Sodexo's CISO left academia to "make the elephants dance" at the French firm's service vouchers and cards division. Paul Fisher reports.
Abdellah Cherkaoui hopes he is not the only Moroccan CISO I will meet, but he is certainly the first. The Knights Bar at Simpson's in the Strand makes an unusual setting for a discussion about information security. This shabby-genteel 19th-century venue does not even have up-to-date sockets, as our photographer found out when trying to plug in his lights.
It does, however, have a website on which it boasts about some famous past visitors, including Vincent van Gogh, Charles Dickens, Sherlock Holmes, George Bernard Shaw, Benjamin Disraeli and William Gladstone, some of whom may have actually visited. Although probably not Sherlock Holmes.
But this must surely be the first time that a Moroccan-born, deep-sea-diving chief information security officer has visited the establishment. Cherkaoui works for the service vouchers and cards division of Sodexo, one of France's largest businesses. With activities in 30 countries, the company is heavily involved in employee benefit schemes. According to Sodexo, more than 20 million beneficiaries worldwide used its service vouchers and cards to pay for everything from lunch to medicine in 2007, and the company worked with one million affiliated partners and merchants. In the UK, Sodexo has been working with the Home Office on its asylum seeker voucher scheme and has a major presence in childcare and other private employee benefit schemes.
Before joining Sodexo, Cherkaoui was something of an academic star, with applied research positions at the Universities of California and Washington. Prior to this, Cherkaoui was a project manager in the business and government sectors in Morocco. He has a PhD in marine geophysics, a Master's degree in geotechnical engineering and was awarded a NASA International Fellowship in 1987 and a Fulbright Doctoral Fellowship in 1993.
Not your usual CISO then. Hugely confident and engaging, Cherkaoui ensures that this is not going to be an interview short on words.
He believes his diverse background is something of a strength. “I very often find myself having to fall back on my experience. For example, dealing with a provider in Brazil is completely different from dealing with one in the US. It's going to be different what you expect in terms of understanding,” he says.
The move into information security was more down to chance than a planned career move, he explains. “I wanted to do something different and I heard about an opportunity at Sodexo – something about vouchers and cards. Then I discovered the group's values, the start-up environment – it appealed to me very rapidly,” he recalls.
So he gave up the geophysics and, in his words, “fun and very complex things” that included 40-day sea expeditions trawling terabytes of data from the ocean floor by dangling hugely expensive equipment over the side of a boat. But it wasn't a straight move into security.
“I started by supporting our business in Boston and then moved to a couple of other projects in India and Mexico. After a year I took charge of a project improving the security of our business operations worldwide. A year after that I essentially assumed the position permanently,” Cherkaoui explains. “And it's been three challenging years, because right after that we got compliance coming in. We did it in October 2005. And I think we were the second private European group to do that.”
So having introduced compliance, looked at the business and its existing set-up and systems, what were his objectives? “My primary goal was to simply improve the level of reliability for systems in our approaches worldwide. But I think my greatest achievement is that there is no doubt in the board of each subsidiary, as well as in the central board, that security is important. And that the reliability and quality of our services, and the competencies in the organisation of the people who are in charge of those infrastructures are key. Nobody questions it.” So he has what is still only too rare: a security-aware board.
“I don't have to justify security investment,” he says. “We do not impose, but if we think the investments are needed to secure our business, which is what it's about, then the board will not question it. We have a strong voice.”
It sounds ideal, and many in his position would beg to have a similar level of rapport, but I suggest his bosses must need to see a suitable return on investment from their much-travelled CISO and his department.
“Here is what is surprising,” Cherkaoui says in a softer tone. “In fact, I often tell them they are overinvesting or investing in the wrong area, or not the area of highest risk. I ask the board how much appetite they have for risk. We take the decisions together – it is very consensual.”
So what would his advice be to those who do not have such enlightened boards and have to fight to get their message across?
