CISO Insider S1E3 — The OODA Loop with J.J. Agha

At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.       

We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.    

Compass Chief Information Security Officer J.J. Agha sits down with us to share some of the most important learnings from his career as a security leader: the many practical applications of the OODA loop in infosec, how COVID is forcing us all to become better communicators, and why creative problem solving can help us face the neverending challenges of ambiguity while working in tech.

Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at support@nightfall.ai.


Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with chief information security officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.    

Chris Martinez: Today on CISO Insider, we’re joined by J.J. Agha, Chief Information Security Officer at Compass. J.J. shares his journey as an information security professional, covering his childhood from how he grew up playing DOS games, to eventually starting an entrepreneurial business in college. He talks about how these experiences were formative to his curiosity about technology and learning the ropes as an information security engineer.   

Chris Martinez: Here’s my colleague Michael Osakwe from the Nightfall marketing team to chat with J.J. Please join us in welcoming J.J. to CISO Insider.       

Michael Osakwe: J.J., thank you for joining us. Tell us about your educational background. Were you drawn to tech at an early age or did you discover tech later in life? How did you get into tech?

J.J. Agha: I was kind of exposed to it at an early age. There were always computers around. It started with video games and computers, an old IBM where I would just jump in and type at three years old, just because I thought it was cool. Then it turned into Windows 3.1 and my dad playing Doom and me trying to figure out how can I play Doom when he’s not around. Opening up DOS and prompting up the window so I could play Doom or Treasure Cove. At that age, it’s early 90s and I started really getting into video games, as anyone would at that time. Then translated into me getting a cable modem in my house. That’s what really unlocked it. AOL and getting my first personal computer, that was just the start of, at being 10 years old, connected to the internet. It unlocked every single possibility, question and curiosity that I had. 

J.J. Agha: My brother-in-law was a big influence. He was going to school for computer science at the time, so I had a kind of mentor and influence in my life of a college student treating me as his brother and teaching me how to mod computers and how to overclock my processors. I was the kid selling burned CD-ROMs or burnt DVDs at the school, because I always had to have a side hustle. Then it turned into Dreamcast games and bootlegging content that I couldn’t afford as a kid. So I started bootlegging and started pirating as much as possible. Eventually started getting into, “Well, I can make a career.” So at 18 I was hired as a consultant just doing some basic Adobe Photoshop design work, some light HTML, but mainly it was just basic computer training or configuration of setting up an office LAN and installing Windows XP on 20 devices. That’s where I first started getting my first taste of, “Oh, there’s money behind this,” versus, “I really enjoy just doing this.”

J.J. Agha: In school, I didn’t go in for computer science. I went in for business administration, because I was like, “Oh, I love selling things. I love talking to people.” I switched to communications. I changed my major about 10 times and then I did major first in computer science for one semester, but then ended up settling on information science, because I wanted to graduate on time. That was the only way that I could graduate on time. That worked out really well, because I was able to, throughout the four years of school, constantly touch technology as I worked for the help desk for the university, where I was helping the CISO there, I was helping remove malware from students’ laptops. I did basic Blackboard support and basic hardware and computer support.

Michael Osakwe: Did you find that your interest in security was piqued early too, or did this general tech interest kind of move into security in college? When exactly were you exposed to security as an interest?

J.J. Agha: There were no cyber security programs or no IT security training that I was exposed to when I was going to school. I watched Hackers, I watched Matrix, but that was my superficial understanding of what these “hackers” were. My understanding of security was, I would say the majority of what the world thought of were these hackers. These Angelina Jolies running around with pay phones. It was not until, I would say my senior year in college, where I started working with a CISO of people getting kicked off our network. People breaking our acceptable use policy and understanding, well now you’ve got to talk to our CISO. 

