
Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
From Bangladesh to Cybersecurity Leadership: Javed Ikbal on Navigating Culture, Phishing Threats, and AI Governance
Javed Ikbal shares his transformative experiences as a CISO, highlighting the challenges of cultivating a security-centric culture in organizations. He emphasizes the importance of communication, understanding user psychology, and establishing foundational practices to navigate the complexities of cybersecurity today.
• Importance of cybersecurity culture in organizations
• Challenges faced as a CISO in different environments
• User psychology impacts on reporting security issues
• The need for clear policies around AI usage
• Lessons learned for aspiring CISOs and cybersecurity leaders
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
All right. Hello and welcome to another edition of Phishing for Answers. Today I have the pleasure of speaking with Javed Ikbal, the CISO of Bright Horizons. Just an impressive resume. You've been at this for quite a while, Javed. Maybe if you'd introduce yourself and tell us a thing or two about you.
Javed Ikbal:Great to be here, and thanks for inviting me. So I was born and grew up in a country called Bangladesh. It's in South Asia. I came to the United States in 1992 for grad school, the immigrant story, and I worked for a few years for a company that sold computers, and I was one of those kids who took apart clocks and radios to see how they worked.
Joshua Crumbaugh:Oh, me too.
Javed Ikbal:I can't tell you how many I broke growing up. Yeah, exactly, where's that little man inside that radio who keeps talking? So take it apart to find that guy. So I like tinkering, and that led me to computers. I came here, I became a system administrator for a company, and so I sort of moved east from the Midwest, where I was going to school, and one day, totally out of the blue, I got a call from a recruiter. This is 1998. Saying we are looking for a security person. Well, they're looking for more than one. But there is me. And I said I am a Unix admin, I do security, but it was not in my title. And she said, yeah, we know, we cannot find anyone with security in their title, back in 1998.
Javed Ikbal:I doubt you could. The word cyber hadn't been used in an information security context at that point at all; that was a completely new thing. So any time now I hear people use simply the word cyber, nothing else added to it, when talking about information security, that always makes me chuckle. So this was a large mutual fund company. They are privately owned and they were really forward thinking. Because they are privately owned, not beholden to Wall Street or the shareholders, they could spend a ton of money on IT and security. Especially when the economy went bad, they spent even more money. That was a very interesting lesson.
Javed Ikbal:Yeah, that's not common, not at all.
Javed Ikbal:It's not common, but they figured that's the time where they can squeeze the vendors the most, right? No one is buying. So if they go in and say, hey, we want to place large orders, give us really big discounts. That worked. So that's where I really learned about security. So even in my team I have people from that company that I hired, and I rose to the rank of director of information security at that company. And then another company from the Boston area called me, a very small FinTech company, saying we have a CISO opening, first CISO, are you interested? And I said sure. So I went from this 30,000-person company where everything is very structured to this 150-person company where people refuse to sign the acceptable use policy, people who don't want to do the right thing, and I am the army of one.
Javed Ikbal:I have the CISO title, but no staff, nothing. And it basically felt like, you know how when a bone gets broken and sets the wrong way, the doctors or surgeons have to break it again to set it straight. So that company's culture got set the wrong way. And it's a startup that's profitable from day one, because this was a spin-off from two large financial services companies, so you cannot put them in the typical startup bucket. Because they were profitable, I could get some resources.
Javed Ikbal:They were also regulated, which is a very, very big hammer to have, because if it's an SEC-regulated entity, there are certain things that are completely black and white. There's no argument about those, so I could use those. But it was also a lesson in catching more flies with honey than vinegar. So you do not want to sign this acceptable use policy. Can you tell me why you think this infringes on your freedom? The implicit part about that conversation is that the company also has the freedom to let you go, because we cannot have a situation where someone says I never signed this policy, so I am free to do whatever I want.
