Dr. Michael Sardaryzadeh has a perspective that places him in an elite tier of cybersecurity leaders. Currently the chief information security officer (CISO) at Texas A&M University, Sardaryzadeh has garnered experience in higher education research, manufacturing, healthcare, finance, and government. But his expertise is also informed by his varied experiences that have provided a wider view of cybersecurity and its effect on those industries.
“Security maturity comes in waves,” Sardaryzadeh explains. “Over twenty years ago, the finance industry’s IT was being done in a somewhat distributed manner. It’s nothing like it is today. But as government regulations and oversight increased and as they were targeted more and more by malicious and sophisticated actors, they realized that the financial and reputational damage just wouldn’t be worth not taking serious action. Now, financial institutions are one of the most secure places from a cybersecurity perspective.”
Sardaryzadeh joined some of the largest healthcare providers and payers in the country right around the time this wave was beginning to form in that industry. In addition to federal and state regulations and fines, healthcare providers were becoming increasingly targeted by cybercriminals and nation states. “Now, the healthcare industry can really write the book on security,” he reflects.
It’s an interesting metaphor because, at present, Sardaryzadeh is working on his own book CISO 365, which is intended to help get new CISOs through their first year on the job. But before the last chapters could be written, Sardaryzadeh had to focus on yet another new field bracing for high security tides: higher ed.
“Micromanaging experienced security professionals will have an effect that is usually the exact opposite of what you’re trying to accomplish.”
Texas A&M is an ideal fit for Sardaryzadeh for many reasons. “This is one of the finest research institutions in the country,” the CISO says. “I hope to be able to do some of my own cybersecurity research and come up with new methods, new processes, and new tools to use in the space. But first I needed to secure the organization and it’s enterprise.”
Higher education has provided its own unique challenges when it comes to maintaining information security. Not because a university—its assets, systems, and data—can’t be properly secured but because there must be a balance between security and conducting research through a degree of purposeful openness.
“An interesting and important thing about higher ed and research institutions is what one would call ‘academic freedom,’” Sardaryzadeh explains. “The [cybersecurity] concept of locking everything down or implementing the same high level of security for all assets and data doesn’t always align with the nature and mission of higher education.
“You might want a hundred researchers across the globe to have access to some research, to add on it, and to peer review it,” he continues. “Although, ensuring that the right access is given to the right data and research is another topic altogether and equally as important.”
The last few years have helped Sardaryzadeh evolve his own approach, making sure his security organization understands the important balance between security and accessibility to research and information. “The key is to make sure that security is conducted properly with the right depth and breadth of controls while never losing sight of the needs of faculty and researchers, and the mission of the university,” he says.
“Growing your employees to a point where someday they lead you is what servant leadership is about.”
Motivated by these and other experiences throughout his career, Sardaryzadeh aims for his forthcoming book to be more than a technical manual for other IT leaders to navigate through their first year. He has a very clear vision of what has helped him lead successfully across such a diverse set of industries, and he wants to share those insights with others.
“People who work in this highly cognitive type of field [cybersecurity] often have similar themes that, as a leader, you need to be aware of,” Sardaryzadeh explains. “One of the most important of these needs is autonomy. “Micromanaging experienced security professionals will have an effect that is usually the exact opposite of what you’re trying to accomplish. They need to have a certain degree of autonomy that comes from the organization and their leaders having the right level of trust, knowing they will do great work.”
The onset of the COVID-19 pandemic served to underscore Sardaryzadeh’s philosophy. His team has been able to maintain a constant level of support to the university, but the CISO believes they’ve actually become even more effective, thanks to the additional time they’ve had to analyze, design, and architect for the near and long-term future.
When it comes to cybersecurity, Sardaryzadeh has found that servant leadership is critical. The essence of the model is for a leader to be working for the betterment of their employees. “Growing your employees to a point where someday they lead you is what servant leadership is about,” Sardaryzadeh says adamantly. “When you feel that your leader is focused on your growth and has your best interests in mind, you feel more like a true part of that team and that organization. Inclusion and trust are very important.”
The inverse is also true. “These are highly intelligent people that you’re managing,” the CISO says. “No matter how much you keep saying ‘teamwork, teamwork, teamwork,’ it’s hard to create that environment if it’s not actually engrained into the culture. As an executive leader, it’s your job to truthfully and sincerely do your part in weaving trust, inclusion, and the concept of one-team into the organizations culture.”
“All truly effective security organizations are made up of tinkers and thinkers yearning to create, to improve, and to plant seeds that will grow to change the world.”
Having spent the past few years creating what Sardaryzadeh believes is now a “much higher level and mature” cybersecurity structure for Texas A&M, the CISO and his team are focused on the increasing security innovations, deepening the level of security at the application layer, securing cloud services and cloud platforms, as well as automating processes that allows the IT team to focus on moving quicker into the bright and innovative future and begin stepping away from time consuming and very error prone home-brewed applications that have to be continuously tweaked.
“All truly effective security organizations are made up of tinkers and thinkers yearning to create, to improve, and to plant seeds that will grow to change the world,” Sardaryzadeh says, “and that’s the kind of security organization I believe we now have at Texas A&M University.
“Whether it’s the cloud-providing software or cloud-providing platforms, each has their own security challenges,” he adds. “But I’d rather share that challenge with the countless security experts at Microsoft, Google, and Amazon than do it all by ourselves.”
That is, the more experts with eyes on glass, the more quickly they’ll see what’s coming.
“While Texas A&M, like many other similar institutions, has seen a drastic rise in phishing attacks across the board, Proofpoint has enabled us to drastically improve email security by increasing our visibility and blocking capabilities. Given that more than 90 percent of malware is distributed via email, Proofpoint has proven to be a vital resource and toolset for us.” —Michael Sardaryzadeh, Chief Information Security Officer, Texas A&M University