His answer makes perfect sense, yet too many infosec professionals still fail to grasp this basic lesson: “What makes this position is that you need to bring value to the business and, therefore, you need to understand the business. But in many companies the board sets the objectives and then asks IT and security to react to that. We make changes in the organisation so that we work together well and we're responsible as a team,” he says. “We need to understand the business, but we have to teach the business as well. Learn to present to the board in a non-technical manner, make it business-oriented with objectives for the next two years – here are the priorities and here are the risks we're going to be facing by doing them.”
Technology and hardware, it seems, are not the most important items on the list. Nor does Cherkaoui have much time for some of the vendors, who, he says, need to break the habit of expecting customers to implement one-shop solutions. What matters, he believes, is how much a solution costs to maintain and how complex it will be to manage in 30 different countries. “Am I just going to be patching holes and making things a lot more complicated to use?” he adds.
So what else is required of the modern, global CISO? How much of an entrepreneur do they need to have in their DNA these days? “A techie is just not going to cut it,” he says, matter-of-factly. “You need to be able to talk to the business and the outside world as well as talk to the engineer,” he points out. “The business knows the world is changing. As an example, Sodexo is now managing the financial flow with vouchers and cards, which is a benefit that our clients can give to their employees. We don't have the power of the banks, but we're managing a pretty decent amount of money. The business wants to be the leading outsourcer of social benefits, so how do we do that? The challenge is 30 countries doing their own thing, some very competent, some not at all,” he continues.
It's significant that throughout the conversation, Cherkaoui refers to the business Sodexo is in and its particular challenges rather than just the security challenges he and his department face. He can talk business with the best of them, proving that he is one CISO who can talk up the business need with real understanding. Take this assessment of Sodexo's recent results:
“The group has just posted the best quarter results, and our results are still up. Essentially we're meeting our growth objectives. One of the strategic objectives of the group is to improve our margins, so our profitability can still be improved. On the vouchers and card activity, because of our fixed-cost infrastructures, we are seeing our profitability shooting up with the increase of our volumes. The company as a whole is showing a pretty stable and strong financial model.”
Given these business challenges and accepting that Cherkaoui is right about the business need and the importance of being able to adapt approaches, it is true that you have to be more holistic. But you still need kit, you still need technology. And that means dealing with the vendor community. What's the Cherkaoui approach?
“I used to be a perfectionist. I had to become a pragmatic perfectionist,” he says, cutely, before adding that he tends to take a softly-softly approach. “We go one step at a time, do a pilot, and see how it works. Let's see the return and then let's move forward. But we can innovate in-house, so when it comes to vendors, we're going to go with proven solutions and not reinvent the wheel. It comes back to ‘how do you make the elephant dance?’,” he says, throwing in one of his favourite phrases.
When not making that elephant dance, he says the most pleasure he gets from his job is when users thank him for making their lives easier. “One thing that really satisfied me was when I took an IT project under my umbrella two years ago to share financial systems for five of our largest subsidiaries in the US,” he recalls. “Well, we did that. We cut the costs, but we actually really focused on improving the reliability by putting our eggs in the same basket. Yet at the same time we got credibility for this project. We worked really hard.”
Like other French global businesses, Sodexo is on the acquisition trail, and Cherkaoui is very much on board, as his challenge is to integrate these new units. “We're spending a lot of effort integrating those businesses in terms of processes and IT systems. It's a difficult job, because you have time constraints and you have systems that don't talk to each other. You have solutions that are different. But although we are acquiring businesses that are completely different, I think we're also going to have a lot of opportunities,” he explains.
“What I'm looking forward to is kind of taking over that part around setting up new structures to support and integrate those businesses together, which might be linking IT business and maybe security as well. It will be pretty challenging.”
He is confident, however, that the newly centralised security structures he has put in place can now be rolled out globally across the group, including any new acquisitions. “What we have created is an organisation that is working together with IT and security and a committee that's allowing essentially all the decisions to be taken in one place and then spread to each of the other areas very efficiently. And that has a lot to do with the past two years,” he says.