And having that focal, okay, it’s not just around security, it’s not just that
technology, it’s governance first, and then into these other areas. The one who knows
that is the one that wins, and those are in the big Fortune 500, those are going to be
the multi-multimillion dollar a year jobs. That’s that evolution, where the security
expert becomes the real powerhouse. It’s also a place where you can get yourselves into
a lot of trouble, right? So much exposure, it’s up to you to solve the challenge.
You. The buck literally stops with you. So we’re coming right toward my next question
here, so you’ve sort of described the strata of responsibilities of a CISO and so forth,
could you sort of walk me through the day-to-day activities of a CISO? What types of jobs and
responsibilities are you actually doing with your fellow CTOs, CIOs, the board of directors,
what are you doing on a daily basis with HR and so forth?
Sure, so the day-to-day piece around is pretty much the same when it comes to security. You’ve
got your operational pieces, you’ve got your relationship pieces, you have your technology
pieces, and then you have your government pieces. And it’s about steering committees
and ensuring you have the right senior executives on the steering committees so that we know
where budget allocation goes, and then it’s working back with all the key go-to executives
in the organization. So an example, if you go into CISO today,
many of them will work up and through IT and they’ll drive the functions that are there,
but then the challenge is the network is something that ends up separate, or it’s not a part
of it. So they have to see, how do I work back into the CNO, chief network office? Or
work back into the lines of business that now have CTOs? So if you look into operational
technologies, CTOs are driving that with IOT or IIOT. And so they have to have those relationships
in their day-to-day business. And at the same time, if you look at it, you’ve
got compliance, you have regulatory, you have vulnerability assessment, vulnerability management,
threat management. You have enterprise security management, you have device management. You
just go down the stack of all these pieces that are very, very, very important to the
bigger picture. And them in their day to day role is to integrate and cooperate and ensure
there is a cohesiveness across all those areas of business. And so that’s the real CISO today
is doing that. Or the real security czar is doing that in order to drive business.
While at the same time, there’s only one reason that we’re there, it’s ensuring revenue. And
many of them lose sight of that, so I’ll tell folks, “You’ve got to make sure that whatever
you’re doing is driving, or helping to drive, revenue.” And that’s the new way of ISOs and
biz ISOs, tech ISOs is ensuring that they’re finding ways to that revenue. Being internal,
finding ways to revenue, or ensuring that the external business is enabled to find revenue.
Yep. Regarding CISO as a position, are you sort of the manager of the security department,
or do you work more closely with your fellow C suite people? Do you sort of work in the
upper strata, do you manage much day-to-day operation, or are you sort of working on a
more sort of … long-term plan level for the most part, or a bit of both?
Both. Both. So the CISO, they need to one, work with their peers and work with management
in order to develop a long-term road map, 36 month road map around how their strategy
looks and how it aligns back into the business. While at the same time, going back into their
own organization and treating themselves as centers of excellence so that they’re easy
to do business with and they’re working out across CIOs and CTOs.
That’s their primary focus. Are we easy to do business with? Do we ensure the state of
security? And at the same time, do we drive revenue by getting out of the way, but at
the same time, enabling. So many times, we have to get in the way, but at the same time
that protects our brand. So it’s again a marketing thing and that again drives revenue. So it’s
a multifaceted, multi-tiered approach for the CISO. A proper CISO needs to do.
What are some of your favorite, best, most interesting parts of the job when you’re
a CISO, and what are the most difficult and repetitive? Like, what are the things you
like, and what are the things you don’t like?
I would say the most important or the thing
that I enjoy the most is the community. The community at large outside of my organization,
the community at large inside my organization. And I call it GSIC, the global security intelligence
community, and working with those across the verticals of the business itself, inside the
United States, the regional sides and verticals inside Europe, same thing with APAC. And being
able to take knowledge added or knowledge learned, lessons learned, and apply those
back into what I do today. It’s interesting, one of the things people
say, “Well it’s very different how we do security here. It’s very different how we do security
in HVAC.” And I say, “No, it is not. Security is security.” It is very much the same. Now
you can pretend that it’s different, and you can isolate and silo yourself from the rest
of the greater community or the organization at large, but that thinking is very career
limiting and is guaranteed failure. The only way to guarantee success for yourself
in a bigger picture career move is to remove the doors, remove the windows, and in best
case, remove the walls to where you become a non-siloed thinking, non-siloed organization
that communicates back out. Yes. We are about information protection. We’re about certain
things we have to ensure safety are secure and that no one can get access to, but the
one thing that we have to maintain is constant communication and open dialogue with our peers,
with our employees, and with those we work for to ensure success.
