Cybersecurity Leaders – Dr. Mansur Hasib
Dr. Mansur Hasib, CISSP, PMP, CPHIMS
- Global Award Winning Cybersecurity and Healthcare Leader, Author, and Media Commentator
2017 Cybersecurity People’s Choice Award and 2017 Information Governance Expert of the Year Award winner, Dr. Mansur Hasib is the only cybersecurity and healthcare leader, author, speaker, and media commentator in the world with 12 years’ experience as Chief Information Officer, a Doctor of Science in Cybersecurity (IA), and the prestigious CISSP, PMP, and CPHIMS certifications.
In September 2017, at a ceremony in Austin, Texas, (ISC)2 named Dr. Hasib a “Rock Star” of cybersecurity and presented him an electric guitar along with the (ISC)2 Americas Information Security Leadership Award trophy for leading the implementation of the Master of Science in Cybersecurity Technology degree program at a major university. His independently published book Cybersecurity Leadership has been widely acclaimed by practitioners and scholars alike and is listed among the best IT and cybersecurity books of all time. Dr. Hasib has 30 years of experience in leading organizational transformations through digital leadership and cybersecurity strategy in healthcare, biotechnology, education, and energy. Within the Life Sciences field, Dr. Hasib served as Chief Information Officer at the University of Maryland Biotechnology Institute and the Baltimore City Health Department for 12 years.
In 2013, Dr. Hasib conducted a national study of US healthcare cybersecurity and published the book Impact of Security Culture on Security Compliance in Healthcare in the USA. This book extensively covers the HIPAA privacy law and subsequent updates as well as issues of cybersecurity culture and compliance.
Additionally, with a Bachelor’s degree in Economics and Politics and a Master’s degree in Political Science, Dr. Hasib has a unique interdisciplinary perspective in digital strategy, business innovation, and cybersecurity. Dr. Hasib enjoys table tennis, comedy, and travel and has been to all 50 states of the USA.
Follow him on Twitter @mhasib or LinkedIn: www.linkedin.com/in/mansurhasib.
To access more content or to contact Dr. Hasib, visit: www.cybersecurityleadership.com
How did you get into the field of cybersecurity? What training and education did you have and where did you get it?
When I got into the field, I had no idea I was getting into the field, since the field did not exist and the word “cybersecurity” had not yet been coined. I had completed a Bachelor’s degree in Economics and Politics from Brandeis University and then joined a doctoral program in Political Science at Emory University.
We had to analyze large data sets using mainframe computers and statistical software such as SAS, SPSS, and BMDP. I became very adept in this analysis and started to help others. Finally, over a weekend bridge game, one of the senior students asked me if I knew any graduate student who would want to work in the data center part time. The following Monday, I started working at the data center. I still joke that if I did not play bridge, I would probably never have entered the field.
While I was working at the data center, IBM and Novell donated hardware and software to us to build small lab networks to teach word processing and statistical analysis on these cheaper and more accessible platforms. I started to recognize the power and business potential of computer networks. So when my doctoral dissertation advisor was denied tenure and had to leave Emory, I also recognized this might be life telling me I need to do something different. I abandoned the doctoral program in Political Science and took a job at a medical school in Fort Worth, Texas, where I built my first enterprise network and transformed the organization.
This is also where I recognized early that implementing technology was not enough to unleash its power. We had to train the people to use it effectively. So I personally trained 400 of the 500 people in the organization and dramatically increased the productivity and innovation in the organization. That is what also led me to recognize that digital strategy must be viewed as a revenue driver and innovation engine. We were not simply automating functions. Our strategy had organizational transformation power.
Life is full of pivot points and opportunities. We should never continue to pursue a closed door. We should always look around and seek other open doors. I have always embraced such cues from life and in the last chapter of my book Cybersecurity Leadership, I urge people to recognize and positively embrace pivot points that life sends our way.
What is the difference between security and cybersecurity? Can we use these words interchangeably?
Security is a state. Cybersecurity is a process and a culture of perpetual innovation. They should not be used interchangeably. People need to stop and think about what these words really mean. The sole focus of security is access control. Cybersecurity has a much wider set of goals. Cybersecurity professionals focus on the organizational mission, risks, and culture to govern behavior in such a manner that productivity, innovation, and profits are increased while risks are reduced. A lot of information and intellectual assets reside within the people of an organization. So cybersecurity professionals have to retain and invest in people as assets. Since innovation is done by people, cybersecurity professionals also embrace people as the most important aspect of a digital strategy. Security professionals, on the other hand, may focus on controls to limit the access and use of technology and systems. This control mentality is anathema to business executives.
Cybersecurity is also an academic discipline with an academic definition which embraces several decades of learning in the field. In my book Cybersecurity Leadership and at various conferences, I have provided this definition as the following: Cybersecurity is the mission-focused and risk-optimized governance of information, which maximizes confidentiality, integrity, and availability using a balanced mix of people, policy, and technology, while perennially improving over time. Every word in this definition has been carefully chosen and the definition builds on the collective body of knowledge in the field produced by previous scholars. No one can create a definition out of thin air. They must acknowledge prior scholarly work and build upon or adapt these works with solid scholarly arguments and evidence.
