Aaron Ansari, the virtual CISO for Exela Pharma Sciences, has an impressive background in global management and security solution development. His expertise extends to risk management, both in cybersecurity and mental fortitude, as evidenced by his most recent Ironman completion in 2022. Hear Aaron’s take on the importance of proactive planning and why he says your organization may not have as much control as you think.
Aaron Ansari: It's not for everyone, but like for you to go through and do, you know, your personal sort of summit that's there, that's, that's huge.
Megan Garza: After I finished, he was like, what do you think? And I'm like, I am never
Megan Garza: doing that
Aaron Ansari: That question. No, no, not until you finish.
Megan Garza: Welcome to Speed Data, quick conversations with cybersecurity leaders. I'm your host, Megan Garza. I'm excited to welcome Aaron Ansari, the virtual CISO for Exela Pharma Sciences. Welcome, Aaron.
Aaron Ansari: Hi. Nice to be here.
Megan Garza: Aaron is a tenured information security executive with practical business experience and a background in global management and security solution development. His skill set includes information security, risk management, network administration, and programming, and he is proficient in standards and regulations such as HIPAA, [00:01:00] PCI DSS, NIST, and HITRUST. In his free time, the Ohio State University graduate enjoys volunteering, partnering with organizations such as Girls in Tech and the OWASP Foundation, and competing in Ironman challenges. Wow, that is quite impressive. Aaron, what made you want to and how did you get started in cloud security?
Aaron Ansari: Yeah, you know, I sort of saw the trend of migration from on prem to cloud starting back in 2006.
Aaron Ansari: I was in a chief architect capacity at a financial services firm, BMW Group Financial Services, and we were looking at evaluating, you know, moving and migrating some of our applications to have high availability and those sorts of things to the cloud.
Aaron Ansari: And, you know, at the time, you know, back in 06, 07, 08, talking about putting your bank account online and like, you know, all those sorts of things. People, they'd laugh you out of the room sort of [00:02:00] thing. Not exactly, but partially,
Megan Garza: Yeah.
Aaron Ansari: uh, but the point being, you know, you see, you see the rise of, of public cloud providers and that sort of thing start all the way back then and obviously momentum and growth and the trends sort of continued.
Aaron Ansari: So I kept, um, I guess I'll say a career eye or professional eye on it, um, kept my certifications and, and my knowledge base, um, there. And it was, I guess back in 2019 when I really sort of dove, dove in, which doesn't seem that long ago, but, you know, we're knocking on the door of 2025 already. And, you know, um, with a company called Trend Micro.
Aaron Ansari: Dived into the, um, the cloud realm, specifically with like workload protection, CNAPP, uh, cloud security posture management, and those sorts of things.
Megan Garza: thing about your role?
Aaron Ansari: I'll flip that question around. I thought about this one a lot, and I'll say, you know, what's most needed in this role? And the answer is [00:03:00] actually not technical capabilities.
Aaron Ansari: It's not certifications or attestations. It's not understanding, you know, ISO 27001. It's empathy. And, um, working with business leaders to understand their pain points. It really requires empathy, uh, because regardless of how I view security and what I want to get done from an agenda standpoint, the founders of the business and the people that are driving the business towards growth, have a very broad and very company oriented view and it's something that I certainly have to do from a security lens of the broad company view.
Megan Garza: Yeah, and tell me a little bit about your day to day responsibilities.
Aaron Ansari: Yeah, so we have a team that's responsible for everything related to security at Exela, and this can be simple things like password resets, which we've worked on automating, um, to more complex things such as data breaches or, you know, we're getting attempts to log in from Russia [00:04:00] and we don't have any employees in Russia sort of thing.
Aaron Ansari: And so management of the day has to be planned weeks, if not, you know, a month in before. Of course, you know, little fires will come up and we have to work as firefighters. But if, if we don't, if we're not proactive in the way that we build our weeks and months, almost think of it like an application, sort of like a, a, a release cycle, uh, and planning each release, uh, we will quickly be enveloped and on our heels more than we are sort of being a little bit more proactive.
Megan Garza: You definitely don't want to be in that position where you're kind of playing catch up.
