Career Profile: David Soldani, Rakuten

Name: David Soldani
Affiliation: Rakuten

Can you briefly introduce your current role in cybersecurity?

Areas of my responsibility and expertise include, but not be limited to: security innovation and advanced research; security architecture design & standards; security engineering; methodology & tools; security assurance (DevSecOps); security policies, governance, risk management and compliance; security solutions development for current (5G) and future mobile networks (6G) on cloud native platforms.

How did your career in cybersecurity get started?

I have been active in the ICT field for more than 25 years and cybersecurity is one of the areas that has been keeping me busy the most, particularly after we designed 5G, back in 2013. Initially, my focus was on security engineering and architectures, advanced safeguards (e.g., cryptography for data confidentiality and integrity protection, network and software security, identity and access management, and security assurance), technologies for mitigating risks (threats x vulnerabilities) and solutions to agile security operations. Then, as CISO, beyond that, I have been responsible for security policies, security posture of virtual and physical infrastructures, governance, risk management and compliance (GRC). Which are equally important.

What does a typical workday look like for you?

We generate new ideas, work on new approaches, methods to improve security of network infrastructure, cloud native platform, cloud native functions (network micro-services), applications, and business of our organisation. Our current focus is on cloud native security and observability for current (5G) and future (6G) open virtual mobile networks. Among other important tasks, I need to review, set the priorities, and discharge new and ongoing action items and tickets; supervise the progress of our focus projects, manage my organization (including housekeeping) and support my team members; identify new leads and address pain points; develop my technical skills; consult and interact with my internal and external stakeholders
ensure we are doing the right things, and things right, following our business processes, governance, and policies. Also, when time allows, I contribute to technology events, publications, and technical specifications (standards) to promote our solutions and thought leadership.

What are the most challenging and the most enjoyable aspects of your role?

I am enjoying all aspects of my role, and I love new challenges. Think of security as a process, which comprises Plan, Build, Deploy and Runtime phases. In the “Plan” phase, I am pleased to contribute to innovation and advanced research, collaboration with universities or other research organizations, security architecture, proof of concepts, technical specifications, and standards. In the “Build” phase, I am captivated by new approaches and technologies for image scanning, securing CI/CD pipelines, secrets management, securing the host OS, and securing the workload access to the host. In the “Deploy” phase, I like to work on cluster hardening, perimeter firewalls, security groups, admission controllers and secure way for exposing network capabilities and services. In the “Runtime” phase, I enjoy working on network policy, application layer policy, monitoring and observability tooling, encryption (e.g., mTLS), auditing and new approaches to threat detection. For runtime security, I advocate the use the extended version of Berkeley Packet Filter (eBPF). This transformational technology is accelerating the way to redefine networking, security, tracing, and observability for current (5G) and future mobile networks (6G). Attaining support from senior management, security governance, risk control – including qualitative & quantitative analysis of potential losses, and effective measures to mitigate the identified risks to a bearable level for our business owners – and compliance are probably the most challenging aspects of
security management.

What do you consider the three most important skills to succeed in your
role?

You need strong skills, experience, and expertise (know-how) in security governance, risk management and compliance, security architecture and engineering of modern network infrastructures. This means that you need to be familiar with the best practises and technologies for container and container orchestration (Kubernetes) security and observability; and know how to secure CI/CD pipelines (DevSecOps). Also, you must be highly skilled and very proficient in identity and access management (IAM), and related business processes. You need to know how to identify, authenticate and authorise the access of a subject (user, user group, service account) to an object (device, application, or platform resource), and know how to detect & respond (resilience) to any possible (internal or external) unauthorized access, particularly to your services, data, network, and cloud platform related
resources. You need to understand the most important security standards, certifications, and network element security assurance schema adopted by the industry, such as, but not be limited to, ISO 27001, SOC2 Type2 and GSMA NESAS. And how to preserve privacy, e.g., in compliance with of local laws and EU GDPR.

What advice do you have for people starting their career in cybersecurity/looking to enter this industry?

I would focus on cloud-native architecture and technologies, such as, e.g., containers, service meshes, microservices, immutable infrastructure, and declarative APIs, and familiarize with Kubernetes, and cloud-native network functions, i.e., network functions designed and implemented to run inside containers – an example of a cloud-native radio access network is the Open virtual Radio Access Network (Open vRAN), defined by the O-RAN Alliance. And develop strong cybersecurity skills for protecting those assets, including the related information (data) at rest and in motion. Also, I would get some of the most important certificates, e.g., but not be limited to, CISSP, CISA, CKA, CKAD or CKS (or KCNA), and most importantly join an industry organization that allows you to further develop your skills, abilities, know-how and, especially, put in practice your theoretical knowledge of cybersecurity working on modern Telco (virtualised) infrastructures, cloud native platforms,
applications, and technologies, such as, e.g., Kubernetes and eBPF.

If people would like to learn more about your role in cybersecurity, where should they go?

You may follow me on LinkedIn (https://www.linkedin.com/in/dr-david-soldani/), with over half a million downloads in one year. See: https://www.linkedin.com/pulse/selected-public-speeches-papers-dr-
david-soldani/. Thank you.