Secret CSO: Igor Kvrgic, Revuto

What advice would you give to aspiring security leaders? “Try to be flexible when it comes to ideas, but diligent about the rules that come out of those ideas.”


Name: Igor Kvrgic

Organisation: Revuto

Job title: CISO

Date started current role: June 2019

Location: Dubai

Working as CISO at Revuto, Igor plays an integral role in ensuring the security of Revuto, an intuitive app that allows consumers and small businesses to easily manage their subscriptions all on one platform. Igor is responsible for making sure that Revuto excels in cybersecurity. This means ensuring the company achieves the highest standards when it comes to encryption and authentication, along with continuous diligence towards the protection of customer data.

What was your first job? My first real job was during college; I was a chauffeur for a local football manager. After a decent amount of driving and watching football games, I graduated and got a job in IT, as IBM Solutions Consultant, based on WebSphere and Tivoli portfolio.

How did you get involved in cybersecurity? While I was in college, I remember a friend of mine started an online forum, and soon afterwards it got hacked. I was really intrigued by how someone had managed to bypass the security, and so from there, I got acquainted with injection attacks and encryption.

This is ultimately what sparked the first step in my considering a career in cybersecurity, and the initial interest in how it works, alongside how to protect systems.

What was your education? Do you hold any certifications? What are they? In 2011, I graduated with a bachelor’s degree in IT engineering. I have a couple of IBM WebSphere certificates and a Pentaho Business Intelligence certificate too.

Explain your career path. Did you take any detours? If so, discuss. As a fresh graduate of IT Engineering, I landed an opportunity to work with IBM and their WebSphere portfolio, which evolved into a five-year journey as an IBM consultant. Here, I covered a wide spectrum of technology mostly within the IBM portfolio but also spread out across MS, RedHat, and open-source solutions. After spending two years in Seattle, I was ready for something different, and to expand my knowledge beyond the IBM sandbox. I felt the need for greater IT “freedom” in terms of exploring other solutions and how they would help me to diversify and keep on top of the latest trends. I had outgrown my role within the IBM portfolio, and craved something more exciting.

I then got involved in high-profile eGovernment solutions that use a wide range of tech, from Oracle, VMWare, and Microsoft to machine learning. After working on projects like PKI authentication across Sultanate of Oman (which then became a full government initiative, and expanded to UAE and Qatar), and designing a system that consumes the sensitive data of government institutions, I joined the Revuto team, which felt like a step in the right direction. Revuto fueled my passion for IT security further with the way it combines crypto with existing payment systems. This is where we are aiming for; to offer an innovative solution to the influx of subscription-based services, while also making sure consumers have full confidence in our security policies.

Was there anyone who has inspired or mentored you in your career? Not to sound pretentious, but I never really had a role model or a mentor. I always admired certain skills and qualities within people, so I would try to reach certain goals with self-analysis and lots of reading and implementing a trial-and-error method.

What do you feel is the most important aspect of your job? Transparency. Generating trust and openness within a team is crucial for success and motivates people to give their best.

What metrics or KPIs do you use to measure security effectiveness? In order to always be on guard, we follow a list which I co-created with the Revuto team, which consists of regular checks like readiness levels and penetration testing scores. In the event of a security breach attempt, Revuto’s procedures start with ‘Time to Detect’, which identifies how long it takes to notice an intrusion. The next point is ‘Severity Classification’, where we measure the impact of the incident and the level of threat we face. And then this is where ‘Time to Resolve’ becomes our main focus.

The list follows best-practice scenarios, but we modified it to suit our company needs and the needs of our consumers.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I’m aware that a lot of companies struggle with the security skills shortage, but Revuto is lucky - when I started, I made sure that I had the best people in my team. The team is made up of highly skilled individuals which have allowed us to build and design the company on strong foundations. However, we do have growth and expansion plans, so I might have a different answer one year from now.

The industry is of course moving fast, and it’s likely that we’ll need to consider people who possess unique and specialised cybersecurity skillset and who align with our overarching business strategy.

Cybersecurity is constantly changing – how do you keep learning?  We are all aware of how fast the industry evolves and, although it may seem odd, one thing that helps me quite a lot is social media. It lets me feel the heartbeat of new ideas because good ideas spread like fire. After something catches my eye, I usually do some extensive reading and discuss the ideas with the team, because - particularly whilst working remotely - collaboration and communication are instrumental in thriving and staying abreast of everything.

What conferences are on your must-attend list? Finovate Europe would be my first pick, mainly because it’s just a good mixture of fresh ideas and great presenters, but nothing too flashy. This sets the attendees’ mood open for discussion and collaborations, which is great.

What is the best current trend in cybersecurity? The worst? With COVID-19 orchestrating 2020, we witnessed a rise of AI in security. More and more biometrics are being used in correlation to machine learning to avoid (or improve) traditional security processes. I see this rapidly increasing throughout the industry. Also, the cloud has seen incredible growth in the last decade, but I expect It to keep momentum in the coming years. SASE will also be something to look out for too.

What's the best career advice you ever received? Ironically, the best advice I ever received was also the biggest risk I ever took. At that time, I was living in Seattle and we just completed one of the last milestones on the project, so you could say we were finally out in the clear. But instead of enjoying the stability I’ve earned, a good friend of mine and a former colleague advised me to move from the USA to the Middle East. He pointed out that, in order to grow, I shouldn’t get comfortable and stay “battle-ready”. He cited the famous saying; “do not to wait to strike till the iron is hot, but make it hot by striking”.

It was such a big change. I went from having a big organisation behind me to moving to an unknown region in the USA for a smaller company, to partake in a much more complicated project. It was a shot in the dark, but it opened so many opportunities for career growth.

What advice would you give to aspiring security leaders? For aspiring security leaders, the first step is being in a good position to invest in yourself, both as a leader and an expert. This includes getting the training that you need and building on your own insight and values. Try to be flexible when it comes to ideas, but diligent about the rules that come out of those ideas. Then you can think about building a good team around you who share the same vision. And this is a team you should guide, help, and listen to. A good team is the core of every successful project. Also, don’t forget to keep in mind the audience your solution is aiming for and try to envision their perspective.

What has been your greatest career achievement? Seeing recognition from the people within the industry when we showcased some of the final builds of Revuto. So many challenges leading up to that moment, but seeing their feedback was extremely satisfying.

Looking back with 20:20 hindsight, what would you have done differently? If I am being honest, I would push myself more to take initiative at the very beginning of my career. Being vocal about improvements and risks should happen regardless of your experience. Presence and sharing ideas with juniors should be more encouraged and this is something I am doing with my team as well.

What is your favourite quote? I have always been a fan of Greek mythology and I loved the story about Icarus and Daedalus, so this one always comes up first – “But I’ve never seen the Icarus story as a lesson about the limitations of humans. I see it as a lesson about the limitations of wax as an adhesive.” - Randall Munroe.

What are you reading now? World Atlas of Coffee by James Hoffman.

In my spare time, I like to… You can’t really beat riding down a coastal road on a motorcycle. Although, I do love to go camping or trekking in the mountains.

Most people don't know that I… Don’t like watching football. I have played basketball since I was six, so running for 90 minutes without scoring a goal is something I don’t find amusing.

Ask me to do anything but… Light a cigarette. I can’t find anything pleasing about it!