Secret CSO: Peter Romano, eSentire

Name: Peter Romano

Organisation: eSentire

Job title: Chief Information Security Officer

Date started current role: January 2019

Location: Waterloo Ontario, Canada

As Chief Information Security Officer, Peter Romano is responsible for the enterprise security and compliance vision, strategy, and roadmap to ensure eSentire information assets are protected and compliant with various privacy and statutory requirements. He is a security officer and people leader with expertise in the areas of mobile and cloud computing in high growth technical organisations. Over the course of 20+ years in security, he has overseen the creation of organisational capability that dramatically increased the confidentiality, integrity, and availability of internal IT and cloud service offerings. 

What was your first job? As a student, I worked in fast food, and learned how to perfect the French fry through an elaborate three step process. A couple of other key take-aways include the importance of being thorough and having a customer-first mentality. 

My first “real job” was in Desktop Support at what was then known as Research in Motion (RIM). I had spent two of my University Co-op terms at RIM and was then hired full time after graduating. Tending to everyone with computer issues, this role allowed me access to everyone across the company. This was my earliest exposure to senior management and really opened my eyes to all areas of a business. 

How did you get involved in cybersecurity? As part of my 15 years at RIM/BlackBerry, the culture of security was defined by RIM’s security conscious founder and then CEO Mike Lazaridis, the visionary of the product which embodied a security culture across the organisation. 

Also, my interest and involvement in cybersecurity was a natural progression from my early roles in IT where security and awareness played a key role in my everyday operations.

What was your education? Do you hold any certifications? What are they? Civil Engineering BASc, University of Waterloo. MSc Information Security, Royal Holloway, University of London. CISM from ISACA.

The sport of golf has also been an important educator in my life when it comes to the concept of risk management. Don’t lose the ball in a hazard and avoid sand traps. These learnings also apply to security. 

Explain your career path. Did you take any detours? If so, discuss. I have remained on track within my career, but I did take a detour from what I originally went to university for as part of my undergraduate degree. As a student, I dreamt of designing and building bridges, choosing to go to school for Civil Engineering. Upon graduation, it was a slow time for construction and the entire sector which then led me into d into the field of IT.

Was there anyone who has inspired or mentored you in your career? I have been fortunate throughout my career to cross paths with a number of respected security professionals, most notably during my time at BlackBerry through our partners at AT&T and Cisco. During this time, I was especially influenced by how they managed through various scenarios, and I was able to learn from their lessons learned. Over the years, I have made sure to keep those learned elements in my back pocket.

What do you feel is the most important aspect of your job? Communicating is the most important aspect of my role, making sure requirements of individuals and business units are understood. While a lot of security people are born out of technology, the ability to communicate effectively is key. You want everyone in the organisation to be a part of the extended security team. To achieve that, everyone needs to be aligned, influenced and on board.

What metrics or KPIs do you use to measure security effectiveness? Since we can only be as strong as our weakest link, it’s imperative to know how well prepared our team is. The main measurables I pay attention to are the phishing stats coming from the simulations we perform. I like to see these conducted on a quarterly basis to gauge how the organisation is doing, and make sure we’re doing our part to be prepared. 

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? One high demand skill is analysts who can interpret what an adversary is doing by looking at the ones and zeros. To help with this, we address any gaps through a farm system - bring people in, build them, grow them, and bring them up through the system. Because of this system, we can proactively train up and fill the roles through internal expertise.

Cybersecurity is constantly changing – how do you keep learning? I find it valuable to have friends in the industry and communicate with them regularly. Having a group of like-minded peers who share similar interests and worries and exchanging experiences and perspectives with them, has been a tremendous source of my learnings.

What conferences are on your must-attend list? RSA is one I especially enjoy attending. I’ve seen some great content tracks, but also have found RSA to be a valuable networking opportunity to gain some real-life intelligence through the swapping of stories and experiences with peers.

What is the best current trend in cybersecurity? The worst?  It was not that long ago that IT professionals had the frustrating job of educating the leadership team on why investments in cybersecurity needed to be made. Thankfully in many organisations today, executive leadership and board members understand that cyber security risk is a business risk. The discussions are now centered on reducing risk, not whether the risk even exists.

It probably goes without saying that the pandemic has brought out both the best in people and the worst. As a cyber security company, we have witnessed a wide range of lures being used and sadly the adversary's techniques will be most effective with those who are already experiencing financial hardship.

What's the best career advice you ever received? I learned to always map decisions back to risk => risk tolerance and risk acceptance.

You want to take emotions out of the decisions you make and be able to provide guidance on what works best for the company to protect the business.

What advice would you give to aspiring security leaders? Don’t be shy - put yourself out there. We all have problems we deal with and need to lean on one another to get through them. Also, engaging the business is a must. We’re all in this together learning from one another’s problems and perspectives.

What has been your greatest career achievement? My greatest career achievement was getting into RIM, the company that invented the BlackBerry, at the right time and watching the company grow from 40 employees to almost 20,000 employees. It has been my greatest achievement to not only witness the growth, but also to be a part of that growth.

Looking back with 20:20 hindsight, what would you have done differently? Many people regret the career steps that go backwards and those that take a zig zag route. For me, every one of these steps have been a learning opportunity and in the long game, a bigger step forward for me. Would have been nice to know that earlier in my career!