ITSPmagazine Podcast Network

The Evolution of the CISO in Digital Enterprise | An Infosecurity Europe 2024 Conversation with Mun Valiji | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin and guest Mun Valiji, CISO at Trainline, as they explore the evolving role of the CISO and the future of Managed Security Service Providers ahead of Infosecurity Europe 2024 in London. Discover how cybersecurity leaders are embedding security by design and fostering community collaboration to meet today's fast-paced digital challenges.

Episode Notes

Guest: Mun Valiji, CISO, Trainline

On LinkedIn | https://www.linkedin.com/in/munawar-v-b636802/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

In this episode of the "On Location with Sean and Marco Podcast," Sean Martin flies solo to preview the upcoming Infosecurity Europe 2024 event in London, focusing on a series of critical topics in the cybersecurity landscape. With Marco absent, Sean hosts a conversation with Mun Valiji, the outgoing CISO at Trainline.

The episode opens with Sean introducing the main topics of the discussion, which include the evolution of the Chief Information Security Officer (CISO) role, as well as the current state and future of Managed Security Service Providers (MSSPs). Mun contributes a detailed overview of his role at Trainline, highlighting his extensive experience spanning over 20 years and emphasizing the importance of blending human and technical elements in cybersecurity.

Sean and Mun discuss the main objective of Mun's keynote session, "The Evolution of the CISO in Digital Enterprise," scheduled for Thursday, June 6th at 12:25 on the keynote stage. Mun describes the challenges CISOs face today, including regulatory requirements, commercial agility, and the necessity of embedding security by design. He underscores the evolving responsibilities CISOs hold, particularly in fostering a security-conscious culture within fast-paced, high-growth organizations.

The conversation then transitions to the MSSP landscape, where Mun highlights the hybrid model's role in modern security strategies. Scheduled for Tuesday, June 4th at 13:30, Mun's panel session on MSSP competitiveness explores how organizations can effectively leverage MSSPs to handle routine security tasks, allowing internal teams to focus on strategic aspects such as secure-by-design principles.

Mun stresses the importance of community and collaboration, shedding light on how peer-to-peer and cross-industry interactions enhance security practices. He also touches on the impact of technologies like AI and natural language processing in shaping future security frameworks. Listeners are encouraged to join Mun and other industry leaders at Infosecurity Europe in London, where they will share deeper insights and practical strategies. The episode wraps up with Sean expressing enthusiasm for the event and looking forward to further discussions and engagements.

This episode explores strategic innovations and practical challenges in cybersecurity for professionals eager to stay ahead in the evolving digital security landscape.

Be sure to follow our Coverage Journey and subscribe to our podcasts!

____________________________

Follow our InfoSecurity Europe 2024 coverage: https://www.itspmagazine.com/infosecurity-europe-2024-infosec-london-cybersecurity-event-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTcLEF2H9r2svIRrI1P4Qkr

Be sure to share and subscribe!

____________________________

Resources

The Evolution of the CISO in Digital Enterprise: https://www.infosecurityeurope.com/en-gb/conference-programme/session-details.3783.219371.the-evolution-of-the-ciso-in-digital-enterprise.html

Staying Competitive as an MSSPs In an Evolving Cybersecurity Landscape: https://www.infosecurityeurope.com/en-gb/conference-programme/session-details.3783.219851.staying-competitive-as-an-mssps-in-an-evolving-cybersecurity-landscape.html

Learn more about InfoSecurity Europe 2024: https://itspm.ag/iseu24reg

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Are you interested in sponsoring our event coverage with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

The Evolution of the CISO in Digital Enterprise | An Infosecurity Europe 2024 Conversation with Mun Valiji | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody, you're very welcome to a new On Location episode with Sean and Marco, and this is just Sean, that's not Marco, that's Mun. Mun and I are going to have a good chat about an upcoming session at InfoSecurity London. Or Europe, England, I should say, and, uh, we're actually look, look at two topics.
 

