Secret CSO: James Karimi, GTT Communications

Name: James Karimi

Organisation: GTT Communications

Job title: CIO and CISO

Date started current role: August 2021

Location: New York

James Karimi serves as the CIO/CISO at GTT Communications and is a seasoned engineering veteran in both telecommunications and enterprise networks and systems. In a career spanning 27 years at various companies, he has focused on multiple areas of technology and has been involved in architecting several carrier networks; managing vast enterprise networks, systems and applications; integrating network and systems; and managing consolidation due to M&A activities. He has also participated in and had oversight of many network-based projects, including network monitoring and management with an emphasis on software-driven network automation. Currently, Karimi is focused on the transformation and automation of the GTT systems platforms as well as continually evolving the GTT security program to limit risk and to stay current with the evolving threat landscape. Previously, he was the CTO and founder of IPNetZone Communications, the first company to build an MPLS exchange platform in 2006.

What was your first job? I started out my career with computers already back in 1987. That came to be as my father owned a computer repair company, so I was always helping him. I went along on jobs every weekend, installing memory upgrades and replacing bad power supplies. This gave me a lot of hands-on training, teaching me what most people were only learning in college.

How did you get involved in cybersecurity? It started over 30 years ago when I worked at Universal Music/Universal Studios and landed a role in the Network Engineering group. There, I managed LAN/WAN and firewalls which was exciting at that point in time.

I eventually gravitated towards focusing on firewalling as web grew in popularity and as every label under the company wanted a web presence. The act of being able to block or allow specific types of traffic was extremely interesting to me and it got me thinking a lot about what malicious traffic looked like.

What was your education? Do you hold any certifications? What are they? I attended one semester of college at Skidmore College up in Saratoga Springs, New York before leaving to support my family and help run my father’s business.

One of the early companies I worked for guided me to pursue Cisco and Linux certifications which have helped me throughout my career.

Explain your career path. Did you take any detours? If so, discuss. My father eventually sold his company to Microage which then merged with Key Systems. I decided to hang up my tool belt to give computers a try again and went through the assessment tests. I did well in the tests and was hired within a week. I did a lot of NT 3.51 to NT 4.0 upgrades over at Bankers Trust, now known as Deutsche Bank, before the company went through a series of mergers and acquisitions that landed my role at Universal.

I spent the next few years working in the industry running all facets of technology before I took on my first senior level management position as the Chief Technology Officer for Press One in 2006. I eventually founded IPNetZone Communications, which was the first company to build an MPLS exchange platform, and spent nearly five years there before selling it.

I decided to joined GTT Communications in 2014 as GTT made me an offer to stay on post-acquisition as SVP of Engineering. I took the position as my primary role revolved around the integration of network and corporate systems which was an area I was passionate about and I was up for the challenge. I formally became GTT’s CIO and CISO last year.

Was there anyone who has inspired or mentored you in your career? It is my manager back at Universal, Clint Woodward. He eventually became the director of local area and wide area networking and actually built the entire polygram of network covering 252 offices by himself. That had over 550 points of presence in almost 62 countries – we were basically larger than the internet at that time. It was inspiring working with him and he gave me loads of great advice during my time there.

What do you feel is the most important aspect of your job? It’s really about evaluating and mitigating risks to protect the organisation. When problems arise, you could go down the route of being draconian and locking everything down to the point where the business can’t function, but it’s about understanding the business impact and to see what risks you can afford to take or not.

What metrics or KPIs do you use to measure security effectiveness? I look at the KPIs in two buckets. The first contains the tangible KPIs, such as the data from firewall, Endpoint Detection & Response (EDR), Managed Detection & Response (MDR) and email statistics. These numbers can help us evaluate what is being blocked and then to retrospectively look at what didn’t get caught. The second bucket contains the more intangible KPIs, which would be employee-based statistics such as the take-up rate for awareness trainings, phishing campaign results, content filtering attempts and more. It’s important to look at both to successfully measure the company’s security effectiveness.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? That is fortunately not the case here as we are a global operation and can always identify the right talents across our organisation to plug the gaps. We are also supportive of helping our staff move across departments and have done so in particular for our cyber engineers. Another area which has helped us is our active hiring in tertiary markets such as Nottingham and Pune. While they are not traditional locations for security operations, these towns have big universities which helps us to hire budding talent and train them quickly.

Cybersecurity is constantly changing – how do you keep learning? Reading – and it’s not just reading books. It’s also reading news and keeping track of conversations on forums and board rooms. The online chatter is sometimes where you can pick up on news before it goes mainstream.

What conferences are on your must-attend list? The International Conference on Cyber Security (ICCS) is a big one for me because there’s a multitude of government agencies attending for you to learn from, including the FBI, Homeland Security, and even MI6 from the UK. Black Hat Briefings is another great one as it’s one of the biggest annual security events in Las Vegas. Both events present a lot of real-world fundamentals and issues and are also a great networking opportunity.

What is the best current trend in cybersecurity? The worst? The best trend is probably the use of AI, ML and automation around threat detection. Information is not shrinking, and there’s only so much you can do with the human eye. The use of tech like these ensures that organisations can scale and can cut through the noise to find out what matters. It makes life a lot easier, but above all, it makes organistions more secure and efficient.

The worst one shouldn’t come as a surprise – and that’s remote working. Organisations had to go from managing a handful of offices around the world to managing tens of thousands of offices since every home is now an office. We have no control over the land or firewall or the other computers that are on the same network in those houses, so it’s really about moving security and wide area networking functionality up the stack and into endpoint. I do think everyone has done a decent job at adjusting to this phenomenon, but we haven’t done enough because we continue to find different types of breaches – often things we have never even thought of could happen. I think that will continue being the case over the next couple of years as we continue to learn and adapt. 

What's the best career advice you ever received? It’s from Clint Woodward, and he says that not everyone can troubleshoot, so if you want to be effective, be the packet. Pretend that you’re that packet of information traversing the network from a source to destination, figure out what that path is, then log into every single device no matter how miniscule it may seem and check everything on every interface in that path and you’ll always find the problem. To this day it’s held true for me so I always passed that down to anyone who works withme.

What advice would you give to aspiring security leaders? Stay the course, be diligent about preventative measures but be mindful of business needs and find a balance that works.

What has been your greatest career achievement? It’ll have to be when I developed the first MPLS Exchange platform with my partners at IPNetZone Communications. We were working with companies like Level 3 Communications and Verizon at the time and were able to relabel to agnostically resell, helping us to grow up to $10 million in revenue in under four years.

Looking back with 20:20 hindsight, what would you have done differently? I would have held out a little longer on selling my company, IPNetZone. It may have been good to have had it for another year.