Munawar Valiji is a career CISO who has spent most of his life securing FTSE 250 organizations in the UK, helping build and shape progressive cyber programs, and building teams. He has recently joined Harmonic as an advisor.
In this chat, we spoke about myths surrounding CISOs, what makes London a unique centre for cybersecurity, and how the millennium bug shaped his journey to CISO.
Question: What was your route to CISO?
It's an interesting one. I started my career as a systems engineer, having done a BSc (Hons) in Computer Systems Design. I'd never thought about going into security until I joined JP Morgan in 1999, where there were a lot of security programs in preparation for the millennium, which everybody was frightened of.
That's when I was given the reins to run a security improvement program for the investment bank in London and EMEA. Shortly after this, post-Y2K, JP Morgan was bought by Chase Manhattan Bank and I took on the Global Threat and Vulnerability Management function. So I stepped up and moved away from a generalist networking and computer controls role into a pure-play security engineering and product focus.
In the last 15 years, I have dedicated my time as a FTSE 250 CISO. I earned the technical credibility to have the conversation in the first half of my career, with the accompanying scars and war wounds, to now advise boards, work with startups, and make a real difference.
It's been a massive privilege to do something I feel passionate about and I have loved every minute of it.
Question: What makes the London cybersecurity scene unique?
I've lived here all my life. This is home for me – and I absolutely love it.
At its heart London is so fulfilling in many ways and a cultural melting pot; you are spoilt by the depth and breadth of world-leading technology, commercial and financial opportunity coupled with rich history and cultural diversity. Where else in the world are you going to get such an opportunity, where you get a cataclysm of capability, young and old, different cultures, engagements, and experiences all coming together?
We’ve also seen a lot of investment in London. You think about the sprawl from the city to the Docklands and then now out through Shoreditch and parts of East London. You're seeing a lot of digital tech hub innovation and investment going in there that is driving and fueling a lot of the appetite for startups to come in.
We’re also seeing a decoupling of financial institutions that used to be at the heart of the city.
They're being priced out and then moving out to less prestigious locations that are a bit more gentrified and more accessible.
This has huge opportunities in a post-pandemic world, where people are mindful of the choices they make, where they go, and where they travel. To have a destination where you go to work and socialize makes a massive difference.
Question: What are the biggest myths about CISOs?
There are mis-told stories and ideas about what the role and expectations of a CISO are. For example, many people think the CISO's job is constantly 100%. You're working flat out. You're foot to the pedal all the time.
Naturally, there will be situations where you need to be able to respond and to manage often complex and challenging incidents. But that is not an omnipresent challenge for a CISO. It's very much around having the team around them to be able to support and deliver surety and assurance. So, gone are the days where a CISO is seen as that person to throw out in front of the lions when the unfathomable transpires. It just doesn't work like that. It is all part of a well-oiled team effort.
The other side is that CISOs are generally deemed to be people who are technical through and through and don't have a modicum of business assertiveness and commercial acumen. That is a complete and utter anathema.
To operate as a CISO today, you must have commercial acuity and your business smarts. I've got to assure technical teams that we're going to get through this, we're going to navigate a path which is often paved with uncertainty, but I've also got to be able to articulate in business terms what I'm doing, why I'm doing it, and when I might need Exec support.
So the myth that you just need to be a technically credible individual is just not true.
Question: How do you balance cost savings with investing in innovation?
There is always an opportunity to find a single partner ecosystem or work with a partner that's best in class. Naturally, people are going to lean into these conversations because of promises of cost savings and efficiencies; but also consider the depth and breadth of research, investment, and engineering that comes with this terrain.
Some of it will depend on the size and shape and maturity of the organization. My experience tells me different organizations have different risk appetites. That's a really big part of the context and the conversation.
For example, in the last business I worked in, there was a heavy bias towards experimenting and having the mindset to fail fast and often. It's about having a balance and doing that with certain control constraints and a mindset of red lines.
You're vying for conflicting priorities and a generally reducing allocation of budget, fundamentally. So it's about having the right level of conversation, being assertive, and recognizing that you're not always going to get the investment and ultimately outcome to be able to drive and push through.
But I would always go back to this. Get the basics right. Put your fundamentals in, run your patching and vulnerability cadence, get your secure authentication under control, lock down the internal network, and that nails 98% of the journey. If you do that, you are absolutely putting yourself in the best position that you can.
A lot of the most sophisticated breaches, compromises, and failures have fundamentally been a result of a basic misconfiguration or a failure of one of those basic checks.
Question: Who are the most important business stakeholders CISOs need to think about?
Your most important stakeholder will generally be your line manager, often the CTO or CIO. They will be your partner and your ally.
But just as important is your CFO. The CFO will generally be the most senior officer within the business who will take accountability for any data breach or compliance challenges.
So your CFO and your CIO/CTO will be the most senior allies that you will have. You will invest in and nurture those relationships because they will help drive the conversation with you to assure the Audit Committee, the board, and across the wider business.
Question: Where can CISOs find the best insights?
All security professionals are generally time-poor. They're often poor at context switching and efficient time allocation. You generally don’t have the time to go through 25 pages of your technical papers.
I sit on many WhatsApp communities and groups where people are having the most amazing conversations. They can ask very direct questions and get instant responses from practitioners. It's brilliant.
Conversations cover a myriad of subjects. It could be people are talking about a colleague who's been recently made redundant and connecting them with an opportunity all the way through to the latest exploit before it hits the mainstream wire.
You've got so much rich capability and variety of experience on those channels. And people are in a trusted community, operating under the Chatham House Rule, which creates a safe and respectful space for open conversation.
But it's all been done in a virtual world. I’d love to see that transferred into in-person meetups more. It’s harder now in a post-pandemic world, but if we take the time to create opportunities in the right venues that are interesting and applicable to many people it will help. People aren’t going to do it for the sake of it; it's got to be something that's socially or economically appropriate and relevant.