CTO Sessions: Paul Kohler, Strategic Security Solutions (S3)

Do you have any trouble matching product/service strategy with tech strategy? “If you view technology as an enabler and not as the objective, matching the product/service strategy to tech strategy becomes seamless.”

Name: Paul Kohler

Company: Strategic Security Solutions (S3)

Job title: CTO

Date started current role: January 2018

Location: Atlanta Metro Area, Georgia, USA

Paul Kohler, CISA, has over 25 years of professional experience in identity governance, security, privacy, systems administration and programming. He has focused his career on providing technical solutions for complex client initiatives and has advanced technical solutions in heavily regulated environments and managed global teams deploying a variety of privacy, security, and identity related solutions both in industry and as a consultant. For the past 5 years, Kohler has been the CTO at Strategic Security Solutions (S3) Consulting, a leading provider of identity and access management, governance, risk and compliance, and SAP security advisory services.

What was your first job? My very first job was actually very entrepreneurial, I was around and spent the summer cutting grass for several of my neighbours. I would drive a mower with one hand and hang on to the push mower with the other. I got paid $15 to cut an acre of grass. I saved my money and bought a go-cart at the end of the summer. According to my dad, my business was heavily subsidized, and he spent more money fixing the lawn mower than I actually made.

Did you always want to work in IT? No, to be honest IT was not even a consideration early on in my education. It happened to be very coincidental that I ended up in IT. My first full-time job following college was working for an insurance company in their accounts receivable department. I processed all the payments and prepared the daily deposit. During that time, I built a spreadsheet (I’m not sure it was even in Excel) that tracked the company’s bond portfolio. After a short period one of the programmers resigned, and the offer was made to give programming a shot. My first project was to convert an application from DOS to Windows 3.11. During that project, I found I enjoyed the challenge and from there I was off in a new direction.

What was your education? Do you hold any certifications? What are they? My education was a little circuitous. My freshman year was typical to many and lacked one specific direction. After that, I buckled down and ended up with a Bachelor’s of Business Administration and Master’s of Science in Finance. Even though I didn’t end up on the business side, that education gave me invaluable knowledge regarding the operation of a business. I hold a CISA (Certified Information Systems Auditor) from ISACA. I think in many cases certifications are a bit overrated; I’ve seen many people with certifications where I think to myself, “this person is certified?” And just as many where I think, “this is one smart person; I can’t believe there are no certifications.”

Explain your career path. Did you take any detours? If so, discuss. My career path was not a straight line by any means. From working in accounting to transitioning to programming in clinical research and developing programs to “clean” clinical study data in preparation for FDA approval, I have had several different paths that have led me to today. Earlier on in my career I was presented the option to work in a fairly new product called SAP. I was given the responsibility for application security and system administration. I spent many years deploying and maintaining SAP systems around the world, both as an employee and a consultant. It was there that I learned some important lessons about technology and how it can both benefit and detract from a business.

What type of CTO are you? Any effective CTO must wear the hat of all the CTO types. I am primarily a business enabler. Strategic Security Solutions (S3) is a consulting company and as such we are driven to provide solutions and enable our customers to overcome their challenges. We utilise a people-first approach, where technology is not nearly as important as the people and process side of the equation. In most cases there are many technologies that will solve a problem, but unless we are solving the right problem none of them will ultimately be successful and achieve the objective it was intended to.

Which emerging technology are you most excited about the prospect of? This is probably pre-emerging technology, but I find the science fascinating. I just read an article about a new CPU developed by the University of Michigan that shows promise for being unhackable. The idea behind the chip is to make it an incredibly complex puzzle. The puzzle must be solved before any vulnerabilities could be exploited. The piece that makes this chip different is, the underlying puzzle gets changed every few milliseconds. Using this method any vulnerabilities become obsolete before any exploitation can take place. Recently, a team of white hat hackers spent a total of 13,000 hours trying to beat the chip’s defences. It’s exciting to see advances like this. But with all technology it is the application that makes it a force for good or not.

Are there any technologies which you think are overhyped? Why? Personally, I think artificial intelligence (AI) is overhyped. This is the second go round for AI, after it failed to deliver in the 1990s. AI uses algorithms to solve well-defined problems like playing chess. This type of intelligence does translate well to solving problems that are not well defined or already well understood. While it is true that AI is used to solve these problems faster, this does not equate to “general” intelligence. There are huge differences between machine intelligence and intelligence as it is applied to humans. Machines require massive amounts of data to “learn”, while humans require much less data to learn.

