While some movers and shakers in the tech space find it hard to step out of their comfort zone and start mixing with the C-suite and the board, Jordan Avnaim has relished the opportunity. His two-decades-long journey through security and technical risk functions began with building a secure network for a government agency. Avnaim soon went on to join Deloitte & Touche in a consulting role, before enjoying a long stint at The Capital Group Companies, where Avnaim ran point on information security, technology risk and technology audit functions for the firm, which had more than $2.2tn in assets under management during his tenure.
At Entrust, he remains a key figure influencing change through digital transformation. Avnaim’s ultimate goal is to help reform the role of the CISO from a purely technical position to one that has a say in all aspects of the business and a clear voice in the boardroom.
“Boards can be seen as mythical in nature to the CISO community and are not well understood,” he told Tech Monitor during the interview below, edited for length and clarity. “CISOs can’t succeed unless they have a rounded view of the business. They can’t just come from a technical perspective.”

Tech Monitor: You’ve had many different roles since starting out in information security. How have they prepared you for your job at Entrust?
Jordan Avnaim: It has given me a rounded view of what is required as CISO. At The Capital Group, my job was to implement policies, standards and procedures to protect the firm’s data and allow transactions to be secure for its customers. Now, I am providing secure solutions for financial institutions. So, I went from the customer to the supplier. I know what each side needs to be successful.
I was very fortunate in that I went from one environment where the corporate culture was very close-knit to another that felt very similar. The movement from one enterprise to the next has been seamless. It was important for me to be successful from a cultural perspective, not just a technical perspective.
If you have the same job year after year, the world changes around you. The threats change, the geopolitical environment evolves, and so on. I am lucky that I have what I need to succeed here. When I joined, our security programme was already set up. I did not have a blank slate. I was picking up something strong and making it stronger.
Tech Monitor: What’s the cybersecurity issue everyone’s overlooking right now?
Jordan Avnaim: The most important issue right now is post-quantum cryptography. Existing algorithms will be broken by quantum computers soon, as early as in a few years. These devices will operate at lightning speed and can instantly do work that would take classical computers decades. Our encryption algorithms are not ready for that. So, we advise customers to adopt post-quantum cryptography solutions to ensure security will be there for decades to come.
People always think they have plenty of time, but that is not the case. Governments, for example, are gathering and storing lots of encrypted data on a ‘collect now, protect later’ basis. That is a real problem. There are solutions available today, but bridging that gap is a process involving several steps.
The first step is inventory: knowing what assets you have, then prioritising and migrating the most valuable data with the longest shelf life. Those are the highest-risk items. Then you should test quantum-resistant algorithms across your network. Some vendors already offer access, so we need to figure out which ones work best. Then comes the planning phase to build a post-quantum security strategy.
I’ve had this discussion many times, and customers either get it, and say they are starting that process, or they ask me what post-quantum cryptography means. Even some CISOs still ask me that question, so there is still a knowledge gap. The good news is that there is no grey area; they either get it or they don’t understand, and when you explain why it is important, you see the lightbulb go on.
Tech Monitor: The top security person in an organisation was once just a trusted technical advisor, but must now translate the complex cybersecurity world into language the board will understand. How do you talk about information security using the language of risk?
Jordan Avnaim: When I think about effective board communication, I use a three-part model.
First, build trust. You need to get to know what makes board members tick. Demonstrate that you know what their priorities are, why they are on the board, and what has made them successful. Understand them both inside and outside the boardroom. Humanise the relationship, so the conversation is more natural. Spend time with them outside the boardroom – an email exchange, a coffee, maybe a meal. Build rapport, respect and trust. Understand their technical skill level, so you can talk with them, not at them.
Second, tailor the message. Get to know them so you can use the right level of detail. I use the acronym KICS – ‘Keep It Cybersecurity Simple’ – so I can tie the message to business outcomes. Avoid technical jargon. If we are explaining terms, then we are working at the wrong level.
Finally, incorporate the feedback loop so the conversation changes and matures with the business. Cybersecurity strategy must evolve to meet collective needs, so meet with board members and the C-suite to obtain feedback. I’m lucky that my board is rather technical, but in other enterprises, there have been very technical problems that I was trying to solve with people who were not technical.
Tech Monitor: What advice do you have for other security leaders or for companies hoping to forge greater links between the technical leadership and other senior decision-makers?
Jordan Avnaim: There is a nuance here. I apply a different approach when I talk to fellow C-suite executives. There is a slight but important difference between them and the board. You get to know the board members, and that applies to the C-suite too, but with one more caveat: you need to listen more. What is valuable to them? What are the concerns in finance, accounting, HR, and sales? Leaders of those functions may see you as prohibiting them from doing their jobs.
When you understand what they need, you can articulate your message in their terms. When the conversation does not work, the risks are business-critical. All of that discussion and getting to know people needs to happen before you reach the point where you need to solve a problem.