This episode features an interview with Max Chan, Chief Information Officer at Avnet. In his role, Max is responsible for the delivery of strategic business IT and digital transformation initiatives. Prior to Avnet, Max held several IT leadership roles at publicly traded companies like VF Corporation and Johnson Controls.

In this episode, Mike and Max discuss digital enablement, fostering security from the top down, and how to talk to the board about security.

Do not play adversary with your security organization, whether or not they are part of your group. At the end of the day, truly see that as your personal accountability, looking at it through the lens of the enterprise. That will ensure success.

—Max Chan, Chief Information Officer at Avnet

Timestamps

* (02:30): Max explains what Avnet does
* (03:28): Max’s journey to becoming a CIO
* (08:11): Max’s take on security as a team sport
* (14:30): How Max is aligning teams across his organization
* (22:04): How Max talks to the board about security
* (28:51): 2030 Goggles
* (32:15): How we can get more diversity in security
* (37:34): Quick Hits

 

On this episode

Max Chan
Chief Information Officer at Avnet

Max Chan is Avnet’s chief information officer. In this role, he is responsible for all information technology (IT) areas throughout the Avnet ecosystem, including the delivery of strategic business IT and digital transformation initiatives. He oversees the resources and capabilities of the global IT team and ensures that the organization maintains a robust and optimized IT environment.

Chan joined Avnet in 2013 as vice president of IT for Avnet Technology Solutions in Asia Pacific. He led critical system implementations and enhancements, helped build Avnet’s Global Development Centers and drove process improvement initiatives in the region. In 2016, he transferred to Phoenix to take on the global application and business relationship management role and was promoted to CIO in 2019.

Prior to joining Avnet, Chan held several IT leadership roles, including chief information officer, Asia at VF Corporation, and vice president, IT Global Supply Chain, Building Efficiency at Johnson Controls.

Mike Anderson
Chief Digital & Information Officer at Netskope

Mike Anderson serves as Chief Digital and Information Officer for Netskope. Over the past 25 years, he has built and led high-performing teams across various disciplines, including sales, operations, business development, and information technology. He joined Netskope from Schneider Electric, a global fortune 500 company, serving as SVP, CIO and Digital Leader for North America. In 2020, Constellation Research named him a member of the Business Transformation 150, an elite list that recognizes the top global executives leading business transformation efforts in their organizations. The National Diversity Council also recognized him as a Top 50 CIO for diversity and inclusion in 2020 and 2021. Before Schneider Electric, Mike served as CIO for CROSSMARK, where he digitally transformed the business capabilities for the 40,000 employee service provider to the retail and consumer goods industry. Also, he has held executive leadership roles at Enterprise Mobile, a Microsoft joint venture that is now part of Honeywell, Insight, Software Spectrum, and InVerge, a web services pioneer he co-founded in 1999. Mike serves on numerous technology and industry advisory boards and volunteers his time working with nonprofits focused on mental health and suicide prevention and those that benefit the development of our future workforce in science, technology, engineering, and mathematics.

Episode transcript

Max Chan: Do not play adversary with your security organization, whether or not they are part of your group. At the end of the day, truly see that as your personal accountability and looking at it through the lens of the enterprise. That will ensure success. That will ensure the right tone from the top down through the organizations to ensure that everyone embrace that vigilance that is so needed to secure the company.

Speaker 2: Hello and welcome to Security Visionaries. You just heard from today's guest, Max Chan, chief information officer at Avnet. Securing your company and doing it successfully starts at the top. From speaking with the board to enabling employees, CIOs are personally accountable for communicating risks and solutions to folks throughout their organization. Max Chan is ensuring his company maintains a robust and secure IT environment through thoughtful communication. Before we dive into Max's interview, here's a brief word from our sponsor.

