Go Phish: John Smith, EMEA CTO, Veracode

Go Phish: John Smith, EMEA CTO, Veracode

We ‘go phishing’ with John Smith, EMEA CTO, Veracode, who tells us about life inside and outside the office.

1.         What would you describe as your most memorable achievement in the cybersecurity industry?

My most memorable moment was when I was running an AppSec training course for a customer and an enthusiastic student accidentally shut down a business-critical SQL Server via a SQL Injection vulnerability we had been discussing. In terms of achievement though I think that my time at Veracode has allowed me to help many customers both large and small with their AppSec challenges over the (almost) 10 years so far. This is my first time in a SaaS vendor and I was struck right from the beginning by the difference it makes to the relationship when your customers rent your software rather than owning it.

2.         What first made you think of a career in cybersecurity?

Truthfully my first step was entirely a happy accident. I was working as a developer and a former colleague brought me into a security start-up as part of the development team. The thing that has kept me in the security space is the pace of evolution and innovation – both from the attackers and the defenders. These days I think that more than ever I also appreciate the responsibility of cybersecurity. You don’t have to look far to see real world examples of the consequences when defences are breached and so the extent to which all aspects of our lives are now entwined with the digital world makes cybersecurity ever more important.

3.         What style of management philosophy do you employ with your current position?

I’ve been fortunate to have some truly excellent managers over my career so far and one thing that they’ve had in common is that they almost never told me what to do or how to do it – at least not beyond giving me assignments or projects to own. When I needed help, they were happy to coach me and patient enough to let me reach my own conclusions. That’s how I try to work with my team.

4.         What do you think is the current hot cybersecurity talking point?

The most recent cybersecurity fire drill has been the Log4J vulnerability which once again highlights the difficulties in managing the security of the Software Supply Chain. This was a hot topic throughout 2021, including the Executive Order. More broadly I think that the trend of Everything as Code will drive a lot of cybersecurity conversations in 2022. When EAC is combined with the rapid deployment of code (i.e., CI/CD) there are huge benefits to enterprise agility but that also brings a new challenge of also being able to apply continuous security.

5.         How do you deal with stress and unwind outside the office?

I have a very basic workshop in my garage where I work on various projects, with varying degrees of success. I also enjoy gardening and in particular growing vegetables, again with varying degrees of success. I find that much of my working life is virtual, and never more so than in the last 2 years so doing something quite different that has a physical result helps me to fully switch off and unwind. It also helps that once in a while I make something that is useful or tasty.

6.         If you could go back and change one career decision, what would it be?

I don’t think there’s a lot that I would change. That’s not because I haven’t made any bad decisions – anyone who thinks that is either very lucky or not being honest with themselves – but I don’t think that agonising over mistakes (or sub-optimal choices) is helpful. Learn from mistakes and move forwards.

7.         What do you currently identify as the major areas of investment in the cybersecurity industry?

One major area of investment in the cybersecurity industry is the growing cybersecurity skills shortage. Companies are increasingly realising the need to invest in ongoing training to meet the demands of the changing workforce and skillset. Even though the number of cybersecurity graduates is expected to double in the next two years in Europe, ENISA already predicts this is not enough to close the skills gap which means it’s up to businesses to invest in training and education to close the gap. 

8.         Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?

There are, of course, different levels of market and technological maturity in different regions so the challenges are slightly different but I think that the delta has shrunk over time. Global connectivity has driven that strongly but also cloud technology. Increasingly, we see that software and infrastructure is in the cloud and so the region is less of a determining factor than the particular cloud provider or technology you use.

9.         What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

My role has been stable over the last 12 months – building and optimising my team to help our customers gain value from their partnership with Veracode. What has changed and will continue to change is what that value looks like and the stakeholders we are working with. This is a continuing trend for Software Security where ownership is transitioning from a pure CISO led function to a Development led approach. Most organisations are somewhere along this journey but the pace seems to be accelerating and that means that we need to move with it.

10.       What advice would you offer somebody aspiring to obtain a C-level position in the security industry?

Don’t over-specialise. That’s not to say that it’s a bad thing to develop deep knowledge of the space you are currently working in but you shouldn’t be afraid to branch out and explore domains that are at first glance unrelated. This is true in both a horizontal (different technology domains) and a vertical (strategic vs. tactical) sense.

Browse our latest issue

Intelligent CISO

View Magazine Archive