Malike Bouaoud is Shift’s Chief Information Security Officer. He plays a key role in developing security measures through governance and assurance protocols when it comes to preventing data breaches, phishing, malware, and protecting Shift information assets. We sat down with Malike to hear what brought him to Shift and some of the ways he has seen security policies and processes evolve in the last couple of years.
Tell us a bit about your background, and what brought you to Shift?
Since my early childhood I have always been passionate about computers. And for the past 23 years, I have been working in the information security industry. Early in the 80s, my parents bought my siblings and I a computer as they saw it as a tool to support our school education activities. I started to read the programming instructions that came with the computer and eventually started to create video games with my brothers. Interestingly, one of the video games that we developed had its IP stolen by a now well-known games industry player.
The end of the 90s saw the IT world booming with the push toward internet technologies and the famous Y2K bug. This allowed me to seize opportunities to grow in the professional world through several important positions with multinational companies. In one such role I led the creation of my company’s first independent information security department reporting directly to the CEO and Board with proper 4-eyes principles applied.
I developed my career across various geographies, thanks to early connections in the early times of Cyber Security, and I was once contacted to help develop a national CERT and related activities in the middle-east, which was a tremendous experience that led me to become the national cyber security advisor to a Minister of ICT.
Once the Shift recruiters reached out to me, the company’s mission immediately resonated with me. Shift was a dynamic, young, and encouraging startup, which was appealing to me for multiple reasons. First, I loved the diversity and the engagement from the leaders of the company. For my particular focus of my job, I knew there would be a lot to develop, bringing back some memories of my early career as a builder of a function while working with some existing infrastructure, policies and procedures. I was impressed overall by the teams’ commitment and achievement and when I met them and management, I immediately felt the passion, commitment, and enthusiasm from Shift’s employees.
What are some of the ways you have seen security policies and processes evolve in the last couple of years?When I began my career, most IT systems were comprised of fixed infrastructure deployed on premise. In that environment, information security - from how it is conducted to the policies and procedures that govern it - looks very different to that of today's highly connected, and many times interconnected world.
The mainstream adoption of cloud computing and "as-a-service" IT has forced us to rethink how we fortify our computing resources and how we demonstrate to others - customers, employees, partners, and regulators - that we take information security seriously and that we have taken the most stringent data and systems protection efforts possible.
Naturally, data protection and information security are top priorities at Shift. That's one of the reasons we're proud of the security certifications we've earned (link to the security pages on the web site) and why we continue to learn and understand how security implications impact emerging technologies, such as generative AI, so we and our customers can take full advantage of their benefits.
From a security perspective, how can organizations best prepare for the adoption of generative AI and ensure they do not create new attack surfaces?I think the first thing we need to do is recognize that generative AI is a category represented by a number of different products, solutions and approaches. Taking that into consideration, the level of disruption we can expect from generative AI tools will largely depend on the use cases and our ability to harness these technologies.
For example, tools like ChatGPT aim to simplify users’ lives by automating various work activities, which is highly beneficial. However, the platform collects significant user information to enrich its back-end operations and improve future service offerings. This double-edged sword requires users to think carefully about the nature of the data they provide and how it is handled. For enterprises, that may require security teams to develop processes and procedures that restrict the use of these tools, ensure employees do not share sensitive information - including company secrets, or avoid inputting code, especially if it contains credentials or intellectual property.
One major concern lies in the risk associated with using these technologies, particularly regarding data management and the lack of certainty and transparency surrounding their handling. For instance, if we consider platforms like ChatGPT, it can be difficult to ascertain the exact processing and storage mechanism of prompts/conversations, but it is known that they are stored on their servers.
For enterprises, including insurers, looking at how a controlled version of Generative AI can positively impact the business, some of these considerations can be mitigated. What do I mean by that? For example, making generative AI part of your technology stack gives IT and security professionals significantly greater control over how the technology is accessed and used by employees. Today some cloud service providers offer generative AI applications/services that can be deployed securely in a controlled manner. Is it a stand-alone tool, or is embedded in another solution with access and security controls already built in? As important, enterprise IT organizations have significantly greater control over the data being used by these technologies. This relates to not only can they control what data is being used to generate a response, but also how and where the results are stored.
My Shift Technology colleague Marc Jones does a fantastic job addressing this topic and others in a blog post he authored recently. It’s a good read and I’d definitely recommend checking it out!
What does Decisions Made Better mean to you, and why is it important?Decisions Made Better involves understanding the specific context of the organization and ensuring the efficiency required for effective decision-making. Essentially, it's about orchestrating all our processes within the organization and aligning different business units and functions towards a common goal. We strive to optimize these processes to achieve maximum efficiency in various aspects. This approach translates into our corporate processes, where improved decision-making plays a crucial role. It also extends to our products, as we aim to provide the best solutions and deliver exceptional products to our customers. Achieving this requires coordinated efforts from everyone involved, including ensuring security, building infrastructure, implementing processes, and having a strong sales and customer success management team. Each individual has a key role to play in this collective endeavor, as we are stronger together.