Spotlight on SIMCAC Member: Lawk Salih, VP at ICBA

Lawk Salih is the Vice President of Infrastructure and Digital Solutions with the Independent Community Bankers of America (ICBA). In his role, Mr. Salih is responsible for ICBA’s infrastructure initiatives in the cloud for all resources pertaining to hosting of applications, data warehouses, security, scalability, and cost management. Additionally, he is also responsible for delivering innovative digital solutions aligning with ICBA’s business goals to innovate the member experience through digital channels.

He has over 21 years of experience in the information technology field, including 15 years with nonprofit organizations and trade associations in the District of Columbia area including Search for Common Grounds, Navy Mutual Aid Associations, United States Telecom Association, National Association of Regulatory Utility Commissioners, and United States Committee for Refugees and Immigrants. In his past roles, he has contributed to many successful initiatives in areas of association management systems, web content management systems, cybersecurity programs and defenses, cloud migration initiatives, IT training, enhancements of customer services desks, and integration and implementation of applications.

Mr. Salih is a past sponsorship chair of the Society for Information Management Capital Area Chapter (SIMCAC) and continues to be an active member of the community.

1) Your career has led you across several different industries and types of organizations -- what do you prioritize when joining a new organization to understand its business model and culture?

Thank you for this wonderful opportunity SIMCAC has provided me to engage, collaborate and learn from peers. It has tremendously benefited me as a technologist to learn from industry experts to transform our organization leveraging technologies to deliver business value.

One of the ways I prioritize understanding the business model and culture is to understand the mission of the organization. When joining a new organization, it is necessary for me to understand the mission-driven priorities of the organization. Be it to increase membership and retention or increase awareness of products and services within a specific segment of our societies, understanding and learning these objectives early on sets the stage for identifying time-sensitive strategies to be implemented and to align my priorities within the organization’s mission-driven priorities.

Learn the culture and build relationships. Culture and relationships are extremely important for any leader to drive value to both internal and external customers. Understanding key aspects of the key culture paradigm is crucial to understanding the dynamics of my peers and the roles they play in the decision-making process. I am a firm believer in relationships, and it has served me well in my past roles treating both peers and vendors as partners.

2) For an organization with limited phishing email defense maturity, where would you recommend they start?

Every organization must invest in a platform that ingests emails to protect against phishing fraud on its employees. In my recent blog for community banks, the FBI reports more than $1.8 billion (about $6 per person in the U.S.) in losses from Business Email Compromise and 240,000 reported phishing-related frauds. These are staggering numbers, and as leaders in our organizations, it is our responsibility to implement these basic controls ensuring employees are not being impersonated or swindled.

Learn and identify your current mail provider’s capabilities. If you are using one of the leading email providers such as Microsoft 365 or Google Workspace, there are many out-of-the-box capabilities that are part of your licensing and can be turned on to protect against phishing frauds. This is a great starting point to review and test these incremental enhancements to increase your security maturity to reduce the risk of compromising an employee's account and protect against impersonation.

Add an additional layer of protection for anti-phishing and malware protection to your email provider. There are many key product leaders in this space to ingest your emails and to protect against phishing frauds, impersonations, and malware within your employees’ inboxes to prevent malicious attacks on your people and systems. Top email security providers include Proofpoint, Check Point, Avanan, Barracuda Essentials, Mimecast, etc.

Educate your employees. Educating your employees on how to identify a non-legitimate email from a legitimate business email is key to the maturity of your cybersecurity program. One of the successes we have seen at ICBA is that our employees have become a key part of our cybersecurity program where they report potential phishing emails to our IT team to review and quarantine potential malicious attacks. This mutual partnership has helped us numerous times to protect our employees and systems from such attacks. Some of the key players in this space are KnowBe4, SANS phishing awareness simulation, Proofpoint, Cofense, Terranova Security, etc.

3) We've seen a lot of ransomware attacks in the news recently.  Do you recommend any critical defenses for an organization to defend against this type of attack?

Implement security controls and defenses at the endpoint. Prior to COVID-19, most of our critical protections were implemented for the premise infrastructure to identify, alert, and remediate against malicious attacks while basic virus protection was added to the endpoint. Post COVID-19, our priorities have changed and diverted some of our investments from both capital, human resources, and controls to protect at the endpoint since most of our employees are working remotely. These enhancements have helped us minimize the risk of ransomware attacks.

Implement a Security Information and Events Management System (SIEM) for your critical infrastructure components such as firewalls, cloud resources, endpoints, and other aspects pertaining to your infrastructure. The purpose of the SIEM platform is to provide a bird’s-eye view in a centralized dashboard to alert and provide remediation steps to protect against unauthorized activities and anomalies.

Backup, backup, and backup. Have a robust and multi-layer backup system for your cloud resources, databases, and communication systems. Setting up a robust backup system is key to protect against ransomware that is multi-regional ensuring you have an alternative copy of your backup if your initial systems are impacted by such an attack.

Implement a Mobile Device Management System (MDM) for your devices. We have seen tremendous value in our MDM platform to comply devices with a set of policies set by our team. Policies include antivirus protection, disk encryption, conditional access, detection and response, and account protection. In addition to these capabilities, we have empowered our service desk team to provide remote management capability allowing team members to remotely wipe, offboard and onboard a device to our infrastructure. Such capability is key to a hybrid environment moving into the future.

4) In the world of associations and non-profit organizations, what have you seen as a surprising aspect to their priorities or constraints?

IT is becoming an integral part of the organization. It is no surprise that IT is becoming a partner in all areas of operations within organizations. Whether we need to implement an infrastructure supporting mission-critical operations or keeping the lights on, IT is becoming an integral part of the mission of the organization to deliver value and generate new channels of revenue. Many of my colleagues are also seeing this change and COVID-19 certainly sped this change. IT suddenly became a champion making technology available to successfully continue conducting business operations while the world came to a halt. This is an exciting momentum for all IT leaders encompassing value, contributing to the mission of the organization, and providing new opportunities for both internal and external customers.

Do more with less. The pandemic added additional challenges for IT with incredible pressure to provide successful customer service with the same resources and human capital prior to the pandemic. Maximizing the full potential of systems, and human capital was a challenge to prevent burnout for staff members while.

Attracting new talent. Attracting new talent has become a challenge—especially for non-profits and associations competing for similar talent as Microsoft, Amazon, Facebook, and Google in the District of Columbia area. It has become apparent that due to limitation of resources (mostly due to salaries in our region), we will continue to face this challenge and the need to be creative providing a unique experience to attract new talent. I am excited for the re-opening to get out and meet potential talents in meetup groups and connecting online through LinkedIn to expand our outreach for new talents while providing additional benefits to the potential candidates such as full-time remote, academic reimbursements, etc.

5) You have been a long-time SIMCAC member and Board Member.  From your perspective, what is the primary value proposition of SIM membership, and what would you say to other senior technology executives that are considering membership (especially to those in the Capital Area)?

SIMCAC has allowed me to connect with many local IT leaders whom I call colleagues. While I was the Sponsorship Chair with SIMCAC, I got the opportunity to meet and connect with many thought leaders in our region that I couldn’t have done without SIMCAC’s platform. This unique platform, unlike others in the area, has been extremely beneficial to me. 

I encourage local IT leaders to join SIMCAC to connect with other IT leaders, develop themselves by learning and educating others from their experiences, and to give back to the community through speaking opportunities and sponsoring local STEM groups.