One year into his role as CSO, Yassir Abousselham sits down in Las Vegas with Eleanor Dallaway to talk about life as a chief security officer at enterprise identity provider Okta.
Tell me about your career path before you joined Okta
Prior to my appointment at Okta, I worked as CISO for the fintech company SoFi. Before that, I spent five years at Google working on corporate DLS security and in the security for payments vertical. Previously I worked in security at EY.
For a technology professional, working at Google is the Holy Grail. How did you manage to tear yourself away to pursue a new role?
Working at Google gave me great access and visibility into doing technology and security at scale. Google attracts a lot of sharp engineers, so I was exposed to a lot of good interaction and visibility. It was a fantastic experience. At some point however, for anyone in security, you want to take the next step and manage security from A to Z at one company. That wasn’t something I could do at Google and I felt ready to make that move.
So, how is your role as CSO for a technology vendor different to being a CSO at an end-user?
The scale of the challenge makes it more interesting. It takes a special mindset to do security for a security company.
In addition to successful authentication attempts, we also see attack attempts against our customers and our platforms. We don’t stop at analyzing traffic – we have to be able to harden the platform in a way that protects both Okta and Okta customers. Businesses are trusting us with their applications and their data and that is a great responsibility. We have to be ahead of the attacker to block those attacks.
You mentioned a ‘special mindset’ that is required – what does that entail?
You need the evil bit – to be able to think like an attacker. This should be the whole security team and indeed the whole company. We have to instill the culture that we (and our customers) are targets. You have to stay on the cutting edge of those attacks and harden the platform.
You have to also understand the business and your customers’ expectations. You need to understand the investment that customers are making in you as a vendor and become the customer advocate. We have to protect Okta, but also our customers.
Your CEO, Todd McKinnon, talked about security whilst never sacrificing usability or customer experience. How do you manage to balance the two?
Historically people thought that increasing security meant changing or hindering the customer experience.
We are gradually changing that by providing a much better user experience. We are talking about lessening password authentication, using multiple technical components to consume the contextual signals to maintain a higher level of assurance that you are who you say you are. Moving forward, we can rely more on context and behavior. We want to establish normal and react to abnormal.
As an industry, are we doing better at improving the security bar?
There is a concerted effort to raise the bar. There’s absolutely no question about the importance of information security. But how it is done depends on the company, the industry, the compliance requirements. The will to raise the bar and make the change is always there, but the speed it takes to make changes is different – we’re getting faster, but sometimes it’s not fast enough.
Attackers can move faster – they don’t have to comply and are agile and persistent. As an industry, we need to continue trying to make these changes faster and streamline the processes standing in the way of raising the bar – compliance, governance and finding talent.
How hard is it to find great talent to hire in your security team?
We have to stay steps ahead of the attacker and that cutting-edge talent is very hard to find. Once you hire, you then have to be able to retain. To retain these highly-qualified engineers you have to give them highly complex cutting-edge problems. That’s the number one motivation for these types of individuals. They have to buy into your vision as a company and see a culture aligned with their beliefs and vision.
What do you consider your one main ambition within your role at Okta?
For now, automation is at the top of my agenda: trying to automate as much as possible. I want to help customers get better at doing security. That’s what I want to keep doing: understanding how they use Okta products and how to make them more secure. I also want to continue to improve usability without impacting security.