First, we'll be looking at the, kind of the evolution of the CISO role and responsibilities and challenges and all that fun stuff. And, uh, we might, might take a gander into MSSP land. We'll see, uh, see how things go. Um, yeah, so Marco and I are covering, covering infosecurity Europe in a great detail, a lot of conversations with some of the keynote speakers. 
 

And panelists and lots of cool topics. Lots of great conversations. We're excited for a great week there in London. It's just around the corner and Mun, I'm excited to, uh, to meet you in person there, but thrilled to have you on the show, uh, digitally today. Uh, thanks for [00:01:00] joining me.
 

Mun Valiji: Great to be here. Thank you, Sean. I'm really excited about next week and all of the excitement in terms of the events and activities we've got lined up. So super pumped.
 

Sean Martin: Yep. Three, three days packed. Plus I'm sure there's stuff going on before and after. 
 

Mun Valiji: So definitely there's always a high level of activity either side of it. Definitely.
 

Sean Martin: Yep, exactly. Exactly. So what we'll cover the two sessions and kind of what, what people can expect in those, uh, before we get there though, uh, Mun, maybe a few words from you, your current role, what you're up to and, and, uh, how, uh, you got the keynote stage. It's a, it's a cool spot to get.
 

Mun Valiji: Yeah, sure. So, so I'm presently the outgoing CISO at Trainline. So Trainline is UK and Europe's largest leading independent trail, uh, train and platform company. I've been there for just under four years, delivered significant change in that time. I'm a 20 plus years, you know, 40 [00:02:00] to 50 C. So that's kind of like my DNA. 
 

And I've learned most of my stripes across, you know, engineering and investment banking, and then more recently in media. So getting to the keynote stage is a massive privilege, right? And it comes with a hell of a lot of responsibility and, you know, accountability. I also, I think for full transparency, I've been a member of the InfoSec advisory council for the last 10 years. And I think that that's a really important part in terms of my role to be able to give something back from an experience from a perspective, but also make sure it's an engaging, exciting event for everybody, you know, sellers, buyers, you know, new to industry.
 

So keynote. Super privileged and also an opportunity to join a number of panels, you know, so massively excited to be there, but also to be able to share and engage and bring some insight and perspective from all of the, I guess, experience that I've gained over 20 years. Yeah. You've seen some stuff. Yeah. 
 

The stuff that I can clearly talk about, [00:03:00] there's a lot more that I can't talk about, but I think let's keep it relevant and personal and bring some of that experience and insight to the table. Definitely. Yeah.  
 

Sean Martin: Well, first, let me say thanks for, uh, thanks for being on the advisory council for them. It's a great event every year and, and we, we look forward to being part of it. 
 

Um, of course there's a lot of, a lot of stuff happening in the UK and Europe, and, uh, it's good to bring that perspective to the rest of the world. So the folks know what's going on there and some of the trends are and some of the challenges organizations and, and regulators face trying to bring all this stuff together and then the, the poor schmoes like, I don't want to say you're a schmoe, but the poor security folks that have to do all this stuff to, uh, to protect the business and the customers.
 

Um, it's a lot of hardware. I've often, I'm not saying anything people haven't heard. It's a role that I don't think I could take. So I, uh, I, I, uh, Thank you for doing that role. So [00:04:00] speaking of the role, um, the session you're, you're, uh, presenting is on Thursday, the 6th of June, 12:25 keynote stage local time there.
 

Of course. Um, it's called the evolution of the CISO and the digital enterprise. So let's start off with that. What, what's your objective with the session? And then we'll kind of take, take a dive into the role based on, on what you say there in terms of, and maybe we can look at it from the industries you've had experience in, the geo-regional view, perhaps, um, as I'm sure you talk to folks outside of, outside of the UK and Europe. Um, we'll start off with the session and we'll, we'll see where we go from there.
 

Well, what's the, what's the main objective with, with folks that listen to you?  
 

