John Qian, CISO at Aviatrix, talks about lags in modern tech and IT systems, AI in cloud infra management, best practices for CISOs and more…
Hi John, welcome to this CIO interview series. Tell us about yourself and your journey as a CISO.
Thank you for having me. I started my career as a software developer at Cisco Systems, focusing on security appliances and policy-based security management tools. Security products are high-value targets, and I was involved in numerous in-depth security investigations and incident responses. This experience sparked my interest in transitioning into a full-time product security role, where I helped create and roll out multiple secure development initiatives at Cisco to improve security assurance for our customers.
In 2020, at the beginning of the pandemic, I joined Zoom, which was experiencing rapid growth and facing heightened scrutiny around security and privacy. I led the team responsible for securing Zoom’s product features, critical IT applications, the supply chain, AI security, and the multicloud infrastructure, all while ensuring compliance across an extensive global footprint. It was an incredibly fast-paced and dynamic environment, and we made great strides in building out a program that is now one of the most mature in the industry.
Most recently, I joined Aviatrix about a month ago as its CISO, and I’m excited to continue building and maturing the security posture of a company that plays such a critical role in cloud networking.
What are you most looking forward to as Aviatrix’s new CISO?
As Aviatrix’s new CISO, I’m particularly excited about the opportunity to work with this exceptional team and its innovative technology. From my past experiences, I’ve seen firsthand how challenging it can be to connect and secure workloads across multicloud environments and on-premises data centers, all while enforcing consistent security policies. Aviatrix’s cutting-edge technology simplifies cloud networking, strengthens security, and delivers critical visibility. Its robust egress security solution and high-speed encryption between the edge and cloud effectively address specific use cases I’ve encountered, making it a key reason why I chose to join the company. Moving forward, I’m eager to collaborate with some of the most talented individuals in the industry here at Aviatrix to help customers securely navigate their cloud networking journey and unlock new business opportunities. I’m thrilled to be part of this mission.
Can you share a little on what keeps B2B CISOs up at night today?
In today’s B2B landscape, CISOs are navigating an increasingly complex threat environment. As applications and data are increasingly spread across multiple clouds and hybrid infrastructures, the traditional enterprise perimeter has dissolved, creating new challenges. Some key concerns that keep CISOs up at night include:
- Data Exposure and Compliance: Protecting sensitive data in distributed cloud environments is a significant challenge, especially with the need to meet regulatory requirements like encryption, data residency, and data privacy laws. A single misstep in securing data or complying with regulations can lead to catastrophic consequences, including loss of customer trust, regulatory penalties, and reputational damage.
- Lack of Visibility: Hybrid environments often create blind spots, making it difficult to monitor network traffic and detect potential threats. This lack of visibility allows malware and advanced persistent threats to operate undetected, while insufficient egress and lateral movement protection increases the risk of data exfiltration and internal malware spread. Additionally, correlating logs from disparate sources can delay detection and response times, making incident response more difficult.
- Misconfigurations and Insecure APIs: Cloud misconfigurations and vulnerable APIs are among the most frequent causes of data breaches. Attackers often exploit these weak points to gain unauthorized access or execute malicious commands. The continuous push for rapid development and deployment can exacerbate this risk, making proper configuration and API security a top priority.
- Human Element: No matter how robust the technology, human error remains one of the weakest links in cybersecurity. Phishing, insider threats, and mistakes made due to lack of training can lead to significant breaches. Ensuring employees are well-trained in security awareness and implementing strong access controls to mitigate user-based risks is essential.
Can you talk about some of the biggest lags you see in modern tech and IT staff and what C-level staff should do to lift and train these teams better?
While continuous learning is essential for everyone, I see three key gaps in modern tech and IT teams that need attention.
- “User Experience” gap: Security is inherently complex, especially for non-technical decision-makers. One significant gap is how security is communicated across teams. I believe this stems from the lack of a “user experience” mindset in security functions. Security needs to be framed in ways that non-technical stakeholders can easily grasp. C-level executives should foster better cross-functional collaboration and invest in communication skills that translate security issues into business impacts.