Joshua Crumbaugh:Culture change is one of those topics that just comes up all the time in cybersecurity, but I rarely see it. I do see it from time to time, and you know I wish it was more commonplace, but too often cultures are not security-centric at organizations, and so I think that must've been an amazing experience. What would have been your top takeaways from dealing with the company that had to have its bone reset, for lack of a better example?
Javed Ikbal:So a few things, but I see I am sitting in a rainbow glare, so let me just move my laptop a bit. Okay, that was very interesting. I'm sure my kids would love seeing that photo.
Javed Ikbal:So it is one of those things where it's a FinTech company, and the CEO would not wear his badge, because his point was the guard knows me and I can just go in, and he'll only take out his badge to swipe at the door, and then it went back to his wallet. Not to speak ill of a former employer, but he also at one point said that, oh, computers are not our main business. We settle trades and we do trade-related activities. So I told him, what are you talking about? If the computers are down, do you think you can do these trades with pen and pencil? So it was an astonishing revelation to me, that the CEO of a company, who knows that technology is the lifeblood. Without technology there is nothing.
Javed Ikbal:They don't have any physical presence other than the offices, one in New York, one in Boston. They do not deal with customers face to face. How are they going to transact business? So the badges are, of course, a security issue, but the fact that computers are not important, we do not need to invest in DR and we do not need to wear badges, as an example to set, is important, and I think some of that apathy almost, or ignorance, sort of flowed down. That's why people thought, I am a star developer and I do not want to be bothered with signing a policy. When I say, I mean, I've seen it, I've been that guy before,
Javed Ikbal:actually, okay. So it was an interesting thing, working with these people. I will digress for a second, I'll move over to another topic and then I'll come back. I am quite active in the Metro Boston CISO community, so we talk a lot about experiences, etc. And I see fellow CISOs sometimes saying, yep, this happened and I couldn't make them do it, and I said, okay, sign the risk acceptance and it's fine. And with SolarWinds and Tim Brown being sued by the SEC, I don't think that cuts it anymore. The CISO might be held personally responsible, liable, if they know about something and it's not addressed. And I also have a very black and white view about certain things. There is a red line where I think mere risk acceptance is not enough. I still have the responsibility to protect the company, its reputation and its revenue, and I will either insist on getting that fixed or I will say I am leaving. So I once wrote this post.
Javed Ikbal:Sorry go ahead.
Joshua Crumbaugh:Just to make a comment there. I think any risk acceptance, my opinion, should come with mitigating controls. So if you want to get any risk acceptance approved, you've got to have mitigating controls in place.
Javed Ikbal:Yeah. So I once wrote a post on LinkedIn saying, can you say no to your boss or the CEO, all the way to the board? So I was at this CISO summit this week, and one of the keynote speakers was saying that their job is to say yes. When someone proposes something that goes against security principles, they will work with them, negotiate, they will say yes and add security features to it. And I have a slightly different view. Maybe out of a million interactions like this, one time I'll say no, or hell no. And being able to look the CEO in the eyes and say no, under no circumstances.
Javed Ikbal:I think the CISO has to have the guts and the spine to do it, and not necessarily a cyber example. If someone says, okay, I am going to bribe this person, how can you say yes? And to that I have had situations. We have this gift policy. For $250 or above, you cannot accept a gift.
Javed Ikbal:So one of my team members received a Boston Bruins jersey that was $280 or something. So they came to me and said, hey, what do I do with it? I said, fine, keep it, whatever, doesn't matter. I know you are not doing the vendor any favors. The situation changes. This person is not a decision maker. I am a decision maker. I would not accept that jersey. And these are not situations where I say yes. Or someone said, oh, the customer is asking us a direct question, can we fudge the answer? And the answer is absolutely no. We will not fudge the answer. We'll try to work with the client and say, hey, here's this thing where we are falling short, and give us three months or six months to fix it. Here's our plan. But it will never be, oh, everything's green. So you asked me a question about changing culture and I sort of went well beyond that. But I just wanted to explain my security mindset first before I went into how I work with people. Okay, makes sense.
