Yaron Slutzky, CISO for online travel agency Agoda, shares his thoughts on what it takes to be a CISO in this day and age
Agoda CISO Yaron Slutzky has more than 15 years of experience in the cybersecurity domain. Prior to joining the online travel agency, Slutzky was CISO for different companies across multiple sectors, such as telecoms, e-commerce and manufacturing.
Slutzky also lectures at universities and conferences around the world. His primary focuses are on emerging technologies and transforming organisations’ information and cybersecurity programs by bringing fresh new approaches and methodologies.
When asked how he got started in the field, Slutzky says that he “started as an IT guy”.
“I gathered a lot of knowledge in that field, like networking operation systems, which gave me a good basis,” he says. “When information security started to grow, I went to the offensive side and after a couple of years moved to the defensive side. From there I’ve done all kinds of security roles in different industries.”
Ahead of speaking at CISO Singapore 2022, Slutzky shares more information on how security leadership roles are changing and some key organisational challenges.
What Drives a CISO Today?
Delving further into what drives him as CISO of a large hospitality organisation, Slutzky stresses that security is an irrefutable business priority.
“What makes me get up in the morning is the fact that my job is to keep the company and the data safe. That our customers will trust our company and will want to do business with us. And that security is #2 of companies’ risks these days,” he says.
Touching on the current security landscape in 2022 and what we can expect to arise in 2023, Slutzky was honest about the rising threats.
“The 2023 threat landscape is growing, as we are moving more and more to the cloud and more data is being shared. It’s a digital world, so with that comes risks like ransomware, which we hear about all the time, or data leakages leading to misconfigurations within our infrastructure, supply chain attacks and more,” he says.
Slutzky highlights that passwords are still an ongoing risk that will continue to be a big challenge.
Blending Culture and Organisational Needs
Getting culture right when it comes to information security has proven to be a key feature of a strong organisational stance against threats.
When asked for his thoughts on cultivating a strong information security culture, Slutzky focuses on finding the right balance between security and organisational culture.
“It’s a good question. Culture in a company is very important and security needs to be aligned internally as well. Agoda is big on culture and we definitely emphasize the importance of balancing between what needs to be done and what is just a blocker to the business,” he says.
Slutzky believes that organisations need to look at what the risks are, particularly what is important and cannot be compromised versus risks that have low chances of occurring. The reason is that some issues may not be worth the investment or change.
“You have to optimise our time and resources as a team and work together with key stakeholders to balance security with their corresponding risks,” he says.
Succeeding in Tough Terrain
Working in a high-pressure and dynamic environment like information security creates a unique type of leader. When asked about the qualities that the CISOs of tomorrow need to possess to succeed, Slutzky had a few tips of the trade to share.
The first is leadership of the team: motivating team members to lead with autonomy and confidence towards a unified vision. Next is the need to understand the security landscape globally, identifying and evaluating the various risks at hand, and constantly thinking up creative and innovative solutions to manage them effectively.
Another key trait is to be exceptionally knowledgeable about the security solutions that exist at a market level and to empower each market manager to own their geographies while keeping in line with an overall global vision. A successful organisation is the sum of its parts and having a robust system in place can help with the maturity of security within an organisation.
Finally, Slutzky adds that the ability to adapt and respond to new threats in a timely and efficient manner is critical.
“Act fast and efficiently, and be ready for anything. Security incidents are best addressed with a skilful team who are creative thinkers with strong troubleshooting capabilities,” he says.