Secret CSO: Juan Morales, Anywhere Real Estate

What do you feel is the most important aspect of your job? “Besides the fundamental responsibility of risk management that comes with the role... to ensure I can provide the tools and resources necessary for my teams to function at their highest potentials…”


Name: Juan Morales

Organisation: Anywhere Real Estate

Job title: VP and Chief Information Security Officer

Date started current role: October 2020

Location: New York

Juan Morales is a Cyber Security and Information Technology professional with 20+ years of industry experience and proven success leading a broad range of initiatives while participating in the planning, design and implementation of technology and information security solutions. As VP, CISO, Morales leads Anywhere Real Estate’s Global Information Security program including SOC, Incident Response, Forensics and eDiscovery, Vulnerability Management, Data Privacy & Regulatory Compliance, Data Governance, Product Security, Information Risk Management, and User Awareness and Training. Morales is also an adjunct professor at Sacred Heart University, teaching graduate level Cyber Security management courses.

What was your first job? I believe I was about 11 years old. It was at a small grocery store in town. I nagged the owner for about 2 months to give me any kind of work. He finally gave in, and I did everything from taking out the trash, working the deli slicer, to stocking shelves.

How did you get involved in cybersecurity? My technical career began in information technology as a consultant doing technical support type work. I landed a job with Bank of Montreal where I spent 13 years in various technical roles of increasing scope and responsibility. In the later part of my time at the bank, I took an interest in learning more about security controls and frameworks. I joined a local information security chapter to take in as much as I could about the field, and I ultimately transitioned to an internal opportunity as a business information security officer. I never looked back.

What was your education? Do you hold any certifications? What are they? I initially attended The Chubb Institute where I received a certificate in IT Technical Support. Many years later, I completed my Bachelor of Science in information technology 100 percent online at University of Phoenix. This was at a time when online learning was unheard of and not taken very seriously. (Who would ever think the world would eventually go remote for learning?)

Finally, I received a Master of Science in Cyber Security from Fordham University. I also hold CISSP, CCSP, ISSMP and CEH certifications.

Explain your career path. Did you take any detours? If so, discuss. After high school, I never thought about a career in technology; I didn’t get my first computer until senior year of high school, so you could say I was self-taught. What I was really interested in at the time was culinary arts; however, a family member attended technical school and was doing some great things with technology that got me more interested in the field. Looking back, I realised I was faced with two paths and chose the technology route. I’ve been on this path since.

Was there anyone who has inspired or mentored you in your career? One of my early managers, Wing Chan. Many of my management qualities I learned from reflecting on his leadership style. Most importantly, he taught me to be transparent, open minded and humble.

What do you feel is the most important aspect of your job? Besides the fundamental responsibility of risk management that comes with the role, the most important aspect to me is to ensure I can provide the tools and resources necessary for my teams to function at their highest potentials—to foster their professional development and identify opportunities and challenges that will keep them engaged. Ultimately, their satisfaction and their contributions will result in wins for the organisation.

What metrics or KPIs do you use to measure security effectiveness? We are in the process of reimagining how we measure the effectiveness of our program. While we have performed 3rd party assessments measuring our maturity to control frameworks, to me, this doesn’t tell the full story. Metrics and KPIs we are developing will help us to measure ROI against our security spend, appropriate resource allocations, identify opportunities for improvement and provide assurance where the program is working properly.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We have been fortunate to not have been impacted by the skills shortage. Our staffing levels remain unchanged, and we continue to operate successfully with the current group.

Cybersecurity is constantly changing – how do you keep learning? It’s certainly challenging. On top of the million things that vie for my limited time, I work hard to find a way to stay current. I commit to reading at least one article per day on the latest security developments. I also listen to security podcasts as much as I can… while cutting the grass or running on the treadmill. I try to squeeze in as much as I can.

What conferences are on your must-attend list? Blackhat/Defcon. Blackhat for the business aspect and the opportunity to visit with current and new potential vendors. It’s a great time to look at the latest and greatest since they all converge in one place. Defcon is a must-attend for the deep technical talks and the atmosphere. Everyone in security should experience Defcon at least once.

What is the best current trend in cybersecurity? The worst? Best? The continuous rise in automation and orchestration. The speed at which attacks unfold nowadays calls for machine speed response to meet the challenge. Automation is a great enhancement to our current toolsets and processes. It should never be thought of as a replacement for the human analyst, but certainly as a force multiplier.

The worst trend is the ongoing scourge of ransomware and its impact on all kinds of organisations. Attackers continue to get creative. The days of a simple locker ransomware are long gone. We must be prepared to respond to extortion, and now double-extortion type of incidents.

What's the best career advice you ever received? Embrace failure as a lesson learned. It is okay to fail, but it is not okay to not learn from the experience. Also, truly embrace getting out of your comfort zone to grow.

What advice would you give to aspiring security leaders? Don’t let perfection get in the way of progress. Embrace opportunities to try out new ideas and methods but have a plan to fail fast and pivot. Be bold! You’ll never know what you are capable of unless you try.

Spend time forging relationships. Building your network is just as important as honing your technical skills. You’ll never know when you will need to call on your network to help validate an idea or help make the next connection.

What has been your greatest career achievement? Gaining enough experience to be able to give back to the community. I felt I finally achieved this when I was an adjunct professor teaching graduate courses on cyber security program management. To be able to share over 20 years’ worth of experience allowed me to reflect on how far I’ve come, what I have been able to achieve and what more remains ahead of me.

Looking back with 20:20 hindsight, what would you have done differently? I don’t know that I would change anything. I’m fortunate for the success I’ve had, the connections I’ve made and the experiences along the way that have helped me arrive where I am today. The only thing I would have done differently is set more time aside to tinker—heads down on the keyboard, trying/testing new tools, techniques, methods.

What is your favourite quote? “It is better to be alone than to be in bad company” – George Washington.

What are you reading now? Think Again by Adam Grant.

In my spare time, I like to… Exercise, hike, play guitar, spend time with my wife and kids.

Most people don't know that I… Played in a band, play ice hockey; that I’m a triathlete and volunteer fire fighter.

Ask me to do anything but… Sleep in… I’m an early riser.