Joshua Crumbaugh:So, well, that just brings up a whole bunch of different directions we could go, actually. Let's jump straight over to stories, actually. I think that's a really great one. Tell us about maybe, I don't know, one of your most memorable cyber stories, whether it's just internal politics or an incident or anything. Is there anything that sort of stands out as, I don't know, more memorable than the rest?
Javed Ikbal:Well, there are a couple. I'll start with how I got recruited to this Boston-based company. So the company was Fidelity Investments and after I joined I heard this story. So remember this is 1998.
Javed Ikbal:The internet is still sort of new, and for most people it's America Online, and computers and internet outside universities means dial-up, still modems. So Fidelity is thinking of going on the internet, having some sort of online portal where people can at a minimum look up their balances, if not transact stock trades or manage their mutual fund savings. So Fidelity's external auditor at that time wrote a report saying, hey, before you go on the big, bad internet, these are the things that you need to do to stay secure. And that report languished and no one really paid attention to it.
Javed Ikbal:So Fidelity Mutual Fund has the equivalent of a board of directors. They are called trustees. So a new trustee had just joined, and this trustee was uniquely positioned to understand this report. So he saw that the findings, because this external audit firm actually said you guys have these gaps that need to be fixed. So this trustee saw this and he said, until you guys fix this, I will not be, I do not feel comfortable that you should be on the internet, and he went directly to the chairman, because he's a trustee for the fund. So this gentleman was Robert Gates, just retired as the director of the CIA, so I don't know what the number was, but he was probably one of a handful of people on the business side to really understand the implication of that report, and also someone who could actually go to the chairman. So the company got security religion overnight, and, like I said, they were not averse to spending money. They just wanted to understand where that money needed to be spent.
Joshua Crumbaugh:So you know, to that point, a lot of people sell features when they need to be selling risk mitigation and that's why they don't get budget.
Javed Ikbal:Yeah, and so when the chairman was made aware and someone explained it in very stark terms, someone that he really respected, obviously it resonated, and suddenly, yep, we need to ramp up our security. So they had security before, but they decided to bring in a new cohort of technical people, and I was fortunate enough to be recruited as part of that class, and here I am. So this was one of my interesting life stories, but there are others as well. Well, I love stories. Any good phishing stories?
Javed Ikbal:A couple. Let me see if I can string them together in a sequence. So there are some phishing emails that are really, really obvious. You know, bad grammar, terrible spelling. The email address completely stands out as absolutely not related. We get these phishing emails where it's an executive impersonation, so the CEO's name saying, hey, can you call me back with your cell phone number? I have this urgent task to do. It's gift cards, yeah, the gift card scam. So one day I received an email from Javed Ikbal saying, hey, Javed, this is Arjun, can you call me back? I'm sorry, can you text me? I'm at a conference and I cannot talk. Sincerely, Javed Ikbal.
Joshua Crumbaugh:They're probably blasting this out and they did not even notice that they were emailing me, impersonating me.
Javed Ikbal:That wouldn't happen nowadays. AI is smarter than that. Yeah, you know, human intelligence will, although human stupidity will always beat AI.
Joshua Crumbaugh:Artificial intelligence? Yeah, probably.
Javed Ikbal:So a couple of days ago we were getting these phishing emails where the link led to something.it, an Italian top-level domain, so we blocked it. So the phishing email is appropriate for the season, and this is a PSA for listeners or viewers. Year-end, there are always these annual performance evaluation or bonus or salary discussion or something like that phishing emails, which have a high probability that (a) the email will be opened and (b) it might be clicked. So we have developed this culture where people report this regularly to us.
Joshua Crumbaugh:So for the listeners, if not this year, next year, end of year.
