A Q&A session with Shahryar Shaghaghi, BDO Consulting National Practice Leader, Technology Advisory Services
How did you get started on your career path?
My career really started in the 80’s while I was still in college. I initially went to school to study aerospace engineering, but became fascinated by the emerging computer science field, which was still very much in its infancy. At the time, computers were used almost exclusively by universities and some sectors of government. My first job was a night shift programmer for NASCAR. It was fun because I was able to learn about racing and even tried a few laps myself on the Daytona Beach International Speedway.
While I was pursuing a dual degree in aerospace engineering and computer science, I also took a job as a lab assistant, helping other students with their programming assignments. My passion for computer science and reputation for articulating complex subject matters in a simple way earned me a position as adjunct faculty, and I began teaching programming classes and developing applications on top of my schoolwork.
I enhanced my knowledge of technology through educational training programs with AT&T and IBM and continued to split my time between programming and teaching. Through these programs I gained a tremendous amount of technical knowledge and developed a number of innovative applications in the administrative computing space, including the first online registration system, and got my first taste of infrastructure development and management.
In the mid-90s, I was given the opportunity to join Embry Riddle Aeronautical University’s Software Engineering Master’s program, which was in alignment with Carnegie Mellon's newly developed curriculum. Carnegie Mellon pioneered the quantitative approach to software development, which had previously been treated more like an art. As one of the first graduates from that Master's program, I had a unique view on software development, applying engineering disciplines to every aspect of the software development life cycle. That experience transformed my skills in IT strategy and positioned me to lead many large and global transformation programs with Fortune 500 companies, consulting with major management consulting firms.
Throughout your career, you've worked on a number of large-scale transformation programs. What stands out as the most memorable project to date?
Citigroup brought me in as an executive responsible for its IT risk management and tasked me with overhauling the bank's approach to IT risk management, in order to meet the regulatory requirements for a pending Office of the Comptroller of the Currency (OCC) and Federal Reserve Bank (FRB) review. I was given 18 months to get the bank back to a satisfactory rating. While the set goals for the project were clearly defined, it was deceptively complex—at the time, Citi was the largest bank in the world with no standardized approach to risk management.
The IT risk management transformation initiative was a massive undertaking with hundreds of implementation projects across more than 150 countries. Eighteen months later, Citi passed its OCC and FRB review and all sanctions were lifted, enabling the bank to resume acquisition activities.
What are the top risk management challenges facing today’s CIOs and CISOs?
Over the past 10 to 15 years, the role of the CIO has evolved from supporting back office functions to focusing on managing risks and now fully aligns with corporate strategy and innovation around products and services. In the meantime, due to the increased frequency and degree of cyber attacks, the CISO role has also been escalated in importance, at times all the way up to senior management and the board of directors.
We've entered a new digital age and have far more information at our fingertips than ever before. We also have more regulations—Dodd-Frank, FATCA and mandates from OFAC, to name a few. The CIO and CISO are in the driver's seat when it comes to dealing with the subsequent risks and challenges.
Technology is key to risk management. Some CIOs at larger organizations have even created dedicated business units for compliance technologies because of the amount of work involved and the level of priority.
But as much as technology solves, it also creates significant risk. Security can be breached, confidential or competitive information can be exposed, and basic operations can fail or be disrupted. A technology failure not only has a direct financial impact; it can also damage a company's brand. CIOs and CISOs are now expected to oversee all these risk management issues and develop a leading-edge approach.
From your perspective, how should organizations weigh the advantages of gaining on their competition through the latest leading-edge technologies versus the risks to cybersecurity?
It's a balancing act. In today's world, Big Data is the name of the game, and it's becoming more and more complex for organizations to get their arms around it. And in order to be competitive, companies need to have the flexibility to act on market insights and adapt innovative, agile solutions. However, being creative also exposes you to a certain amount of security-related risk.
Companies should design their products and services with risk management in mind from the get-go. If they take a step back and architect core security functionalities into the beginning of the product development process, they can create a robust product with solid security.
But again, it's a balancing act between technology, ease of use and security. Companies that are too heavy-handed in their approach to security—e.g., adding multiple layers of security or higher degrees of authentication that bog down the product—lose out to competitors that create more user-friendly products. It's important to first ensure that the product features functionality that satisfies the needs of its target market, and then apply a number of scenarios against it to identify the potential vulnerabilities. Those vulnerabilities can then be minimized through a set of optimal mitigation strategies.
What do you like about working at BDO?
BDO has been welcoming and engaging from the get-go. Thanks to senior management’s commitment and partnership across the firm, I have been pointed toward many exciting opportunities in a relatively short period of time. I have also been fortunate to help with multiple client engagements while developing and rolling out my strategy to build a best-in-class Technology Advisory practice. There is nothing better than being able to keep client work front and center while expanding our capabilities.
Shahryar Shaghaghi leads BDO Consulting’s Technology Advisory practice, having more than 25 years of experience providing information technology (IT), operations and risk management services to global organizations. He focuses on strategy and transformation services that enable innovation and address regulatory and compliance requirements. A trusted advisor to CIOs, COOs and CISOs, Shahryar implements IT strategy, risk and compliance optimization programs that address business and customer needs through the integration of process, technology, organization, and relationship building to increase profitability and manage cost and risk. He can be reached at email@example.com.