Speaker 3: The Security Visionaries podcast is powered by the team at Netskope. At Netskope, we are redefining cloud, data, and network security with a platform that provides optimized access and zero trust security for people, devices, and data anywhere they go. To learn more about how Netskope helps customers be ready for anything on their SASE journey, visit N-E-T-S-K-O-P-E.com.

Speaker 2: Without further ado, please enjoy episode 14 of Security Visionaries with Max Chan, Chief information officer at Avnet and your host, Mike Anderson.

Mike Anderson: Hello, everyone. Welcome to today's episode of Security Visionaries podcast. I'm your host, Mike Anderson, chief digital and information officer here at Netskope. Today, I'm joined by my friend and peer, Max Chan, CIO for Avnet. Max, how are you doing today?

Max Chan: Mike, doing well, really good to be talking to you here today. I say to you when you send me the invite, I don't know why I'm here, because I don't profess myself to be a security visionary in any way. So, maybe you can enlighten me throughout the conversation today.

Mike Anderson: Security is a team sport, so I'm sure we'll have a lot to talk about, and the key is hiring good people on our teams that know how to lead the security program. Before we jump into that though, just to set the background, maybe tell everyone a little bit about Avnet, because not everyone is familiar. I am obviously, because I've worked with Avnet over my career as both a customer and partner. Then, also maybe tell us about your journey to becoming a CIO.

Max Chan: Absolutely. So, Avnet is one of the largest technology solution provider specializing in supply chain solution for all technology distributions. We're actually taking care of the entire value chain of that technology solution from design to new product introductions all the way to mass productions and go to market. We work with our supplier partner as well as customers at any step of their value chains. As long as we are able to bring value to them, we can play a role in their supply chain.

Mike Anderson: That's great. Tell us a little bit about your journey to becoming a CIO. Obviously, you got a CIO 100 award earlier this summer. I got to be there with you when you received that award. So, tell us a little about that journey to becoming a CIO, and then we'll jump into some more of the security topic that you're so familiar with.

Max Chan: So interestingly, I still consider myself as a newbie at Avnet. I've only been with the company for 11 years. Avnet has been in business for a little bit more than 100 year, and many of the leadership team has been with the company for well over 20 years. When I started with Avnet, I was asked to go to Hong Kong to take on a divisional CIO role for the Asia Pacific business, did that for the first three and a half years with the company, implementing a regional template for ERP for the business there, as well as rolling out a regional instance of CRM for the business. Having done that after the first three and a half years, came back to Phoenix, Arizona to take on a global application role which evolved over time into a divisional CIO for the Americas business, before being offered the job of a global CIO about four years ago when the previous CIO, my predecessor, left the organization.

Mike Anderson: That's a great journey, definitely that international experience, definitely will play in. We'll make sure and dial into a little bit of that from a security standpoint, because I guarantee you know more about security than you lead on. Before we jump into the security specific topic, I know you got the award for CIO 100. I know it's great. You always like to talk about the great work your team is doing, maybe just one minute on the exciting projects you're working on there. Then, we'll dive into some of the security topic.

Max Chan: Just like many companies, our focus is on digital transformations. I like to just unpack a little bit more on what that means for Avnet, because digital transformations, the same two words means all kind of different things to everyone. As far as we are concerned, there are three key components to digital transformation, the first thing being digital enablement. That is the typical digital transformation that people talk about where we look at internal, external interactions. We do a digital workplace. We do look at AI, ML, as well as automations. That is where we look to create the most value to the organization, to the business, introducing frictionless transactions or interactions, machine to machines, as well as capabilities that allowed us to be better service provider to our supplier partner, as well as our customer. You continue to hear me mentioning supplier partner, because they are an important component in our entire ecosystem, right?
Avnet is in the paper business. It's all about our supplier. It's all about our customer. It's all about employee, and that's why that digital enablement strive to create that single pane of glass, single source of proof, a solid integration layer through API M, microservices allowing us to get data downstream to where it needs to go for consumption afterwards. So, that's the first pinnacle component to our digital transformations. The other two aspect which is more foundational to the digital transformation that we have is really our cloud migration and our ERP modernization. We see that as critical component to bring us to achieving the digital enablement I talk about. The idea here is really to drive modernizations, and we move all the workload into the cloud, leveraging the inherent capabilities that we can get from the cloud, as opposed to what we are doing here on premise. ERP modernizations, it is what it is, as the name suggests, a long journey, but important to our overall success.

