Secret CSO: Paul Calatayud, Aqua Security

Explain your career path. Did you take any detours? “Some people would probably say the army was a detour, although I don’t think so. It was certainly an unusual introduction to the industry.”


Name: Paul Calatayud

Organisation: Aqua Security

Job title: Chief Information Security Officer

Date started current role: January 2022

Location: Minnesota

Cybersecurity veteran Paul Calatayud is the Chief Information Security Officer (CISO) at Aqua Security. Calatayud has spent more than two decades leading product and security teams for companies across industries ranging from Fortune 500 companies to startups. Most recently, Calatayud served for over four years as Chief Security Officer at Palo Alto Networks and prior to that, he held various security, privacy and risk roles at SANS, FireMon, and Code42 among others.

What was your first job? I enlisted in the army straight out of high school. We’d been learning computer science in software development at school, but I didn’t want to follow the traditional career path. I told the recruiters I’d like to do something with computers, but something a bit more hands-on than software development.

How did you get involved in cybersecurity? The army put me in network security, which was my entry into the cybersecurity world. I spent two years training full time with them, and then I got an IT job outside of the military whilst I continued working part-time with the National Guard. It opened my eyes to how crucial cybersecurity is on a national and international level. I’ve now been in cyber for more than 20 years - and I've never looked back.

What was your education? Do you hold any certifications? What are they? I hold several military certifications, equivalent to a Cisco Certified Internetwork Expert certification (a more standard networking qualification). I also have five certifications from the SANS Institute, where I used to be an instructor. In terms of education, I have an undergraduate degree, an MBA, a Master's degree and I’m currently working on getting my PhD. I’ve always valued education and I’m always learning.

Explain your career path. Did you take any detours? If so, discuss. Some people would probably say the army was a detour, although I don’t think so. It was certainly an unusual introduction to the industry.

Over the past twenty years, I’ve held security roles in a variety of companies, from Fortune 500 businesses to startups. The great thing about cybersecurity is that it changes so fast that you can do lots of different things whilst staying in the same industry. I tend to look for work that allows me to tackle the newest challenges. That’s what attracted me to CISO roles. It’s also what attracted me to Aqua Security - I like to work for companies that are tackling the newest challenges in interesting ways.

Was there anyone who has inspired or mentored you in your career? Lots of people! Being curious about the people around you and learning about what they do can be hugely inspiring, and very helpful for your career.

In terms of specific people, Mark McLaughlin, the prior CEO of Palo Alto Networks, was an amazing leader and role model. Watching how he balanced his time between the company and his family was something that really impacted how I manage my own time. He was also extremely accessible to his team, which I try to emulate in my own leadership style.

What do you feel is the most important aspect of your job? To me, the most important aspect of my job is building trust. To be successful, CISOs need to embrace innovation, but that requires trust from the rest of the C-suite. You need to be able to bring ideas and plans to the table without opposition.

Furthermore, the role has really expanded in recent years. CISOs are becoming more involved in educating customers, building trust and gaining confidence. In such a competitive market, trust is the big differentiator for customers. Honestly, I could even see the role evolving to become “Chief Trust Officer”.

What metrics or KPIs do you use to measure security effectiveness? I used to do something that is very common amongst CISOs, which is to focus only on technology-based metrics. The problem with this approach is that these numbers often don’t mean anything to the people on the board. Instead, you have to speak their language.

Now that I have experience on boards myself, I’ve learnt that they all communicate similarly, with a clear focus on revenue. As such, I concentrate on metrics that can be presented in terms of the cost to the business. For example, focusing on the average time to close vulnerabilities, rather than reporting on the overall number of them. Working in this way allows me to build trends, baselines and demonstrate risk appetites in a way that demonstrates the impact on the organisation.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The skills shortage is affecting almost every organisation, particularly in roles with very specific skill sets, such as those in application security, or working with machine learning. In order to find the talent you need, organisations need to identify who they want on their teams and ensure they can offer an attractive offering to entice them onboard. Most top talent is already employed, and companies need to create a reputation as somewhere candidates want to work in order to attract and retain skilled professionals.

As a fast-growth firm that’s doing exciting things in cloud security, Aqua Security has an advantage when it comes to attracting talent. We’re ticking a lot of boxes for people wanting to make an impact in the industry. In short, Aqua Security stops cloud-native attacks. No-one else can claim that.

