NT NETWORK
A Goan by birth, Sarfraz Shaikh completed his education in Goa before moving to the United States to pursue graduate studies. He earned a Master’s degree and built a career at the intersection of technology, business operations, and organisational transformation. Today, he serves as Chief Information Officer (CIO) and Chief Information Security Officer (CISO) for a diversified oil and gas services company in the United States, overseeing technology strategy, cybersecurity, digital transformation, and operational technology across manufacturing, construction, engineering, and surveying divisions.
Excerpts from an interview:
As someone who grew up in Goa and now leads technology and cybersecurity functions for a major U.S.-based organisation, what perspective has that journey given you?
Growing up here taught me the value of relationships, community, and adaptability. Those lessons have stayed with me throughout my career.
Moving to the United States exposed me to large-scale operations, emerging technologies, and increasingly complex cybersecurity challenges. But one thing remained constant: people are at the centre of every successful organisation. Technology changes, threats evolve, and business models transform. Leadership, however, is still about building trust, understanding people, and helping teams succeed.
When people think about cybersecurity, they often picture hackers and ransomware attacks. Why do you focus so much on people?
Because technology exists to serve people. Every major innovation, from the telephone and internet to smartphones and artificial intelligence, has helped make life easier and work more efficient.
But every advancement also creates new risks. The same technologies that improve productivity can be exploited by cybercriminals. What many organisations overlook is that technology alone cannot solve cybersecurity challenges. Employees interact with systems every day, and their decisions often determine whether a security program succeeds or fails.
Employees are often described as the weakest link in cybersecurity. Is that fair?
Most employees aren’t trying to create risk. They’re trying to get their work done. Think about a hotel employee during Goa’s busy tourist season or a project manager working against a deadline. When security processes become too complicated, people sometimes take shortcuts—not because they’re careless, but because they’re trying to stay productive.
If employees consistently bypass security controls, leaders should ask whether the process is helping people do their jobs or making them harder. Cybersecurity cannot succeed if it becomes an obstacle to productivity.
What are some of the biggest challenges organisations face when implementing security programs?
Complexity is a major challenge. Organisations have added multiple layers of security over the years: password policies, multifactor authentication, compliance training, software updates, phishing awareness programs, and more.
Each measure may be valuable on its own, but together they can become overwhelming. This creates what we call ‘security fatigue’, where employees become mentally exhausted by constant security requirements.
Another challenge is communication. Employees are often asked to follow new policies without understanding why changes are being made. People are much more likely to support change when they understand its purpose.
Why has cybersecurity become a boardroom issue?
Because technology touches every part of the business. A cyber incident today can impact operations, finances, customer trust, reputation, and business continuity. It’s no longer just an IT problem.
Executives increasingly recognise that protecting digital assets means protecting the organisation itself. That’s why cybersecurity discussions now happen at the highest levels of leadership.
Has your leadership approach evolved over the years?
Absolutely. One of the most important lessons I’ve learned is the value of empathy.
Several years ago, our leadership team made it a priority to spend more time visiting operational sites and engaging directly with employees. The goal was simple: to better understand their work environment and the challenges they face.
Those conversations helped us gain a better appreciation for factors such as remote locations, varying weather conditions, connectivity limitations, and the operational demands of field work. It also helped us understand how technology and security requirements affect employees differently depending on their roles.
At the end of the day, cybersecurity is not fundamentally a technology challenge. It’s a people challenge. And when people succeed, technology usually follows.