J.J. Agha: Then once I started working at my first job, at AmerisourceBergen, I was working with the DEA’s public key infrastructure. So that really got me interested into, whoa, what is public key infrastructure? What is crypto? We needed to do this to support ordering of schedule two drugs through our portal. And through that process, really kind of snowballed into I really like security and then me actively looking for a security job after my first job out of school. My first security job was Northrop Grumman after that.       

Michael Osakwe: As you got into security, how did you figure out that you wanted to be a CISO? What was that ah-ha moment, or was there an ah-ha moment, where you’re like, “I want to be a CISO. I want to be in charge of security. I’m really into it?”

J.J. Agha: I think it’s been ingrained in me at an early age of being the manager, or being the leader, the captain. I’ve always played sports, whether it was online with video games with friends for 40 hours straight, SOCOM, Halo, or playing tennis, baseball, football, softball. I always gravitated towards the leadership role. Always towards the person who wanted to take the accountability, take the responsibility and say, “Hey, whether we win or lose, it’s up to me to help everyone out.” That’s always been ingrained in me at an early age. 

J.J. Agha: Once I started going into security, and I started working at EdgeCast Networks, that’s when my mentor at that time, and still my mentor, a great guy, he introduced me into, “Hey, I’m a CISO. What does this mean? What does a CISO mean?” He was kind of that player coach who would pull me in for two hours and he really set the tone of what I loved about not just being an engineer but being that technical CISO that I was really drawn to. I think it was partly just my upbringing, but then being exposed to the right leadership, the right mentors at the right time in my career path, that said, this was something that I wanted to achieve and grow towards.       

Michael Osakwe: How did you identify the resources that would help you smooth your trajectory up the ladder to becoming a security leader?

J.J. Agha: One of the best decisions that I tell everyone that I made was I was born and raised in New York and I made the decision to take the leap and move to California to work for a startup. That was kind of the idea of I want to be really uncomfortable. I want to learn from anyone that could help me out to get me towards this path of this constant growth. I wanted to be challenged. I wanted to unpack these multiple puzzles. So, when I moved across the country, I started working at EdgeCast, which then I got introduced to the CISO that was my mentor. But that was one of the biggest resources, just picking the right company and the right time. Based off of the right company, the right time, the right mission that they had set, the right technical challenge that they were trying to solve for, I fell into a rabbit hole of, “Well, okay, now I work security, what does this mean?” That was software security and application security. 

J.J. Agha: Then I had a great mentor, his name is Cliff, who also helped me out with just asking questions constantly. So it was kind of what everyone says…is you want to surround yourself with the five smartest people. I had the luxury to be the person that walked into the room with five people smarter than me. So I was constantly exposed to things that I normally wouldn’t have and was provided to me to make the decision. That constant exposure, that rapid growth, things that you only see and get exposed to at a startup, at such an early stage of my career, helped me get 10, 20 years of experience in such a short amount of time.

Michael Osakwe: What attracts you to an opportunity? What about the company culture, the people, the experience attracts you to your next move?

J.J. Agha: In life, we want stability. But from a security profession and just purely technical standpoint, I want something that will challenge me every day. I want to be able to wake up and feel that I’m growing or learning something new. I think with everything that’s happening in the world as well, being aligned to goals outside of the business goals, but what our society expectations are, what our new system should look like, that’s where I think I’m really leaning heavy towards where it’s like, “All right. We’re aligned philosophically. We’re also aligned with the technical challenges that you are trying to solve for and I feel like I would walk in, be able to help, but also be challenged.” 

J.J. Agha: I don’t think I would ever want to, at this point in my career, want to walk into a place where I said, “I know all the answers, just listen to me.” Nor do I think anyone has all the answers. But I do want to be able to walk in and say, “I’m thoroughly challenged, you’re empowering me to make the right decisions to drive the business forward. This is kind of a perfect glove if you will.”       

Michael Osakwe: What attracts you to advisory work and why specifically did you choose Nightfall for example as one of the companies you advise? 

