What first made you think of a career in cybersecurity?
Early in my career as an electrical engineer in 2003, I got exposed to just how much inherent trust is assumed in many systems by default. My very first job was at Advanced Micro Devices designing Peripheral Card Interface sub-systems (PCI) and I was shocked that at the time, any peripheral, whether it was a graphics card or sound card, was effectively 100% trusted to read or write memory anywhere in the system. It was considered a performance feature and not a bug. That sent me down the cybersecurity rabbit hole starting with hardware-centric roots of trust, like TEEs and TPMs, to today much more focused on the data-centric side of things.
What style of management philosophy do you employ with your current position?
I feel deeply blessed to have had some fantastic managers and I try to emulate those great attributes. The single most consistent of which was a focus on empowering others to be great. As such, I see it as my job to provide those on our team with the resources they need to get their job done – to do the blocking and tackling necessary to allow them to achieve and otherwise get out of their way. It’s win-win in so many ways, from a quality of life standpoint and helping others grow by giving them new chances and opportunities.
What do you think is the current hot cybersecurity talking point?
Zero Trust data protection. While Zero Trust has previously been poorly or inconsistently defined, there is a growing consensus on what it means to achieve advanced Zero Trust protections within any of the seven pillars, quite concretely. Data protection and in particular classification/tagging and subsequent encryption of data for the means of controlling access to it wherever it may go, is greatly benefitting from clearer guidance and expectations from industry and relevant government bodies publishing Zero Trust guidance.
How do you deal with stress and unwind outside the office?
My mind always finds something to worry about and I love building things with my hands, so I always have a project to turn to that involves soldering or drilling or something of the sort, that can keep my mind occupied improving some set of skills. Above all, the best therapy for me involves getting outside in the fresh air in a natural setting. Even if I have to be on a work-related call, just being outside connected to nature keeps my stress levels down and my focus up.
If you could go back and change one career decision what would it be?
I started my cybersecurity career in a research context which was much more academic than practical. I wish I’d had hands-on practical Information Assurance experience earlier in my career, to inform my academic research focus with real-world context. The more no-kidding experience I’ve had deploying and configuring practical IT tools to protect a team, the more empathy for the end-user I gain and that pays big dividends when working on solutions designed to deliver practical, easy-to-use value.
What do you currently identify as the major areas of investment in the cybersecurity industry?
Interoperable data protection standards for data encryption and policy. Today you can invest in strong identity once and take it anywhere. One of the biggest hurdles to consistent enforcement of policy across an enterprise is a scalable interoperable policy language and corresponding data standard to allow data to persist the relevant protection requirements independent of any particular app or environment.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
I’ve noticed a shift here. Historically, organisations with different enforcement requirements – whether due to geography or to industry regulatory burdens – would implement bespoke protective regimes. However, increasingly – particularly where there are high collaboration needs across these boundaries, whether across large enterprises or governments – efforts to harmonise the mechanisms have been much more successful than trying to build purpose-specific approaches that may impede interoperability.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
As CTO of a cybersecurity company in the data protection space, I’ve benefitted greatly from the increased awareness and appreciation for the approach that we’re taking, so while historically I’ve played a much more evangelical role, educating audiences (partners and customers) on the realm of the possible, I can now focus much more on practical engagements and accelerants to adoption in a better understood space.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
Cybersecurity can be deeply rewarding and high-impact when your peer executives are bought-in to the value of appropriately investing in the domain. Knowing how to translate these values into business outcomes can be a rarer set of skills than the hard technicals and a massive differentiator, so practicing that as a skill is deeply strategic. Correspondingly, interview your other C-suite and board to ensure baseline alignment ahead of time.