As the Chief Information Security Officer of Sunrise Banks, Mr. Diaa Abu-Shaqra is on a mission to transform, enhance, and simplify risk management to break down organizational silos, increase risk visibility, lower cost, and promote collaboration and accountability.
Abu-Shaqra holds a Master of Science in Security Technologies from the University of Minnesota and is currently working on a Ph.D. in information systems from Dakota State University. In addition, he is a Certified Cloud Security Professional, Certified Information Security Manager, and Certified Information Systems Auditor.
Abu-Shaqra is responsible for developing, implementing and monitoring a strategic, comprehensive enterprise information security program for Sunrise Banks. With over two decades of extensive experience in the financial, technology, education, and government sectors, his role entails directing the bank’s cybersecurity strategy and overseeing information security governance and policies.
Empowering financial wellness with a focus on financial inclusion
Based in the Twin Cities (St. Paul and Minneapolis) in Minnesota, Sunrise Banks, N.A., Member FDIC, strives to be the most innovative bank empowering financial wellness. Sunrise is recognized as a Community Development Financial Institution (CDFI) by the U.S. Treasury, a title only around 100 banks countrywide have attained.
It has shown a commitment to open corporate governance and having a beneficial impact on the community, by becoming a member of the Global Alliance for Banking on Values, a public benefit corporation, and a Certified B Corporation.
Sunrise provides traditional banking products for business and personal banking clients. In addition, the bank partners with financial technology companies to offer services that improve consumers’ credit and provide access to safe, affordable loan products.
The areas under Abu-Shaqra’s leadership include security governance, operations, engineering and consulting. This includes security operations, incident response, threat hunting, Identity and Access Management (IAM), Threat and Vulnerability Management (TVM), education and awareness, security policies and standards, cloud security and infrastructure security.
“I joined Sunrise Banks because I was drawn to our core mission and our values,” he states. “Sunrise is focused on empowering financial wellness through its products and services. While we’re a local bank, we scale our reach nationally by partnering with financial technology companies that provide affordable access to credit and the mainstream financial system. I agreed with Sunrise’s focus on financial inclusion and wanted to do my part in furthering the bank’s mission.”
Leveraging a lifetime of experience to enhance the company’s security posture
Abu-Shaqra has over 25 years of experience in IT and security, 16 of which are in the financial industry, where he learned a great deal about a wide range of technologies, security, and risk management.
Adding his experience in leadership positions, including as CISO for local city government and as an entrepreneur, he was able to use that knowledge to bring security as a key partner to all areas of IT and the business.
This included implementing new products, services, and controls to enhance the organization’s security posture, and establish a strong foundation for its growth, especially in the cloud space.
These changes enabled improved awareness and understanding of security requirements and controls, improved end-user and endpoint protection, improved partnership with areas across IT and business, reduced risk, staff upskilling, and empowerment for employees.
“Security is interdisciplinary and plays well into my interest and abilities; and being able to leverage the experience and expertise I’ve accumulated throughout the years is a great opportunity,” Abu-Shaqra remarks.
An innovator creating custom solutions to improve efficiency and effectiveness
Abu-Shaqra’s responsibility as CISO of Sunrise Banks covers all aspects of information security, including operations, engineering, consulting and governance. A regular day at work includes meeting with his team members to go over their goals, tasks, risks, roadmap, and issues, discussing progress and roadblocks, brainstorming ideas and solutions, and providing direction or suggestions for further steps.
Mr. Abu-Shaqra also connects with his peers and leadership to ensure there is a clear understanding of priorities and initiatives, so that they are best positioned to support each other. “The last thing any leader or company wants is to be an afterthought or included late in the game, when quality and morale will always be negatively impacted,” he observes.
Abu-Shaqra notes that security, unfortunately, has been historically associated with being an overhead or roadblock, which is why security teams’ engagement has been avoided or delayed until necessary. Part of his goal as a security leader is to continue to challenge that misconception by demonstrating great engagement and value, being pragmatic, and explaining risk in business terms to help drive informed decisions.
Abu-Shaqra also points out that Identity and Access Management (IAM) is one of the most challenging areas in any organization. “We have a unique portfolio of systems/applications for which almost none of the Commercial off the Shelf (COTS) software met our needs,” he reveals.
With support from his leadership and team, Abu-Shaqra designed and built an IAM system that has allowed them not only to have much better visibility into their access areas and controls, but also to implement Role-based Access Controls (RBAC) so that they can streamline on- and off-boarding to improve efficiency and effectiveness.
A visionary leader building high-performing teams to transform security operations
Abu-Shaqra chooses to define himself as a visionary, someone who predicts how the future might look or ought to be, but also does so as a technique to be a better planner and think through what-if scenarios.
“We can be many things at the same time, we can also excel at many things. The idea that one must shoehorn themselves into one discipline, department, career, or description is extremely limited and antiquated. It was born out of a desire to develop a ‘work’ culture, and not necessarily enabling and encouraging talent and skills,” he observes.