J.J. Agha: So, Rohan and Isaac reached out to me on a cold LinkedIn message, and I get probably 20 to 50 to 100 a week. Rohan and Isaac just hit the right approach based off of where they came from. Rohan had his work with Uber Eats, with that big large distributed data system in his background, becoming a founding engineer and growing that out. That was something I was like, “Okay, technically they’re onto something.” Speaking with Isaac, with him coming from the VC world, he’s very articulate and knew how to ask the right questions and dig deeper. He wasn’t superficially fishing for, “Hey, I want a challenge and I’m going to go solve for and I plan to do X.” He wanted something meaningful, something meaty. Something that really was a challenge that he could solve for. 

J.J. Agha: Secondly, once we started going back and forth, we really figured out what was the challenge that they were looking to solve for and I loved the idea that they would bring a diverse lens into solving it. They weren’t coming in from my CISO lens, or VP of security saying, “Hey, this is how we have to solve for it.” Rohan and Isaac, they were coming from, “Well, we go about the pipeline, the data, if we do X, if we do Y, we could actually make it easier downstream.” So as opposed to fixing it so far downstream of, “Well we just need to do asset management,” the traditional way of we want to classify, they decided, “Hey, let’s go further upstream. Let’s get it before it becomes a problem.” So they shifted the paradigm of the problem. So they shifted the paradigm of how to solve data security for programs or for businesses, that their diverse background was able to provide to the challenge. And they’ve really hit a home run.

J.J. Agha: Funny enough, additionally, as we started building out this relationship, what sealed the deal was, I took my team to meet Rohan and Isaac. This was before, I think Watchtower even had a name, or it was Watchtower before Nightfall. They came out, I took them out for dinner, and they shared a meal together. They weren’t the, “Hey, we’re just going to try to spend all your money.” They were humble. They were frugal. They both have great experience and background, big wins early on in their career. They didn’t come in saying, “You owe me the world.” They came in very similar to our approach, it is, “I want to be observant, I want you to tell me, I’m going to make the best decision based off the facts that you’re giving me and let’s make this conversation.” 

J.J. Agha: Even just that simple of them saying, “You know what, we’re going to share a meal.” It showed me that they were in it for the right reasons. They were willing to take the shirt off their back to hand it to one another. And from a co-founding standpoint, I was like, “These guys really are in it to not just help individually themselves, but to help the larger group.” I see that with some of my best friends where we’ll come together, and I have the luxury to work with one of my best friends, where we will constantly take that approach where I’ll take the shirt off my back to help him out, and however we have to do to make the project initiative or goal move forward in the right way, if it takes some individual sacrifices.

Michael Osakwe: With your own advisory work, how does it help you grow as a CISO and as a person?

J.J. Agha: That’s a great question. Being able to do context switching quickly. So I have my process where I have to do my day to day, then I also have the advisory work of, “Well, what are the challenges that Rohan or Isaac are having?” Maybe it’s not a security product decision, maybe it’s about, “Hey, do I have to have a conversation with a customer? Am I having a conversation with the next VC? Another advisor. How can I help shape their path as a company?” From being an internal, I am very closely knit day to day with what are our business goals, or our business initiatives? 

J.J. Agha: So the context switching is a lot less, so it allows me to be fresh. It allows me to constantly take my learnings that I have day to day from my day job, apply it to the advisorship and then even from being an advisor, I’m able to take that kind of quick two hour, three hour hit that I might have with a company, take that bang and say, “All right, how they’re actually approaching this is actually a better way? Let’s figure out how do we need to solve for it and provide feedback.” So it’s this constant feedback loop and you’ll probably hear me say it multiple times in this interview of OODA loop, but it really is a gigantic OODA loop within myself of I’m going to observe, I’m going to act and then I’m going to make a decision and then I’m going to just constantly follow through that process.       

Michael Osakwe: That word you used, OODA loop, what is that? 

