Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
Aaron Revell on Cybersecurity Leadership, Growth Mindset, and Building Security-Aware Cultures
35 Plays2 months ago
In this Infoversity episode, Aaron Revell, Information Security Officer and IT Operations Director at Cynosure, reflects on his path from Syracuse iSchool student to cybersecurity leader. He shares lessons on balancing growth with risk, fostering a security-aware workplace, mentoring teams, and why curiosity and a growth mindset fuel lasting success in tech.
Recommended
Transcript
Introduction to Infoversity Podcast
00:00:01
Speaker
a
00:00:09
Speaker
Hello and welcome to another episode of Infoversity. My name is Jeff Hemsley and I'm coming to you from the School of Information Studies at Syracuse University.
Meet Aaron Revel, Information Security Officer
00:00:18
Speaker
Our guest today is Aaron Revel, Information Security Officer and Director of it Operations at Sinosure, which is a limited liability corporation.
Career Journey in Cybersecurity
00:00:28
Speaker
A 1996 graduate of the iSchool at Syracuse University, Aaron has built a career at the intersection of technology operations and cybersecurity leadership. At SinoSure, he oversees enterprise-wide information security and IT operations programs, guiding both leadership and technical teams to embed cybersecurity into every layer of business.
00:00:50
Speaker
From ensuring regulatory compliance and data protection to leading digital transformation initiatives, Aaron's work is all about balancing innovation with protection.
Passion for Security-Aware Culture
00:01:01
Speaker
Aaron is passionate about cultivating a security-aware culture, helping organizations not only defend against today's threats, but also prepare for tomorrow's challenges with agility and resilience.
00:01:13
Speaker
I met Aaron a couple months ago in Boston at an alumni event, and I'm really delighted that he came out to spend some time with us. It was great to meet you, actually. it was It was great to have you come out to Boston. I know you you probably don't be able to get out of, you're not able to get out of the the campus area very much. it's It's even better to be back on campus. This has been really eye-opening and a bit fulfilling and refreshing to to see how everything has changed and how everything has kind of stayed the same.
00:01:40
Speaker
Yeah, so what's the biggest change that you can think of?
Reflections on Syracuse University Experience
00:01:43
Speaker
the Well, the food's better. the the the The campus layout is is really very similar. the The school itself, the way that the iSchool specifically has has changed...
00:01:56
Speaker
ah is is awe-inspiring. It was really, really impressive to see how we had gone from being a part of a building somewhere else to our own facility with our own our own conference rooms and our own teaching, rather than using a kind of a shared teaching environment.
00:02:14
Speaker
It feels, i don't want to say um more professional, but I would say when I was here, it didn't quite have the same, that same level of of professionalism formality.
00:02:28
Speaker
It was kind of, but we were kind of in a growth mode, I believe at the time we were kind of feeling out where we wanted to go as a school. I think that's probably true for the iSchools as a whole. Back in the 90s, they were still kind of figuring themselves out.
00:02:44
Speaker
And the iSchools themselves is still a relatively new movement, starting just kind of in the early 2000s when the iSchool Caucus was first put together.
00:02:55
Speaker
So let me ask you a question about... about the start of your career. When you look back at the start of your career, was there a particular moment or experience that set you on the path toward technology and security leadership?
00:03:08
Speaker
there's i I think I mentioned when we when we met a little while ago, I i kind of fell into IST. I kind of fell into the iSchool. what I know Syracuse was going to be my My main choice, this is where I wanted to go to school, but I was selected as a student for IST.
00:03:27
Speaker
Never really was on my radar in high school. went After maybe a year, year and a half of taking a few of the introductory classes, I just fell in love with it. I really wanted to to pursue the remainder of this career and and kind of go on with it.
