GoTo is one of the world’s largest SaaS companies, with more than 3,500 global employees, over US$1.3 billion in annual revenue and tens of millions of users. Attila Török, Chief Information Security Officer at GoTo, talks about the major areas of investment within his industry and offers advice to those aiming for a C-level position.
Describe your current job role.
As a CISO at a large tech company, I am responsible for overseeing the information security strategy and governance of the organisation. I lead a team of security professionals who manage the security operations, risk management, compliance and product security functions. I also collaborate with other C-level executives and business units to align the security objectives with the business goals and ensure that the security posture of the organisation is adequate and effective.
What would you describe as your most memorable achievement?
I re-joined GoTo this year as what we call a boomerang. In my first tenure at GoTo (then LogMeIn) in 2014, I built a security champion programme I am very proud of, which involved hundreds of community members. Now, a programme like this at a tech company is common. Back then, however, we were learning as we went with a lot of trial and error. This included the following six stages to help keep the champions engaged:
- Establish a network
- Organise regular catch-ups
- Utilise the network
- Measure success
- Reward (praise, communication, swag)
- Help them to grow (promote, career development)
It was incredibly rewarding to oversee this programme as we found our groove. I am even prouder to say that it is still in place today.
What style of management philosophy do you employ with your current position?
I employ a participative and transformational style of management philosophy within my current position. I believe in empowering and engaging my team members to contribute their ideas, opinions and feedback to the decision-making process and the continuous improvement of our security practices. I also strive to inspire and motivate them to achieve their full potential and to align their personal and professional goals with the organisational vision and mission. I foster a culture of trust, collaboration and innovation within my team and across the organisation.
What do you currently identify as the major areas of investment in your industry?
The current major areas of investment as I see it include:
- Cloud security: As more organisations adopt cloud computing, there is a need to invest in cloud security solutions and services that can protect the data, applications and infrastructure in the cloud environment. Cloud security also involves addressing the challenges of shared responsibility, compliance, governance and visibility in the cloud.
- Zero trust security: As the traditional perimeter-based security model becomes obsolete, there is a need to invest in zero trust security, which is a paradigm that assumes no trust for any entity, whether internal or external, and requires continuous verification and authorisation for every request and transaction. Zero trust security also involves implementing the principles of least privilege, micro-segmentation and multi-factor authentication.
- Cyber-resilience: As cyberthreats become more sophisticated and persistent, there is a need to invest in cyber-resilience, which is the ability to anticipate, withstand, recover and adapt to cyberattacks. Cyber-resilience also involves enhancing the security awareness, education and training of the workforce, as well as developing and testing the incident response and Business Continuity plans.
If you could go back and change one career decision, what would it be?
I would tell myself to learn not just the technical pieces of security, but the over-arching structure of how a security programme is built up sooner. Doing individual activities is easy. Learning how to put those activities together is what’s going to drive success.
I would also get my CISO Certification with EC-Council sooner. It changed the way I look at everything and would have been an asset earlier in my career.
What advice would you offer somebody aspiring to obtain a C-level position in your industry?
- Develop your leadership and communication skills: as a C-level executive, you need to be able to lead, influence and communicate effectively with various stakeholders, such as the board of directors, senior management, customers, partners, regulators and media. You need to be able to articulate your vision, strategy and value proposition, as well as to negotiate, persuade and resolve conflicts.
- Expand your business and technical acumen: as a C-level executive, you need to have a broad and deep understanding of the business and technical aspects of your industry. You need to be able to align the security objectives with the business goals, as well as to leverage the latest technologies and trends to enhance the security capabilities and outcomes. You also need to be aware of the market dynamics, customer needs and competitive landscape of your industry.
- Build your network and reputation: as a C-level executive, you need to have a strong and diverse network of contacts and relationships that can support and advance your career. You need to establish and maintain your credibility and reputation as a trusted and respected leader and expert in your field. You also need to be proactive and visible in your industry, such as by participating in events, forums, publications and associations.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
- In recent years, the biggest change to security is that it often functioned in its own silo. There has been a heightened priority to ensure the security team is in lock step with the rest of the business, knowing which areas will need the greatest security support. Follow the money and increase security accordingly.
- As for what’s to come, the buzzword is true: AI. With this boom of AI come three emerging trends:
  - Enable businesses to utilise AI so that it can be done in a secure and protected way.
  - Leverage AI, Machine Learning and large language models (LLM) as a runway for security. How can we use AI to respond faster? Do better?
  - Know that with all the benefits businesses can gain from AI, so can the bad guys. There is an increased sophistication in phishing emails and targeted attacks, where hackers are using AI to personalise the attacks by analysing social media platforms. Security awareness and training is more important than ever, and automating processes will help make your security and responses even faster.