I tell folks, with three-letter agencies and when you get into top secret, when you get
into national security, it’s easy to get a siloed thinking. That is not the right way
to do business. If you’re working at any type of enterprise or small, medium-sized business.
The only way to be successful is to remove the doors, remove the windows, and open all
dialogue. Level five leadership. I love that from Jim Collins: Good to Great. A great
CISO maintains level 5 leadership. That’s the answer to success. If you find that, you’re
guaranteed. One of the things I’ve said to CISOs is a CISO’s
longevity can be cut very short. The reason being, an example, is ITO. IT outsourcing,
if you talked to a CISO 36-40 months ago, they’d say, “I will never outsource any of
my security. That’s crazy, I’m not sending it offshore, so on and so forth.” You know
what happened is the board of directors, the CFO, they stepped in and said, “I don’t care
what you don’t want to do. This is what we’re going to do.” And those who argued and fought
back lost their job. And I know many CISOs that said, “All right. I want to continue
to work, I did lose my job. I’m going to do it right the next time.”
And so, here we are again, the next level, around moving everything to the cloud, and
moving into a software-defined world. Many have said, “All right, I learned my lesson
from the first time in the ITO outsourcing.” We’re still seeing ITO outsourcing. We’re
even seeing total lift and shift where even the CISO themselves are being outsourced into
India-based outsourcing, or to some type of outsourcing organization. I know for a fact
because I’ve done that with Cognizant. I’ve done that with IBM. I’ve done that now inside
of DD with NTT. And the interesting part as we move into software
defined, 29% of the budget inside CISOs is moving toward software-defined or cloud-based
security. So here we are again, I say to the CISOs, move with it, do the right things.
We have next-gen CASB, we have all these solutions, we’ll see this continue to evolve and grow.
Be a thought leader, a forward thinker, and you can drive change. But if you dig your
heels into the ground, you’re going to become a dinosaur.
And so that’s my greatest gift and suggestion to many of the CISOs, and I have a lot of
friends in this space. So we talk about it regularly.
All right. Everybody write that down. This is the key takeaway right here, so everyone
listening. So what sorts of activities should you really be interested in or enjoy doing
if you’re thinking about becoming a CISO, what’s the thing that you do every day? It
sounds like communication is a big part of it.
Communication is my primary. The one thing I tell people is if we get hit by the biggest
HERF gun in the world and all technologies cease to exist, the one thing we have today,
we’ll have in 100 years, 1,000 years from now, and 10,000 years ago is relationships.
The answer to all things is build a cohesive network of relationships. Not just within
the security community, which is very important, but build those relationships outside the
organization. There’s nothing worse than when I hear a CISO
who’s at odds with audit. That should never happen. They should be best friends with audit.
Or a CISO who’s at odds with HR because of the way policies are designed and driven out
to the organization. That should never happen. Legal, e-discovery, all these things, it’s
important to have key critical relationships, and if you’re not good at building relationships,
I suggest you find a way to get good at it. Because your career will come to a dead halt,
but if you master those relationships, and that’s of course what I love about what I
do, you’re going to make sure your career flourishes because people love you. And it’s
not that we need to be loved, it’s that we must be loved. It’s the only way we can make
this successful.
So what role do you feel that professional
certifications play in the enhancement of a security career? You obviously have a couple
of degrees there, do you feel that getting cybersecurity degrees or sort of upper level
degrees is a beneficial thing in this particular position? And what certifications do you think
are going to be most important to CISO aspirants in 2019?
Absolutely. So to young folks who are coming in, I say, “Get a degree in cybersecurity
if you think that’s the right move.” Especially one that’s NSA-aligned, because there’s many
programs that the NSA has funded and are backing, and there’s guaranteed that you’ll find many
of those avenues that are relevant to getting you into the market space quickly.
For those who don’t have those degrees, not a problem. My degrees weren’t in security
as well, and I did that on purpose because I wanted to learn to think outside the box.
However, I say to those folks, the fastest way, and I’ve taught this to many people who
want to take this path, and I’m not an advocate for any one of the certifications, but I will
say one of the fastest ways is, you want to know the technology? Learn the Security+ and
if you want to know the governments learn the CSSP.
People have an opinion about both of those, that’s fine. I’m just giving an example of
a road to take. When you take those, then getting out into the greater community, ensuring
that you’re a part of those working groups. Those monthly working groups, biweekly working
groups, the CISO working groups and your local community, local chapters.
And the more you dig into that, within 12 to 24 months, you’ll have a job as a CISO,
because not only can you then talk to security in a way that most people could never comprehend,
you’ll then know how to have those conversations in ways that other people know how to communicate
with you. Then you can show, “I’ve been doing security my entire career.”