00:03:42
Speaker
ah Post-graduation, I had been a teaching assistant at Syracuse for a little bit and in the IST arena, and I wanted to continue teaching a little bit. So I taught for a couple of certification companies ah just as I got out, wound up traveling around the United States while I was doing this, and gained a lot of certifications. Now, to answer your question as far as kind of where I kind of turned the corner,
00:04:09
Speaker
It became very easy to learn those certifications. In some cases, people have a really hard time advancing their career after they get to a certain point. um It was very, very easy to pick up new things and just pivot wherever I needed to pivot.
00:04:27
Speaker
I wound up being one of the top instructors and decided to put my money where my mouth is and start providing leadership within the corporate world. Do you attribute that ability to pivot quickly in technology to things that you learned at the high school? Absolutely.
00:04:42
Speaker
So the if I had i majored in something like engineering or science or computer science or something that was a really focused area, I don't think that I necessarily wouldn't have been able to pivot.
00:04:55
Speaker
But looking at information science itself, looking at the the whole of information and how it's being utilized really helped me see the tools that I was learning as just tools. They were just a way of getting the information to the right people at the right time.
00:05:12
Speaker
Yeah, I actually hear that story from a lot of alumni, that but one of the things that the iSchool prepares people for is to is to ah be agile with the current and and evolving technology.
Focus on Healthcare and Security
00:05:25
Speaker
100%.
00:05:25
Speaker
hundred percent So you've held a lot of leadership roles at Fallon Health, Care Access Research, and now Sinosure, um each tied to healthcare and technology in different ways.
00:05:37
Speaker
So what motivated you to focus your career in this space, and what continues to inspire you about working at the intersection of health and security? Everybody needs healthcare. care um To a certain point, yes, there's an altruistic part of it where there's, you know, my heart wants to help move, advance the public good. I want to serve the public.
00:05:57
Speaker
ah But at the same time, there's also some decent money in it. There's, I'm not going to lie. They, they tend to pay fairly well. ah There's a certain set of rules that you have to follow with healthcare care that I think in other industries you won't necessarily find.
00:06:12
Speaker
And even where I am right now, Sinusure, and now that we've merged Sinusure, Lutronic, it's a medical device manufacturer. If you came to my office and and you looked at the rest of the building, it looks like more of a manufacturing facility. I like to tell people I had to learn how to ah lasers are made in order to get the job.
00:06:32
Speaker
um but So it's more of a manufacturing facility, but the data that we're getting and the information that we're getting from these devices as they're being used in different clinics all has to get digested. It's all being used to improve people's lives.
Balancing Growth and Security in Business
00:06:45
Speaker
It all centers around helping people. Yeah, that actually sounds really rewarding. it It is. It is. It's rewarding and it really helps power through some of the, um when when you get stuck in a rut, sometimes you have little frustrations that can come up.
00:07:00
Speaker
Focusing on that why really, really helps you get through. Yeah, I totally agree with that. So what does it mean to balance growth and agility with cybersecurity and risk management?
00:07:11
Speaker
And why is that balance so critical in today's digital landscape? This is something that I think gets missed in the security field quite a bit. You have a lot of security practitioners who know exactly what they need to know in order to exploit a vulnerability, for example, to hack their way into a website, to to pull somebody's identity information.
00:07:33
Speaker
um There's others who know ah how to grow a company, how to generate revenue. Bridging those two, that's really what information security and and in information technology is there for. Our job is to not make sure that we are protecting the data and keeping it sealed behind closed doors.
00:07:53
Speaker
It's to make sure it's getting to the right people at the right time. So when we're talking about information security and in any type of a business environment, you have to be cognizant of the growth potential that this information can have.
00:08:07
Speaker
You have to be cognizant of the fact that the company might need to change direction um as as a whole. Security itself might need to change direction. There have been plenty of times where I've said yes and I wanted to say no.
00:08:19
Speaker
There are times that I had to say no and it generated a lot of friction within the organization, especially at the at the upper echelon where you're having to explain to a chief sales officer or a chief financial officer, we cannot do this because...
00:08:34
Speaker
They don't like the word cannot. Instead, what you have to to do is rephrase as, if we're going in this direction, these are the guardrails we're going to need to put in place to make sure that we're not breaking any rules and we're not putting ourselves on the wrong track or on a on a course we're going to get in trouble.