Mun Valiji: Sure. So, so I think for me, honestly, this is. This is a passion of mine, um, having had a lot of experience working for some high growth, you [00:05:00] know, the biggest brands, you know, internationally throughout the world, you know, when we were planning the agenda for, for, for the conference eight months ago. 
 

This was something that I brought to the table. So it was something that I personally thought is going to be hugely relevant. And the idea being we have so much experience, insight, capability, and perspective, you know, within the council and wider about what is it that we can bring to help shape some of the thinking around today's strategy and approaches that the CISO has in terms of the tools of the trade, what they're dealing with, the changing state of the role. 
 

If you think about it, you know, in the last 10, 20 years, there's been so much change around what the CSO does. And you talked about it, Sean, you know, there's been regulatory challenges that we're battling with. There's been commercial agility that we have to wrestle with. And then we get to a stage where we're dealing with so much constant change, and we have to be [00:06:00] ambassadors of that change. 
 

So I think for me, simply it's about a couple of things. It's about saying it's not just strategy and setting, you know, cultural change programs and, you know, contractual and regulatory, which are all necessary, but it's about bringing to life that actually the human element of the role is just as important as the technical smarts and credibility and tooling that you have to be defenders, you know, of the realm. Yeah. So it's very much around saying, how do you bring some of that change to businesses that are going at such relentless pace today, whether it be through adoption of AI, chat, whatever is current and topical. And then still be ambassadors of good hygiene, risk management, cadence, and be the interpretation, you know, of generally what is a dark art to most parts of the business and unfathomable, and get it to a place where people get excited about it and can engage with it.
 

And it makes a difference, right? So that's kind of like really the scene set for [00:07:00] it. It's largely not technical. It's a human and emotional, you know, discussion more than anything else. Yeah.  
 

Sean Martin: So talk to me about community. I know there's a great community that comes to the conference as well. I'm fortunate to get invited to a few CSO community groups where they talk about all kinds of cool stuff, which I'm not going to repeat here, but what it reminds me of when I think about those groups and the conversations they have is kind of the point I made earlier that there's all this stuff and we can, we can think big about what the right thing to do is, what a nice strategy would be, and then reality strikes: how do I implement that technology, which vendor do I select?
 

Is it going to meet my operating requirements, my risk requirements, my regulatory, and that list goes on and on. And, and pulling a team and then guiding a [00:08:00] team to do that successfully with some budget, probably not enough, right? And maybe not enough training for all the folks involved with the new platform you're moving to or whatever it is, it can get really complicated really quickly.
 

And so I think over the years we've seen business models change, business platforms change, security platforms change, threats change, the influx of data and the amount of data we have to use and secure and all that. So how, how do you, back to the community part, how do you and your peers collaborate? And, and we, do you expect to bring some of that experience and knowledge to the, to the session as well?
 

Mun Valiji: Yeah, definitely. I mean, that's probably the biggest part of the change that I've seen maybe in the last five, seven years where you're dealing with such relentless adversary that your [00:09:00] common goal is a shared goal. And that shared goal is about not just community in terms of the peers and your contemporaries, but also, you know, the vendors and suppliers, the third parties that you transact with, that you engage with, that you bring into confidence to be able to help you do what you need to do.
 

So community is a massive part of it. And I think that goes back to my first point, which is, this is about a human. This is about a relationship. This is about an emotional connection. This is about my ability to appeal to organizations who generally I would have seen as competition. Yeah. And there would have been Chinese walls going up or little or no communication because we wouldn't want to share with them information that put us at a less advantage or them at a more advantage.
 

So for that, no longer is the case because I think the single. of having so much attack activity and sophistication that the power of unison is absolutely the [00:10:00] greater force and bringing that together. So that that is a big part of it. And I think for us, you know, we share a lot better, you know, as an industry, you know, cross industry, cross sector, cross community. 
 

