The Network: Balancing Risk and Innovation

Author: John De Santis, ISACA Board Chair
Date Published: 3 July 2023

As the incoming chair of the ISACA® Board of Directors, how do you see ISACA growing and adapting to the constantly changing workplace and needs of its constituents over the next year?

The careers we have chosen have placed us in the center of a relentless and dizzying whirlwind of innovation and creativity. Every day we learn of some new technological breakthrough—new gadgets, new applications, new infrastructure models and new tools. Physical borders are artificial constructs that mean nothing in a cloud-based world. Cars are Internet-connected and have dozens of microprocessors managing their performance. Software programs are diagnosing our health, customer service is delivered by intelligent bots, your calendar is optimized by algorithms, news services have become real-time data analysts and deliver content services meant to entertain rather than inform. If unburdened by principles, these new things can do harm either by intent or by omission.

I see the work of ISACA as the rock, the true north, in this whirlwind. We have to work diligently and curiously to first understand these new ideas, thoughtfully predict and prepare for their implications, and then apply timeless principles and frameworks to help our enterprises, our innovators, and our government agencies ensure outcomes that are good and trustworthy.

What in your past experience has best prepared you for this position on the ISACA Board?

I have held senior positions in companies and on boards since the early 2000s at for-profit and not-for-profit organizations, both small and large, in a wide variety of domains including technology, education, sports and religious organizations. Board roles have been a great source of personal satisfaction for me, providing opportunities for strategic thinking, collaboration with very smart people, big problem solving, and learning how to ask important probing questions with grace, tact, and respect. I pride myself on being able to influence direction and action by not being directive or prescriptive, but by asking thoughtfully crafted questions and letting the listener learn from the question and find the right path forward themselves. Some call it the Socratic method—my wife calls it nonintrusive brain surgery. I have had some great board mentors along the way, and I have seen some very bad board members too, and both have been helpful in shaping and preparing me for this role.

What do you see as the biggest risk factors being addressed by ISACA constituents? How can organizations protect themselves?

New technologies, tools and applications are exciting and fun to build, implement and use. Sometimes, their usage can lead to unintended consequences (e.g., compromised privacy, data leakage, compliance violations, back doors left open), and for me, not being able to discern between good and bad is the biggest risk. For many, it is easier to just say no to these innovations, but opportunities may be missed. I believe ISACA has a role to play to quickly identify both the benefits and risk of using these new things, and then quickly suggest or recommend ways to respond to the risk while allowing the benefits of innovation to be harvested. And then do it again and again, because technology does not stand still.

How do you see the role of executives changing to meet the challenges of information and cybersecurity?

It starts with good systems hygiene maintained by continuous monitoring and remediation, and when (not if) something bad happens, being prepared to respond quickly and effectively. Much like building a home, one needs to budget not only for good foundations, insulation, doors, windows, and locks, but also for their upkeep—to set aside reserves for unknown new challenges and opportunities, and to plan what to do when something threatens the house (i.e., weather, infrastructure services interruptions, and so on).

Systems are the same way. Ample thought should be given to analysis of not only how the system is built, but also how it is maintained, how threats may find their way in, how teams can respond to those threats, and how, eventually, the system may be decommissioned and data transferred to inform the next technological wave. Executives should have the wisdom and foresight to challenge their teams’ thinking throughout this life cycle, develop plans and fight for budgets supporting those plans.

What do you think are the most effective ways to address the skills and gender gaps in the technology space?

I believe, in the short term, that addressing the skills and gender gaps starts with anticipating where and what the jobs will be in the near future, offering easy on-ramps to professional educational opportunities to address those needs, generating enthusiasm and excitement to participate, and helping younger and returning workers identify if they have an aptitude and inclination to enjoy that type of work. We should encourage and motivate employers to invest in their people’s skill development to adapt to rapidly changing technologies.

Regarding gender—and even race—gaps, I find it incredibly frustrating that in 2023, we still have cultural speed bumps, roadblocks and income disparities. We should celebrate and hold up as exemplars leaders who have overcome those challenges. More important, we should be good colleagues and mentors who “pull up” those who show interest, enthusiasm and ambition, and help them find their unique paths to success.

