Governing Body Spotlight


Governing Body Member of the San Francisco CISO Community

Chirag Shah

Information Security Officer & DPO

Model N

Chirag Shah is a Global Information Security Leader with 24+ years of experience building leading-edge Information Security, Security Compliance, IT & Network Management initiatives from the ground up. Chirag is an inclusive leader with a passion for directing innovative Information Security management that drives the bottom line, saving companies time and money. He has experience optimizing security investments, mitigating losses from security incidents, improving customer retention, and supporting executive decision making that reduces corporate liability.

 

Give us a brief overview of the path that led to your current role.

My journey to security began as a Networks & Systems engineer, where I was fascinated by auditing and managing network security rules. I pursued an MBA in information security to learn the business side of security, such as governance, risk management, compliance, and innovation. I also acquired the skills to align security goals with organizational objectives and values.

I enrolled in the master’s program in cyber security leadership and security operations at the University of San Diego to gain strategic security management skills. With my education, professional network, and over 24 years of work experience, I have acquired expertise and credibility in various information security domains, which I have validated with several industry certifications, such as CISSP, CISM, and CISA.

I advanced to leading a security team, handling multiple projects and budget management, directing security operations and audits, and coaching security staff. I also cultivated leadership and communication skills, as well as a strategic outlook for security.

My security leadership journey began with managing security teams for small and medium-sized companies. I also offered strategic consulting as a Virtual CISO to startups who needed help to establish security programs and gain customer trust. Now, I am the Global Information Security Officer & DPO at Model N, where I ensure the security and integrity of our data and systems. I collaborate with other executives, such as the IT Leader, Cloud Leader, CEO, CPO, and CLO, to advise and support them on security issues. I also supervise the corporate security, application security, security policies, and procedures, and lead the security team and culture.
 

What is one of your guiding leadership principles?

My guiding leadership principle is to empower my team members. I strive to empower my team members to own their work and to foster their creativity and innovation. I trust them to be autonomous and to deliver better outcomes. I respect the talents within my team and recognize their contributions, which enables them to solve complex problems in novel ways. I provide them with continuous feedback and support, and celebrate their successes, which helps them grow as leaders. I think this principle helps me to build a strong and cohesive security team and culture. I think respect and empowerment are essential leadership principles that can help you to create a positive and productive work environment.
 

With disruption being a key theme of the past few years, where do you see your role as a CISO going in the next 1-2 years?

Cybersecurity is a dynamic and demanding field that requires the CISO to constantly evolve and adapt to the changing threats and business needs. Some of the key drivers that will shape the CISO role in the next 1-2 years are: 

  • The CISO role will be more aligned with the business strategy and vision, as CISOs will have to set clear and measurable security goals that support the organization’s mission and objectives. CISOs will also have to engage effectively with the board, the executive team, and other stakeholders, and show how their security efforts add value and impact to the business. 
  • The CISO role will demand more diverse and versatile skills, as CISOs will face a range of challenges and opportunities, such as artificial intelligence, cloud migration, digital transformation, remote work, IoT, third-party vendors, regulatory compliance, and emerging threats. CISOs will have to master the technical, managerial, and leadership aspects of cybersecurity, as well as have a wide knowledge of the business, industry, and market dynamics. 
  • The CISO role will be more collaborative and integrated, as CISOs will have to partner with other C-level executives, such as the CPO, CIO, the CDO, and the CFO, to ensure that security is embedded and aligned with other business functions and processes. CISOs will also have to cultivate a security-conscious and engaged culture across the organization and enable the employees to act as the first line of defense against cyberattacks. CISOs will also have to tap into external networks and alliances, such as industry peers, security vendors, and law enforcement agencies, to exchange best practices and intelligence. 
  • The CISO role will be more proactive and innovative, as CISOs will have to predict and prevent cyberattacks, rather than just react and respond to them. CISOs will have to adopt a risk-based and data-driven approach to security, and use advanced tools and techniques, such as artificial intelligence, machine learning, automation, and analytics to improve their security capabilities and performance.
     

What advice would you give to someone just starting out in the role as a CISO?

As a CISO, you will face rewarding and challenging situations that require you to have technical, managerial, and leadership skills. Here are some tips to help you succeed in this C-level role:

  • Create and communicate a clear security strategy that supports the organization’s vision, mission, and goals. Demonstrate to the board, the executive team, and other stakeholders how your security initiatives contribute to the business value and outcomes. 
  • Keep up with the latest security trends, threats, and best practices, and leverage advanced tools and techniques, such as artificial intelligence, machine learning, automation, and analytics to improve your security capabilities and performance. 
  • Develop a competent security team that can handle various challenges and opportunities, such as cloud migration, digital transformation, remote work, IoT, third-party vendors, regulatory compliance, and emerging threats. 
  • Cultivate a security mindset across the organization and enable the employees to act as the first line of defense against cyberattacks. Provide ongoing training, education, and feedback to increase the security awareness and engagement of the staff. 
  • Cooperate with other C-level executives, such as the CPO, CIO, the CDO, and the CFO to ensure that security is integrated and aligned with other business functions and processes. Utilize external partnerships and networks, such as industry peers, security vendors, and law enforcement agencies to share best practices and intelligence.
  • Adopt a proactive and risk-based approach to security and prevent cyberattacks, rather than just react and respond to them. Establish effective security policies, controls, and standards, and ensure compliance with relevant regulations and laws. 
  • Handle security incidents and crises with professionalism and resilience and conduct in-depth investigations and forensics to identify the root cause, impact, and lessons learned. Report and disclose the incidents honestly and responsibly and take corrective and preventive actions to avoid repeats of the same mistakes.
     

Tell us 3 fun facts about yourself.

  1. I enjoy solving puzzles and riddles, and I often participate in online or offline competitions, such as CTFs (Capture the Flag), hackathons, and escape rooms. I find these activities challenging and rewarding, and they help me sharpen my security skills and mindset.
  2. I am passionate about educating and mentoring the next generation of security professionals, and I volunteer as a guest lecturer, a mentor, or a coach for various security courses, programs, and events, such as Cybersecurity Bootcamp.
  3. I enjoy being in nature/outdoors, and I volunteer as a ranger at a California national park. I love to travel and discover different places, cultures, and food. I like to interact with different people and learn about their culture and their way of living. Some of the fascinating places I have visited are Tibet, East Africa, Cambodia, Laos, Mexico and Southeast Asia.
     

What is the value of joining an Evanta community?

It’s learning from the experts and peers in the field of security, and staying updated on the latest trends, threats, and best practices. I have been a member of the Evanta community since its inception, and I believe it has helped me learn about various security topics and technologies and build a strong network of professionals who help in providing insights into how they tackle security issues and security best practices. Here are two additional benefits I have observed during my experience:

  1. Networking with other security professionals and enthusiasts and building relationships can help me advance my career, find opportunities, or solve problems. 
  2. Contributing to the security community and the society at large, by sharing my skills, ideas, and feedback, and helping others who need my support or guidance.

 



Evanta Governing Body members share their insights and leadership perspectives to shape the agendas and topics that address the top priorities impacting business leaders today.
 