00:08:52
Speaker
Yeah. You know, I haven't really thought too much before about how balancing security and access can be such an issue for you guys and being able to to to designate what the needed guardrails are seems key.
00:09:10
Speaker
So your career has spanned it operations, security, and executive leadership. What ties all those experiences together for you? I'm just going to say it. I'm a glutton for punishment.
00:09:22
Speaker
ah They are all three areas carry their, their own strengths and weaknesses. The thing that ties them all together is people. And it's a different element than ah when I was referring to kind of the public health space.
00:09:35
Speaker
In this case, the people is helping the company itself, helping the people within the company grow. I, to me, The best positions I have had have been leadership positions. I love working in security. I love working with technology.
00:09:49
Speaker
I am over the moon when I'm working with people. I absolutely enjoy that to to no end. If I can help somebody grow and expand their career path, if I can help somebody um look at information with a completely different lens and take a different perspective on on ah a problem that they've been trying to tackle,
00:10:11
Speaker
um and teach them a different way of thinking, that really rewards me. For the security side and from the technology side, you have you can't know one really without knowing how it's going to influence the other.
00:10:25
Speaker
you You have to merge those two. um I like to say that the the people that know how and what will will always have a job. That to me is the the technology and the security practitioners. so The people who know why are going to be the leaders. They're the ones that are going to be able to to pull it all together and say, here's how we can use this within these guardrails to deliver the best solution.
00:10:51
Speaker
Weren't we just talking not too long ago about technology? about the people aspect yes in business and how a lot of today's graduates are really going to need to focus on how they can work with other people.
00:11:03
Speaker
Yeah, that's a good conversation. Yeah. And so something you're talking about there makes me think a lot about mentorship and being in a role where you can sort of take people up through the ranks and through possibilities.
00:11:15
Speaker
That is something that I have done throughout my career. Yeah. So how did your high school experience prepare you for the challenges of the real world? And how do you still draw on what you learned here?
00:11:26
Speaker
There are a couple of things that happened. um One of the, I think little bit of a ah funny anecdotal story that I want to pull into this. When I was here in 92 to 96, now just to date things a little bit, 96 was five years before Wikipedia came out.
00:11:42
Speaker
So this is this is way predating a lot of the information technology we have right now. I was involved in kind of a pilot program that was pre-predating being co-run among but ah several different universities using a product called c u c Me.
00:11:58
Speaker
See you, see me was a a weird way of using the internet to send video live of somebody's face to somebody else. And students from Cornell and Stanford were talking to people in Syracuse and Michigan.
00:12:15
Speaker
And it obviously that turned into things and evolved into zoom and teams and some of the technology everybody's using today. Now this is back in again, 1994, 95 is when we were piloting that program.
00:12:27
Speaker
The second part of it was um I did a ah research project. i was able to participate in a research project for Dr. Ruth Small and when she was here. And the focus there was on distance learning and the viability of distance learning, what kind of technology would need to to be used there.
00:12:45
Speaker
And a lot of it didn't really catch fire until it's several years later. And then COVID happened and both exploded. And it was really interesting to kind of see the results of that. So when video conferencing first came out, you have everybody that's looking at themselves in the camera. They're trying to figure themselves out. don't where look. What am I? I'm looking at my own face. I'm not looking at the people that I'm supposed to be talking to or looking at the camera.
00:13:08
Speaker
Then you have people that have been in front of a camera before or they understand how video conferencing works. And For me, I was already miles ahead. I had already dealt with that. This was second nature.
00:13:20
Speaker
um So the anecdotal story that turned into a long story there. As far as how the iSchool prepared me, the flexibility in my career.
00:13:32
Speaker
was the, I think, I know it's kind of vague. It may not be the very specific answer you wanted, but that is absolutely probably the biggest benefit that I got from the iSchool that I could, could take my career in myriad directions. It didn't, I didn't feel stuck.