J.J. Agha: It stands for observe, orient, decide, act. In security in general, its roots are from Army intelligence. We take a lot of these nomenclatures and these acronyms from the military. The OODA loop came from an Air Force pilot and was a way to help them make decisions faster. To make the best decision with the information that they have. So the idea is that you’re going to observe, you’re going to orient towards the information that you have. You’re going to make the decision and then you’re going to act on that decision and you’re going to constantly do that. 

J.J. Agha: It was a way to react within an actual dog fight. But that idea of observing and orienting, is the same idea of how do I observe and collect information as best as possible? How can I then take enough of that information and provide a solution or a decision point where I have enough understanding of the business trade-off, I have an understanding of the technical risk and then making a decision, the action, to drive the decision. What the actual lever of pulling the decision point to say, “All right, this is the action that we’re taking based off of all of this information.” Then if that action doesn’t work out, quickly redo the OODA loop and observe, orient and redo it again and again.       

Michael Osakwe: Moving onto the general situation in the world, if someone is up and coming during COVID-19, how would you say they should begin their career as a security professional? If you were to put yourself in their shoes, what do you think you would do to get ahead during the pandemic?

J.J. Agha: The challenges with COVID now and how you actually start your career can look like this: If I’m a fresh hire, I just graduated in May and I started a new job here, you’re going to be forced to be a better communicator. You’re going to learn how to articulate and how to self-learn. There are people that I’ve come across who are not willing to learn. They just want it to be fed to them. They just want a secondary exposure. For me, if I hear someone having a conversation, I’m going to go over or I’m going to show my screen and say, “This is the problem that I have.” I think with this post pandemic world, that we’re moving towards, the time horizon of this type of learning is going to be shrunk down to months versus what might have taken years. 

J.J. Agha: But mainly, I think everyone is going to have to learn how to be a better communicator and how to translate the kind of concerns and the risk in email or in Slack or in Zoom, in a way that is clear, that is transparent, that provides enough information, that doesn’t muddy down what you’re trying to get across, to the point where the person on the other end could say, “I understood you provided me with the appropriate information, here’s my quick feedback.” Versus, divulging into a two hour, three hour, “Wait that doesn’t make sense.” It happens. It still happens. It happens in person. It happens online. But I think as we mature through this process, it’s less of the, “I need a dissertation. Provide me five or six bullets that are appropriate.” 

J.J. Agha: Even Jeff Bezos, his idea of, “Hey, I don’t want a PowerPoint, I want a three or four page clear understanding of what is the problem and how you’re going to solve for it?” Versus, these cheap bulleted, when do we want the problem? Now. How do we solve it? Now. It was like, great. You’ve got me excited, but what’s the meat of it? I do think the part of this process, part of this learning is that the person’s not going to be able to ping someone on Slack and get an immediate answer, because you’re not sure where they’re in the middle of the work. You can’t look over their shoulder and say, “All right, they’re free, let me ping them.” They’re going to have to self-learn. 

J.J. Agha: They’re going to have to be a Google ninja. We all use Google. We all have resources available at our fingertips. We have policies and procedures. We have run books that have been created. Those resources, I think, are going to be more and more useful and require folks to become accountable to themselves, versus accountable to saying, “Well you tell me.” I think that lens of switching and learning will go a long way and then hopefully it rafts up with the appropriate way on communication. The biggest challenge that I think we face is that it’s hard to communicate with clarity what we’re trying to solve for. What are the trade-offs that we’re trying to solve? 

J.J. Agha: It might be as simple as, I want to put an allow list in this particular program. What’s the impact if you go that route? Or it might be as complex to me sending an email to the COO and saying, “We can’t do this business venture because of X, Y, Z.” However I approach those, one’s a very strategic decision and one’s a very operational decision, and a risk that I’m taking. But how I actually frame that information, and communicate it, is pretty much the same way.       

Michael Osakwe: Can you recommend resources for people up and coming in infosec during the pandemic, especially for self-learning? 