Mike Anderson: That's great work. I definitely agree that everyone's got a different definition of what digital transformation means, and it's important to clarify in simple terms what that means for your organization. You did a great job of doing that. When I think about the transformations you're doing around the enablement and APIs and cloud modernization, the theme this year of this podcast is security as a team sport. Because, now as we think about our cloud journey, we have to make sure we have the right security posture around our cloud environments. We have to make sure that we don't have blind spots there when we enable our customers and think about APIs. The CISO is governing the policy and the program, but obviously we have to embed that into our people across not just IT, but the entire organization. So, maybe frame a little bit. How do you think about that challenge? And, how do you make sure security is in the mindset and as a team sport at Avnet?

Max Chan: I liked how you put it. Security is a team sport, right? You alluded to earlier, Mike, that the CISO and the security team essentially are defining the strategy, creating the framework, ensuring that we are actually measuring the right things so that we can improve on the right thing to secure the environment, to secure the organizations. However, the security team does not have the resources to do a lot of the downstream execution. For example, let's take a very, very simple vulnerability patching. When the security organization identify areas where we need to secure our environment through patching, we do not have a large group of security team who will be able to go to the entire environment to look at what we have and secure the environment. We need the operations team. We need the applications team to identify what are critical and to also look at potential impact of the patches that may have on the environment to go execute it.
Then, so the security team would then help to, for lack of better term, program manage, ensuring that what we say we would do has been done and reported out to the organizations and help track that. The other aspect of it is that in any sport, we typically have backup players. Working with trusted partner like Netskope and others allowed us to tap into the resources and other players as needed to augment what we may not have to complete the work on a timely basis. We all know that from a security threats perspective, every minute you waste, every day you waste is additional risk to the organizations. That is where the backup players, the partners that we have coming in to help lower that risk by providing us timely resources to do the work on time.

Mike Anderson: We definitely appreciate that partnership. When I think about the role there, as we look across our group, obviously cybersecurity, we see Gartner Research, and you see any poll from any analyst firm. Security is, if not number one, number two on every agenda, because it does represent, as you said, that risk. We always think about what's the enterprise risk, just like supply chain. How do we take risk out of our supply chain with supplier diversity?

Max Chan: Well, with people at Avnet who knows how you can actually do a pin to pin replacement, allowing you to have more diversified groups you may not have access to directly. But, I'm sorry, that's just a plug for ourselves.

Mike Anderson: No, hey, that's great. I love it. The plugs are great. It's also great. I know you've always been a big proponent of putting forward the great work that your company and teams are doing, and that's great. That all goes to the team sport too, because our job a lot of times is to make the team around us better. When you think about other CIOs, what counsel would you give to them around when they're thinking about, if it was a first time CIO moving into the role, what recommendation would you give them around security?

Max Chan: Before I answer that question, I think I'm fortunate to have security under my scope or area of responsibility. Many of you who are listening out there may disagree with me that our security has to be independent. I get it. I do not disagree with that. However, based on what our organization needs look like, I'm really fortunate to have security under my area of responsibility. Whether you have security reporting to you or not as a CIO, you need to take personal accountability for the organization to the organizations from a security standpoint. At the end of the day, it all comes back to securing the environment, ensuring that we have the right processes, the right people, the right technology stack. And, you talk about team sport, Mike, earlier. The collaborations that is needed not just between IT and security, but IT security and the entire business to truly be successful in securing your environment.
So, do not play adversary with your security organization whether or not they are part of your group. At the end of the day, truly see that as your personal accountability and looking at it through the lens of the enterprise. That will ensure success. That will ensure the right tone from the top down through the organizations to ensure that everyone embrace that vigilance that is so needed to secure the company. Mike talked about the need to hire the right people. That is very true. How can you have the right security leader, the CISO, so to speak? How can you ensure that you have the right strategy and structure to support the organizations? And, what is your support organizations required to be able to keep the company abreast when it comes to potential threats and risk to the company? So, that team that you are going to build either within your organizations or as a separate organization is really key for your success, as well as the entire enterprise success.