00:13:50
Speaker
You know, what you're talking about makes me think about, so I'm just kind of passionate
Adapting to New Technologies
00:13:54
Speaker
about technology, right? Like I've subscribed to technology today, different magazines that talk about technology.
00:14:00
Speaker
And, um And it's just kind of always been there. So i I always get kind of a foreshadowing of what's to come. Is that kind of in your experience too?
00:14:11
Speaker
It is. It is. You can see certain things, certain patterns as as things evolve. I think we were talking a little while ago about ah the cloud and AI and some similarities about the implementation of both.
00:14:24
Speaker
it's It's funny to me to think about Where I was 90s and early 2000s, you could put me in an empty server room and just tell me to build it. I could build an environment right there for you, rack all the equipment, set up the servers, get everything working, speak with the people that were working for the company, present how this is going to work.
00:14:47
Speaker
Then the cloud came out and I knew nothing. knew. ah Everything, all my knowledge kind of dipped and and I had to kind of relearn the the IT world. AI is coming out and I think a lot of people are probably feeling the same thing.
00:15:01
Speaker
um But like I think I said in the in the beginning, the ability to learn and pivot quickly, um that that skill that gained from I gained from the iSchool really allows for a really quick tempo in terms of picking that new information up.
00:15:18
Speaker
um I can now confidently say that I know a little bit about the cloud. It's a big topic. It is. there's When the cloud started forming, it I couldn't tell if it was a storm or if it was going to be a wonderful day.
00:15:31
Speaker
Yeah. So you're what we call a lifelong learner, somebody who's just willing to put your head in the game absolutely and pick up new things, and especially in the field of technology. So you've talked about building security-aware culture.
Building a Security-Aware Culture at Sinosure
00:15:46
Speaker
Can you give us a glimpse into what that looks like in practice at Sinosure? there There are similarities and differences with the way that Sinosure does things and the way that other organizations. In a lot of places, you'll see things that are like phishing tests that they'll send to their employees where the IT department... What's that? We do that. Yes. I think everybody's seen them and a lot of people... I think everybody's been a victim, myself included, where you click on it and you go...
00:16:14
Speaker
ah We just so you know, we don't keep a wall of shame. there' Nobody's tracking who who clicked and who didn't. Well, not physically anyways. ah the that That's one element that everybody's going to be talking about. what Where I like to take the security aware term and and kind of turn it a little bit is not only can the the employees that are clicking on those phishing tests, for example, learn i maybe a different way to behave,
00:16:43
Speaker
The technology team, the IT t team, the security team, and and and even the organization in general can now learn what they need to do better. I like to say that the phishing tests don't teach the employees as much as they teach IT.
00:16:58
Speaker
I now need to know. what other guardrails we can put up in front, what our tech works, technology we've, you know, in which we've invested is is failing to meet the grade and where we need to impress people there.
00:17:11
Speaker
Another part of the security where culture is, is we need to bridge gaps. I think the security team has been operating in a silo just as a, as a part of how they operate. um And some of this has to do with, with leadership and some of it just has to do with the nature of the beast.
00:17:28
Speaker
But I like to bridge gaps very quickly. I came into Sign Assure and within the first two or three weeks, I think I had spoken to every director in every department. um As the information security officer, that's not something that I think is done very frequently. i don't think you'll see that in a lot of places.
00:17:46
Speaker
But I was looking for what pain points people were encountering. what are you When you think about you know security at this organization, what's what's a pain point? What kind of obstacles can I address for you?
00:17:56
Speaker
um It tells me two things. One, if they tell me there's a pain point, maybe there's a better, more user-friendly way to to put it in place. Maybe there's something that's going to work better for, again, the people that are making the money for the company.
00:18:10
Speaker
It also tells me something else. If they never mention something as a problem, it doesn't necessarily mean that we're doing it well. So maybe I need to take a look at the the the points that did not come up and see maybe we can bolster this aspect of security. Maybe we can we can beef up this castle wall, if you will, and and add a little more protection without necessarily causing an impact to productivity.
