Secret CSO: James Arlen, Aiven

What is the best current trend in cybersecurity? “The best current trend is probably the focus on people-scale problems - not focusing as much on blinky-lights and shiny-things product solutions to security problems.”


Name: James Arlen

Organisation: Aiven

Job title: CISO

Date started current role: October 2020

Location: Canada

James Arlen is Chief Information Security Officer at Aiven, a next-generation managed cloud services company offering the best Open Source data technologies to empower businesses around the world and make developers’ lives better. With more than two decades of experience delivering information security solutions to Fortune 500, TSE 100 and major public-sector companies, Arlen has held key roles in publicly traded financial companies, large-scale power utilities and internationally-recognised manufacturing and financial organisations. Arlen’s expertise, which includes security certifications in CISSP, CISA and CRISC, has led him to be a known voice in the industry as a blogger, podcaster, speaker and a prolific contributor to media and standards including a lead author contribution to the Cloud Security Alliance Security Guidance for Critical Areas of Cloud Computing V4.

What was your first job? First job at all? Newspaper delivery when I was 7 years old! First job doing security-related work? Accounting and Audit Technician at an Accounting Firm. First job doing full time security work? Consultant at FSC Internet Corp. in Toronto - spent most of my time doing the technical side of security - architecture and assessment.

How did you get involved in cybersecurity? Through a series of accidents (this is probably true of most people from my generation of security professionals) - auditing, working with businesses on their information systems in the mid-90s which naturally turned to securing those systems, and then continuing to fall upwards in the industry to bigger and bolder things.

What was your education? Do you hold any certifications? What are they? Oh, I have a decidedly non-traditional education! I have a Diploma in Media Arts (film / television / corporate communications). I do use many of those skills as part of my day job now, but it is certainly not the focus. I hold the CISA, CISSP, and CRISC certifications. And since I was one of the people who contributed to the CCSK certification, I can’t get it :)

Explain your career path. Did you take any detours? If so, discuss. The usual tagline I use is “I’ve had every job from log-reviewing SOC monkey all the way to CISO in both staff and consulting roles.” The only significant detours I’ve taken were a short stint as a CTO and the time that I’ve spent doing SRE/Production Engineering management while I was at Heroku. I think that there are a lot of people who spend long periods of time doing the same sort of work and I’m not one of those people. I like doing something new as often as possible - new challenges are what keep me doing my best work.

Was there anyone who has inspired or mentored you in your career? I don’t think I would be nearly as successful as I am without the influence of Dr. Richard Reiner - a true security mensch. I’ve had the good fortune to become friends with many of the people who have influenced the entire industry - in part because I’ve been bold enough to seek them out and ask for their time and in part because I’ve spent a fair amount of time working on the conference speaking circuit. I’m doing my very best to provide that same kind of lift to others who are starting out in their careers and have a few astonishingly successful mentees.

What do you feel is the most important aspect of your job? Ensuring customer trust. It really starts and ends with that. I’m ultimately responsible for taking care of their information because Aiven is a Database as a Service provider. There are interesting side aspects too that relate to taking care of our staff and taking care of the world generally. Information security is not a zero-sum game - any contribution I can make does make things better.

What metrics or KPIs do you use to measure security effectiveness? <Insert heavy sigh> It’s really difficult to have effective and functional metrics and KPIs related to the effectiveness of security in an organisation. So difficult that it’s usually a problem that creates perverse incentives. Every metric I’ve seen is one that I can game one way or another.

I would like to reframe the question a bit - “How do you assure the Board of Directors that they shouldn’t be worried?”

This goes back to the most basic question that you should be asking yourself as a CISO - what’s keeping me awake at night? And whatever that answer is - expressed in business terminology - is what you need to report to the Board. They don’t care about the percentage of vulnerable systems and how that was 0.237% last quarter and is now 0.236% this quarter. Think about what’s actually important.  

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I think the skills shortage affects everyone to a greater or lesser degree. In my case, finding people who already have multi-substrate, hyper-scale, hyper-growth cloud environment knowledge and expertise is really difficult. This affects primarily senior roles where I don’t really have the time to teach or provide learn-while-you-work opportunities. In response to this, I’m trying hard to hire a few very senior people to spend a significant part of their time mentoring more junior staff. The only way to meaningfully solve the skills gap is to find a way to add more skills. Remember that we have a dedication to improving the security of our individual organisations but that any upskilling/training that we do for a staff member who then moves on to another organisation raises the skill level against all adversaries - security on the Internet is not a zero-sum game!

