Secret CSO: Sohail Iqbal, Veracode

What advice would you give to aspiring security leaders? "Think risk... If you’re able to understand risk, you’ll be able to come up with a solution to address, mitigate, or manage risks appropriately."


Name: Sohail Iqbal

Organisation: Veracode

Job title: CISO

Date started current role: August 2020

Location: Boston, MA, USA

Sohail Iqbal is a distinctive cybersecurity leader and practitioner. He has led successful security practices and developed effective security programs. Iqbal has been instrumental in developing and maturing security practices as Head of Cybersecurity Operations at Dow Jones / WSJ, CISO at J2 Global, and most recently Head of Information Security at CarGurus. He has also served as a Director for MediaISSF (Media Industry Security Sharing Forum), a CISO-led board for sharing the cybersecurity challenges faced by the media industry, and has served on the Cybersecurity Advisory Council for Rutgers University.

What was your first job? My first job was with IBM as a Customer Engineer in New York City. It was an interesting experience; I was responsible for Point of Sale (POS) systems. This required visits to many retail giants. I learned the importance of customer service and professionalism.

How did you get involved in cybersecurity? My professional career has been mostly driven by curiosity, passion and proactive thinking. It’s quite interesting how I switched my career focus from core technologist to cybersecurity professional. At Quest Diagnostics, I was responsible for active directory, messaging and platform architecture. There used to be periodic internal audits, and in every audit, we saw risk findings. This inspired me to see the Information Systems from the same lens internal auditors do. I wanted to be proactive and limit the number of risk findings, and was motivated to pursue a Certified Information Systems Auditor (CISA) certification. I found phenomenal support from Quest Diagnostics management to transition temporarily into the internal audit team, and I was given the chance to perform an audit for the Mexico Business Unit. I noticed at the end of audit that the majority of findings pointed towards security risks. The rest is history. I feel lucky and blessed to be in this profession--it challenges my proactive and risk-conscious personality and allows me to deliver on an area I am very passionate about.

What was your education? Do you hold any certifications? What are they? I attended City University of New York - College of Staten Island and have a B.Sc in Engineering. I hold the following certifications: CISSP, CISA, ITIL.

Explain your career path. Did you take any detours? If so, discuss. When I was at Dow Jones, I was handpicked by our CIO to join a four-person team to kick off Dow Jones’ cloud journey to AWS. I won’t call it a complete detour, as the AWS migration aspect really helped me to understand the cloud platforms, have a view into the SaaS world, and understand the challenges of modern workloads and the risks associated with them from the ground up.

Was there anyone who has inspired or mentored you in your career? There are many mentors who have helped me throughout my career. I would certainly like to name several whose contributions stand out significantly in my career. Russell Gibson, Director, Infrastructure Architecture-Systems Engineering at Quest Diagnostics was an early mentor that helped me to pursue my goals. I was a core technologist and stepped out of that role to pursue auditing and security. Russell was the manager that gave me confidence and provided me with opportunities to test my skills and pursue a career in cybersecurity.

I am also fortunate enough to have been mentored by Justine Bone, CISO at Dow Jones. She is a visionary leader. It was always encouraging to bounce ideas off her. She would hear them passionately and encourage me to further refine them. She helped me tremendously with prototyping my first security product idea.

In my personal life, my role model has been the legendary Imran Khan, a brilliant sportsman, a fearless leader, an upright politician and a great environmentalist. I am an avid cricket player and grew up watching Imran play cricket, so I was naturally a fan of his. What really impressed me, though, is how he managed to plant one billion trees in war-torn Pakistan within a one-year span. To me, this shows dedication and commitment that never fails.

I am very thankful to all those who have supported me throughout my career and enabled my accomplishments. It has been a very fun journey.

What do you feel is the most important aspect of your job? What I love about my job is establishing a personal connection with people and building a deep understanding of the business. It’s imperative in cybersecurity that you establish a good partnership with your workforce. Humans are the weakest link in security, and your programs are only as good as the weakest link in your organisation. There was a time when cybersecurity was seen as a backend operation, and I have made the utmost effort to turn cybersecurity into a customer service operation. Each member of the workforce is my customer, and navigating their way through on a user-friendly path with the least friction and risk is my responsibility.

What metrics or KPIs do you use to measure security effectiveness? It’s imperative to ensure that all metrics and KPIs are attached to business goals and aligned with the company vision.

I relate the success of any security program with three metrics. The program must be continuous, automated, and measured.

The continuous nature of a program tells me that it’s repeated with some set cadence, outcomes are analysed, and improvements are introduced. An automated program reduces configuration and user-related issues. The measured metric helps me see trends and assess if we are heading in the right direction. Measurement also shows me how much of our risk has been lowered since the program has been launched.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? There is no doubt that there is an acute shortage of cybersecurity skills. One of the ways I’ve tackled this issue in the past is by establishing a good pipeline within the industry and educational institutions. For example, I’m on the advisory board for Cybersecurity Council at Rutgers University. I have gone on recruiting trips to Carnegie Mellon University, Michigan State University, and other institutions to identify and recruit upcoming talent. The hardest part is finding the right talent that can grow along with you. Once you identify someone who is passionate and has the right chemistry for your team, you can mentor them. Tech can be taught, but the key is to find interns and employees with the right chemistry who are eager to learn and improve their value.