A lot of that is clearly forged by the work that we do with government organizations. You know, there's some brilliant endeavors that the NCSC, National Cyber Center in the UK, the national, uh, you know, criminal agencies are doing as directives. But also, I think to your point earlier, because we're having to wrangle with quite a lot of regulatory change, there are people now in positions where this has become so challenging, you know, at pace, that they've had to learn very quickly.
 

And that product of learning is, you know, engaging, collaborating, sharing insight and perspective and delivering the right outcome. So we all learn and become better together. And I think the role evolved from being as a CISO, just implementing a set of technical controls, putting up a perimeter, locking things down to, [00:11:00] you kind of like still have to do that, but the boundaries are nebulous, right?
 

There's a massive gray area. Everybody's working from home. Your third parties are becoming far more critical to your supply chain. How do you bring all of that together with a very, very finite and generally small resource space and a commercial agility? That means you continue to be a non revenue generating part of the business. 
 

So there's massive focus around what you do. And your ability to do more from a lot less.  
 

Sean Martin: Yeah, yeah. We have, we have to balance agility and resilience and longevity and sustainability and all that stuff. Um, how I say we, I feel like I'm one of you, but I don't have the responsibility. So let me, I use that word responsibility yet. 
 

It's, it's been a hot topic here in the States. And I want your perspective from the UK and the EU. Um, So the SEC [00:12:00] and some of the rules there, personal liability has become an issue. It's enough to take the weight of the business, but when, when you're one's livelihood and, and assets, right. And perhaps, perhaps a new set of clothing that's orange or striped comes into play, that changes the game quite a bit. 
 

So are you seeing any of, any of that coming your way? And if so, how do you, how do you find folks are preparing to manage that?  
 

Mun Valiji: So I think there is still sufficient separation in terms of how we in the UK and European markets receive and process that in terms of, you know, that accountability. I certainly in the conversations I have with my peers, you know, with colleagues in the industry. 
 

There's a sense of awareness, there's a sense of nervousness and importantly heightened awareness across boards, you know, executives [00:13:00] and audit committees. So there's nobody that I speak to today that isn't aware of, you know, what is going on internationally and the potential impact of that. How that is then immediately translated into your local jurisdiction. 
 

It's a little bit more removed, right? So it's a bit of a, you know, further strained, estranged, whatever, you know, terminology you want to use. So it remains front and center because it is a front and center issue. No, no question whatsoever. And I mean, generally data security, privacy, landscape, regulatory challenges, doing more from less. 
 

But I think the accountability element and the responsibility as it lays, you know, on the feet of the CISO is perhaps not interpreted in the same way locally as it is within, you know, North America and the changes taking place, but that's going to change. I think that that will change. I think it's just a matter of time.
 

Sean Martin: Yeah. Well, it's evolving the role.  
 

Mun Valiji: And there's, there you are. Absolutely. On the fly. It is evolving. [00:14:00]  
 

Sean Martin: Let me ask you this. It's something that I ask on my show, Redefining Cybersecurity. Often that's not part of the name. Often it's not part of the name, but anyway, one of the things I ask is: we hear a lot of business transformation and that comes in the form of increased cloud, leave some more data, platform engineering, whatever, pick your favorite thing, whatever is going to help transform, right?
 

Moving to mobile, whatever it is, um, distributed network, has security been left behind in terms of its own transformation, and I'm not talking just about taking on-prem security technologies and moving them to the cloud, right? That's to me, that's not a transformation. It's maybe part of one, but has security been left behind, or if it hasn't, can you point to where maybe you've seen [00:15:00] some transformation where security programs have been overhauled to really meet the needs of the points we talked about earlier, agility, resilience and sustainability and those other things.
 

Mun Valiji: Yeah, it's a really good question. So I think on the face of it, generally security is always playing catch up, right, to the organizational change programs and the fabric of industry. Right. No question. And again, that's from my experience of working in tier one banking through to, you know, practice, TMT, and now more recently in high frequency, high change business, I think the, the point of difference in some of the businesses, the state of engagement with security and realizing efficiency, is more a product of organizational maturity. And by that, I mean, simply, you know, there are different kinds of organizations on a journey from a [00:16:00] security transformation, from a change, from, you know, modernization, whatever you want to call it. Most businesses now are in a position where security has to be part of that change.
 

