A conversation with Andres Andreu, senior vice president and chief information security officer at 2U, Inc., an online learning platform for universities and organizations. This is one of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment. Find out more here.
Prior to serving as CISO at 2U, Inc., Andres Andreu spent a decade as IT director of the Drug Enforcement Administration’s New York Division. Outside of the public sector, Andreu was a company partner and global chief application architect at Ogilvy & Mather, and has consulted for high-profile organizations. He was a founding member and chief technology officer of cybersecurity product at Bayshore Networks, which was acquired by Opswat in 2021. Andreu is the author of “Professional Pen Testing for Web Applications.”
What makes a successful security leader?
If I had to sum it up in one word: balance. Let me explain. When you're in leadership in this type of role, you're kind of a bridge between two separate worlds. You have to manage the technical — the cybersecurity rank-and-file — but you also have to interact with the business folks, or at the C-suite, the board of directors. Those are two polar opposites in many ways. You have to operate in both — on both ends of that bridge — and you have to be able to do it successfully. I’ve met CISO peers that come from the business world exclusively, and they could never earn the real deep respect of the technical rank and file because they just can't speak their language. Then you have people like myself that come up the technical ranks and you have to learn the verbiage and the modus operandi of the business folks and learn how to play in that space, as well. And so that balance, to me, is critical. You need to be able to put one hat on right now, get off this meeting, go to a technical meeting, put that hat on, and be successful in both worlds. And I think finding that balance has been, for me at least, very critical in terms of my career.
What are some of the external priorities and internal priorities that leaders should be focusing on?
Externally? It really depends. For example, if you're a publicly traded company, the SEC has a lot of say in your external focus. For instance, they have new rules on the table that they're going to vote on soon. And if they vote for those rules, for example, the reporting mechanism and the timelines for reporting that get placed on public companies like ours are very different than what exists today. If you're a publicly traded company, you need to keep tabs on that, because if that does come through, it means a lot of changes on our end. You know, externally, also from a compliance perspective, if you have to get ISO certified or SOC 2 assessed and all of those type of compliance type framework exercises I don't consider those internal, those are external elements that you need to keep tabs on, as well, because they can get very time consuming. If you've ever been through one of those processes, you understand that they could hurt, they could get painful. Beyond that, there's the obvious focus on always making sure the customer is satisfied because we're selling something right, always making sure the customer is satisfied and building this, at least from my perspective, building the safest environment for our customers — in our case, students. My ultimate objective is to create and maintain the safest platform possible for our students to learn.
What are some of the security features students are looking for in platforms?
If we're the custodians of their data — it comes down to that: protecting their data. Making sure there's no data exfiltration events within our organization, making sure there's no data leakage that takes place. These sound like they're trivial to accomplish, but if your ecosystem is complex enough, they're not trivial at all. And so I see it from that perspective. I see it really at a data level: I have to protect my students’ data. When you're dealing with 60 million-plus students, it could be an interesting exercise.
How can cyber leaders work with corporate peers to win buy-in from C-suites and boards of directors?
I am a stickler for honesty and transparency. I think the minute you start fudging anything — numbers, metrics — it's just a bad day, you're going down a bad road. Even if the news I'm giving you is horrible, I'm going to give it to you as factually as I can — no emotion, I just stick to the facts. So I think that transparency is A-No. 1, and within that, the honesty part comes to play, as well. I think it's important to be able to tell stories. People generally understand stories. So if I come to you with a bunch of dry facts — dry numbers, metrics — to try to paint a risk picture, that's a very different exercise of me coming and telling you the story of what could happen in the event of X and treating it as a more organic process where that human relation is totally possible — it's not a mathematical exercise. I don't believe in leading with FUD: fear, uncertainty and doubt. I think that worked 15 years ago, and I come from the government where that worked … because in the government people were taught, you know, whatever the top says, that's what you do. In the real world out here, it's not like that, and so I learned to let go of that FUD when I left the government some years back. … I hate to use that cliche term, but you start to really become more of an enabler in terms of things happening securely, because our job is, ultimately, security. I don't ever lose sight of that. So my job is not to facilitate you doing something silly — my job is to facilitate you doing it as securely as possible. … If you can take all those with you when you go to deal with the C-suite, when you deal with the board, you start to gain a strong level of trust between them and yourself.