Aaron Ansari: Definitely not.
Megan Garza: From your perspective, what are the biggest differences between data security in the cloud and on prem? I know you said you kind of saw the writing on the wall with that. What are the biggest differences there?
Aaron Ansari: Um, it's very important to understand, and you know, we'll talk about this a little later, but shared responsibility. Um, when you're not the one that's, that's sort of governing or owning the infrastructure and the layer one, layer [00:05:00] two, um, physical components, um, all the way up to the, to the virtual, you know, layer seven sort of stuff.
Aaron Ansari: You have to be keen to know where your responsibility starts and where responsibility stops. But the biggest challenge there is visibility. Certainly need to have visibility when you've gone beyond an infrastructure that you're in complete, I didn't say control, but I'll say ownership of.
Megan Garza: What do you think most organizations misunderstand about cloud security?
Aaron Ansari: So that's the thing, right? That, that, the ownership versus control. Even when you're on prem and you have everything in your, your four walls, so to say, you don't have as much control as you think you have, right? You'll discover all sorts of things that are happening in your network or on your environment that you didn't know were happening.
Aaron Ansari: Um, back in the, um, 2010s, we found this twice at one of my, one of my jobs, um, somebody running a Bitcoin mining server, on our environment, in our, in our [00:06:00] four walls, right? We didn't have control over that, um, until we found out later. Um, so it's really ownership, ownership and visibility and getting that, that understanding that, you don't have control, you need the visibility to have ownership.
Megan Garza: And what are some of the biggest challenges in understanding your security posture across all platforms?
Aaron Ansari: Yeah, for sure, that visibility is key there, but also resources, um, so our team, you know, has the resources that we've been allocated. And of course, every leader wants their team to be, you know, as big and as broad as they can. But the reality is, you know, if you look at, you know, efficiency and you look at the way that, that businesses need to be able to run.
Aaron Ansari: You do have to run as optimized as possible. And that's where we use partnerships. Um, so we have, you know, partnerships such as yours, where we're getting visibility and we're getting reporting. We're getting expertise that we don't normally get on the teams and the resources that we're able to build.
Aaron Ansari: And truly relying on [00:07:00] partnerships is fundamental to being able to understand and mitigate the risks that are associated with operating in the cloud or on prem today.
Megan Garza: And in your opinion, what is the best way to defend against a cyber attack?
Aaron Ansari: Perfect segue because you have to have the, the, partnerships and the resources in place. So let's go back to my comment about making certain that you're proactive in planning, right? We have to ensure that we've got retainers in place so that when we, when we have to make the call to say, Hey, we've got an incident, it's not somebody that's like, who are you?
Aaron Ansari: We don't, we don't know who you are, and we've got 50 other people that made the same phone call before you, so take a place in line. Having those partnerships, having the visibility, having the relationships already set up is paramount, and it's my responsibility as an information security leader to ensure that the business leaders understand this, going into a budgetary cycle, going into, you know, an annual sort of evaluation phase, [00:08:00] so that when the incident happens, we're as ready as we can be.
Megan Garza: What advice do you have for other security leaders on first steps when discovering a vulnerability or exploit?
Aaron Ansari: Translating that vulnerability exploit into business language is paramount, right? If you say, hey, we're susceptible to a relay attack, you know, your, your, your
Megan Garza: Oh, is that bad? I dunno,
Aaron Ansari: Right, what if you say, you know, somebody could, could overload our processor and cause a fire in, you know, on a physical asset, that's going to be something that's completely different and received in, in a much more, um, we'll say logical way so that the business can respond to that risk appropriately.
Megan Garza: Yeah. You wanna break it down to where they understand like, okay, well what could be the consequence if we don't, uh, do anything about this? In terms of AI, that's, you know, the, the big buzzword
Megan Garza: today. How do you think AI is impacting data security? Both positively and also negatively?
Aaron Ansari: Large language models, [00:09:00] machine learning, artificial intelligence, there's a search for, you know, it's, it's kind of a solution without a problem sort of, sort of thing. Not really, but vendors, um, are, I won't say struggling, but are working to implement those in the best possible ways.
