Alexander Antukh is an award-winning cybersecurity leader with 15 years of experience in various companies, from tech unicorns and consultancies to some of the largest financial organizations in the world. He successfully completed his Executive MBA cum laude and actively supports various non-profit organizations that promote education and equality. On a personal level, Alex loves brewing tea, playing chess, and having conversations around philosophical topics. He currently holds the position of Chief Information Security Officer at AboitizPower.
Recently, in an exclusive interview with Digital First Magazine, Alexander shared his professional trajectory, his favorite aspect of his current role, the best piece of advice he has ever received, future plans, pearls of wisdom, and much more. The following excerpts are taken from the interview.
Hi Alexander. Can you please tell us about your background and areas of expertise?
Hi there! I’m Alex, currently serving as a Chief Information Security Officer (CISO) at AboitizPower, the largest energy company in the Philippines. My journey began in 2009 as an intern malware analyst at Kaspersky. Since then I have worked in such fields of cybersecurity as malware analysis, vulnerability research, ethical hacking, and application security, before moving to security governance. In 2021, I founded Cyber Hermes, an Estonian consultancy with a mission to help small and medium businesses build their first cyber programs and serve as a trusted cyber advisor, helping them navigate the complex landscape of digital risks.
What part of your current role do you enjoy the most?
Making the impact. In hindsight, this explains why I was moving towards higher levels of abstraction, as it helped me to see the broader perspective of corporate governance, and how cyber efforts fit there. By understanding business context and working with peers from other verticals as well as the Board of Directors, we are able to come up with a tailored strategy to manage our digital risks while being closely aligned with business objectives.
According to you, what will cyber security look like in the next 5 years?
While it is hard to accurately predict anything that might happen in five years in such uncertain times, I think that we will see further regulatory developments related to breach disclosures, cyber-physical systems, artificial intelligence, and collective defense. It is not unreasonable to imagine stricter controls for supply chains as they increasingly become targets. Furthermore, there is certain optimism about the broader use of AI for security, potentially allowing us to tilt the scale of the Defender’s Dilemma in our favor. Finally, I think there will be more awareness of cybersecurity in the boardrooms, which will allow for better protection and resilience overall.
What are some of the challenges with cybersecurity and risk assessment right now that you see no one is talking about?
Difficult question. I see there is no shortage of discussions about the many challenges, but sometimes what’s missing are real solutions that can be applied today, especially at companies outside of the Fortune 500. Furthermore, it is often assumed that it is somehow possible to “fix cybersecurity” without addressing foundational issues related to areas such as general corporate governance, IT, Risk, Legal, Compliance, PR, HR, and more. I believe it is understood that the nature of cyber risk is systemic. That implies that the solutions must be systemic too, and if we accept that premise, we return to square one where cybersecurity’s success is a direct responsibility of the CEO and the Boards.
What are the top skills, both technical and soft skills, that are greatly needed as a cybersecurity professional in the current digital landscape?
The term “cybersecurity professional” encompasses a wide range of roles, each demanding its own set of skills. Nevertheless, if I’m to outline some of the common skills of the many talented individuals I’ve met during my career, I’d place curiosity and humbleness in the broad sense at the top of my list. Without enjoying the process of continuous learning and accepting that we cannot know everything, it seems impossible to develop a good understanding of this complex field and stay on top of the evolving digital landscape. Ideally, cybersecurity professionals should also have a few hobbies and interests outside of the field, as this helps to develop systems thinking, see the interconnectedness of the world more clearly, and bring fresh ideas “from the outside.” And of course, don’t forget communication skills!
How do you think we can attract more young people to this field?
Cybersecurity is a fascinating but not necessarily well-understood field, and as such the primary motivation to enter it is often financial stability. While compensation is an important factor, I’d argue that we need to show the intrinsic value of being in the field more clearly – in other words, to make it interesting in the first place. There are successful examples of organizing school Capture-The-Flag (CTF) events, engaging people in open-source community projects, running mentoring programs to show different aspects of cybersecurity, and even assisting public entities in hunting threat actors. The diversity of choice should also be noted, as not all roles must be focused just on technology. Finally, as cyber attacks become more prevalent and disruptive, there is an important ethical aspect of becoming a cybersecurity professional. In my view, developing a strong message based on the above and promoting it across both public and private sectors will ensure succession of the next generation of experts.
What has been your most career-defining moment that you are proud of?
Disassembling a virus that had infected my father’s desktop computer, which I used for games. This triggered my interest in the field of malware analysis and led me to my first job as an intern.
In your academic or work career, were there any mentors who have helped you grow along the way? What’s the best piece of advice you have ever received?
I’ve had a number of great examples throughout my career of how to be effective in my role–and sometimes, how not to be. One piece of impactful advice I received was while working at Goldman Sachs, where the then-CISO told me about the importance of storytelling, offering vivid examples of how to engage an executive audience. I also learned a lot from leaders who deeply cared about their team and embodied the principle “it’s not all about you.”
What are your passions outside of work?
I have loved brewing and drinking tea using gongfu style for many years, and at some point, I decided to get more serious about it and to become a certified tea sommelier. Apart from this, although philosophy has never been my major, I’ve grown to appreciate it over time. The more I read the works of past and contemporary philosophers, the more this field fascinates me.
Where do you see yourself in the next 5 years?
This question is even harder to answer than the one about what cyber will look like in the next five years. I find beauty in the flow of life and its inherent uncertainty, and I consider it equally possible for me to remain in my current role or to find myself in Uruguay, embracing a new passion for tango and mate.
What advice do you have for anyone who is in a CISO role?
You are not your job.