What is one unique initiative that you’ve employed over the last 12 months that you’re really proud of? In many respects surviving the last 12 months has been a unique initiative for nearly everyone. It’s still a work in progress, but at S3 we’ve implemented some unique approaches to onboarding and developing fresh-out-of-college resources. It has been challenging to develop these resources outside of the office setting, where so much is learned through immersion. I won’t say it was always 100 percent successful, but we were able to keep moving the ball forward.

Are you leading a digital transformation? If so, does it emphasise customer experience and revenue growth or operational efficiency? If both, how do you balance the two? Our business is on the cutting edge of helping our clients lead digital transformation. Every one of our engagements with our customers addresses some aspect of digital transformation. S3’s transformation focus is operational efficiency, but certainly helps support revenue growth. We help our customers transition their cybersecurity posture to a modern and defensive stance.

What is the biggest issue that you’re helping customers with at the moment? As an organisation we are solving our customers’ identity challenges. Because of the COVID-19 pandemic, the last year has pushed the identity challenge along with other cybersecurity challenges to the forefront. Organisations were forced to enable entirely remote workforces on what turned out to be a wing and a prayer. Now we are seeing some of the fallout from that. The first priority was staying in business through the pandemic; now we have to take a step back to remedy the challenges of that cataclysmic shift.

How do you align your technology use to meet business goals? Technology is purely an enabler for business goals. It should never be a case of IT being “so preoccupied with whether or not they could, they didn’t stop to ask if they should.” Business goals drive technology choices and not the other way around. So my challenge is to implement technologies that integrate well with each other. This approach provides the most utility to the organisation and drives the most value from our technology investments.

Do you have any trouble matching product/service strategy with tech strategy? For me, I got back to building blocks which makes the process much easier. If you view technology as an enabler and not as the objective, matching the product/service strategy to tech strategy becomes seamless. We do see a lot of cases where the “tail is wagging the dog”. This is a recipe for failure and a guarantee that you will not get the most out of your strategy.

What makes an effective tech strategy? Alignment is the most critical component of the tech strategy. In cases where the tech strategy is not aligned with the business objectives you will always be less than fully successful. Technology does not drive the business. There are countless technologies that have fallen by the wayside because they solved a problem that no one, or very few people, had.

What predictions do you have for the role of the CTO in the future? I think an additional lens will be added to nearly every decision that a CTO will make. Every decision will have to address the question “how does this impact or affect my security posture.” The playing field has tilted toward the adversary. The adversary is not bound by social norms which gives them a tremendous advantage. The CTO must use their position to ensure that basic cyber blocking and tackling is being performed. A vast majority of recent cyber incidents are the result of failing at the fundamentals.

What has been your greatest career achievement? It is difficult for me to pinpoint one specific achievement, but I might holistically consider the career itself as the achievement. For me, the sum total of my career is a great achievement. The journey has been incredible. My career has taken me around the world implementing some of the most complex systems for some of the largest companies out there. I’ve also helped some small companies no one has ever heard of improve and implement systems. Each end of the spectrum has brought its own rewards. I think it really is about the journey not the destination.

Looking back with 20:20 hindsight, what would you have done differently? There are two things that I would have done differently. Going way back to my college days, I missed a huge networking opportunity. I didn’t take the opportunity to get involved with any of the organisations there. It was much later in my career that I realised what an incredible opportunity that was missed. As the old saying goes, “it’s not what you know.” The second thing is I would have put much more effort into becoming a better speaker. You can be the smartest guy in the room (you could also be in the wrong room) but if you can’t express your ideas, it makes no difference. The speaking skill could be one of the most important skills to have; it adds instant credibility.

What are you reading now? I just finished Applied Ballistics for Long Range Shooting by Bryan Litz. Like I said earlier, science fascinates me. Physics was one of my favorite college subjects and the application to ballistics is interesting.

Most people don't know that I… have completed two Tough Mudder events. Both courses were between ten and twelve miles of obstacles. While it is not technically a race and contestants are encouraged to help their neighbors complete the obstacles, it is a physically challenging event.

In my spare time, I like to… shoot. I’ve recently started shooting in the Precision Rifle Series (PRS). Under no definition would I be considered competitive but I’m enjoying the challenge and what has proven to be a very humbling experience. I also enjoy the process and science behind reloading the ammunition for competition.

Ask me to do anything but… terminate an employee. This has to be my least favorite activity. There are some really nice people that I’ve had to let go. In most cases the termination is the result of a misalignment of strengths and weaknesses. Ultimately both parties are better off after the termination, but it doesn’t make the process any easier.