On the lighter side of things, we ask Michael Kleck, CISO, Alchemer, what makes him tick.
What would you describe as your most memorable achievement?
The fact that I have effectively transitioned back and forth between being an individual contributor and being in leadership situations many times over the years is very satisfying for me. I have enjoyed a successful technical career that spans a wide variety of disciplines where I have been fortunate enough to contribute to a lot of successful companies.
What first made you think of a career in technology?
In high school, I really enjoyed electronics and the other industrial arts. I had a hard time focusing on college because I just wanted to be outdoors and be active all the time, so I dropped out and spent a few years teaching skiing, doing restaurant work and construction.
When I was 28, I finally felt like I needed a real career and asked myself ‘What am I best at?’ My answer was, ‘I was really good at the tech stuff.’ I enrolled in a tech school and nine months later had a job as a field technician for a software company working networks and servers.
What style of management philosophy do you employ with your current position?
I like to hire great people and let them do their jobs. Then it’s easy for me to utilize the Modern Management Theory with a Servant Leadership style. With Modern Management Theory, emphasizing the system and the individual is critical, but when you are focused on compliance and security you also need quantitative considerations in everything you do. You need the numbers to prove that your approach is working. Of course, incorporating Contingency Theory is also very important when working with risk.
What do you think is the current hot technology talking point?
For me, privacy laws and serverless code are the hot topics we need to keep in mind. Serverless code changes almost everything about infrastructure security and leaves lots of security technologies obsolete. We’re becoming more and more dependent on the protocols and communications between different pieces of code for security, rather than traditional firewalls. Additionally, privacy laws are changing and growing at a pace that far outruns the technology to keep up right now.
How do you deal with stress and unwind outside the office?
I love hiking and fishing, and working on my vintage car always helps me re-focus. I also enjoy cooking for family and drinking a good glass of wine.
If you could go back and change one career decision, what would it be?
It’s difficult to nail down to one decision, but I probably should have been more politically astute with my opinions in the past. There have been times when I’ve thrown politics to the wind and said exactly what I think to the wrong people.
What do you currently identify as the major areas of investment in your industry?
DevSecOps and privacy. DevSecOps is the next generation of DevOps. This is when the developers are running security testing and involving the security team while they’re designing the code. That way when a project gets to production, you know the security is baked in. It’s critical to continue pushing security to the left and integrating it into the earliest stages of software and product development. Our biggest security challenges right now lie in supply chain and infrastructure weaknesses.
Data privacy regulations are rapidly spreading across our individual states and other countries; soon every state in the US will have an individual privacy law and we’ll be seeing the equivalent of GDPR at the federal level. These need to be addressed with both technology and legal investments.
What are the region-specific challenges when implementing new technologies in North America?
Once again, I have to talk about privacy. With the rapidly changing regulations across North America and Europe, it is important to not be left behind in your technology or philosophy. Even though this question is specific to North America, the worldwide privacy laws being put in place and modified have a big effect since doing business in just North America is not realistic. Your local implementations must reflect a global attitude.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
In the past year we transitioned from a purely remote function back to an in-office and hybrid situation for my team. This is just as big of a challenge as our initial push to go 100% remote at the beginning of the pandemic.
The other big change has been focusing on serverless environments and freedom from protecting the hardware and OS level. This allows for more abstract thinking in the security architecture. I don’t see hybrid teams changing much in the next 12 months, but more abstracted operating environments will continue becoming more and more prevalent until nothing else makes any sense.
What advice would you offer somebody aspiring to obtain a C-level position in your industry?
For a CISO, ‘your industry’ means something different because you always have to include Information Security globally as part of your industry. For example, with Voice of the Customer specifically, I think that understanding your customers’ business and data needs is first. For Information Security, you absolutely must develop an understanding of all the different technical disciplines as a base (networking, applications, APIs, compliance frameworks, local and international laws and regulations, databases, software development, cloud, infrastructure, etc.).
A good CISO must be able to blend a deep understanding of business and financial concepts with legal, technical and human considerations, to create a solid risk model to guide the rest of the C-level staff in their decisions. Lastly, developing and demonstrating excellent communications and leadership skills is more important than any other C-level function.