J.J. Agha: I pay for Pentester’s Academy, a broad diverse group. How someone likes to learn might be tangible, they want to be hands on, versus I want to read a book and I want to go the certificate route. Providing a suite of available resources has kind of been the approach. The time that I have now, I like to read, but I make it practical. Read a chapter, apply it. How do I actually make this useful? What I’m reading in a book, whether if I’m going for a certification or if I’m going for an exam, when I’m reading the book and what’s in the exam might not actually be applied to the real world, because there’s variables that are not seen from the instructor or from the exam creator. That goes into the issues with certificates and these people who have 10 acronyms after their name because they have every single certificate out there. 

J.J. Agha: I have a CISSP, but do I feel that it was well worth it? 100%. But back to your question about what’s the best way to learn now, there’s a lot of these academies online. Pentester Academy and hackthebox.eu is a great CTF challenge. So it depends, because security in general is so diverse. Do you want to become a network security engineer? Do you want to become an enterprise security engineer? How do you get access to a Google or G Suite enterprise account? Well, how do I get access to AWS and not cost an arm and a leg? These are, I think, one of the issues with certificates, is that they try to generalize security so much. They try to generalize the problem versus just get a basic understanding of how TCP/IP works, how does the OSI model this. The particular protocols that work and how the internet works, get those basic understandings and then apply what’s interesting to you around those frameworks, around those protocols to security. 

J.J. Agha: You’re not going to become a crypto expert and then a network security expert and then a software engineer overnight, but if you pick these particular verticals and say, “I’m going to dive into it, because this is what’s interesting,” then you can match the right learnings to it. You’re then able to apply and make it actual practical knowledge, versus I have a book knowledge and I have just a basic understanding, or I just have a book understanding of how encryption works. Well tell me actually what’s the SSL handshake, why is it important? What is an elliptical curve? What’s forward secrecy? These are the things I ask my team. They’ll say, “Hey, I learned this about encryption.” It’s just that snowball effect of if you constantly provide that, “Hey what about this?” 

J.J. Agha: Resources are Wikipedia, Hack The Box, Pentester’s Academy. But once you start getting practical, it’s nice to have a conversation with people you consider as a coach, a mentor, a manager, or even just a senior lead engineer on the team to say, “Hey, I read this, can I bounce this idea off of you?” That was something that as I went through and got my certificates, early on in my career, I had a soundboard to constantly ask. Say, “Hey, what about this? Okay, great this is what I read, but how do I actually apply it to the real world?”      

Michael Osakwe: How do you think practitioners should be making the most of certificates, or should people even be getting certificates anymore? Or is it sort of an antiquated concept? 

J.J. Agha: I think it’s antiquated in the sense where from an HR hiring manager, people would just say, “I need a CISSP. I need someone with CISN.” It’s a lazy way of writing a job description and writing what qualifications or what you’re actually looking for. What makes a CISSP a CISSP? They have the exam. They passed the certificate. What actually are you truly looking for? Are you trying to hire someone with analytical experience, with software engineering experience, with experience on cloud computing for AWS or experience on providing threat reports? Write that out.

J.J. Agha: Be very open ended. Because even if you write, “Hey I want someone with 10 years of experience.” Or you see job descriptions that ask for 20 years of experience with blockchain. Well, blockchain hasn’t even existed for 20 years, but good luck. Those are the things that steer away the graduate. It steers away the people that are trying to break into it, because they see, “Okay, if I get a CISSP or if I get a Security+, I qualify for the job.” You’re likely going to get interviewed for a job with a terrible job description, because the hiring manager has asked the recruiter to look for anyone with a Security+ certificate.

J.J. Agha: From the graduate side, I can’t fault them for wanting to get that experience. Because they are looking for any way of getting that security position. I’ve even asked my team to get Security+ because it shows that you really are into wanting to learn about security. These are for folks that typically started off as network engineers or system engineers. I always say to get some basic understanding of the different domains and verticals within security. So then, when you come over to security, you have a better orient of whether you want to go for application security, systems security, or enterprise security. Getting that Security+ is a way for them to get that rapid exposure, and they have basic understanding of how the technology works and then they can apply security to it. 