- Automation gap: Another common gap is the lack of automation skills which results in manual work and inefficiencies. For example, adopting Infrastructure as Code (IaC) brings several benefits—simplifying operations, reducing errors, facilitating workflow reviews, and ensuring traceable histories. Yet, due to skill gaps, IaC is inconsistently applied. C-level leaders should prioritize upskilling teams on automation and embedding it into the organization’s DNA. This requires both targeted training and practical use cases that showcase the long-term value of automation.
- AI Literacy gap: Finally, one skill everyone can improve is the effective usage of AI. Generative AI is reshaping industries at a rapid pace, and it’s crucial for everyone to understand its potential, how it can be integrated into daily workflows, and the security implications of AI adoption. C-level executives must take the lead by fostering an environment of exploration and responsible AI use, providing teams with the resources to experiment with and safely integrate these technologies.
Please tell us more about your use of AI in cloud infra management and enhancements and how you see it playing a bigger role down the line?
We are actively exploring using AI to enhance the user experience in our products and see it playing a larger role in cloud infrastructure management in the future.
Currently, we are researching initial AI use cases in our product, such as leveraging LLMs to enable users to interact with the system through natural language. This approach is particularly valuable for navigating large datasets, allowing users to quickly retrieve the information they need. By incorporating AI, we can deliver a streamlined experience and improve the overall efficiency of how users engage with our software.
Since Aviatrix has full visibility into the data plane, we see significant opportunities to expand AI usage in advanced areas such as anomaly detection, failure prediction, and avoidance. For anomaly detection, AI can analyze vast amounts of network traffic data and identify unusual patterns that may indicate a potential security issue or system malfunction. For example, detecting traffic volume spikes that don’t align with normal usage patterns or identifying abnormal access patterns. In terms of failure prediction, AI can monitor system performance and resource utilization in real time to predict potential failures before they occur. For instance, AI can flag when a system is nearing resource overload—whether it’s CPU, memory, or network bandwidth—so that preemptive steps can be taken to redistribute workloads or optimize resources.
By integrating AI for these advanced use cases, we not only enhance operational efficiency but also provide users with powerful tools to predict, prevent, and mitigate risks—keeping cloud infrastructure more resilient and secure in the process.
Five daily best practices you’d leave every CISO with through this chat, before we wrap up?
There are many competing priorities every day as a CISO, but here are five best practices I recommend:
- Prioritize Effectively: Start each day by identifying your most important tasks and aim to complete them by the end of the day. Focusing on these high-priority tasks ensures daily progress toward long-term objectives, even with frequent context switches throughout the day.
- Stay Informed: Dedicate time to reviewing threat intelligence and keeping up with the latest cybersecurity trends. This keeps you proactive, allowing you to anticipate and prepare for emerging threats rather than react to them.
- Continuous Learning: Make it a habit to learn daily, whether in security or other relevant fields—from your team, industry peers, or external sources. Cybersecurity evolves quickly, and staying ahead means always looking for new insights and refining your approach.
- Mental and Physical Well-being: Taking care of your physical and mental health is crucial for peak performance. Incorporate exercise, meditation, and frequent short breaks into your routine to maintain focus and reduce stress.
- Reflect Daily: End your day with a quick reflection. Assess what you accomplished, what challenges you faced, and how you can improve tomorrow. This habit fosters continuous improvement and helps you maintain perspective.
John Qian is the Chief Information Security Officer at Aviatrix. He’s an accomplished security technology leader with over a decade of experience in technical and management roles within dynamic, global, and fast-paced environments. John has a proven track record of building high-performing teams to develop and implement comprehensive security strategies, architectures, and processes across multi-cloud, hybrid, and on-premises systems. He has led the rollout of company-wide security initiatives, including reference architecture, SDL, DevOps Security, IAM/Zero Trust, CI/CD security, training programs, and security risk and compliance frameworks. These efforts have significantly reduced corporate risk, ensured regulatory compliance, and fostered a culture of security throughout the organization.
Aviatrix is a cloud networking platform that provides visibility, security, and control for companies. They offer a single platform for multi-cloud networking, regardless of the public cloud providers used.