Q&A with Alex Manea, Chief Security Officer, BlackBerry
Alex Manea has worked with the Waterloo, Ont.-based company for 11 years now, first as a product manager within its security division, and more recently as director of security, then chief security officer. Canadian Security recently spoke with Manea about the transition and how he works with customers to cater to their security requirements.
Canadian Security: What is your role in BlackBerry?
Alex Manea: When I joined BlackBerry, I was very much focused on the product management side of things — working with high-end customers like the U.S. government, like major U.S. corporations, to understand their security needs. And so over time, my role has evolved into more of an executive level role where now I look over all of BlackBerry’s security strategy and make sure that we’re staying one step ahead of where the market is going and where the hackers are.
CS: Who looks after the security of the physical infrastructure?
AM: Mike Webber looks after the internal security of BlackBerry. His title is CIO. The CIO is responsible for protecting BlackBerry as a corporation from external hacks and the CSO is responsible for protecting BlackBerry customers… The majority of the physical security falls under the CIO organization.
CS: What is your relationship with customers?
AM: Really, the big thing I try to understand is, what do customers need and what are they looking for when it comes to security? Different customers obviously have different levels of security needs. When I travel down to Wall Street, for instance, you’re going to get a certain set of security requirements. They’re going to be different than government security requirements [or] individual security requirements that are much more focused on privacy. Every single customer set and every single customer base has different security requirements. My job is to understand all of those requirements and try to figure out how we translate those into product requirements and give customers what they really need. At the same time, we also start running into the “innovator’s dilemma” where customers won’t always know what they need or won’t always tell you what they need. A lot of my work involves working with external entities like security researchers and hackers and understanding what are they looking at, not just in terms of products but in terms of the industry as a whole and what are the key trends that we need to be aware of if we want to stay ahead of the game.
CS: Serving so many different industries, each of which has different challenges, how do you stay ahead?
AM: It’s always a challenge. Really, the big thing that we look at is, what are the common factors across all of the different regulatory bodies and are common across all of the different markets. If you look at, for instance, a market like Europe, there’s a lot of talk about GDPR (General Data Protection Regulation), but the reality is [with] GDPR, a lot of the requirements are basic security principles, and basic security know-how. We can take a lot of the stuff that we do for GDPR and apply it to the North American market and the Asian markets as well. Where there are specific requirements for specific markets, we have to start evaluating those and see how we meet those requirements without stepping on the toes of other countries or other regions of the world.
CS: How much of that is poured back into the R&D of future products?
AM: Pretty much 100 per cent of it. It’s important to understand that when it comes to security development, there tends to be a long lead time with getting all the requirements into the products. A lot of what I focus on is not, what are the requirements today but what are the requirements two, three, five years down the road? Those are the types of timelines that we’re looking at for R&D, especially if the requirements require a fundamental re-architecture of a specific product or a specific solution. A lot of what we do is about looking to where the market is going and focusing there rather than necessarily focusing on the specific requirements of today.
CS: How is your role evolving over time?
AM: What I see about my role is it’s becoming much more strategic. If you look at where CSOs and CISOs were five to 10 years ago, it was very much tactical, very much reactionary: “Oh my God, we’ve been hacked! What do we do now?” That was very much the mindset of CSOs. These days it’s becoming a lot more proactive and much more [about] not “How do we recover from this fire?” it’s “How do we prevent forest fires?” To me, that’s the right approach that every CSO should be taking — being more proactive and figuring out how you build a strong platform that’s less vulnerable to hacking rather than focusing on what happens once you’ve been hacked.