Internally, I also like to create an environment where people work in pairs, mentor each other, and address each other’s knowledge gap. Each individual has a primary function and secondary function in this partnership. They will increase their skills in their secondary function with assistance and instruction from their partner, and in turn they will mentor their partner on their primary function.

I stress not to lock people into a certain tools area and limit their career opportunities by restricting their knowledge to only a handful of tools. I encourage them to view their job as that of a risk manager. In cybersecurity our core profession is to be a risk manager, thus we need to be capable of using various tools, technologies and processes to better assess and mitigate risks.

Security Champion programs, which I tend to run in parallel, can also be helpful to fill critical gaps. This program inspires others within your organisation to take interest in the cybersecurity program. Employees nominate a team member as a Security Champion in their group. It helps to increase collaboration and partnerships between groups.

There is no easy fix for the cybersecurity skills gap; it is a journey, and building a continuous pipeline is the key. Internship programs are a great way to keep that pipeline alive and groom future talent.

Cybersecurity is constantly changing – how do you keep learning? The security market is dynamic and changes every day. Part of my job is to be aware of these changes, and to consider how we educate ourselves and motivate our team to look towards these new challenges and think about ways to address them.

I frequently participate in industry events, as I find the collaboration with my peers, discussing problems and solutions across the industry, very valuable.

I keep a keen eye on new products and technologies, participate in vendor evaluations and forums, and keep myself aware by reading articles in industry publications and listening to relevant podcasts. There are also lots of great threat intel feeds from our partners and vendors which I keep at the top of my reading list. The publications I’m reading on any given day really relate to who has the content relevant to my current interests. I follow news and topics more closely than specific news outlets. I also pay attention to industry leaders, including our own Veracode founder Chris Wysopal and Chris Eng. They have tremendous experience and are abreast of modern-day challenges. Working with them and learning from them is a tremendous opportunity, and they’re a great resource for discussions on what’s transforming the cybersecurity market.

What conferences are on your must-attend list? When choosing events to attend, I focus on content more than brand. I look for an interesting agenda and news relevant to Veracode and my interests. That said, some of the events I attend regularly include RSA, Black Hat, AWS re:Invent, and Gartner events. 

What is the best current trend in cybersecurity? The worst? There is a lot of chaos and confusion in the market. We have a lot of information which is advertised based on keywords. This market is fueled on fear and a compulsion to do what everyone else is doing.

Leaders should focus on the risk emanating out of their own environment. Every organisation has a different risk tolerance. Cybersecurity programs should be tailored to best suit the organisational risk tolerance. It’s important to not follow trends in the market blindly. It’s imperative that we understand and assess risks thoroughly. As a leader, our job is to differentiate from the noise and focus on what’s key to our organisation.

What's the best career advice you ever received? All my mentors have been instrumental in two ways--trust and confidence. They motivated me to fearlessly take on challenges and think outside of the box. It’s crucial to make sure that you are presenting and are vocal about your opinions and feedback. My mentors made me speak up and communicate my strategy, recommendations and my opinions.

They taught me, and I’ve found this to be true, that learning the technology is easy, but adoption, alignment and cultural shifts are the hardest tasks. It takes a while to understand that tools and technologies aren’t a solution in themselves. They need to be combined with good process and the right skills in order to achieve an effective solution. We all make mistakes very often when we only look towards tools to deliver required results. It actually takes three to tango - the people, the process, and the technology.

What advice would you give to aspiring security leaders? Think risk. This is the number one thing that I tell my team. We’re not here to block, approve, or police things. If you’re able to understand risk, you’ll be able to come up with a solution to address, mitigate, or manage risks appropriately. It is critical to think strategically. A tactical action may be the need of the hour, but it does not help you to move forward. You need to think strategically to advance, otherwise one will remain stuck in that tactical loop.

What has been your greatest career achievement? Working at Veracode is honestly one of my greatest career achievements. I came from CarGurus - an amazing company with a phenomenal culture and people. I left CarGurus only because Veracode meant something to me. I had a great passion to work for a security product company. Working for accomplished security leaders like Chris Wysopal had a significant value to me.

I was first introduced to Veracode when I was at Dow Jones back in 2013. It was quite visionary of Veracode’s founders to bring Application Security to a SaaS platform. The founders at Veracode predicted and sensed that cloud would be the next big thing for the enterprise market. I am inspired by folks who think outside the box, and Veracode’s founders very rightly predicted the SaaS market proliferation ahead of any other AppSec player in the market at that time.

Looking back with 20:20 hindsight, what would you have done differently? I love what I do. Even if I had the chance to go back in time and rewrite my career path, I would not choose anything other than what I am doing today. It’s been an honor and pleasure to work with so many talented folks.