You have served as a CIO for 12 years. What is a CIO really supposed to do? And what is the relationship between a CIO and a CISO? Who should these positions report to?
I have covered this extensively in my book. In summary, both CIOs and CISOs have seven key functions: team building is a key central function. In addition, they must build relationships, do strategic planning, promote the value of the organization internally and externally, ensure systems are reliable and high quality, deliver on projects and services, and formulate and execute cybersecurity and digital strategy. Of these, the first three tend to be more strategic in nature, and I think the CIO needs to personally focus on these. The last three tend to have a more operational engagement with all layers of an organization. This is what the CISO should focus on. The CIO and CISO must have a supporting relationship and should be able to cover for each other. The CIO and CISO should report directly to the CEO, be permanent members of the cabinet, and be able to interface with the board, so they are empowered to formulate and execute the digital strategy of the organization so that it can support the mission properly.
Modern organizations have no need for a CFO, and this position should be eliminated to generate cost savings and to reduce the typical wastage of money on obsolete technology that I have seen CFOs typically spend on throughout my 30-year career. While we need accountants, we do not need them to run organizations. The era of finance is over. This is the digital era. Everything is digital and cybersecurity is everything.
In your work, writings, and conference presentations, you stress the role of people and leadership. Why do you think people and leadership are important?
People are the source of innovation. The human brain is simply amazing. The profits of a company come from the difference between what someone produces versus what they are paid. So the layoff culture in some organizations today has been very harmful for the retention of human capital, intellectual assets, and overall innovation in organizations.
Without ethical leadership, people do not perform and innovate. If they are perpetually afraid of losing their jobs for no cause, they will perpetually be seeking opportunities outside the organization. Their focus will be on their own careers and safety and not the enhancement of the organization’s mission. If the leadership is unethical, can they really expect workers to be ethical? Without ethics and integrity, the safety of the organization’s assets is in perpetual jeopardy. If you look around, you can see the stark and dire effects of this malaise.
You have won several awards. What did you do to win these awards?
I think the primary reason for my success in winning these awards has been my global people network. I value and nurture my relationships with people. I have also contributed to the body of knowledge extensively through writing books, articles, and conference presentations. I have also helped anyone I could. Sometimes I got paid for my work. Sometimes I did not get paid. I stayed true to my personal mission of helping people succeed while ensuring that I was able to earn an honest living. To give you a simple example, I released the first chapter of my book along with a 25-minute lecture on YouTube. Many organizations use this video for free to help people understand cybersecurity as a discipline. However, I did not release the entire book in this manner.
In return, my people network helped me with voting and urging passionately for their sphere of influence to vote for me. The whole experience made me realize the power of a personal brand compared to a corporate brand. Corporate brands are on a decline because of their treatment of people. A single layoff can ruin allegiance and the public goodwill of a corporate brand. There is no emotion attached to a corporation running in a contest. So when I ran against many powerful and well-financed companies in several contests, I was able to win even though I did not spend any money in my campaigns. Marketing and brand promotion have changed. People networks are powerful.
You appear to have strong opinions about a CIO or a CISO never reporting to a CFO. Why?
I have shared my experiences with reporting to a CFO in my book. CFOs are not strategic in nature. Their sole focus is reducing expenses. They even view people as expenses. They are primarily accountants, and the outdated accounting system prevalent in most organizations views people as the largest expense for an organization. The accounting system does not account for the value of goods and services that these workers produce, which far exceeds what they are paid. The profits of any company are derived from this very gap – between what a worker is paid versus what they produce. However, CFOs never appreciate this. So when they lay off a bunch of people, they do not realize they may be dumping some of the most valuable intellectual assets of the company. From their accounting viewpoint, they have just reduced a lot of expenses! If an organization is having financial trouble, the first person to be laid off should be the CFO – for not doing their job! Instead, they lay off others and actually set up the organization for permanent long-term damage and atrophy.
CFOs also view technology as a cost center – never realizing that the largest cost center of any organization is typically the CFO organization itself. CFOs tend to be the highest paid executives in any company. Yet most CIOs are capable of managing large budgets and doing the job that a typical CFO does. However, I have never met a CFO who could do my job as a CIO.
Do you have any closing statements you would like to share?
Yes. My key messages are twofold:
1) Modern organizations are all digital organizations and every worker is a digital worker. Therefore organizations need to be led by digital strategists starting at the CEO level. In every organization I worked in, I could have served as the CEO. I know that my students will be better future CEOs of the world.
2) Finally, recognize that having a CFO run your IT and cybersecurity organizations is like having a bus driver flying an airplane without a flying license. Accidents are only a matter of time! Executives charged with leading anything must be qualified to do the job. The problem we have in our hands is not a technology problem. Rather it is a governance and leadership problem. We also cannot expect to hire purple squirrels at mouse pay. Quality people need to be paid ethical compensation and their compensation should be proportional to the value they produce. That is ethical leadership and the fundamental promise of capitalism. Compensation should not be determined by executive rank, power, and authority with no relationship to the value produced.