J.J. Agha: Folks that are getting the certificate should understand what HTTP is before they start talking about HTTPS. Understand how the internet works before you start trying to figure out how security gets applied to it. So if you have kind of a principle understanding and core understanding of the technology, then you’re able to dissect it. So going back to some of the earlier questions, like what got me into computers, what got me into technology, the curiosity is key. Not taking an answer superficially of what you read in the book, but digging deeper into why is that security control actually there? How can I manipulate it? Why does this protocol allow this to happen? If you look at DNS, you also look at HTTP, FTP, why is this actually happening, versus, thinking it’s good enough to just use SFTP. Technically the answer is right, but you won’t be able to tell me why.      

Michael Osakwe: What would you say is sort of the correct mix of book knowledge to applied knowledge? When is book knowledge important for a security practitioner and then when is the hands-on experience most important for a practitioner?

J.J. Agha: That’s a great question. I don’t think it’s a 50/50 or 60/40 split. I’m going to be transparent, I probably won’t have the answer for the right percentages. Because it’s dependent on the individual of how they actually want to learn, and the type of company and the type of role that they’re going for. There are positions where you’re just going to be doing research and you’re going to read every single white paper. But that white paper is going to have a lot of practical hands-on experience based on what the authors read, their theory and hypothesis, and how they apply it to the real world. There is some practical information in those roles.

J.J. Agha: Early in my career, this helped me get a foundation. I will reflect on myself in this answer. Reading on my own meant I wasn’t taking 40 hours of my mentor’s time. It was me getting distilled information from things like Bruce Schneier’s crypto book and then coming back to my one-on-one with my mentor asking, “Hey, this is what I read, if I applied it here, how does this work out?” I took a few hours of book reading and applied it to the two to five minutes that I have for a particular question. A lot trying to apply the reading and book knowledge practically is just pure preparation. 

J.J. Agha: Then once you’re applying it, you should know that it’s okay to not follow the book to the T. Know that it’s okay to veer off course, because that book might be outdated, or the business is completely different: the business risk, the tolerance to what the leadership wants or what the customers want, can be completely different. What they don’t teach you, and I think books now are doing a lot better, is that they’re making you ask, “What is the business need?” None of this is binary. In computers, yes, it’s a one or a zero, and you’ve got to make a decision. But when it comes to communicating, you have to figure out what are the trade-offs. You have to understand what is the compromise you are willing to make and provide a few solutions to do it.

Michael Osakwe: I was interested in knowing as a CISO, with the wide variance of responses and answers you can give to a problem, how do you deal with that ambiguity and how do you develop characteristics for assessing a given situation when you could have any multitude of answers?

J.J. Agha: It goes back to accountability. I want to say that this is a very important characteristic, because you want to be accountable to the program and the decisions that you make. I took it upon myself as I was growing out the team to ask how can my team and the company hold me accountable. We had our policies and procedures and went through multiple frameworks and got certified. What I didn’t have was a program plan. What is my succession plan if I get hit by a bus? What are tools that I use, what are the trades, what are the heuristic keys that I use to make the best decisions and understand how these decisions will affect the business and the team? What are the tools that we want to buy, versus these are the tools that we want to build? How do I approach the decision versus build or buy?  

J.J. Agha: One of those key pieces inside what I call the program plan, specifically for my team, is my four values: clarity, empathy, diversity and resiliency. The idea is that if you apply this to the OODA loop, or the CSF framework and other frameworks that live within security, these are the evergreen values that define why we’re doing what we’re doing. By doing a walkthrough of these values, you’ll uncover multiple ambiguous challenges through the course of a day, a month, or a year within your career, and within your tenure at the company. 

