Secret CSO: Steve Tcherchian, XYPRO Technology

What advice would you give to aspiring security leaders? “My best advice for career trajectory is no amount of formal education can substitute for hands on hard work and real-life experience.”


Name: Steve Tcherchian

Organisation: XYPRO Technology

Job title: CISO and Chief Product Officer

Date started current role: February 2017

Location: Los Angeles, CA

Steve Tcherchian, CISSP, PCI-ISA, PCIP is the Chief Product Officer and Chief Information Security Officer for XYPRO Technology. He is a member of the Forbes Technology Council, the NonStop Under 40 executive board and part of the ANSI X9 Security Standards Committee. With over 20 years in the cybersecurity field, Tcherchian is responsible for global strategy and innovation of XYPRO’s security product line as well as overseeing XYPRO’s risk, compliance, and security to ensure the best experience to customers in the Mission-Critical computing marketplace.

What was your first job? At 15 years old, I was a data entry intern. Repetitive tasks have never been appealing for me. I quickly figured out a way to automate my data entry work which allowed me to come in late, leave early and take 3-hour lunch breaks, all while getting my work done. Unfortunately, the company I was working for didn’t really see the benefit in my automation and decided to let me go. Oh well. At 17, I was in my senior year of high school and had a full-time job. I would often start my days very early and not finish until 2am — 6 days a week. I didn’t have a mentor at that age, so I had to decide for myself what was right and wrong.

How did you get involved in cybersecurity? I was always good with technology. I was always curious, and I always enjoyed taking risks. I still do.  At a very young age, I would break things just to see how they worked and tried to put them back together. I wasn’t always successful and would often get in trouble for it.

This translated over to when I got my first computer at 9 years old – a Packard Bell 286. I would constantly take it apart and put it back together — again, not always successfully.

Once I got bored with that, I began writing programs. I spent a lot of time on IRC, AOL and Usenet groups sharing programs, or Warez, and meeting other like-minded people.

I would run home from school, sign on using my dial up modem and continue writing programs, until my mother would yell at me because the phone didn’t work.

This allowed me to realise my capabilities — both good and bad. I started joining “groups”. As the internet started gaining more popularity, we would have fun online, we would be annoying, sometimes disruptive, but we didn’t see it as harming anyone. Social engineering wasn’t really a thing back then, but it existed and those who knew how to use it, used it to their advantage. We were kids in our early teens and didn’t really know any better.

As time went on, some of my friends delved deeper into this type of lifestyle and started getting attention. I saw some of my friends getting into trouble with the law. I had to decide: Is this a path I wanted to follow?

I have a lot of family and friends in law enforcement. I remember one conversation where a Sheriff’s Department friend of mine said “You know, the best criminals can make the best cops, because you already think like that.” The statement had a massive effect on me, and I consider it a turning point in inspiring my career. I knew most of the tactics, most of the strategies. After this conversation, I made a conscious decision to educate and help rather than damage and disrupt. I have had no regrets.

What was your education? Do you hold any certifications? What are they? I majored in Computer Science at California State University Northridge. I have a CISSP Certification, I am PCI-ISA and PCI-P certified. I have multiple Cisco and Microsoft Certifications and a couple of CompTIA certifications. When I was younger, I would often study and experiment on my own and challenge myself by taking certification exams.

Explain your career path. Did you take any detours? If so, discuss. I was always interested in breaking things and pushing boundaries. I started by writing and distributing random “program” and “warez” at a very early age which also got me to interact with other like-minded individuals. Hacking, data privacy, social engineering and general security weren’t really a thing back in the early 90s, so those of us who understood that and how the internet worked had a real advantage.

I worked for 3 years for a company called EarthLink running their High Speed Internet support department. Once I left EarthLink I started my own technology company called ComputerNine providing technology and security services with clients in US, Canada, Australia, Hong Kong, Korea and Costa Rica. Clients included IGE, Wowhead, Tencent, Breitbart, various celebrities, politicians, movie production companies etc.

At 22 I was strongly advised to formalise my education with a college degree, so I graduated from Los Angeles Pierce College then went on to Cal State University Northridge focusing on computer science. Code, development and technology always came naturally to me, so school was a breeze. Eventually ComputerNine’s success and being adaptable in some uncomfortable situations allowed me to grow in areas I didn’t realise I had within me – mainly leadership and communication. I found this also came naturally to me.

Ultimately, I saw a huge opportunity with one of my long-term clients, XYPRO, and decided to take a full-time role. I seized all the opportunities presented to me. I worked 20-hour days. I stayed up all night studying, researching, experimenting, learning, knowing I may not see a return then – but all of that got me to where I am now.

Was there anyone who has inspired or mentored you in your career? The most influential mentor in my life both professionally and personally has been the CEO of XYPRO Technology, Lisa Partridge. I’ve known Lisa for the entire length of my professional career. When I first started my career, I was impressed by her knowledge, accomplishments, work ethic, style, empathy — how she commanded the respect of the room. I said: “I want to be that way,” I want to exhibit all those traits as a leader. I was fortunate to have the opportunity to work closely with her on some very important projects — projects that threw me in the deep end of the pool. I never said no and I did everything in my power to make sure we excelled at everything we did. Part of it was my ego, part of it was for my own success, but a large part of what drove me was not disappointing her. That drive helped us get results. Because of this, she gave me bigger and bigger opportunities.

