Alex "Jay" Bălan is the Chief Information Security Officer (CISO) for Happening.xyz and the Superbet Group. His career is focused on Information Security, Innovation and Product Strategy, fields in which he has accumulated over 20 years of experience and during which he was a speaker multiple times at the major international security conferences (DEFCON, RSAC, DefCamp, ISC China, DerbyCon).
His forward-thinking way of designing and implementing strategies for research, security and privacy has resulted in policy and mindset changes (for the better, and more in tune with today's reality) across many groups and companies worldwide.
In this chapter of #SuperChats, Jay explains the fundamentals of his work, the importance of attending events dedicated to cybersecurity and how he unlocks the potential of the people in his team.
Being the CISO of a tech & entertainment company, which is present in more than 10 countries, means great responsibility and versatility in dealing with challenges across multiple regions. Can you share some insights about the strategic vision and structure you have put in place to make this work proficiently?
If you want to keep your sanity while managing tens of thousands of assets, the keywords are automation and process. This is a topic that could fill a book (if not more), but if I were to narrow things down, I'd say:
1. Use a strong identity provider and enforce any authentication through it. Staging, production, some new test apps, corporate resources – every asset where people have access is authenticated through one identity provider. Besides eliminating the risk of weak passwords being shared among employees, you have one central point where you can monitor and manage access control.
2. Be cloud first and eliminate everything on premises. Move the responsibility for managing your assets to trusted service providers who will be significantly more diligent in this since they must do it for all their users, not just you. JIRA? Atlassian Cloud! AD? Azure! Printers? Cloud! Code? GitHub! You get the picture. It may seem to be more expensive at first, but you will save a lot more in maintenance, risk and even people satisfaction, since cloud versions will have more modern interfaces and features.
3. A red team and a bug bounty program to continuously monitor your entire attack surface. It's just one of the ways to effectively detect shadow IT, detect blind spots and identify and fix vulnerabilities before attackers have a chance to exploit them.
4. Use proper communication as a key element to ensure everyone is aware of any changes in policies.
5. Sensors and centralized visibility on all activity of all assets in the organization.
Almost two years ago, you made the shift from a cybersecurity technology company to a business in tech & entertainment. What are the most interesting and thought-provoking situations that came with the CISO role in a new industry?
To be perfectly honest, securing an organization follows pretty much the same principles whether you're a hotel chain or a high-tech company, principles which I tried to outline in the previous answer. Differences lie in the technologies being used, the architecture of the infrastructure, compliance with regulators and priorities.
On 23-24 November, Superbet and Happening will host a hacking event at DefCamp, a conference you attend every year, sharing cybersecurity insights and best practices. What do you value most about this type of community gathering and what should we expect this year?
I have taken part, both as a speaker and as an attendee, in close to a hundred security events over the years, and I cannot stress enough the importance of participating. And just to be clear, you should go even if you don't work in security.
You have an almost unique opportunity to learn about how hackers think, how easy it is to defeat the most hardcore security systems and how to develop a certain way of thinking that can benefit your daily life. All from the actual experts in the field.
On a personal level, I developed a close friendship with many researchers in the security community. DefCamp is the biggest and most important security conference in Eastern Europe, and I'd like to take this opportunity to thank and congratulate everyone working hard to make it such an incredible place to hang out with friends and learn.
You are leading a highly performing team of cybersecurity professionals, which means skilled and driven individuals, with strong personalities and a natural curiosity. On a human level, how do you nurture a good environment for the entire group and what are the personal values that define your leadership style?
I'm a strong believer in the famous "hire A+ people" principle, and I expect everyone working with me to have experience and know-how far superior to mine in their respective fields. I don't believe in hierarchy or a chain of command, and I fundamentally believe in a flat organization where absolutely everyone has responsibilities and competencies. Virtually everyone in the cybersecurity team is a natural-born leader with initiative and vision. This type of empowerment enables them and me to constantly grow and be better.