Andres Andreu, CISO at 2U Inc, says the role is a lonely one. This loneliness makes one tough. As a leader, it's always my fault, no one else’s. I promote accountability as a security leader. Trustworthy security promotes morale for mission success, and cybersecurity leaders need to operate with integrity; otherwise confidence in us will waver and result in failure. A good CISO must have a strong personality, and that draws adversaries. As Paul Newman said, "A man with no enemies is a man with no character." That strength of personality must be balanced with a humanitarian approach, though. This requires that leaders share success. Andres says leaders are critiqued unavoidably. Negative feedback should be ignored. "My leadership is proven when someone criticizes it," he states. A quote, whose source is arguable, that Andres appreciates is "To avoid criticism, do nothing, say nothing, and be nothing."
My beliefs inspire a results-oriented, relentless approach to solving problems. I overcome obstacles. This boosts the growth of any organization I belong to. If necessary, I'll change things up without fear. My job involves facing difficult topics. Andres says to use reasoning, not emotion. Businesses need vision and confidence. He states, "I like being challenged. It keeps me humble, aware of issues, and supports the growth of new leaders." Positive energy is essential because sometimes business is not positive. Andres appreciates one of Colin Powell’s lessons, "Perpetual optimism is a force multiplier." This enables small teams to tackle massive challenges.
Andres has lived the startup-to-exit journey at Bayshore Networks and is supportive of entrepreneurs. The team at Forgepoint Capital helped him build deep awareness in this journey, leading to his joining their Cybersecurity Advisory Council. My volunteer work there helps me meet cybersecurity founders and technical teams. I can add value to them because I've been in their shoes, but I also live on the consumer side, says Andres.
Andres is a participant in the NY CISO Community (Evanta), Cybersecurity Collaboration Forum, and the CISO Society. This improves his chances of meeting entrepreneurs. He adds value by offering ideas and suggestions and by providing real-world feedback on their products. Cybersecurity requires teamwork, Andres says. Security leaders need mutually beneficial alliances. Most modern partnerships involve the Board of Directors, C-Suite, Privacy, Site Reliability Engineering, IT, Legal, and Internal Audit departments.
Andres adds that agile and automated enterprises are mature. Cybersecurity requires holistic strategies, and mature companies use automation and advanced technologies to execute on some of these strategies. Mature companies value customer and user experience, with security-driven confidence being a key component.
Before being a CISO, I was deeply hands-on and played on both offensive and defensive sides, for example working with outdated and undocumented network protocols that control critical infrastructure equipment. I reverse-engineered and constructed a software-based simulation environment to facilitate modifications and attack tests without physical impact.
I was an IGO consultant, and we worked with international law enforcement. Our tasks included acquiring digital proof of criminal behavior and conducting geo-location exercises to pinpoint targets. This involved dark web work, and it was satisfying to see technology assist in enforcement exercises targeting human traffickers and terrorists.
Another client created critical infrastructure equipment. We found resource-limited, attackable devices that needed protection. I wrote Linux-native packet-analysis software. It determines if a device is being port-scanned or brute-force attacked (e.g. SSH, etc.) and acts accordingly.
I've created many cybersecurity solutions; some are open sourced. My last invention combines Moving Target Defense (MTD) and active Deception to natively protect data.
According to Andres, stress can be beneficial. Feedback loops help us monitor our progress, facilitating realistic decision-making.
Cybersecurity is often neglected until something bad happens, says Andres. User-centric features generally take precedence. I advocate integrating security into solution creation, software engineering, and deployment so that there is protection regardless of infrastructure or network solutions. Progress is being made, though it's difficult. Companies that implement this approach rigorously will have better security.
I help establish IT capabilities outside of my full-time job. Sadly, a talented portion of the population is ignored. CIOs Without Borders uses technology to help underserved communities. As a volunteer board member and CISO, our clients are the local people we help. Technology must aid civilization and future generations.
The next generation needs help and the technology industry must assist. Money can’t be the only motivator in technology. Knowing the struggle of the less fortunate, I contribute where I can. I volunteer for CIOs Without Borders and A.R.K. Foundation USA because I appreciate their missions.
In a changing, cyber-everywhere world, we must constantly adapt and overcome. Conflict, cybercrime, and other global challenges complicate cybersecurity leadership. This role isn't for the timid and takes persistence, adds Andres.