Digital Transformation Advice: Interview with Alex Antar, Author of The Art of Benefits Realization Management

Featured in 2021 Who’s Who in Cyber Security, a regular keynote speaker and author of “The Art of Benefits Realization Management,” Alex Antar was the perfect candidate for our Interview with a Specialist Series.

Alex is a passionate Cyber Security & IT Programme Leader with a wealth of global experience delivering complex digital transformational changes for fortune 500 multinationals.

Hope you enjoy his insights as much as we did!

Q. For you, what came first, Programme / Project Management or Security?

Security. I started my career as a software developer in the early 90s. Project Management was then a logical career progression after three years of coding.

Fun Fact: Before the commoditization of the internet, security for mainstream software development was mainly limited to access authorisation and rarely addressed encryption.

Q. As a security Programme Manager, how important is it to understand technical aspects of security?

Elementary, my dear Watson: Security is an ever-ending co-evolutionary predator vs. prey game where cybercriminals are the predators.

Sophistication is key to success for both sides.

A security expert can only make a difference by keeping abreast of the latest advances in cyber security warfare in terms of defence techniques & tools and the latest attack techniques and tools.

Q. What is your favourite security framework, and why?

MITRE ATT&CK, because it is an adversarial attack-oriented security defence framework based on up-to-date real-world attacks.

It makes sense, as a minimum, it makes sense to ensure your security defences can protect against known real-world attacks that are documented in the MITRE ATT&CK matrices.

However, it is only good for producing security heatmaps to the sub technique granularity level. Other frameworks must be leveraged for a comprehensive view, such as NIST CSF and ISO 27001.

Q. What is the most challenging part of your role?

Getting the Board, decision makers and budget owners who have not yet suffered a major attack to understand and stay away from the following fallacies:

1. We’re safe because we’ve never had a major attack so far.
2. We’re safe because we’re outsourcing security to a reputable SSP.
3. We’re safe because we do pen testing once or twice a year.
4. We’re safe because we are audited and certified ISO27001 or NIST etc.

Well, suffice it to say that for those fallacies above, cyber criminals don’t give a hoot by certified companies or reputable SSPs.

Q. Digital transformation has been the leading driving force for IT and Security hiring. What advice would you give business and tech leaders about embedding security by design into processes and culture? 

The sooner they adopt DevSecOps the better. The essence of DevSecOps is to embed security end-to-end cross all phases of the traditional SDLC (Software Dev Lifecycle). Some of its key practices are as follows: Controlled, standardized build & update process, Automated infrastructure and code security testing as part of CI/CD pipeline, threat modelling, shared threat intelligence, least privilege, automated testing and container isolation, enforced configurations in production by using configuration management scripts that continually run against all your environments to enforce configurations, static application security testing (SAST), Dynamic testing (DAST) also called black-box testing, interactive application testing (IAST), Runtime application self-protection (RASP). Of course, for a successful DevSecOps, you have to provide certifications and training to the relevant staff.

Don’t forget to implement the tightest security measures to your Disaster & Recovery (DR) platforms and include it in the frequent cyclical automated testing too. The DR is is often a blind spot.

Q. As a renowned Programme Manager, what do you look for when hiring Security Project Managers and BA’s for programmes?

• Demonstrated Project Management skills with AGILE (must) cert + PMI or Prince2,…
• Demonstrated verbal & written communication skills
• Minimum 3 demonstrated end-to-end projects in delivering security projects
• Security certs like CISSP, CISM, CISA, MITRE ATT&CK, OWASP,
• Good understanding of DevSecOps, cloud Security: Azure, AWS, ITGC’s, PCI, GDPR, ISO 27001, NIST, IAM, Access Authorisation, security operations and SOCs, SIEM, EDR, Incident response playbooks, etc.

Q. What book/s has prepared you for the challenges in your role?

I don’t have to convince anybody that today, the old school thick paper books are outdated for self-learning advanced technical topics. I have thrown away many of my paper-based books or given them to charity.

Today, I learn mostly through the following:

• Professional IT Certs. Worth paying for some online certs at your own pace, and they add value to your career.
• Mostly free advanced topics in digital eBooks and other free pdfs (no more than 10 pages) downloadable from selected expert sites. Good news: 99.99999% are free to download.
• Advanced IT focused blogs and forums by selected bright expert leaders who share the latest tips for free.
• Free Webinars: sometimes if the panel is rich and the topic worth the time
• Podcasts: very rarely.