S26 Ep1: Erik Avakian - Fuelling Business Growth with Modern Security Leadership

Today, Steve is speaking with Erik Avakian, who served as CISO for the Commonwealth of Pennsylvania in the United States for more than twelve years before moving into the private sector, where he currently works as the technical counselor at Info-Tech Research Group. Erik brings his passion and experience to a lively conversation in which he and Steve discuss coping with change through multiple leadership turnovers, practical examples of how security leaders can demonstrate their department’s value to an organization beyond theoretical breach prevention, and overcoming challenges in the public and private sectors.

Key Takeaways:
1. Embracing change in state/local government requires technical architecture and common architecture.
2. Public sector security faces unique challenges, including political considerations.
3. It’s critical for public funds to be used efficiently while also reducing duplication of work and building knowledge sharing across agencies.
4. Security testing and phishing simulations can demonstrate return on security investment, saving time and money in the long run.

Tune in to hear more about:
1. Embracing change in security leadership in the public sector (0:00)
2. Building security foundations in public sector organizations (4:45)
3. Funding challenges in security, with tips for effective resource utilization, building strong teams, and collaboration (8:48)
4. Demonstrating security value to business leaders through cost-benefit analysis and service metrics (14:02)
5. Demonstrating security value to non-technical stakeholders through practical examples (18:33)


Standout Quotes:

1. One of the reasons I love the industry and I loved the position of CISO is you're constantly trying to just improve, right? You're not trying to rebuild every, all the time. You know that the business might want to rebuild, but you're there to constantly improve that foundation, continuingly building your team, and continually building your capabilities. So regardless of who comes and goes, you have that foundation, and you continue to grow it. - Erik Avakian

2. It's really about enabling the business. How can we say yes, but do things more securely and put a positive spin on it? Whereas, you know, in the past, you know, security is looked at oh, these are the guys that say no. So really, a CISO's a partner to the business, a collaborator building relationships, and really, that's been the change, right? It's gone from less of a technical kind of a thing to being a coach, being a leader, and really working and building those relationships at the business level. - Erik Avakian

3. I look at it as almost like a baseball team. So in the baseball world, you have a catcher, you have a pitcher, you have all these people on the field. And it's identifying what are the strengths of your team, and letting those players — if we look at it from that perspective — letting them thrive, letting them grow in the position that they're passionate about. And then you can just grow in that passion, give them the training, give them extra training, helping them build where they're really good at and what they really like to do. And then the baseball world is that example. We wouldn't necessarily make the pitcher catch — they might not be comfortable with that — or the catcher pitch, and all sorts of other things. Because they do what they do well, that's their position on the field. And what I've found is that if we can do that, we can build our teams and build rock stars out of them in the places where they really are passionate about, then we have retention.

I think my retention throughout my tenure was almost 99%, because I looked at people as to what drives them. - Erik Avakian

Mentioned in this episode:

• ISF Analyst Insight Podcast
  
  

Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter

From the Information Security Forum, the leading authority on cyber, information security, and risk management.