Javed Ikbal:Please make your user population aware that there will be phishing email involving compensation or performance appraisals, etc. So that actually leads, oh, go ahead. Did you have another part? I'll just make one point. So when these emails came, there were a few requests to the help desk saying, hey, I am trying to get to my performance appraisal link but it is being blocked, can you open it up? So let me see if I can get out of the glare again. So it validates my concern that you add performance appraisal or something to do with compensation, and some people recognize the phishing attempt, and some people are so anxious they are actually opening tickets saying I cannot get to my JPA, can you open it up? So the people who do this phishing, they understand human psychology and then they exploit it.
Joshua Crumbaugh:Unfortunately, there are approximately 182 different cognitive biases, these mental shortcuts we all use every single day to quickly make decisions, exploited by the hackers in order to get us to have that emotional response to the email and click on that link and give them our credentials, or open that document, or whatever the goal happens to be.
Joshua Crumbaugh:Authorize that app. That's the one I see a lot of, because when you hack APIs, you don't often hit multi-factor, and so it's a lot easier for me to have a user authorize an application for a business email compromise than it is. And, by the way, I can run that business email compromise so much better through the API than I ever could by actually logging into their inbox. And so, you know, whatever that goal happens to be, they prey on your emotions.
Joshua Crumbaugh:And there are these different cognitive biases, like one of my favorites that I used all the time when I was an ethical hacker was the sunk cost fallacy, and what that says is that the more time you've invested into something, the more likely you are to continue with that something, regardless of red flags. And so I found that if I made it really hard on you to run my malware, you were more likely to run my malware, because the few fails that you had before you ever even got to running the application would outweigh any red flags, like, for example, virus warnings that might pop up. And I mean I literally had people click through their AV warning them about my files, and because they had invested time, they would just continue on.
Joshua Crumbaugh:Wow, it's fascinating, the behavioral science and the psychology behind why we click. Along those lines, though, one of the things that I've seen is that sometimes, particularly when we try to emulate those types of phish that you just mentioned in your PSA, users get upset. So have you ever had a user get upset as a result of a phishing simulation, and, if so, what did you do to mitigate that?
Javed Ikbal:So, not as part of phishing simulation, but we have seen this very interesting behavior, and I think there is a master's thesis at a minimum in this, maybe a PhD thesis for someone, on the psychology of users when security incidents happen. So someone reports a phishing email to us, we go into our email security gateway and we find all the people who have received that email, and we'd ask people, did you click that link? And if you clicked that link, did you actually enter your user ID and password on the resulting page? And people will tell us that no, I did not click the link. Or people used to tell us that, and we'd go into our web gateway and we'd see that they have actually visited the link.
Javed Ikbal:And there is an embarrassment factor that plays into it, and I have worked really, really hard to convey the message that you are creating an enormous risk for the company by not telling us. We are not going to yell at you, even if you gave away your password or worse. We'll work with you. There is no shame involved. Versus, if you don't tell me, I am going to do the same thing regardless. If I see you clicked the link, I am going to reset your password. You are going to be locked out. You'll not be able to do your job. You will be on hold with the help desk trying to get this sorted out, because it's not my job to reset the password. I cannot do that myself. You will have to talk to the help desk, and it will waste time for you. It's so much better if you tell me if you did that. Phishing simulation and actual phishing attempts we have.
Javed Ikbal:It took time and it took work, but we have established the reputation that we deal with compassion and understanding. We never, ever give the impression that you did something dumb, right, and it took years. I'd say it took us about 18 months to get to that point, but we have turned that around. So one of the things that I do is, if someone reports a phishing incident or we find out, it's one of those things. We tell them, hey, can you do me a favor, can you tell your colleagues what happened, and that information security helped and worked with you. And this may not translate equally well to all workplaces, but I have to give you a little bit of context about Bright Horizons. So we have 1,300 childcare locations across multiple countries. That's a lot, and these locations operate as independent. They have their own colleagues, they never come to the HQ, and they are always busy taking care of children.
Joshua Crumbaugh:It's not an easy job, so these people I imagine they don't have a lot of time for security awareness.
Javed Ikbal:They do not they do not.