Cybersecurity is constantly changing – how do you keep learning? A voracious appetite for information. I constantly read. Not only within the industry (trade publications, blogs, Twitter, podcasts, etc.) but also in adjacent areas - general business/management, software development / engineering management, and more. Spend as much time as possible consuming information and allowing my subconscious to integrate all of it. Turns out that there are a lot of problems that occur in cybersecurity which are effectively solved in other areas of interest/expertise and opportunities to apply those learnings are constantly available.

What conferences are on your must-attend list? There are conferences to attend to learn and conferences to attend to see and be seen. In a more normal time, the usual list of security conferences includes RSA, Black Hat / DEF CON, SecTor, and as many BSides events as I can fit in. Outside of security conferences, I take the opportunities as they come.

What is the best current trend in cybersecurity? The worst? The best current trend is probably the focus on people-scale problems - not focusing as much on blinky-lights and shiny-things product solutions to security problems. The worst is probably the continued militarisation of the industry - the level of “tacticool”

What's the best career advice you ever received? “Be deliberate and precise” - Trey Ford. Amazing how well this simple catchphrase works for lots of situations and is endlessly adaptable to the problem at hand. Too often security professionals let things happen because they do and “good enough is good enough”. Just stare at the phrase on the page and you’ll see it apply to a dozen things today alone.

What advice would you give to aspiring security leaders? You need to spend far more time understanding the business that you are in than you think you should. If you work in the financial industry, you’re not “In Security”... you’re “In Banking”. Shadow the people that do the work and you’ll better understand how your work impacts their work and vice versa.

Also, know when to kick a hole in the wall (see next question!)

What has been your greatest career achievement? I think that the most important decision I’ve made or action I’ve taken related to a business risk as an information security professional was to literally kick a hole in a wall.

I should probably explain.

During the time period where I was working with control systems for the electrical power grid (yes, that means SCADA), I encountered some situations where the overlap of physical and cyber systems had some potentially significant impacts. I and a few others in the security department were working late. Walking out of the building, we noticed a large volume of water rushing out of a broken faucet in a janitorial closet. Recalling the floor plan of the building, we realised that we were on the floor above the data centre, and it was probably going to start raining on the racks soon. Other staff quickly ran to determine the situation downstairs and look for the water shut-off valve. I worked to redirect the water into the slop sink, but this wasn’t very effective. The janitorial closet was between the restrooms, and I knew that there was a floor drain only a few feet away that would effectively save the racks below from hundreds of gallons of water. So, I kicked a hole in the wall, giving the water a path of least resistance to the drain.

So, how in the heck is this related to the question? Business risk relates to availability. We’ve had it drilled into us as information security professionals that the CIA triad is what matters, and I think we unconsciously place the elements in that specific order. The business of “keeping the lights on” is much more about the availability of the control systems. It would not have been a reputational hit but rather a regulatory one. The paperwork for having to abandon the primary control centre and operate from the backup control centre would be significant, but more importantly, the resulting potential for a blackout would impact many individuals.

Early in my career, I learned that sometimes the only way to manage your availability risk is to kick a hole in the wall. I don’t know for sure if the work that we did that night prevented a blackout, but all of these years later the lesson of paying attention to the business is what has mattered most in my career.

Looking back with 20:20 hindsight, what would you have done differently? Over the entirety of my career, the thing I wish most I could change now would be to find a way to manage my impostor syndrome. I ended up having a great conversation with Jon Callas where he basically read me the Riot Act on that topic. I wish I could remember his exact words but effectively the quote was “You’ve earned your way here, start acting like you belong.” I still struggle with this at times and I just have to recall the intensity of the look on his face imploring me to get over my issue and see my own value.

We really don’t do a good job of discussing and supporting each other in the non-technical performance and skills parts of our profession. You probably know someone struggling with impostor syndrome - you should do them the favour of reading them the Riot Act the same way Jon did for me. (And yes, I’ve done this to more than just one or two people over the years since!)
