Secret CSO: Daniel Chechik, WalkMe

Name: Daniel Chechik

Organisation: WalkMe

Job title: CISO

Date started current role: July 2016

Location: Tel Aviv, Israel

Daniel Chechik has been WalkMe's CISO for almost four years, joining after a long stint as a security researcher specialising in new exploitation methodologies and techniques, zero-day attacks and malware analysis.

What was your first job? My first job was actually at a small local hosting company, named DRP, that I co-founded. It was a real challenge, where we had to learn everything from scratch and cover all aspects of the company, from managing and running the servers and applications to working with customers and operating the business.

How did you get involved in cybersecurity? I have actually been very interested in security since I was a teenager, and I was mostly self-taught. When I joined the Israel Defense Forces (IDF), I was assigned to the intelligence force in the security team. Also, as part of running a hosting company, we were dealing a lot with cyber attacks, which motivated me to learn more about how cyber criminals act, their motivation and their attack methods.

What was your education? Do you hold any certifications? What are they? I have a BSc in Computer Science, and I hold the CIPPE and CEH certifications. I also took technical courses in CIPPE, CISSP, Windows internals, PKI, firewalls (Check Point) and more.

Explain your career path. Did you take any detours? If so, discuss. In Israel, typically after finishing high school, it is mandatory for Israeli citizens to volunteer to serve in the IDF. Due to my background, I was able to take the exams to join the IDF developer program, also known as MAMRAM, and afterwards I was assigned to the intelligence force in the security department. Volunteering in such a unit gives a huge advantage afterwards in your post-army life, and makes it much easier to be hired by one of the many top-tier companies in Israel.

After the army, I joined Trustwave, and I really loved doing research work. For the eight years that I was working at Trustwave, I had the freedom to branch out and develop within the company, whether by doing interesting research (which led to an approved patent), writing blogs or presenting at conferences. During that time, WalkMe was born, and I watched as the company proved that it was on the path to becoming the next big thing.

While the company was still at an early stage, I spoke with Dan Adika, WalkMe’s CEO (whom I first met in the IDF), who was looking to add a technical security person who could lead the security aspects of the organisation and who had the technical knowledge in cyber security to fit a hyper-growth startup. Even though it was a real shift from the role I had at the time, I found it an exciting and challenging opportunity. It is definitely an exciting, challenging role.

Was there anyone who has inspired or mentored you in your career? In the course of my career I have been inspired by and have learned from many people, mostly from those who worked closely with me.

What do you feel is the most important aspect of your job? Positioning security to support the business, taking the right path to improve the security controls while showing a direct ROI for every decision that I take. A good example is using SSO in the organisation, a tool that improves access control, reduces user frustration while increasing productivity, and reduces IT cost.

Another example would be implementing security controls according to a specific security framework where that is a core requirement for closing an opportunity with a prospect. Now that we are heading into the Next Normal, post-COVID-19 era, ensuring that our employees are secure while they work from home has become an essential aspect of my business.

What metrics or KPIs do you use to measure security effectiveness? Cyber security as a whole is a completely multifaceted space, and each aspect is measured. One key example is product security. The annual penetration test is one KPI that gives a high-level overview of product security. With our annual penetration test, we define the target for next year and compare it with the previous year, and the goal is to meet the criteria that were defined in the senior management meeting. We analyse the results and define the roadmap.

For each control we decide to implement, we define a plan and the expected results. For example, we use an open-source scanner, which today is part of the build process. Even though it is effective for security, it reduces productivity, simply because the developer will need to update the library and wait for the next build, so it is in our interest to ensure we meet the goals while still keeping the same productivity. Showing the ROI is fairly simple: the overhead of managing a case where a vulnerability has been identified by a customer or in production is much more expensive for the organisation.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I joined WalkMe in its early stages approximately four years ago, when we had fewer than 200 employees. At that time, there were just two members in the security team, with a limited budget, and it was essential that the new CISO had the technical knowledge to implement the security controls and test them. Since my previous roles were only technical, I was able to focus on the technical aspects of the role, but fairly quickly I had to adjust my way of thinking, understanding that having the best security is worth nothing if it fails the business. Taking the right decision at every point in time is the challenge.

Cybersecurity is constantly changing – how do you keep learning? We are still a fairly small team; today there are only eight members in the security team, and I work closely with the technical team. We constantly seek to learn about new attack vectors, new trends, technology and security solutions. We participate in security groups and conferences, and we read blogs.

What conferences are on your must-attend list? RSA and Black Hat, OWASP.

What is the best current trend in cybersecurity? The worst? From what we are seeing, scam, phishing and social engineering attacks are still among the most common and effective methods of getting at both organisations’ and individuals’ data. Unfortunately, cyber criminals take advantage of topical subjects (e.g. COVID) and use them against us. Another example is learning the structure of the organisation and the relationships between employees in order to run more sophisticated scam campaigns.

What's the best career advice you ever received? You must be a business enabler. At the end of the day, the CISO is a resource to protect the organisation and drive it forward, so being creative and open-minded enough to understand and accept the business need is a core value that a CISO should have.

What advice would you give to aspiring security leaders? To become a top security expert, you should just never give up.

What has been your greatest career achievement? Presenting a new attack vector at the DEF CON conference.

Looking back with 20:20 hindsight, what would you have done differently? From what I have learned, it’s way harder to implement security controls after deployment. If it is not possible prior to going live, it’s highly recommended to define a clear, approved plan for implementing the desired security controls.

What is your favourite quote? God, grant me the serenity to accept the things I cannot change, courage to change the things I can, and wisdom to know the difference.

What are you reading now? I wish I had the time...

In my spare time, I like to… play poker with friends.

Most people don't know that I… was a professional swimmer.

Ask me to do anything but… go shopping.