Join us for a conversation with OpenSSF General Manager, Omkhar Arasaratnam.
Omkhar Arasaratnam is a veteran cybersecurity and technical risk management executive with more than 25 years of experience leading global organizations. Omkhar began his career as a strong supporter of open source software as a PPC64 maintainer for Gentoo and contributor to the Linux kernel, and that enthusiasm for OSS continues today. Before joining the OpenSSF, he led security organizations at financial and technology institutions, such as Google, JPMorgan Chase, Credit Suisse, Deutsche Bank, TD Bank Group, and IBM. As a seasoned technology leader, he has revolutionized the effectiveness of secure software engineering, compliance, and cybersecurity controls. He is also an accomplished author and has led contributions to many international standards. Omkhar is also an NYU Cyber Fellow Advisory Council member and a Senior Fellow with the NYU Center for Cybersecurity.
Why did you decide to join the OpenSSF?
It was really important to me to find a role that aligned with my personal ethos to make the world more secure. My long history of open source support, contribution and use, combined with two decades of cybersecurity experience made this the ideal choice for me. The OpenSSF’s mission of securing the software supply chain aligned perfectly with the impact I hoped to have.
How have your previous experiences led you to this role?
The earliest days of my career introduced me to open source software, which immediately became my life’s passion. From there, I began doing cybersecurity (or information security as it was called back then), and that’s where I’ve been for the last 20 years.
Throughout my career, I’ve been privileged to have positively impacted the security of billions of users worldwide. That’s incredibly rewarding. The desire to have a continued positive security impact in the open source supply chain is what led me here; it’s really the culmination of what I’ve been interested in for the last 25 years.
What professional experiences have shaped your leadership style?
I’m adamant about ethics, transparency, and principles. Many times in my career, I’ve seen major long-term impacts because of a shortcut taken in technology, process, or ethics. In the long run, I’ve found the best path is to transparently take the technically optimal, process-correct, ethical path above all else – no exceptions.
My role is to provide the team with clear guidance on our short, medium, and long-term goals based on my industry knowledge and consultation with key stakeholders. I’m also accountable for setting the right incentives and roadmap so that people know where they are along the journey and that our stakeholders continue to see positive progress while feeling vested in their ability to provide input and direction.
In my earliest days, I was adamant about spending my career as an IC (individual contributor). One of my previous managers, who started as an engineer as well, provided me the opportunity to think of leading people in the same way that we think of designing distributed systems. Give people the opportunity to fail safely. Implement performance improvement plans where required. Keep an eye on capacity challenges and backpressure. Framing leadership in this way inspired my leadership style.
What are your primary goals for the OpenSSF?
Our goal is to make the open source software supply chain more secure. The OpenSSF has made great progress in this direction. My goal is to ensure we secure the open source supply chain with even greater velocity through transparent decision-making, accountability, prioritization, and even more participation from stakeholders around the world.
What are you hoping to accomplish in your first few months on the job?
Having joined on May 1st, I’ve spent most of my first 30 days listening and understanding the needs of our stakeholders. All feedback is a gift. I’m in the process of synthesizing the feedback to craft a mid- and long-term plan for the OpenSSF. We have amazing work being performed, and I aim to provide a framework and structure through which we can have even more impact.
What challenges do you foresee in your role, and how do you plan to address them?
We never have enough time, money, or resources to fix everything in security. At some point, we have to make prioritization decisions. In the 20 years I’ve been doing security, I’m constantly worried that one of these decisions deprioritizes fixing something that will be the root of the next Log4Shell.
I try to ensure that we make the best decisions with the information we have available at the time. The OpenSSF prides itself on promoting diversity, which provides us the privilege of having a number of diverse points of view when making these decisions. While it’s unusual to have a decision that is entirely optimal for all stakeholders, it provides me the confidence that we’ve appropriately evaluated all available options and arrived at the best available solution.
It’s really hard to do security in the abstract. So, prioritizing our efforts through a prescriptive set of use cases and threat models is a great way of determining where we should focus.
Equally important is the practice of using retrospectives and metrics to determine whether our original point of view or decision was correct. Having an unbiased way to evaluate whether we’re still on the correct path and to consider the switching cost of changing direction without the weight of confirmation bias is very important.
In an ideal world, the best way to fix security problems is to make sure they never exist. The goal is to build our languages, build systems, frameworks, and runtime environments in a way that security is a default. It should be incredibly difficult (or impossible) to traverse an insecure path. “It should just work.”
Tell us something interesting about yourself.
Increasing diversity within security engineering is incredibly important to me. Other than advocating for diversity, equity, and inclusion as part of my day job, my wife and I fund a scholarship at NYU Tandon’s Cyber Fellows program.
I firmly believe that we can’t fix the problems we have today if we continue to think about solutions the same way. Diversity of thought is paramount.
What do you think is the most important factor to keep in mind that affects the future of the open source community?
We’re all connected. It’s impossible to hermetically seal one part of open source software from everything else and declare it secure. To make meaningful progress in securing open source software, we need to consider the entire ecosystem prioritized against a series of use cases and threat models and use that to inform our actions.