Javed Ikbal:So we have built a special security awareness training for them. What's that like? It's highlights. So instead of a one-hour security awareness training, it's a 15-minute training, sort of facilitated by the center director or one of the senior people at the center, and it's a lunchtime gathering, etc. And these people are also very close to each other. They are friends, they work side by side day after day for years, and so when one of them reports something and I tell them, hey, can you do me a favor, I ask this as a personal favor, can you tell your colleagues about it? Someone the other coworkers consider a trusted colleague or even a personal friend tells them, hey, I had this phishing email and security told me why it's bad and why I shouldn't click on it. And that is worth 1,000 hours of training, that one-minute conversation from a close friend, because there is this implicit trust between those two persons. So that is a very important lesson.
Joshua Crumbaugh:So one of the things that I've realized, or I guess one of my favorite stories rather, was about this hedge fund CEO from New York City. He, you definitely know the type from the sounds of it, and you know we were talking about how they had this serious security awareness problem, and their users were susceptible to phishing, tailgating, thumb drives, you name it. They probably had that finding in their report. And so we go through and we tell them this, and he says, well, you know, I'm already doing all of this and it's not working. I'm not willing to spend any more than one hour per year of my employees' time to train them. They're busy. If they're not trading, they're not making me money, and basically, you know, listen, that's all you get.
Joshua Crumbaugh:And so my initial reaction is, this guy's out of touch. He doesn't have a clue what it takes to truly change culture in cybersecurity. But then, as I thought about it more, I realized that one hour was actually quite a bit. If you broke it down into 60-second chunks, you could be in front of that user literally every single week of the year and not even eat up that full hour. I'm like, man, well, what if we went to 30-second chunks? Well, now we can be in front of the user two times every week, every year, and not even eat up an hour.
Joshua Crumbaugh:And so that's actually part of what inspired me, not at the initial time but later on in my career, to found PhishFirewall, was that, you know, I realized you can do a lot more with the time that we're given than what we're currently doing in most cases, and so, yeah, shortening that training and just making it as tailored to that individual as possible has, to me, really proven to be very, very effective.
Joshua Crumbaugh:So I like some of what you're doing there, and particularly, you know, if they're a tight-knit group, I doubt tailgating is a big concern, whereas, you know, they may need to learn about thumb drives and the dangers of putting your data on that more, or even just picking one up from the parking lot, so very interesting. I'd love to talk about AI a little bit. It brings a lot of new threats, but one of the things that I've been uniquely interested in is what CISOs and CIOs are concerned about from an awareness perspective as it pertains to AI. What are you either planning to, or maybe already even training your users about with AI?
Javed Ikbal:Yeah. So this is one of the things where I sort of decided that if I do not put guardrails in early enough, we'll have a problem. Even then, I was probably a few months late, so let me start by framing first how I see the AI security risks. So there are the imposters, deepfakes, et cetera. AI is a DLP problem.
Joshua Crumbaugh:There's the one.
Javed Ikbal:Yeah. So there's the traditional confidentiality, availability, integrity problems, plus newer problems like biases and privacy, how AI would do that. So, just to give a context, for the longest time I drove a stick shift because I thought automatics cannot match the performance. But then, after driving in Boston traffic for a few years, I gave in. When I see a new security problem or a new technology, I think it just boils down to the basic security first principles. You take care of the foundational security issues and it would address 80, 90% of the problem. So, yes, AI is completely new. It poses a DLP problem in a new way, but it's still a DLP problem, so you can solve some of that using traditional DLP tools.
Javed Ikbal:So my approach to this is first, a policy. If you don't have a policy, you cannot give a consistent message to all the stakeholders, right? Number two, inventory. If you don't know how and where AI is being used, how can you secure that? And the third one is, how do you make sure that only approved AIs are being used? So, based on those, then there come secondary problems: how much money do we spend on AI? And are we spending money on the right AI? What if we go down the wrong way and spend a ton of money and then realize it doesn't work well?
Javed Ikbal:So we needed a governance group, not just to set the policy and decide how things will be done, but also to sort of act as gates to approve projects.