What kinds of non-technical training do security leaders need to be successful in leading global enterprises?
I think learning that type of communication … if you came up the technical ranks — it's not natural for us. … It's not natural for me to go explain risk. I mean, how do you explain risk to somebody who doesn't even think in terms of risk? And then there's the emotional aspect, which is where it gets really interesting. … because you can explain risk, again with some metrics — mathematically, almost — and you can explain risk in terms of the potential negative impact for the organization. But then how do you correlate the emotional part of that equation? Let me give you an example. Let's say I come and I say I've identified an area of risk — I need a little bit of budget to address that risk. Typical business leaders don't care about the risk. They look at how much it's going to cost, and they estimate how much we could lose if that risk gets acted on. … Fast forward, they'll say, “No, it's not worth the expense.” Fast forward a month — there's a problem based on that exact risk. All of a sudden, the emotional response now is you get whatever you need — fix the problem. Then you kind of sit there chuckling, you know, we could have avoided this if you gave me what I needed two months ago. And so weaving that into the story is an art. It's not a science — it's an art. And so this is where human interaction starts to become really important. You have to understand how to speak to humans. … I mentor some individuals, and I tell them all the time: “Every chance you get, go speak publicly.” Even if it's as a panelist, because being a panelist is actually tougher than being a speaker … that's very different when you sit on a panel and the questions are organic and the conversation’s organic — you can't prepare for that. … I speak on panels every time I get invited, assuming I can fit it into my schedule, and the reason why is because it keeps me sharp, it keeps me honest … but it keeps me out of my comfort zone. In other words, if you like to sit here quietly and just work at your keyboard, that's your comfort zone. Now suddenly you're in front of an audience of hundreds of people … stepping out of that comfort zone — that's the type of non-tech training that, to me, is important. … In this industry, if you don't know your stuff, it'll be very obvious to the audience. So this forces you to know your stuff … to really focus what you say and make sure that there's technical accuracy to what you say.
Why did you join the Cybersecurity Collaborative?
I really enjoy the different perspectives that come to the table when I interact with my peers. I think that really leads to power, but not in a negative way. It empowers you to make decisions based on, oh, you know, I remember Person X had this different perspective on the same topic, right? You can't know everything in this field. It is impossible. It's just too wide in breadth and it's too deep in depth. So if you ever think that you know it all, you're done. So that learning has to be continuous. And, you know, you get to a certain stage that learning comes from your interaction with peers. And so, for instance, even when we go to one of the dinner sessions that these organizations have — a dinner conversation, which is casual, can lead to some insightful points that you walk away with.
What has been valuable to you with your membership in the Cybersecurity Collaborative?
I'd say the bi-directional relationships. If I can add value to somebody, awesome. And if I need their help, they're there. And I've made some really good relationships, especially in this organization. But since I don't work, for example, I don't work down here in North Carolina. Like I told you, my job's in New York — my professional contacts are mostly in New York. But I'm in the Raleigh area with the Cybersecurity Collaborative, so I've now made local contacts here, which is really cool because I don't work here. And so it's funny because perspectives change based on areas. Let me explain. For example, New York has a finance-centric mindset. San Francisco has an entrepreneurial-centric mindset. Right? You look at RTP down here in North Carolina, it's more of a really engineering type mindset and that molds your perspective in terms of securing things. And so I love dealing with the different perspectives. Like when I'm in New York, they think one way; when I'm down here, they think differently. And I think all those relationships, all those perspectives coming together is just super cool.