It has to be embedded in. So no question whatsoever. We talked about it a few minutes ago in terms of it's top three from a risk, from a, you know, concern for any business, for any CEO, it will continue to be that way. What I've seen, and this is where the pivot has come for me, certainly in the last 10 years of working for some high-change businesses, is there's a massive focus around embedding security by design into, you know, large business to customer consumer businesses. Yep. So this is all about, you know, whether it's in app, you know, customization in app, you know, delivering security or trust and privacy by design that's almost been woven into the fabric of building security, you know, [00:17:00] capability to where previously changes would have been pushed, you know, into production and security would have been your last consideration because that's generally the impediment. They're the people who are going to drag their heels and stop things going live. Actually, what I've seen over the last four years in my current role is we flipped that on its head, you know, you've had security and threat modeling and integration by design because you're dealing with, you know, engineering teams and developers who are much more savvy and have security compliance and privacy almost as part of their DNA, as much as they do around building brilliant code that delights customers.

So I think that's been the change. And that's been a psychological and cultural change because you've got a new, you know, contingent of engineering and developers that actually do care deeply and passionately about doing the right thing first time and keeping security front and center of mind, because they look at that as a business enabler, as a real change versus just producing the code at pace [00:18:00] and then going into, you know, correction mode, that's where I think certainly security has been part of that journey, but it is very much, you know, to what we talked about, Sean.
 

It's an organizational maturity. It's how, as a CISO you go in and position and vocalize and articulate what that journey of change is versus being prescribed to.  
 

Sean Martin: Yeah. Uh, great point. And, and, uh, yeah, I'm glad you brought that up because I think, yeah, secure by design and, and the building and in the, the development and the operations of the organization for sure.
 

Um, I, I have a dream that, that, uh, security not only is by design, but. That's a fair point. Yeah. So I think, I think, and I've said this before and I'm not going to repeat all this stuff I've said, but I believe security has knowledge and data and experience to help to say, if we create a business [00:19:00] like this, we can, we can do it. 
 

Do it more efficiently, more effectively, more securely and what have you. And so I'm going to use this point to kind of pivot to the other session that you're part of. Um, I don't know if there's a connection. I'm going to make one anyway. If we can MSSP, I'll just go there. So security service providers, I think, have been selected because of a lack of staff, lack of skills and training, maybe a lack of budget, um, to do a lot of things well versus doing one thing well. But I think there may be a reason to re-evaluate why an MSSP is selected, such that some of the more run of the mill activities can be handled and, and transformed by an organization that touches many [00:20:00] such that you and your team then can focus on more of the secure by design and also design, right? Do, do, do design. Security does design. So your thoughts on that, maybe how that connects to the MSSP session you're, you're, uh, holding on, on, uh, Tuesday, the 4th. That's being competitive as an MSSP is the topic of that one.
 

Mun Valiji: Yeah. I mean, look, great, great pivot and segue into this. So I think there's a couple of points there. 
 

The world is changing, right? We're dealing with the need for more and more commercial agility, but the requirement to be defensively far more on our A game than we've ever been, right? And, and simply put, for me, that's about, to your point, There's much more of a hybrid, you know, blended, you know, model in organizations than there's ever been. 
 

Traditionally, 20 years ago, you'd push out to an MSSP [00:21:00] because you have a set of SLAs, contractual arrangement, job done. You're not going to serve it internally. That's changed, right? And what's changed also is there's a whole array of complex and comprehensive services now being offered by MSSPs, which are generally not consumed by a lot of end user organizations because they're just not desired or relevant.
 

But most end user organizations don't really appreciate the finer detail that's being brought by their MSSP because they are just generally, I think, Under so much pressure to deliver against the commitments that they have because they haven't perhaps stepped back and I was having a conversation with a colleague the other day. 
 