How do you view certifications and the impact they have on careers?

The certification world is a new one for me. ISACA has opened my eyes to the consummate professionalism of this community and the generosity of sharing time, talent and expertise to improve our world.

I must admit, in the past I was skeptical about folks who had too many acronyms after their names on their business cards, but I have come to realize how amazingly efficient and effective ISACA professionals are. When first approached to join the ISACA board, I became hungry to learn more. If the kind of training ISACA offers was provided to the software development teams I managed, how much time we would have saved building stronger products. And how helpful it would have been if my software developers had some inkling of the rigors needed to pass audits! I am a believer now.

What has been your biggest workplace or career challenge and how did you face it?

In my first CEO role, I was just closing a critical round of funding in early September of 2001 when we only had two weeks of cash left in the bank—just in time, right? In the short span of a few days, our competitors tried to stop the funding by suing us for patent infringement, my oldest son was diagnosed with cancer, the 9/11 tragedy happened in the United States, and my best friend was on the second plane to fly into the World Trade Center towers. The venture fund leading the round panicked and pulled out leaving us broke and almost broken. Frankly, I do not know how I got through it all.

Buckling down and ferociously compartmentalizing, I took money out of our home equity line of credit to make payroll—twice—and then told my wife. Fortunately, our marriage survived that lack of judgment on my part and the courage to fund the company myself attracted even better investors. Although my son eventually passed away, the ordeal did bring our family closer together. That loving bond—born of shared adversity and mutual comfort—holds us tight to this day. Our company fought back and our competitors eventually agreed to a settlement, which immediately triggered a very advantageous sale with an outstanding outcome for our employees and shareholders. I still grieve the loss of my friend, but his family and ours remain very connected, and we visit each other often, creating happy new memories.

1. What is the biggest information security challenge being faced in 2023 and how should it be addressed?

We are being inundated by real and imagined threats and countless solutions claiming to be silver bullets. Each of us must use our intellect, experience and wisdom—leveraging the amazing combined knowledge of the ISACA community—to determine what specific challenges to our organizations are probable, real and imminent, and what we should do about them.

2. What are your three goals for 2023?

  • Help ISACA’s new CEO get oriented to understand the organization and assess how to move forward
  • Help new board members gain a deep understanding of the opportunities, risk areas, strengths and weaknesses of the organization, and apply their experience and skills to help ISACA succeed
  • Ensure and maintain ISACA’s well-established board governance hygiene and sound decision-making

3. What is on your desk right now?

A long list of to-do items. Also, a book: The VC Field Guide: Fundamentals of Venture Capital by William Lin, who provides an excellent framework for how to think about investing in innovative ideas and teams, and getting the timing right.

4. What is your number-one piece of advice for cybersecurity professionals?

Focus on discovering first principles—understand the fundamental assumptions underlying decisions or conclusions, and then build from there.

5. What do you do when you are not at work?

All my life, my hedge against technology has been agriculture. My brother and I share a home and olive orchards in Italy, and we make a little olive oil for our friends and extended family. Also, my wife and I are restoring an old family farm in the US State of Vermont close to the Canadian border. We make maple syrup, harvest timber, clear fields and put up fencing to prepare for raising beef cattle. And we are bringing a cozy little mid-1800s farmhouse and barn back to life. It is a wild and beautiful place that keeps me grounded, healthy, outside—and I get to drive a tractor!

JOHN DE SANTIS

John De Santis is a company builder with experience in the software, networking and information security domains. He has more than 40 years of international and US-based experience at venture-backed technology start-ups and large global public companies in the telecom and IT fields. He serves on the boards of directors in fiduciary or advisory capacities for organizations active in cybersecurity, artificial intelligence, professional development and learning innovation, including Paladin Cloud, Cequence Security and ValiMail, leading innovators in the cybersecurity space, and NoHold and Tweelin, early-stage innovators in the application of artificial intelligence. De Santis is a dual citizen of Italy and the United States and maintains homes in both countries. He has lived and worked in Europe and the United Kingdom for more than 20 years.