Abu-Shaqra recalls that, during a time when he performed third-party risk assessment, the job took him around the US and the world, visiting HQ, data centers, and field offices, and collaborating with leadership and operations in industries of all types and sizes.
The value he provided in the form of assessment helped hundreds of companies improve their security posture and reduce risk, which is generally a memorable event in any security journey.
This unique experience positioned him well to later lead Information Security for all the staff groups for one of the Globally Systemically Important Financial Institutions (GSIFIs), where he built several high-performing teams and transformed security operations.
The importance of due diligence in an imperfect world
In terms of the changing landscape of the industry, Abu-Shaqra is still amused by the fact that, no matter how large and well-known a company is, every single major brand has had its significant share of vulnerabilities, breaches, scandals, etc.
“We don’t live in a perfect world that puts consumers and their best interests first, so as much as we would love to trust how safe and secure some product or brand is, we must take those statements with a grain of salt and perform our own due diligence to verify that an organization has the proper security protocols in place,” he insists.
Noting that people make mistakes, and software is flawed, Abu-Shaqra explains the concept of Zero Trust in security, which involves verifying a system’s security, instead of blindly trusting its ability to keep your information safe.
He also remarks that there are new products appearing on the market that are truly trying to add value and solve real-world problems (as opposed to a solution in search of a problem), but those still require a lot of manual work and up-front setup, and they are rudimentary in terms of what they can offer, when it comes to automation, integration, and intelligence.
Security is culture, and culture takes time to foster and change
Abu-Shaqra defines success as the measurement of satisfaction over an extended period. He believes this is the case, especially in the security space, because security is not about a tool, process, person or a product; security is culture, and culture takes time to foster and change, let alone transform.
“This is not to say we can’t have quick wins or short-term achievements, but true success takes time and is marked by prior failures of the same endeavor,” he insists, noting that part of our growth journey is that we challenge ourselves, stretch our boundaries, take on new responsibilities, and carry out our vision of how we think things should work or how things ought to be.
Abu-Shaqra believes that his greatest achievement has been his ability to continuously grow and stretch his boundaries to include knowledge and expertise, not just related to IT and security, but also business operations, risk management, and working with numerous different parties, including executive leadership, regulators, and auditors.
This has enabled him to take on unique challenges and opportunities while continuing to drive his career forward. He shares one example in particular that stands out, from when he was overseeing security for a large group that included corporate properties and needed to bridge the gap between their Operational Technology (OT) world and the traditional world of IT.
The transformation involved creating structures from scratch to assess risk, prioritize remediation, update policies, and drive change in the industry to improve security operations beyond their control at the time.
Empowering people by including them in the decision-making process
Abu-Shaqra maintains that, while the pandemic no doubt impacted business operations, it was not necessarily in a negative way. Working remotely was probably the most significant change many businesses faced, in terms of both having the capability to do so and maintaining a level of service and support comparable to that achieved during in-office work.
Abu-Shaqra points out that there are arguments on both sides; some prefer in-person work, while others are partial to working from home. He personally thinks that, in many cases, productivity increased when remote work started, and people felt more empowered to manage their own time and priorities, as long as they got the job done.
“Some positions, in particular frontline workers, weren’t afforded the luxury of working from home. These workers risked their safety so we could continue to buy groceries and send our kids to school. Hats off to all frontline workers for their sacrifices. I don’t think society has appreciated them enough,” he remarks.
However, Abu-Shaqra believes that the idea of work/life balance is somewhat antiquated. “I like to think of it as work/life integration. This includes working remotely and making time to connect with family and friends. I have also recently taken up martial arts (Brazilian Jiujitsu) to improve my overall health and physical wellness and I absolutely love it,” he declares.
With a very strong passion for what he does, Abu-Shaqra continuously strives to identify and help resolve problems. He sees a lot of value in improving effectiveness, efficiency, and service, so that work keeps him busy and motivated. To keep his team motivated, he includes them in the decision-making process, and empowers them to make decisions.
“We hire people so that they can help us figure out what needs to be done, and how it can be best accomplished at that time; we need to ensure they have the autonomy and power to do that. When people are included in the decision-making process and are empowered, they are much more likely to be successful and tend to thrive,” he maintains.
If you’re not feeling uncomfortable, you’re not growing
Abu-Shaqra notes that his future plans for Sunrise Banks include increasing their focus on user training, education, and empowerment, as well as upskilling and diversifying technology and security staff.
He will also be working on further integrating security in all aspects of operations, including DevSecOps, project management, risk management, etc. He also plans to work on increasing adoption of technology baselines, prioritizing preventative controls, automation, and developing purple team capabilities.
Abu-Shaqra’s parting message to aspiring leaders in security is to “not be afraid of raising their hand or being the lone voice in the room — chances are you have a perspective that needs to be heard.” He also recommends that they invest in training and education for themselves and their team.
“If you’re not feeling uncomfortable, you’re not growing. I’d also encourage aspiring leaders to reach out across groups, departments, programs and industries. Learn everything you can about the businesses your company runs, so that you can increase your value as a business partner, and your chances of success and inclusion,” he concludes.