00:18:35
Speaker
Yeah, so I hear you talking about the technology, but I also hear you talking about the people. Yes. And the way the organization operates, which is definitely a cultural kind of a perspective.
00:18:47
Speaker
100%. A lot of people will say the people are the last line of defense. I don't like seeing it that way. I see them as a part of the defense. I think that it sounds like it's splitting hairs, but I don't think it is.
00:19:00
Speaker
They're just another part of your castle wall. Yeah. So I imagine you have training ah setups and things that you do for employees to make sure that they We do. We do. And and I try to again, there you can find trainings that are 45 minutes long.
00:19:15
Speaker
No CEO is going to sit through a 45-minute presentation on security. yeah So what you do instead is you tier it um and you you tailor that training program to what people are going to need. I also do live webinars with some of the employees and walk through, okay, there's this new breach that's going out that involves Salesforce.
00:19:35
Speaker
Those of you that are using Salesforce, you probably want to know about this. Here's how they're being exploited. It's a live interactive way of talking about something that is very real and very um very much something they need to keep at the front of their mind that day and going forward.
00:19:52
Speaker
Yeah. So for students who want to pursue a career in cybersecurity or IT t leadership, What skills or mindsets should they focus on developing right now while they're at
Mindset and Policy-Making in Cybersecurity Education
00:20:04
Speaker
the I school? I talked about this a little bit in a presentation I gave last night.
00:20:09
Speaker
um There's a ah way of thinking called a growth mindset. If you are going to be in security, i think regardless of what career you're going to take on, a growth mindset is going to serve you very well.
00:20:23
Speaker
But you can always tell the leaders that don't necessarily have a growth mindset. They're very fixed in the way that they think. They're very rigid. There's a lot of can't, a lot of negativity in the way that they operate.
00:20:35
Speaker
Growth mindset will take criticism willingly and use it as an opportunity to advance. um The other thing that I like to point out is even in security, why is extremely important.
00:20:48
Speaker
If you're going to come back and tell somebody we can't do this or we need to put in this policy that will that will restrict something in some way, you need to be able to explain why. If you're writing a policy, a formal policy for the organization and you're going to ask the CEO to sign off on it, you better be able to explain why a policy needs to exist. If you can't justify it, it ain't going to sell.
00:21:10
Speaker
That's a great answer. You know, what it makes me think of is our students and picking up a growth mindset and why some of our alumni feel that way probably is because when I interact with our faculty, most of them seem to have that kind of growth mindset.
00:21:26
Speaker
So maybe they're just modeling that for our students in a way that's worked out really well for our alumni. It's a wonderful thing. And I, I wish it wasn't termed a soft skill because I think it downplays the importance.
00:21:39
Speaker
it's It's vital. Yeah. I totally agree with that. Okay. If our listeners take away one message about cybersecurity and leadership from you, what do you hope it is?
Advice for Aspiring Cybersecurity Leaders
00:21:49
Speaker
keep at it. That is the the smallest way I can put this. I could talk for hours on this topic, but keep at it. This field um will be at once exhilarating and exhausting for you.
00:22:04
Speaker
You will have days that you are giddy to get up and go to work. You cannot wait. And there will be days that you don't want to get out of bed. You don't want to deal with whatever meeting is on your your calendar.
00:22:16
Speaker
um You know that there's an incident that's happened that you need to tackle. Right now, my team is tackling one as i as we speak. It happens. It's part of the game. You need to look at it not even as a marathon. You need to look at it as almost an endless marathon. You need to keep at it.
00:22:34
Speaker
Never stop learning. IT needs to be a couple steps ahead of the business in order to better enable them. Security needs to be a couple steps ahead of IT t in order to make sure that the guardrails are there before the road's built.
00:22:47
Speaker
and And the leaders need to be ahead of all of that and keep on top of it. And it it will it will get tiring, but it is so rewarding. I very much appreciate you coming and talking to us. It was great.