Andre Shori is the Regional Chief Information Security Officer at Schneider Electric, where he is responsible for leading, animating and implementing the IT and OT cybersecurity programs for the Asia Pacific region. Andre brings over 30 years of cyber experience, a SANS Technology Institute Master of Science in Information Security Management, and 18 major cybersecurity certifications.
As Regional CISO for Schneider Electric, Andre’s mission is to continuously advance and mature the cybersecurity posture for his regional ecosystem of customers, partners and employees. Andre adopts an approach of being constantly risk-informed while implementing defence in depth to ensure that cyber risks to Schneider Electric’s IT and OT systems are deterred, detected, and defused to the maximum extent possible. Andre also serves as an Executive Board Member of the (ISC)² Singapore Chapter and Vice President of the Association of Information Security Professionals (AiSP), where he strives to advance the cybersecurity profession through a network of cross-border partnerships with other professional associations.
Recently, in an exclusive interview with Digital First Magazine, Andre shared his professional trajectory, insights on the future of cybersecurity, the best piece of advice he has ever received, future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Hi Andre. Can you please tell us about your background and areas of expertise?
I am the Chief Information Security Officer of the Asia Pacific Region. I’m based in Singapore and responsible for Schneider Electric’s Information Technology (IT) and Operational Technology (OT) cybersecurity programs’ maturity and posture across India, North and South East Asia, Australia, and New Zealand. My Cybersecurity journey began, like many others, in IT (back when my discipline didn’t exist yet) but quickly reoriented to Cybersecurity, culminating in a wealth of amazing expertise and experience in both IT and OT Security (with a healthy sprinkling of physical security and product security thrown in).
What part of your current role do you enjoy the most?
I enjoy working with a team of experts worldwide, across cultures and time zones, to design, continually improve, and implement an ever-evolving cybersecurity program capable of defending our enterprise safely and securely.
According to you, what will cyber security look like in the next 5 years?
By nature, cybersecurity leaders have to be able to sail on rough waters to face an unpredictable threat landscape, and this will be confirmed even more in the future. However, I remain optimistic that the evolution of groundbreaking improvements in Artificial Intelligence and quantum encryption will enable greater security (as opposed to deteriorating our ability to defend ourselves).
What are some of the challenges with cybersecurity and risk assessment right now that you see no one is talking about?
There are still many misconceptions surrounding OT technology. Still, I see the awareness topic maturing quickly, with a more aligned view on the nature and associated challenges by public and private enterprises. Close cooperation between these two sectors is the path to increased maturity.
What are the top skills, both technical and soft skills, that are greatly needed as a cybersecurity professional in the current digital landscape?
I feel there needs to be a better understanding of the challenges and rewards (beyond just remuneration) to ensure that people considering exploring careers in Cybersecurity understand what’s required of them. Regardless of all the tools and technology, a fundamental understanding of the basic philosophy is mandatory to understand the likelihood and impact in a risk-managed conversation.
How do you think we can attract more young people to this field?
In a post-Covid world, HR studies and opinion polls on the job market show that Millennials and Gen Z aspire to give meaning to what they do. In cyber, when you mitigate the risks for your company, it benefits society as a whole, making your work immensely meaningful. Also, most companies still don’t have a clear career path for cybersecurity practitioners, so there’s little appeal. Sure, there’s high demand today, but you have to show your people the opportunities of tomorrow, too.
In your academic or work career, were there any mentors who have helped you grow along the way? What’s the best piece of advice you have ever received?
Continuously pursue your passions. If you’re passionate about art, pursue it. If you love cars, find a career in the automotive industry. Your passions will give you the energy to continue spending hours on the topic without it feeling like drudgery.
Throughout your career, you have been a recipient of prestigious awards such as the Tech Talent Builder Award and recognition as one of the top ten CISOs in APAC to name a few. Our readers would love to know the secret mantra behind your success.
There’s no secret mantra: I have a lifelong passion for technology and security. The right motivation gives me the energy and focus to ultimately make a real difference in maturing the cybersecurity posture of society, the company I work for, and my loved ones.
What are your passions outside of work?
Outside of work, I engage as much as possible with ISC2 and AiSP, two active cybersecurity professional organizations in Singapore. I’m personally motivated to help create a collective cybersecurity ecosystem of trust whereby knowledge-sharing communications channels and trustworthy intelligence are much easier to share. A good test of this is when a company gets breached. Do all the other companies react by improving their defences with a copy of the attacker’s IOCs, or do we all just cut ties with one another whenever there’s a problem?
My other passion is Star Wars. I’ve always loved that series, especially the original trilogy. I’ve taken up participating in charity costuming events with the 501st and Rebel Legions in Singapore and love seeing the smiles on the public’s faces when they meet characters from the movie.
Where do you see yourself in the next 5 years?
I’d love to be in a more prominent strategic leadership position leading a global OT/IT cybersecurity program, where the focus would be maturing an organization’s defences to better protect its staff, production, brand, and image.
What advice do you have for anyone who is in a CISO role?
Hang in there! It’s a demanding role with tons of responsibilities, but ultimately, as a CISO, you’re positioned to set the course for your organization’s cybersecurity program and to trust your team to steer the ship properly. You cannot do it all; you must have a team of trusted individuals that you can rely on to handle the day-to-day operations, allowing you to focus on tomorrow’s challenges.
In addition, Cybersecurity isn’t a blame game. You are there to help your organization manage its cyber risks, not be the scapegoat for when something inevitably goes wrong. You must help your stakeholders understand that there is no perfect security, and mistakes will happen, but you will learn from them. It’s also helpful for stakeholders to understand that without an effective CISO, the impact of every breach would be infinitely worse. Finally, as many of my fellow practitioners often say, focus on doing the right thing rather than just doing things right.