Name: Juan Morales
Organization: Anywhere Real Estate
Job title: VP and Chief Information Security Officer
Start date of current role: October 2020
Location: New York
Juan Morales is a cybersecurity and information technology professional with over 20 years of industry experience and proven success leading a wide range of initiatives while participating in the planning, design and implementation of technological and information security solutions. As Vice President, CISO, Morales leads Anywhere Real Estate’s global information security program, including SOC, incident response, forensics and eDiscovery, vulnerability management, privacy and regulatory compliance, data governance, product security, information risk management, and user education and training. Morales is also an adjunct professor at Sacred Heart University, teaching graduate-level cybersecurity management courses.
What was your first job? I think I was about 11 years old. It was in a small grocery store in town. I pestered the owner for about 2 months to give me any kind of work. He finally gave in and I did everything from taking out the trash, working the deli slicer, to stocking the shelves.
How did you get involved in cybersecurity? My technical career started in information technology as a consultant doing technical support type work. I landed a job at the Bank of Montreal where I spent 13 years in various technical roles of increasing scope and responsibility. In the latter part of my time at the bank, I wanted to learn more about security controls and frameworks. I joined a local information security chapter to learn as much as I could from the field, and eventually transitioned into an in-house opportunity as a corporate information security manager. I never looked back.
What was your education like? Do you have certifications? What are they? I first attended the Chubb Institute where I received a certificate in computer technical support. Several years later, I completed my Bachelor of Science in Information Technology 100% online at the University of Phoenix. This was at a time when online learning was unheard of and not taken very seriously. (Who would have ever thought that the world would end up drifting away to learn?)
Finally, I earned a Master of Science in Cyber Security from Fordham University. I also hold CISSP, CCSP, ISSMP and CEH certifications.
Explain your professional background. Did you take any detours? If so, discuss. After high school, I never thought about a career in technology; I didn’t get my first computer until the last year of high school, so you could say I was self-taught. What really interested me at the time was the culinary arts; however, a family member went to technical school and was doing great things with technology, which made me more interested in the field. Looking back, I realized I was faced with two paths and chose the technological path. I have been on this path ever since.
Has anyone inspired or mentored you in your career? One of my first managers, Wing Chan. I learned many of my managerial qualities by reflecting on his leadership style. More importantly, he taught me to be transparent, open-minded and humble.
What do you think is the most important aspect of your job? Along with the fundamental risk management responsibility that comes with the role, the most important aspect for me is ensuring that I can provide the tools and resources needed to keep my teams performing at their highest potential – to foster their professional development and identify opportunities and challenges that will keep them engaged. Ultimately, their satisfaction and contributions will result in gains for the organization.
What indicators or KPIs do you use to measure security effectiveness? We are rethinking how we measure the effectiveness of our program. While we performed 3rd party evaluations measuring our maturity to control executives, to me, that doesn’t tell the whole story. The metrics and KPIs we develop will help us measure return on investment against our security spend, allocate appropriate resources, identify opportunities for improvement, and provide assurance that the program is performing well.
Is the security skills shortage affecting your organization? What roles or skills do you find most difficult to fill? We were lucky not to have been affected by the skills shortage. Our workforce remains unchanged and we continue to operate successfully with the current group.
Cybersecurity is constantly evolving – how do you keep learning? It is certainly difficult. Along with the millions of things competing for my limited time, I’m working hard to find a way to stay up to date. I commit to reading at least one article a day on the latest security developments. I also listen to safety podcasts as much as I can… while cutting the grass or running on the treadmill. I try to hang on as much as possible.
What conferences are on your must-see list? Black Hat/Defcon. Black Hat for the commercial aspect and the opportunity to visit current and new potential suppliers. Now is the perfect time to watch the latest and greatest as they all converge in one place. Defcon is a must for in-depth technical discussions and atmosphere. Everyone in security should experience Defcon at least once.
What is the current top trend in cybersecurity? The worst? Better? The continued increase in automation and orchestration. The speed at which attacks are happening these days requires a quick machine response to meet the challenge. Automation is a big improvement to our current and processed toolsets. It should never be seen as a substitute for the human analyst, but certainly as a force multiplier.
The worst trend is the ongoing plague of ransomware and its impact on all kinds of organizations. Attackers continue to be creative. The days of a simple locker ransomware are long gone. We must be prepared to respond to incidents of extortion, and now double extortion.
What’s the best career advice you’ve ever received? Accept failure as a lesson learned. It’s good to fail, but it’s not good not to learn from the experience. Also, really accept stepping out of your comfort zone to grow.
What advice would you give to aspiring security managers? Don’t let perfection get in the way of progress. Seize opportunities to try new ideas and methods, but have a plan to fail quickly and pivot. Be bold! You will never know what you are capable of if you don’t try.
Spend time building relationships. Building your network is just as important as honing your technical skills. You’ll never know when you’ll need to call on your network to help validate an idea or help establish the next connection.
What has been your greatest professional achievement? Gaining enough experience to be able to give back to the community. I felt like I finally achieved that goal when I was an adjunct professor teaching graduate courses on managing cybersecurity programs. Being able to share more than 20 years of experience has allowed me to reflect on how far I’ve come, what I’ve been able to accomplish and what remains ahead of me.
Looking back with 20/20 hindsight, what would you have done differently? I don’t know if I would change anything. I’m lucky for the success I’ve had, the connections I’ve made, and the experiences along the way that have helped me get to where I am today. The only thing I would have done differently is to set aside more time to tinker, head down on the keyboard, trying/testing new tools, techniques, methods.
What is your favorite quote? “It is better to be alone than to be in bad company” – George Washington.
What are you reading right now? Think Again by Adam Grant.
In my spare time, I like… Exercising, hiking, playing guitar, spending time with my wife and kids.
Most people don’t know that I… Played in a group, playing ice hockey; that I am a triathlete and a volunteer firefighter.
Ask me to do anything except… Working in retail… I could never work in retail.