Because reality of it is, we all do security to some degree. And if you know the ins and
outs of security, you’ll find that many people are afraid of what we do. Because they just
don’t understand how it’s applicable. But the reality of it is, if you know the foundation
around Security+, CSSP, you’re guaranteed success. You will find your way into a role
that makes good sense to you. Of course, the key there is you’ve got to
get outside the box, right? Get outside, travel, go to know people, know their business, expand
your horizons. And every time you think you’ve hit the, “Oh, I’ve made it”, no. Expand
it. Build your box bigger. Know more. Go, go go! Drive, drive, drive! Never stop learning!
Meet everybody. Absolutely. So I guess to that end, what type of companies require a
CISO? It sounds like it’s pretty much every level of business shy of local mom and pop
probably needs one, you know, of any certain size. What types of professional companies
should you be trying to be employed at to make yourself desirable as a future CISO?
Absolutely! So, I would say any one of the small-medium-sized businesses would need a
CISO. They might not need it full time, and they might need it as a manager or director
of security. They might also just work through a consulting firm to help provide that value
add back to you. Then you get into enterprise, Fortune 500,
global, all of them need CISOs to some degree, some will bring in as directors, many of them
don’t understand the value add. And an example is when I look at some of these manufacturing
companies, they have a director of security or something through the ISO and they want
to evolve and move into the IIOT space. It’s just happening through the manufacturing.
They’re a little bit behind the curve and I say to them, “Get ahead of the curve.”
Get a CISO who gets up to the board of directors, who has accessed, probably reports up into
HR and to legal, maybe directly to the CEO, that then works with the lines of this and
the CTOs. Each one of those, people go, “Oh, this company, this type of vertical is a dinosaur.”
No. It’s not a dinosaur. Security is becoming, it may appear to be a dinosaur, but they’re
still growing. That’s why they’re in business. And security is becoming the number one focal
point as the evolution occurs, as we move into this next space of everything connected.
So I would say all of those areas have outruns and for anyone who wants to get into the space,
I tell them, “If you go into consulting, you can find your way quickly into an organization
just by those small ones that need to know how security works.” And then you can move
your way up. So I have a great friend who works across
four major companies as a consultant. He built out full time into four companies and acts
on the board of directors because they don’t want to pay somebody, but they need his expertise.
And getting somebody who’s an expert like him is rare. So there’s all types of different
avenues around who needs a CISO.
So realistically, you could get started in
almost sort of a freelancer consulting space as long as you have the knowledge and you
can sort of start low and build your way up.
Absolutely! And outside the knowledge, have
the confidence.
Yeah, and the communication skills.
Absolutely! With that, it’s easy, right? Because people don’t know, and if you know more than
they do, give them that knowledge, go figure it out as you go, and then suddenly, you’ll
become even better at it. But just have confidence in what you know and allow the rest to happen.
So what are some of the common pitfalls that CISO aspirants make along the way, and how
can you avoid them? Are there sort of unnecessary tasks or resume fillers that people think
that they’re helping, but they don’t really make a difference?
Yes. One pitfall, they do not listen to the board of directors. They do not listen to
the CFO, they do not listen to their peers. And with that not listening, they may think
they’re listening, but they’re listening through a lens, or watching through a lens in a way
that’s not relevant to one, security, not relevant to the business and driving additional
revenue, not relevant to everything that’s important to those in charge, right? And what’s
important to Wall Street. Just, they don’t remove the blinders. That’s the first thing.
Another one, they don’t fight for what’s relevant. They don’t fight for what’s important to their
business. They don’t use their voice so they grow their capacity in order to support the
rest of the organization. Then the next one, the third most important,
I say it over and over, is they somehow interfere with making revenue in a way that impedes
bigger business and that’s very career limiting. They’ll shut things down based on the STLC
at the wrong time because they didn’t inject themselves into the development cycle properly.
Or they interfere back into a connected device in a way that impedes progress. Instead of
saying, “All right, go to market, let’s figure out how to secure it as we go, we were a little
late to the business, that was my fault, or I wasn’t here. I didn’t understand the business
now that I’m getting it.” Again, if they were communicating, many of those are going to
come back to them in their right time and say, “Hey, we need you here.”
But if they’re not getting out there and building the relationships, and being relevant, they’re
not going to get injected at the right times. And then again, if you don’t shut it down
and they get hacked, who’s to blame? Well, suddenly you’re out of a job because they
say, “Why didn’t you get in the middle of it where you were needed, and why didn’t you
solve it when we needed you to solve it?” So those are three of the major things that
I say to people is one, you’re not communicating. Two, you’re not listening. And three, you
don’t find the relevance back to is how to make revenue in the business.
