Secret CSO: Jacob Ansari, Schellman Compliance

What advice would you give to aspiring security leaders? “Learn the right mix of courtesy and relentlessness. A lot of the job of information security is getting into other people’s business, and you want to do so respectfully and with minimal disruption.”


Name: Jacob Ansari

Organisation: Schellman Compliance, LLC

Job title: CISO

Date started current role: January 2021

Location: Racine, WI

Jacob Ansari is the CISO for Schellman & Company, LLC, where he oversees the information security program. Ansari was previously a Senior Manager with Schellman and the technical lead for the PCI practice, where he managed assessments, provided technical and standards expertise, mentored and trained other assessors, and provided strategic leadership for the practice. Ansari’s information security career spans 20 years, with deep expertise in information security assessment, consulting, and compliance services.

What was your first job? In high school, I had a summer job as a sysadmin’s lackey, configuring Windows workstations (mostly Windows 3.1), installing engineering software, running backup processes, and the like. My first real job out of college was as a consultant in an information security practice for primarily financial institutions.

How did you get involved in cybersecurity? In college, working as system admin in our computing centre cultivated my interest in information security, and I started with reading about the topic, doing basic tasks like patch management on a variety of Unix machines, and learning how to read log files.

What was your education? Do you hold any certifications? What are they? My BS is in Computer Engineering, which has served me very well. Even twenty-odd years later, I still make use of knowledge I learned in computer architecture, networking, and programming courses. I have an MS in Information Assurance, which has taught me how to articulate complex security concepts to nontechnical audiences very well. I have a CISSP and several PCI-related credentials. I also recently obtained a CPA.

Explain your career path. Did you take any detours? If so, discuss. In some respects, becoming a CISO has been the detour. I’ve been working in professional services performing security assessments for my entire career until the beginning of 2021. But in late 2020, an opportunity to become our company’s first CISO arose, and I discovered that I was more ready than I realised to reinvent myself and do something new.

Was there anyone who has inspired or mentored you in your career? I’ve had a few good mentors along the way. My first manager at my first consulting job was an excellent mentor and remains my friend and someone I look up to, even as he and I have moved through our careers on very different trajectories.

What do you feel is the most important aspect of your job? For our organisation, it’s getting in front of new initiatives and making sure we implement good underlying security practice that coheres with the rest of the organisation. Many of our service delivery and our operations people have a lot of infosec knowledge and act conscientiously, but very often independently of one another. Applying consistent practices and thinking is the tricky part.

What metrics or KPIs do you use to measure security effectiveness? A lot of the security role is completing tasks on schedule: review of policies, management of vulnerabilities, conducting risk assessments, meeting audit schedules. Those are more-or-less quantitative and comparatively easy to track. Measuring qualitative elements, like the effectiveness of security awareness training or of incident response plans, is much harder.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I’m currently looking for people with very specific audit and technology know-how and those would be hard to find in any market.

Cybersecurity is constantly changing – how do you keep learning? It’s important to stay constantly curious about new attacks or technologies and keep reading about them. Some days, I have a hard time keeping that part of my brain sharp, when there are suppliers to onboard and vulnerability reports to review and nonstop meetings all day, but having a wide reading list of sites and publications and staying interested in relevant events remains essential.

What conferences are on your must-attend list? I used to attend the hacker cons that ran over weekends, but those are very unpopular with everyone else that lives in my house. Right now, RSAC is top of my list, but I’d like to explore a few others.

What is the best current trend in cybersecurity? The worst? The recent Microsoft threat report, in its conclusion section, reiterated the idea of doing the basics well. So many organisations struggle with patch management, secure remote access, good design patterns in software security, and meaningful incident response. Focusing on those will go a long way to mitigating even sophisticated modern attacks. The worst maybe doesn’t seem like a trend, but is some version of despair that usually frames itself as “if an attacker can do x, then you’re already in bad shape and what’s the point of anything else?” and then sort of giving up on the problem.

What's the best career advice you ever received? I think this is an amalgam of different advice accreted over the years, but it boils down to “just because something is a security product or service doesn’t mean it lacks security flaws or issues.” Reminding myself of that has saved my hide too many times to count.

What advice would you give to aspiring security leaders? Learn the right mix of courtesy and relentlessness. A lot of the job of information security is getting into other people’s business, and you want to do so respectfully and with minimal disruption. That said, don’t settle for “stay in your lane” pushback. As a security officer your lane is everyone else’s lane. Insist on understanding how other teams handle data and manage risk and insist on having them follow good security practice.

What has been your greatest career achievement? Advocating for the creation of a CISO role where none existed before and then leveraging my experience as a security assessor to assume that role might be it, but I hope I’m not done just yet.

Looking back with 20:20 hindsight, what would you have done differently? If anything, I would have advocated for a CISO role at my current organisation earlier and made this move a little sooner.

What is your favourite quote? It’s hard to pick a favourite, but one I hold on to is Polonius’s famous line in Hamlet: “This above all: to thine own self be true. And it must follow, as the night the day. Thou canst not then be false to any man.”

What are you reading now? Apart from the usual spread of news and blogs, I’ve been rereading one of my favourite novels, Umberto Eco’s The Name of the Rose. It gets better every time I read it.

In my spare time, I like to… Take my kids on adventures, practice Chinese martial arts, play tabletop games, explore new places, try to take pictures of the night sky with or without our telescope.

Most people don't know that I… Drink more tea than coffee (although I drink plenty of both).

Ask me to do anything but… Sign up for a Facebook account.