Mike Anderson: No, I couldn't agree more and you just touched on a lot of why it's so important to work cross-functionally across the organization. As we talk about that topic specifically, let's go there for a minute. I heard someone say before, when the CISO sneezes, the person that often gets a cold is the head of infrastructure, because you went back to your patching point. They're the ones that have the hands and feet on the ground to go actually deploy those patches and do that work. Both of those are obviously going to be direct reports to yourself. How do you help drive that partnership between those two organizations to align priorities? Because, that misalignment obviously, as we know, is when you have different teams with different priorities. It often causes friction in the organization. What are you doing to drive that alignment across those teams to make sure that they do have that close partnership?

Max Chan: I think it starts with the tone on the top. The way that I do it is that out of my four strategic priorities for the IT organizations, one of them is security. I ensure that every single team within the IT organizations, be IT application, be it business relationship, be it infrastructure, et cetera, they have security and compliance as one of their performance objective, as one of their goals. Everyone plays a role in ensuring success in keeping cyber threat at bay. That at the top is very important.
The other thing really is to drive that collaboration at the senior leadership level. The security leader and the application leader and the infrastructure leader, networking leader have to all be at the table at the same time, looking at what is key to success as far as the organization is concerned, one of them being security. With the heightened awareness of security in the industry around the world today, especially in the last few years, business are getting more aware of the need of security. In fact, we have had partners looking to renew their partnership with Avnet, wanting to better understand what we do from a security standpoint in order to ensure that we protect ourselves as well as them when we have that close partnership in the business. All those things really drive that common understanding, common sense of importance and awareness when it comes to the need to embed security in everything we do.

Mike Anderson: No, I can't agree more. You touched on that need. On the supply chain side, we always say if you're building a product, and a component can't be shipped because that person gets compromised or gets hit with ransomware, that can have a crippling effect on your downstream supply chain from that. When you think about security, that should be part of that conversation with your chief supply chain officers and organizations to make sure if you're going to single source a commodity product or raw material, make sure that you've got security front and center in that conversation.
Because, if you sole source, and that person gets compromised, it can have ripple effects and create risk in revenue generation, which is obviously one of the risks that we care a lot about. You touched on the business becoming more aware of security. Obviously, a lot of times, I heard someone a couple weeks ago say the security organization's job is to block bits, and the infrastructure team's job is to move bits. Obviously, there's friction there, but also as you think about, people just can't go anywhere, do anything. We've got to improve the hygiene of our people inside of our organization. You did that for your direct reporting structure around that security objective. What are your peers doing across the organization to make sure security is front and center as they think about their organizations?