Javed Ikbal:So it's a cross-functional group: security, privacy, legal, IT, business. Everyone is involved, and it's almost like an architecture group at that high level that approves. We settled on Azure AI, and GCP/Gemini for one project only, with specific guarantees that our data will not be used, a walled garden, and it will be ephemeral. Bright Horizons has the top 10 US banks as our clients, most of Wall Street and all the large insurance companies as our clients. This is relevant because all of these companies have been fined for biases in their algorithms, not necessarily AI, but even before AI became mainstream, how they set insurance rates or interest rates for mortgages based on some factors that were found to be biased. So these clients are extremely, extremely sensitive. So, even though we are not doing anything regulated, they do not want to be tainted that one of their vendors did something that introduced bias, and get slammed by their regulators for it.
Joshua Crumbaugh:I mean it makes sense.
Javed Ikbal:Yeah, absolutely. So we took that very seriously and we translated that to our AI posture. So we said we will not do any automated decision making. There will be a human in the loop. There will be a conscious design to ensure that those data are not used to train even our AI. Forget Azure's AI. If we write something, our own LLM will not use client data to train it. So some guiding principles, just to do things right.
Javed Ikbal:The other thing we did is we blocked all unapproved AI. So we use our gateway to block the categories. We use Microsoft Copilot as our approved gen AI chatbot system. So Microsoft allows the corporate version of the AI to be mandatory if you send certain headers through your web browser. So, using our secure gateway, we block ChatGPT, Gemini, et cetera, and the block message says go to Copilot. When people do that, we send that header with it, which ensures that this is bound within our tenant. So it's a corporate environment with our own safeguards. After 30 questions, it erases everything. People are unhappy. They say, hey, I did all that work and I needed that question that I asked yesterday, and I'm sorry, this is ephemeral, this will go away, and if you want something critical, save that question in a Word document that you can refer back to later.
Joshua Crumbaugh:That makes perfect sense. You know, one of the things that I've been seeing a lot of I haven't heard any stories about it yet, but I know it's only a matter of time are all of these companies creating their own internal LLMs? I like what you said about we're not even going to use our data to train it, because that's what I see is them pouring their data into these LLMs, and yet we still don't have a good way of enforcing role-based access. And so you know, to me, one of the things I see as a big threat is that junior level employee that now has access to board level data that they shouldn't, because we pump too much data into our AI. So I think it's only a matter of time before we see some of those types of things coming out. Well, hey, I really appreciate it.
Joshua Crumbaugh:We are at, or almost at, time here. Before we go, though, I always like to ask my guests, you know, throughout your career, you've had countless experiences and opportunities, and so what are the top three lessons that you've learned throughout your career that, you know, to any aspiring CISO, or even just a new CISO, you think would really help them along the way?
Javed Ikbal:So I guess one of the aspirational goals for CISOs is to have independence and report to the board, because that's where there are meaningful changes to be made. So someone gave me this advice a long time ago: three, four, five. At most, you will get three slides, no more than four bullets per slide, in five minutes. Whatever you have to say, say it in five minutes. Then questions can take an unlimited amount of time. But if your presentation to the board is taking five minutes, it's too long. So that oversimplifies it, because it says nothing about the content and the tone that you should set, but I thought that was very useful.
Javed Ikbal:I sort of touched on the other thing. If you want to be an effective CISO, you have to have the ability to say no. Do not think that your job is to always say yes. You will get in trouble. I say this from seeing real-life examples all around me. And the third thing is that this is just a job. Leave enough time for friends and families and hobbies, and do not drown in this. This is where insanity starts, when you are obsessively threat hunting, etc. There will be ups and downs in your career, but, with a smile, there will always be a tomorrow.
Joshua Crumbaugh:I like it. That's great advice. Well, hey, Javed, if you can stick with me just a bit longer. For everyone viewing, thank you for watching another episode of Phishing for Answers. We'll actually be back later today with another episode. Have a great day.