I recall one project we had kicked off years ago. Someone else was responsible for the overall success. After several years and a lot of dollars spent, I knew something was wrong. I could not see the target we were aiming for, and every day we were getting further and further away from our goal. I was the only one who felt this way, but it wasn’t my place or responsibility to say anything. I knew getting people to see my point of view would be an uphill climb. As time went on, I could not keep quiet. I would need to describe my concerns without seeming like a complaint, but rather in a way where I influence change in mindset. Get them to see my point of view. I would often see Lisa take this approach, and this situation gave me the perfect opportunity to apply those tactics.

In short, I had to convince a lot of people with stake in the game that the path we were currently on was not going to lead to success. I had to have an alternate solution for the problem. This was no easy task, but in the end, it worked out, the project turned around and we have seen incredible rewards to this day from it.

Lisa and I are almost always aligned in our approach, but don’t always see eye to eye and that I feel is a very important part of any relationship. If we always agreed, there would be no need for both of us. She pushes me when needed and will douse me with a sense of reality when necessary.

What do you feel is the most important aspect of your job? My role focuses heavily on innovation and advisory. We have very tight partnerships with our customers and they often rely on us in an advisory capacity for their mission-critical business operations. As such, I always have to stay current, stay in the know and be available and approachable. But serving my staff is equally, if not more, important. Without the help of my team, we cannot achieve the level of success we strive for. That’s why I try to spend a lot of time investing in the team. Coaching, mentoring, and allowing their creativity to flourish.

What metrics or KPIs do you use to measure security effectiveness? I often see KPI thrown around as a buzzword, but without lining it up to core business objectives, it won’t do much. Unfortunately, I can’t go into too much detail but I’m always looking to minimise risk and improve effectiveness. In my role, KPIs need to align with business risk which will allow us to measure effectiveness of our efforts and controls. All our tools and processes generate data critical for business decisions. We constantly review and reassess our KPIs to understand if we’re looking at the right metrics, what to add, what to remove and how to adjust. Decisions with data.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We’re always looking for strong resources. As is everyone else, we’re targeting Data Scientists and Cloud Engineers, but everyone in the industry is targeting these same folks. It is a candidate’s market. But also, it’s not necessarily the roles that are difficult to fill. Given our size and environment, the people that do the best here are the ones that can put their ego aside, wear multiple hats and not be afraid of rolling their sleeves up and doing whatever it takes to get the job done. We’re a fast-growing company with a blue-chip customer base.

Cybersecurity is constantly changing – how do you keep learning? This may sound a bit delusional, but I spend a lot of my free time reading, researching, experimenting, and discussing. With the current work from home situation, there is almost no line between work and home. My down time is spent working.

What conferences are on your must-attend list? Obviously, the big events like BlackHat, Defcon and RSA – but surprisingly I’ve gotten a lot of value attending smaller, more focused events like ISSA, various CISO Forums and vendor-specific events like CyberArk and SailPoint. But for me, anywhere where true relationships can be forged.

What is the best current trend in cybersecurity? The worst? What most excites me is where it is heading. We’re turning the corner on how machine learning and artificial intelligence will be used. Thirty years ago, Terminator 2 and Skynet were just fantasy. Unfortunately, that is becoming more and more the reality. AI algorithms can adjust themselves and become smarter with more data they can evaluate. Over the next 3–5 years we’re going to see this area really take off and I’m thrilled to be a part of it.

Secondly, the internet is the Wild West, and the dark web even more. We’re going to see the modernisation of law enforcement. Over the next 5–10 years, law enforcement will have a significant amount of its resources dedicated to cyber and electronic crimes. Entire smart cities are already being created and there’s no shortage of bad people who will try to disrupt our way of life once that becomes the norm. If you’re interested in cybersecurity and serving the public, this is a great area to pay attention to.

Unfortunately/fortunately — almost everything a human can do will be automated. Cars will drive themselves, repairs will be handled by machines, even to the point where sensors will predict failures of certain devices and order replacement parts for themselves. Then those will get delivered by a drone. The military is already doing this, but almost everything will be handled through drones, from inspections to forest management. All of this will require security. This will force security to evolve.

What's the best career advice you ever received? There is an old African proverb — “if you want to run fast, run alone. If you want to run far, run together.” Earlier in my career, I thought I could do it all alone. I had some early successes and an ego to match. I felt I could conquer the world on my own. If others couldn’t keep up, then they were just in my way. Like I said, this did lead to some big wins but that quickly led to long hours, burnout and an overall dissatisfied and empty feeling. Where do I go from here? Later, I realised that once something was started, the experiences, workload and wins could and should be shared.

What advice would you give to aspiring security leaders? My best advice for career trajectory is no amount of formal education can substitute for hands on hard work and real-life experience. Education is critical but needs to be supplemented. Invest in yourself early. Put yourself in uncomfortable situations – force it. Learn from it. Be adaptable. Learn. Listen. Experience. Don’t let opportunities pass you by. When you’re young, say yes to everything and figure it out. Ask for help, show off what you can do. But most of all, don’t let ego and pride get in the way. Surround yourself with people you want to aspire to be, otherwise you will never move forward. Success will come to those who earn it – not to those who feel they deserve it.