Max Chan: That is something that we started, a program that we started probably about four years ago when I took on the role of a CIO and have security reporting into me. One of the key things that we recognized is that people probably the first line of defense as far as security is concerned. So, since then, we have diligently been rolling out series of campaign, awareness campaign, et cetera, all level of the organization, starting with the board and to the C-suite and all the way down through the organizations. We look at creating awareness around phishing, smishing, malware, and the different channels that it's coming from, how it's evolving, and really picking on some real life example that we have seen and replaying it back to the employee to create awareness.
I'm really, really glad to see how that has improved the resiliencies over time across the organizations. Because, when we first started it, we also introduced a simulation program where we wanted to take a baseline on how aware people are when it comes to security and how easily they can potentially get tricked into clicking the wrong link or plugging in a USB device intentionally, unintentionally, not knowing what might be within that. Maybe we have gone too far in creating so much awareness across the organizations. Our human firewall becomes so strong that they either over report to the security, the SOC, the security operation center, everything that they see as suspicious, or they start picking up and writing and educating each other on, okay, you should not be sending this email, because you have a spelling mistake here. You have an incorrect address there and a typo here.
That was fun to watch, but that was also a great feeling to know that our message has gotten across through the organizations. But, back to my earlier point, tone at the top is so critical, getting that buy-in from the C-suite, having them, the regional presidents, the BU presidents, the functional leaders all speaking the same language. We have the security leader on town hall every now and then to remind people on some of the things that is happening and how easily that they can be tricked, right? The other side benefit of this is that we also are able to avoid scam. It may not be necessarily cybersecurity, but scam is also one of the potential outcome of people leveraging technology to try to get you to open your purse string. Having done this allowed us to reduce the number of scam that we see as also a benefit through the organizations.

Mike Anderson: No, absolutely. It's interesting. This last week, there was an article that was posted where there's impersonations now. I don't know if you saw this on LinkedIn where people are impersonating CISOs on LinkedIn. There's this whole concept of deep fakes and faking who someone is. It's constantly an evolving threat. All the threats are evolving every day in different ways. That's just an example of one of the newest ones.

Max Chan: Yeah, I was smiling when I saw that, because you and I know that people have been leveraging LinkedIn to create fake profile to scam someone to potentially use it as a channel to deploy malware, or whatever it is, the latest being impersonating CISO. It was quite interesting. I remember I keep bugging LinkedIn and sending it up to them about, hey, I can recognize this being a fake profile long before the AI was able to recognize and take that profile down. So, one of my favorite pastime, actually.

Mike Anderson: That's great. Well, that takes team sports a whole level. It's making the ecosystem around us even better. I want to go back and touch on, you talked about the board before. When you work in collaboration with your CISO, and obviously you've got a great CISO, I've spent time with him as well. How was the conversation track with your board? How do you talk about security when it comes to the board of directors? And, how has your CISO helped? You've got to obviously get out of the tech speak a lot of times when you talk to your board about security. Talk to me a little about that interaction.

Max Chan: If you know how to work with the board, it actually boils down to three things that they want to know on any topic, especially security. Number one is why are you telling me this, right? Why are you telling the board this particular thing, be it a scam, be phishing, be it what's happening in Ukraine, et cetera, right? Why are we telling them this? Number two, how is it impacting Avnet as a company? What are the potential risks or threats that we may be facing from the things that we are telling them? And, last, but not the least is what are we doing about it? With these three things, they can then have a good sense of, okay, is this something that they need to lose sleep about, or if Avnet, the management has a good handle of it.
The CISO essentially help to prioritize and look at all those things that is happening out there and what are most critical to Avnet as an organization. Obviously, the other thing that we bring to the board, my CISO would then be telling them about, okay, what are the critical indicators that we are tracking for them to know and get the sense that we are doing well, we are doing okay, or we are struggling? That is how we partner to communicate and collaborate with the board. If there are concerns, then we would then be reaching out to the board to get potential advice or guidance. But, that's how we collaborate to work with them.

Mike Anderson: That's great. Then, one of the questions I often get, and so I'm going to throw you a little bit of a curve ball question here, I would imagine your CEO and your board ask the question, how do we know we're doing enough when it comes to this topic? How do you answer that question?