Okay, so a lot of the listeners we have on our show might not even be on a security track
or they’re very low on a security track, so what’s one thing that you would suggest you
could do in your current position that would move you one step closer to getting on the
path of being a CISO, even if you’re, you know, in a non-security position?
What would you say, get home from work tonight and do this thing? Start reading a thing,
start doing a thing, volunteer a thing?
Get your Security+. Get the ISSP. Plug into
a mentor who’s a CISO or a head of security. Many of us would love to help people. Most
people don’t ask. And most importantly, and I see there’s three because this one’s on
the side, community. Plug into a community. Not only to a person as a mentor, but plug
into the community, local community, national community, everywhere and anywhere you can.
With those three things, you will be a CISO within 24 months.
Wow. So where do you see security practices going in 2019 and in the years to come? What
are some innovations and ideas you’re looking forward to seeing or driving yourself?
So the way I view it is strategic perspective. There are three towers. Three towers, the
first one is, first, you’re going to see most organizations break out into a multi-tiered,
multi-towered approach around cyber, GRC, identity access management and digital. And,
of course, national security is always there. Right?
A multi-towered approach is what’s leading into most importantly, digital transformation.
So of those four towers, you can look at this one as the middle tower. So this is today,
those towers GRC, cyber, identity access management. The journey to tomorrow’s around digital.
As we move into IOT, and we move into cloud, we move into analytics and so on and so forth.
And tomorrow, software defined and securing the software defined and putting security
into the software defined. I tell people that if you look at it from that, those are the
strategies of today, tomorrow, and the future. And if you can get behind that, you’ll realize
the answer to all of it is around platforms and advisory services.
If you’re using platforms to your advantage and advisory services to your advantage as
a current CISO, you’re going to address all of identity access management, GRC and cyber,
and you’re going to get that to help you feed across the transformation journey through
digital into software defined. And then if you create exploratory committees
and you have the right alliances with the business, you’re going to define multi cloud
and hybrid. And over here, which is going to feed right back across. Because both of
those are very important to melding it all together. If your strategy addresses those
properly with 36 months, if you need to bring in an outside consultant, or if you can do
it yourself, fantastic! Or work with your local community? That’s how you’re going to
ensure success for yourself and your business over 36 months.
So as we wrap up today, could you tell me a little bit about your current role with
Dimension Data? What type of data and security services does your company provide their customers
and what’s your company’s big initiatives for 2019?
Sure. So for myself, personally, I’m vice president and GM over all the Americas including
Latin America and Canada for all security. It’s a blend of DDNTT as we become NTT Inc
and with that, I currently, my nature initiative, which is driving from a global initiative,
is moving into what we call 60/40 split. And so 60/40 split means, sure, we sell technologies
today at 60% of our business, but 40% of that we drive as actual DDNTT-led services. Those
services, of that, 50% of those are managed security services, 20% of those are consulting
services, being business consulting, and the other percentages of it is the professional
services or technology consulting. And my business today is going into clients,
helping them, many of them are buying Cisco, they’re buying Palo Alto, they’re buying all
these other type of vendors from us, so many different vendors we work with. But the most
important part is adding on the value add services that will help them as a CISO get
to that next level. Right? And helping them understand, we’re not just going to toss a
technology into your lap, we’re going to wrap around, more importantly, the consulting services
that help you address your 36 month road map around the strategy I talked to.
And we have the feet on the ground around professional services and delivering it, and
we can manage security services wrap around to help you deliver and maintain the monthly
recurring with what you need to get done. So we have that whole portfolio of services
and that’s the relevance to what we do today at DDNTT.
So how can people reach you if they want to find out more?
Absolutely! Getting a hold of me at a personal level. I’m, you can find me at [email protected]
Right. And do you have a social media at all, like Twitter or anything, if people want to
follow?
I do, and I don’t have that on me, so I’ll have to-
All right. Look around for Joshua Knight.
Okay Joshua, thank you for being here with us today.
Great, thank you. I appreciate it.
Okay, and thank you all today for listening
and watching. If you enjoyed today’s video, you can find many more of them on our YouTube
page. Just go to YouTube and type in, “InfoSec Institute.” Check out our collection of tutorials,
interviews, and past webinars. If you’d rather have us in your ears during
your work day, all of our videos are also available as audio podcasts. Please visit
InfoSecInstitute.com/cyberspeak for the full list of episodes. If you’d like to qualify
for a free pair of headphones with a class signup, podcast listeners can go to InfoSecinstitute.com/podcast
to learn more. And if you’d like to try our free security IQ package which includes free
phishing simulators you can use to fake phish and then educate your colleagues and friends
in the ways of security awareness, visit InfoSecInstitute.com/securityIQ. Thank you again to Joshua Knight, and thank
you all for watching and listening. We’ll speak to you next week.