Go Phish: We get to know Chris Hodson, CISO, Tanium

Go Phish: We get to know Chris Hodson, CISO, Tanium

We ‘Go Phish’ with Chris Hodson, CISO, Tanium, who explains why distributed working is unquestionably the major talking point of the industry.

What would you describe as your most memorable achievement in the cybersecurity industry?

My first role running a security organisation at a large UK retailer; being entrusted to develop a cybersecurity strategy for a company at such a young age is something that I am incredibly proud of. The role was vital in shaping the trajectory of my career.

I’ve also been fortunate enough to collaborate with many industry leaders on subjects that I am incredibly passionate about, including cloud computing risk and cybersecurity. My paper on demystifying the myths of public cloud computing was published in Computer Weekly. I have also written Cyber Risk Management: Prioritize Threats, Identify Vulnerabilities and Apply Controls, which became a bestselling book on Amazon.  

What first made you think of a career in cybersecurity?

I started out working in traditional IT roles, but this developed due to my curiosity and drive to understand the inner workings of IT systems to make them more secure. I was originally working in application development and systems engineering, but went on to take Microsoft exams and security electives at the end of my first role. From there, I was drawn to security, creating threat models and protection strategies.

What style of management philosophy do you employ with your current position?

My style of management is one of cross-functional responsibility. At Tanium, our engineering practices are both agile and waterfall. We need to ensure that security is offering pragmatic risk assessment, often under time pressure, and catered to the situation at hand. Our security leadership is given a lot of autonomy and we provide services to a broad range of internal stakeholders. When it comes to recruitment, we are extremely diligent in our process. We always look to smart and tenacious people who are inspired by our mission to help some of the world’s largest enterprises and governments solve their hardest IT challenges and close critical endpoint visibility gaps. 

What do you think is the current hot cybersecurity talking point?

Given the current pandemic, distributed working is unquestionably the major talking point of the industry. The past few months have seen vulnerabilities emerge that have resulted in some damaging public attacks. As a security leader, you must keep on top of patch management and allow for black swan events and significant changes to operations.

The sudden rise in unknown endpoints as a result of widespread remote working has resulted in a surge in unprotected computing devices and stressors that threaten to expose corporate assets to elevated cyber-risk and compliance challenges. Our recent research revealed that 93% of UK IT leaders have discovered computing devices within their organisation’s IT environment that they previously didn’t know about.

Leaders can be fundamentally blindsided by unknown devices in their environment. This lack of visibility into how they see and manage endpoints can cause major issues. Without true visibility and control of all their IT assets, organisations are creating vulnerabilities that can be exploited. As a security leader, you must be able to answer the questions, ‘what patches are missing?’ or ‘how many IT assets do we have under management?’

How do you deal with stress and unwind outside the office?

As is the case with so many others at the moment, a definite benefit to working from home is the added time I have been able to spend with my family. I do also like to spend time in my home gym as I find exercise is a fantastic way of refocusing and unwinding.

I also spend some of my spare time reading books that are related to the job, either directly or indirectly. Right now, I’m reading a great book on risk-centric threat modelling.

 If you could go back and change one career decision what would it be?

I genuinely choose not to have regrets. All the decisions have been opportunities to learn and improve, and without these I would not be where I am today. Security in particular is an industry where you have to try a lot of different things and might face some setbacks, and having regrets can make you less likely to be creative.

What do you currently identify as the major areas of investment in the cybersecurity industry?

CISOs continue to tell me that they struggle with the cybersecurity basics. As a result, they’re investing in three foundational areas: Zero Trust, data protection, and endpoint visibility and control, to help protect the distributed workforce.

Zero Trust: Organisations want to minimise their reliance on corporate networks, so they’re investing in security which doesn’t depend on a hub-and-spoke data centre architecture.

Data protection: Companies are generating an increasing volume of data and separating what’s relevant from what isn’t is a growing challenge in the industry. Understanding the critical information within systems is a crucial prerequisite to reducing enterprise risk. Companies are turning to tools which can identify sensitive data at rest and in transit, along with solutions for data minimisation and obfuscation.

Distributed Workforce: The shift to home working has created an explosion in potentially unmanaged remote endpoints, which could create dangerous visibility gaps. Most (55%) of IT leaders we spoke to recently argue that these gaps could leave them exposed to cyber-attacks, and 23% are concerned about non-compliance fines.

That’s why we’re investing in technology to help organisations close visibility gaps in their IT endpoint environments, as the workplace continues to evolve.

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?

Every region differs when it comes to cybersecurity. That’s why it’s important for CISOs to spend time with their regional leaders to understand the current landscape and the security, IT and compliance challenges that each region faces. This knowledge can then be incorporated into the wider global CISO strategy.

The cybersecurity industry is still — in some countries, companies and verticals — struggling to shake the stigma of being a ‘department of no’. Ensuring that the security leader is acutely aware of local cultural requirements is vital in the delivery of cybersecurity controls for enterprise risk reduction. Also, the privacy and compliance laws of each country are too different to allow for just one approach.

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

We took the decision to build a global cybersecurity team at Tanium, so my role has grown over the past 12 months. While most vendor CISOs are external-facing only, focused on customer advisory engagements, we have put everything related to security under one team. This centralisation has allowed us to define an overarching strategy for cybersecurity.

Consolidating our internal and externally-facing security functions allows Tanium to better serve its customers, providing good practice recommendations on using Tanium (the platform) and our partner ecosystem.

What advice would you offer somebody aspiring to obtain a C-level position in the security industry?

People skills are crucial, so it makes sense to develop this part of your repertoire if it’s something you feel needs work. Listen to the people you work with, take them for coffee and show them your care. You also have to have a continued thirst for knowledge within the cybersecurity industry. Get in the lab, build things and break them down again. The best C-suite staff I know thoroughly enjoy working in their industry because if you don’t, you get exhausted. Passion for the industry is vital.

Browse our latest issue

Intelligent CISO

View Magazine Archive