Max Chan: I always go by we don't, because security threat or cybersecurity threats evolve every day. I know that within the environment that we have, within all the things that we do today, we are at least addressing over 75, 80, 85% of what we know. However, there is this additional 25% that is always evolving that may come up tomorrow, the day after, next week, that we need to always keep ourself abreast on. So, we try what we know. We're always on the lookout for what we may not know.
That is when sometimes you have to listen to the board as well, because many of the board members sit on other boards. Sometimes they're like, "Hey, I heard about this from the other company, the other board that I'm on. What are we doing about it?" If those are things that are completely new to us, then okay, we'll take it back. We'll come back with our finding the next time on either, yes, we are covered, or that is irrelevant to us because of this, this, and this. Or, no, we didn't have that on our radar, but we are now tracking this. So, always coming back with an action plan to closure, but there is no 100% these days, because there's always this lingering 25% that we never know what's out there tomorrow.

Mike Anderson: No, I 100% agree. I heard this. It was at one of the Gartner IT symposiums here recently. I had the opportunity to go to attend the one in Australia. They were talking about this concept of protection level agreements. It all comes down to how much are you willing to spend relative to how tight you want a control to be? Because, you can't ever get it to 100%, because there is no dollar amount you can write for that. But, what is your appetite for risk? It's based on how much you want to invest around the control and making sure your board understands what that investment is so that when it comes down to if something happens, and it's not a failure of the control as long as you meet the control. It could just be we all agreed that this was the investment we were looking to make around that. That's the-

Max Chan: No, that is an excellent point, right? People are leveraging ISO 27001. People are looking at NIST CFS. Whatever you do, be very aware and cognizant to what is your appetite of risk, what exactly the company is willing to sacrifice or the company is able to absorb. From there, carve out a program that makes sense to you, not all the financial institutions or healthcare or whatever that requires the highest standard of maturity when it comes to security, et cetera. But, based on that, and Mike, you brought up a great point, that alignment with the board, the alignment with the C-suite is so critical to ensure that we have the right expectations, and we have the right scorecard to manage the success from that outcome.

Mike Anderson: Absolutely, always. You made a great point there too, which is not all organizations are created equal. A lot of times, if you do have a board member that sits on the board of a bank or a healthcare organization, but then they're on your board as a manufacturer or someone in supply chain or distribution, the dynamics are different. The risk posture is different when I'm dealing there. Because, from a manufacturing side, it's I want to be able to continue to ship product. So, disrupting my supply chain and ability to generate revenue is the biggest risk. Whereas if I'm a bank, the data and a data breach and having information get out about your people, your customers, or your users is obviously as important as a system going down in that world. So, that's 100% on point there.
I love the human firewall as well. We actually have T-shirts our CISO sent out that are called the human firewall that we sent out to our employees to promote that concept. I love that you use that term, by the way. We're going to pivot to some future predictions here. But, before I do that, I do want to say you know a lot more about security than you think you do. I think you have a lot of good advice for people that are listening to this podcast around how they should think about security in their organizations. It's really doing great work at all levels, so kudos to you and your organization.

Max Chan: Thank you. Coming from Mike Anderson of Netskope, I'm humbled.

Mike Anderson: So, let's pivot to the back to the future. This is always a fun time here. So, if we fast forward to the end of the decade, 2030 or even 2025, what do you think CIOs would've wished they would've invested in looking back?

Max Chan: A few things. I think this is a great era in the technology space, because from what we have come through the last two and a half years, we have so many employees who started enjoying the power of freedom and the power of technology enabling that freedom and still be productive. This is a great time for any CIO today to think about a digital transformation in a very structured way that is relevant to their organizations right now. This is a great time to doing that. What has been working for the last 10, 20, 30 years? Ask me, I know. We have been around for 100 plus years. What have been working well will not work in the next five, 10 years if you don't pivot, if you don't transform. So, transformations is key. When I talk about transformation, do not think about it as an innovations exercise that you dabble into something, but never think about scaling. That is just going to be hobbies for your team, for your organizations.
As soon as you find something that you know is going to work and going to change the way that you do business, the way that you interact with your customer, your supplier, your employee, or strategic partners, you need to quickly scale. At scale is so much more difficult than the innovations. So, look for help. Look at partners that can help you scale what you need is so key, which also leads to my second point here, which is identifying and establishing strategic partnership with people that you can leverage to help you skill your solutions is key.
Not least, you cannot overlook security, simply because it is only going to get bigger and more important. Now, I'm not saying go out and build an army of security team, because that is not practical as well. But, if you don't have a framework in place, establish that framework. Start looking at what's important, understanding the appetite, creating that awareness within organizations, and really drive continuous enhancement of your security posture of your organization. If you don't do it, your partners, your customer, your supplier is going to demand for it. If you don't have it, they are going to leave you.