Aaron Ansari: And some things are really great. Um, like when you have an AI assistant built into a solution that helps you work through, um, creating a script or, you know, creating some sort of solution. Some things sort of miss the mark, like when you've got, you know, GPT enabled search or those sorts of things that really aren't, aren't what that solution is, is sort of meant for.
Aaron Ansari: The way that we evaluate it is to ensure that as we layer it into various services and technologies, um, it makes sense to enable in those services or those technologies.
Megan Garza: a, you know, writer and editor of aone. Um, I use Grammarly often. Um, but sometimes the changes it wants to make, I'm just like, but that's just wrong. Like, that's not correct, just so you kind of still have to watch out for the error of AI as well. [00:10:00]
Aaron Ansari: Right,
Megan Garza: If you weren't in cybersecurity, what would you be doing?
Aaron Ansari: You know, I was asked this question at a conference just a couple of weeks ago, and you know, with boards and people in the audience, my answer is like, well, of course I'd be doing cybersecurity. That's like, that's my passion. That's
Megan Garza: Yeah, I would do it for free.
Aaron Ansari: passion. Right. Right. Exactly. Yeah. It is my passion.
Aaron Ansari: Exactly. I'm a big fan. But in reality, um, so you, you know, you alluded to this at the beginning, uh, I'm involved in a couple of nonprofits, um, Girls in Tech, OWASP Foundation, um, and one dealing with, um, wildlife, uh, human wildlife conflict. How to live with wildlife.
Aaron Ansari: Um, I would be involved in helping animals and helping people all day long, all day long, as much as I could.
Megan Garza: Yeah, I, um, I volunteered with, um, Tech Girls. Are you familiar with them? We did a, um, we did a lesson on just like the basics of cybersecurity with Tech Girls that's like middle aged school girls, and that was really cool, and they were so interactive, which I expected them to just kind of be like, sitting there behind their computers, [00:11:00] with their parents looking over their shoulder, but like, they were genuinely asking really cool questions and like, chatting and asking this and that, and writing in the chat, and they really appreciated it, which I thought was so cool.
Aaron Ansari: For sure. Yeah, there's a whole generation of technologists that are growing up with things that we never had. And it's an extension of their personality in some instances, and we have to cultivate that.
Megan Garza: And I'm gonna, I'm going to kind of put you on the spot here, but, like, tell me about being an Ironman. That is so incredibly impressive.
Aaron Ansari: You know, I say this when I talk to people about it. It's one foot in front of the other or one pedal stroke. And it's cliche to say, but so much of it is mental. So much of it is mental.
Aaron Ansari: If you can mentally build the training, just like we talked about, right? Like the day of the event is, you know, if you're planning for it, 50, and we'll say 30 weeks in advance, you can, you can do it.
Aaron Ansari: And, uh, it's all about unlocking what's up here, um, to enable what's down here to, to accomplish the goal.
Megan Garza: My husband is a marathon runner. Um, and he would love to do an [00:12:00] Ironman one day. And I thought, okay, well maybe, maybe I'm missing something. Like maybe I should get into running.
Megan Garza: Maybe I should try and see what my husband loves so much about this. So I trained for a half marathon.
Aaron Ansari: Wow. Wonderful. Okay.
Megan Garza: in my entire life. And then running it back and doing it twice.
Aaron Ansari: Right. Right. But, but, but you, but you did it, right?
Megan Garza: I did, I did, but like,
Megan Garza: there's no way I could do a marathon, let alone an Ironman.
Aaron Ansari: You know, it's not for everyone, but like for you to go through and do, you know, your personal sort of summit that's there, that's, that's huge.
Megan Garza: After I finished, he was like, what do you think? You ready to do a full marathon? And I'm like, I am never
Megan Garza: doing that
Aaron Ansari: That question. No, no, not until you finish.
Megan Garza: Well,
Megan Garza: Thank you so much for your time today, Aaron. I love chatting with you and learning more about your perspective and learning more of who you are as a leader. Thank you for joining me on Speed Data today.
Aaron Ansari: It's been my pleasure. Thanks for having me.