J.J. Agha: As a CISO, you need to understand and have empathy towards the strategic business goals and what makes the customer’s success. Are you empathetic to all the people that are really working towards achieving those goals? That might be empathy towards your software engineer who needs to push a release in the next two weeks, or others on your team like the product manager all the way up to the COO. Do you have true understanding and empathy and have you been able to understand what they’re trying to work towards and feel connected to it?

J.J. Agha: Once you have an understanding of what makes the business successful and the goals you’re working towards, you can be resilient and diverse as you analyze and develop the solutions, and know that what you’re actually going to put in place will help empower and make sure that this is successful. There’s a thousand ways to skin a cat. Know that if you do it one way, this is the associated trade-off or the business risk. Help your team by providing that level of risk and trade-off, without getting so deep into the technical controls that they’re getting lost.

J.J. Agha: Then to the clarity point, you should be clear, concise, and transparent so that everyone in the organization can understand. Everyone should know what it means if we’re going to implement an allow list for all Google extensions, or enforce multi-factor authentication, and know what the actual business trade-off is. It’s great security, but where is the friction that we’re adding? These are the decisions that benefit from the OODA loop: you’re observing, you’re orienting, you’re deciding, and you’re taking action, but are you providing clarity?

J.J. Agha: Then I ask, are my solutions, projects, or goals diverse? Are they resilient in the way we can solve for these challenges? By presenting that in that program plan, it helps steer away any ambiguity in making the decision and providing it to my team. They know there’s no ambiguity when they raise it to me. These are the four core values that I’m using to constantly make the best decision for the company.       

Michael Osakwe: What’s your proudest moment as a CISO?

J.J. Agha: When I got hired at WeWork, I was their first security director and I was tasked with building out a team to help grow the business. Going from 800 employees to 15,000 employees across the globe, building out the team of 40 plus engineers and managers was probably my proudest moment. Not only did I build out a team, I was able to build out a functioning program that supported the business to grow the way it needed to. The program would allow anyone on the team, from engineers to managers, to make decisions based on the tools and program we built together.

J.J. Agha: Going back to that succession planning, I could tell my team to go to a meeting and make a decision for me. I was able to show them my full trust in them and empower them. I’m a new father, too, for the past year, and with a new baby coming in. I’m proud to have full trust in my team, and I empower them to make the decision that’s best for the company with full authority. I have no quarrels about where they got the information or how they actually made that decision, because what we built will forever last beyond me. I’ve seen people grow from the analyst or engineer role to being a manager at multiple levels, both professionally and personally, and that’s been one of the greatest achievements in my career as a leader.

Michael Osakwe: What’s the biggest takeaway you’ve gotten from your career that you wish you knew when you were younger?

J.J. Agha: You don’t need to be the smartest person in the room. You want to have knowledge, but it’s also important to be okay with being wrong. There’s a proverb that I use a lot with my team: Don’t let perfect be the enemy of good. Are you growing? Are you constantly getting better? Be observant, be decisive, make decisions. We are very much in a now culture. If you have the information, my role is to empower you to make the right decision. If I make the wrong decision, it’s completely fine. But know that I made the wrong decision, act upon it quickly, then iterate on it to become better. 

J.J. Agha: If any one of us got everything right, every single time, we would think there’s nothing wrong that we could do. It would be foolish to think that any time someone asks something, I know the answer. Instead, I want to just be the person that has the four values that I’ve talked about, that truly understands what you’re trying to articulate or communicate out. I’m here to help with that process. I am making you better. Because if I’m making anyone around me better, in turn the program and the business get better. Don’t let perfect be the enemy of good, is what I’d tell my younger self.

Michael Osakwe: Thank you so much for answering these questions, J.J. It’s been a very informative and engaging interview. 

J.J. Agha: Thank you.   

Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry’s first cloud-native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That’s Nightfall AI, and email us at marketing@nightfall.ai with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from. Stay safe out there and we’ll see you again next time.
Stay tuned for the next episode with Lisa Hawke from Everlaw on January 20, 2021. You won’t want to miss this!

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack & GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.