Mike Anderson: No, that's great advice. One of the things when we think about our teams and skills as well is diversity is also important. Also, as we evolve more leaders from a CIO standpoint, what are some thoughts you've got around how you promote diversity within your teams? What are you doing to grow our future leaders from a diversity standpoint?

Max Chan: I think the first thing that we all need to recognize is diversity comes in very different shape and form. If you are still of the mindset that diversity is being defined by one of the two things ... I know you know what I'm talking about here, and people listening will understand what it is, then you are not going to be successful in promoting diversity. For me, the first thing is diversity of thought. Don't surround yourself with people who are always agreeable with you. Really surround people with different approach, different mindset, different background, different upbringing, et cetera, within your leadership organizations. I think that's number one.
Number two is I'm really, really glad to say that most of my direct reports at the IT leadership level have been with the company for at least 10 or more years, most of them. To your point, Mike, earlier, the internal opportunity allowing them to move from one role to another over the years and coming up to a leadership position is the best way to develop a loyal as well as passionate leaders for the organizations that is going to be focusing on the success of the organizations. Last, but not the least, don't hesitate or be afraid to move someone from one domain to another. Someone who was doing applications, if they can develop a passion and an interest in the security area, should be given that opportunity to develop themselves technically as well as dabbling into that area from a lower level and see how they grow. I think that is how I have been fortunate enough to surround myself with team members who have taken different role, play different roles throughout their career at Avnet before joining me here at my leadership team.

Mike Anderson: That's great, and that diversity of experience is definitely important. In fact, one of the ones that I always would ask people to do too is if you have an opportunity to go work inside of a business unit and learn that part of the business, because you have to first understand what you're going to change. You can't just change something without first understanding it fully. That's something that you've done a lot on that whole digital enablement journey. So, doing those opportunities and exporting talent into the organization and then importing it back in can also bring another diversity of experience that can help your organization.

Max Chan: So true.

Mike Anderson: So, last question here before we get to our quick hits, we talked about buzzwords. One of the buzzwords that comes around a lot is zero trust. I think every security vendor in the world has zero trust. Is that a term that even gets brought up around Avnet? If it does, how would you define that for people? Because, obviously when the president puts an executive order out saying everyone needs to adhere to zero trust, it starts to get conversations all the way from board levels. Is that a topic that you talk about? And, how would you define that inside Avnet?

Max Chan: It is, but not because it's a buzzword that is out there. But, it's really recognitions of how people work today and in the future. We are going to be working with people who prefer to be remote, or we are going to start working with resources that is not necessarily full time in the organizations. How do we create that environment that allow employees or contractors or partners to truly be able to be productive, get what they need securely and without missing a beat, so that we can be agile, we can be quick in delivering value to the organizations? That is how I'm thinking about it. I'm trying to cut down on the lead time needed to give people access to the right data, to the right resource at the right time as and when they need it, as opposed to it being a big fancy implementation.
So, from that perspective, then we start looking at zero trust being the right approach to get us there. It also cut down on the frustration that people might have today relying on IT, relying on the identity team, et cetera, need to set them up a specific access to get to a specific resource. Whenever they don't have certain access, they need to go back and get that set up again. Maybe it's different from how people think about it, but in my simple process, that is what I want to get to, a better user experience allowing people to get access to the right resources easily as and when they need.