Cybersecurity is constantly changing – how do you keep learning? The most important thing is to have a general thirst for knowledge. I’ve continued my academic studies throughout my whole career, which has really helped me keep my knowledge up to date. The role of the CISO also helps as you need to maintain a strong understanding of the latest industry developments, as well as every aspect of the business you work for. Successful CISOs have to make sure they learn all the weaknesses of any new company products - if you’re not constantly learning, you’re not doing your job properly.

I ensure my appetite for knowledge is at the forefront throughout my day-to-day, and I try to instil this mindset in my team too. Natural curiosity and motivation to learn more can only be an advantage and give professionals, and the companies they work for, a competitive edge. As they say, “knowledge is power.”

What conferences are on your must-attend list? RSA is a must-attend for me. Not just for the talks, which are always illuminating, but for the networking opportunities and connections you can build. With the distance that the pandemic has imposed over the past two years, it’s crucial we reconnect with people. Black Hat is another that I try to attend every year.

With my move to Aqua, I will also be attending more cloud and DevOps oriented conferences too, KubeCon and CloudNativeCon North America, for example. I’m looking forward to KubeCon Europe in Valencia this year too.

What is the best current trend in cybersecurity? The worst? One of the biggest trends at the moment is the focus on cloud security. As organisations have undergone digital transformations over the past few years, the cloud has become an integral part of the business. It’s no longer an option, it’s essential. Thankfully, this shift has been reflected in the security world, and businesses are starting to prioritise keeping the cloud secure. Cloud security has become the number one board-level initiative, with organisations spending billions on it.

Another trend of the past few years is the increased focus on trust. Technology can no longer become mainstream without trust. End-user confidence and trust is increasingly the determining factor in what takes off in the industry.

The worst trend that I see at present is a worrying mindset in some regions that they are “untouchable”. They feel isolated culturally or economically, so they think that they are less at risk digitally. It’s concerning because it doesn’t reflect reality. There are no borders on the internet - anyone can be a target.

What's the best career advice you ever received? Listen.

The best advice I’ve ever gotten was to listen and help others without the expectation of getting anything in return. It’s not always as natural for me as I’d like it to be, but I’ve worked to mindfully apply it to my relationships over the course of my career. Not having an expectation of reciprocity really changes so much in regards to your success, because people warm to you. Working to build those relationships and paying it forwards has so many benefits. It’s been more than ten years now since I had to fill out job applications - it’s the relationships I’ve built that get me through the door now.

What advice would you give to aspiring security leaders? My advice would be to work on understanding the people around you. Empathy has become a buzzword, but its importance can’t be overstated. Knowing what motivates and challenges your team allows you to work better, and build relationships that will remain important throughout your career. Simultaneously, you need to understand the needs of your customers. That will allow you to develop strong connections and gain their support.

What has been your greatest career achievement? My greatest achievement is the amount of trust I have managed to earn from those I work with. I have been able to create a positive culture in which I no longer need to defend the plans or decisions I make. That culture has unified my team and given us an environment in which we can thrive and deliver the very best for our customers.

Looking back with 20:20 hindsight, what would you have done differently? This one is easy - I would go back to an experience I had working at a data centre in Chicago. I was asked to do some work on the cabling. I walked in confidently, immediately bumped into the servers and accidentally took down the entire network. That caused a lot of trouble! It’d be great to undo that…

What is your favourite quote? To paraphrase an Einstein quote: “The definition of genius is taking the complex and making it simple.” Taking a topic that I am passionate about and making it simple and understandable for others can be the most difficult part of my job, but it’s so rewarding. It’s why my time in academia has been so useful as I’ve learnt how to communicate technical lexicon when there’s a knowledge gap.

What are you reading now? It’s actually top secret. I am currently reading an unpublished manuscript of a friend's book. What I can tell you is that I’m enjoying it so far!

In my spare time, I like to… I enjoy home building and construction. I’ve worked on all kinds of DIY projects in my own home. I still get to use tech, and it requires architectural and engineering skills, but it’s a much more relaxed environment. My favourite project from recent years is the 20 ft tall stone fireplace that is the centrepiece of our living room. It’s a statement piece that I get to enjoy every day. I love having a physical outlet when work becomes stressful, and building something that will last for years feels very rewarding.

Most people don't know that I… Enjoy snowmobiling! I have a house that is near hundreds of miles of public trails, and I find it so relaxing to get outside and appreciate nature.

Ask me to do anything but… Get on a rollercoaster or climb a tree… I don’t like heights at all!