And they were telling me actually, we've got so much contractual, you know, organizational malaise that we don't even really understand the provisions within the SLAs and the contracts that we have. So there's, there's kind of like what we're dealing with here. And I think the other perspective for us is vendors, MSSPs, value [00:22:00] added resellers are almost blending into, you know, one entity.
 

Now you're moving away from a pure play MSSP into responding to changing customer needs and demands. And those are the lens of commercial agility, pragmatism and just being able to deliver at pace. Uh, the change in the business. So I think that's a little bit of a teaser of what we'll talk through. 
 

We've got some, you know, pretty strong, you know, conversations, but also some controversial perspectives to talk through what the future might look like from an MSSP and where and how we can bring some of that insight and engagement to make it realistic for users, for, for people who are engaging.
 

Definitely.  
 

Sean Martin: Yeah. Yeah. Cause I, I, I see a lot of opportunity for innovation. I know VARs and VADs and managed service providers either offer a bunch of stuff and say, go for it or wrap some, wrap some service around it and maybe [00:23:00] build some, some connecting technology. Some do it more than others. Um, But I, I think we see so many vendors, right. 
 

And so many different environments, um, that you, it's hard to abstract them all right in a, in a meaningful way. And so I, I think specifically with the MSSPs, I think I'm a huge fan of platform engineering. I think I mentioned that earlier where if you can build a base where you can take the two, the two sides of that base and really deep dive deep into the organization and map directly to what their challenges are, requirements are, and then also support the, the, uh, nice complex ecosystem of stuff, right.
 

To, uh, to thwart against and manage all the incidents that come from, from the attackers. Um, so I don't know if you're going to get in there, what kind of conversation we'll get into in that, that panel. But, um, we've been looking [00:24:00] at. Service innovation, tech innovation, operations. And what are some of the things you plan to  
 

Mun Valiji: Definitely all of the above and more, you know, we, we, myself and a colleague who's one of the panelists from the MSP side, we'll bring a wealth of that insight and perspective, you know, to say about what's purposeful and impactful today, but actually what, what does the future hold, you know, from changing ways of working, development, evolution, technology, and clearly, you know, the presence and eminence of, you know, chat and AI and, you know, natural language and evolution. So I think that innovation piece is going to be core, but it will also be just keeping a firm handle on what we're dealing with today, which is quite a lot of complexity and change.
 

I think making it hugely relevant.  
 

Sean Martin: And I'll connect it back to the CISO, right, who ultimately still owns this stuff, and that role is evolving along alongside it. Well, Mun, uh, clearly, I think we kind of touched on this before [00:25:00] we started recording, we could talk for hours. You'll fall asleep. I'll keep going.
 

Uh, we won't do that to folks. Instead, we'll invite them to join you for both of your sessions. First is, uh, Thursday, uh, June 4th, 13:30. So half one there local time. That's the, uh, staying competitive as an MSSP in an evolving cybersecurity landscape. And then on Thursday, the 6th, that's, uh, 12:25 local time keynote stage there, uh, the evolution of the CISO digital enterprise, two great sessions.
 

For me, Mun, I think we, I think we teased this one, both of them out, uh, quite well, if I do say so myself, and I'm excited to meet you there in London and, uh, the rest of the team, and maybe even some of the other advisors, uh, get their perspective on, uh, how these conversations come together. It's always a great event.
 

So thank you for your time today, Mun.
 

Mun Valiji: Thank you. Nice to talk to you.  
 

Sean Martin: Yep. Likewise. And thanks everybody for listening and watching and, uh, please do stay tuned. We, I think, have a few [00:26:00] more episodes coming to you, uh, prior to the event. And Marco and I have a ton of stuff planned for the week of, so, uh, the booths out, uh, near the river, all over, all over London, you'll see us roaming around.
 

So thanks everybody for listening, watching. See you all next week. Thanks.