Mike Anderson: That's great. If we think about the definition of hybrid work, it's how can I allow people to be secure and productive working from wherever they want to work from, whether it's an office or coffee shop or vacation destination?

Max Chan: Exactly.

Mike Anderson: All right, so here's the fun part of this. It has nothing to do with technology, but it has all to do about Max, the person. We call this our quick hits. So, first question I've got for you, what's the best leadership advice you've ever gotten?

Max Chan: Best leadership advice that I've gotten is to act from the gut. I was a math major at college, and sometimes I can be overly analytical before I make decisions. However, many, many, many years ago, before I took on a manager or a senior leader role, the advice I've gotten is how can you make a decision, because you know in your gut that is right, based on maybe 30, 40% of information you have? I think that is really what got me to where I am today.

Mike Anderson: No, that's definitely great, great advice. Trusting your gut is always an important one. Next question, what would your last meal be?

Max Chan: Never thought about it, but if I ever have a choice, a glass of water will suffice.

Mike Anderson: Very simple, very simple.

Max Chan: Very simple. I have a Chinese heritage. We believe that we came from nothing. We will leave with nothing. So, a glass of water suffice.

Mike Anderson: All right. I have to say, you're the first person that's had that answer, but that's very insightful. Then, last one here, favorite song, and what does it tell us about you?

Max Chan: I have to say "My Shot" from the musical, Hamilton. That is the song that I continue to go back to, because I'm the kind of person that have no problem getting scrappy and always being hungry. That is how I am able to deliver value to the organizations without having to make a big deal out of it. I believe and I ensure my team do the same. Let's build something. Let's show the value. And, let's get the business buy in before we make a big deal out of it. So, I'm not giving up. "My shot" from Hamilton would be my favorite song of all time.

Mike Anderson: Well, that's great. Well, Max, I want to thank you so much for spending time with us today and sharing your insights and amazing work you and your team are doing at Avnet and also in the ecosystem, as well. So, thank you for that. Thank you for the time.
I hope you enjoyed the conversation today with Max Chan CIO for Avnet. I know I did. I want to summarize a few of the key takeaways. The first is as CIOs, we can't play the adversary with our security organization. Better said, we have to make sure that we set the tone from the top-down in the organization. To make sure not just inside IT, but across the organization, everyone's working to make sure that the company is secure. And make sure we have the right support structures in place to support our security leaders in accomplishing that goal. The second is when we speak to the board about security, we really need to focus on three things: one is why are we telling them anything about a security event? Why should they care about it? And then what are the potential risks and threats that we may face as a company, and how's that going to affect the company's ability to operate, from a business standpoint? And then what are they doing specifically within the IT and security organization to make sure that we head off and avoid those potential threat or risk to our business? And lastly, it's really about making our teams more diverse. And it starts with building diversity in our organization, bringing people from different backgrounds, approaches, and mindsets to make sure that we have a well rounded view when it comes to security. Second, we want to create opportunities for people to move around the organization so that we can continue to develop that diversity and develop really loyal and passionate leaders across our organization, really those advocates. And then lastly is don't be afraid to move someone in our organization from one domain to another, even outside the IT organization, because they can become our advocates, especially for security within other parts of our company. So, I hope you enjoyed our conversation with Max. Please stay tuned to our next episode of Security Visionaries Podcast. 
I'm Mike Anderson, I'm your host, I'm the CIO and Chief Digital Officer for Netskope.

Speaker 3: The Security Visionaries podcast is powered by the team at Netskope. Fast and easy to use, the Netskope platform provides optimized access and zero trust security for people, devices, and data anywhere they go, helping customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, or private application activity. To learn more about how Netskope helps customers be ready for anything on their SASE journey, visit N-E-T-S-K-O-P-E.com.

Speaker 5: Thank you for listening to Security Visionaries. Please take a moment to rate and review the show and share it with someone you know who might enjoy it. Stay tuned for episodes releasing every other week, and we'll see you in the next one.
