Mark Walmsley is not your typical Chief Information Security Officer (CISO). He spent several years as a private investigator and recruitment consultants before moving in to law and then becoming the CISO of global law firm Freshfields Bruckhaus Deringer LLP - a position he’s held for the past 5 years. Over several coffees, on what happened to be the one rainy day of the summer, Mark discusses why sharing information is key to securing our future, how cyber security training needs to be done in a more intelligent way and why there’s no compromise when it comes to cooking.
CISO: the new fund manager?
Mark compares the role of a CISO to that of a ‘fund manager’ where, “you've got to keep moving your funds around constantly to make sure that you're getting best value for them. We're looking at behavior, we're moving roles and defences around, and we're training people.”
This marks a change from the CISO who traditionally came from an IT background. Now CISOs are expected to display an adequate amount of business acumen and understanding of how the organisation operates.
Throwing tech at the cyber problem
The problem, for Mark, is that many CISOs still think technology resolves risk so they throw more technology at the problem, an action that can have disastrous consequences. “If all you're doing is managing technology - you've not got your eye on what the risk look like down the road,” he states.
Mark says that the disciplined approach of creating ‘roadmap of risk’ - an understanding of what the next six months ahead looks like - is essential for good cyber security management. It’s an increasingly difficult and stressful task to contain every risk on a daily basis. “If you split your time and contain the very biggest stuff, abandoning the smaller stuff where the impact is lower, that leaves the rest of the time to strategise what the next six months are going to look like for you as an organisation,” he advises. This gives you the opportunity to expense the business, seek good guidance and figure out what approach you want to take.
Investment in people, not technology
Mark feels more should be done on the ”softer side” of cyber security. A lot of people look to technology as a solution but people are the problem; it's an accountability and mindset issue.
“Much better investment in people is needed to make them more aware of risk and how to identify and manage it. So part of that is education - but we have to do it in a much more intelligent way,” Mark states. He has three tips for better training:
- Make baseline training mandatory for people - that's old school e-learning but gives a basic level of intelligence around it.
- Run a phishing campaign - to catch and analyse people’s behaviour. Test everybody’s ability to pick up on fake emails and where they get it wrong; that allows you to spot any behavioural problems in a particular region and to provide the relevant training.
- Run training sessions for executives, such as City of London Police’s cyber security simulation game. The game is designed to encourage company boards and their IT teams to think and prepare for security problems before they happen. “Decent, practical stuff that's a bit fun and actually puts it all in context,” he adds.
Mark does not adhere to shaming staff members for bad security behaviour as it, “totally disengages and alienates the individual.”
Coping with stress - make sure you're in control
So how does Mark deal with the pressures of being a CISO?
“You have to stick to your guns - if you’re constantly flexing and bending over for different people - it becomes very stressful because you lose control,” Mark advises.
He also advocates ‘sharing’ concerns about challenges, of which there are three strands:
- Sharing problems and solutions amongst fellow CISOs which is like a kind of “therapy.”
- Sharing with those more senior to you as “you get someone looking at the problem from a different perspective.”
- Sharing within your team - because talking to the team can validate some of your concerns. It’s a 24 hour job and you have to divide the workload.
Mark uses a psychologist to help the team manage stress and maintain a healthy and resilient lifestyle. He also advocates making time for ‘non-negotiables’ (the activities which really engage you and enable you to switch off from work). For Mark it’s cooking - an activity in which he is “fully immersed” and he won’t compromise on making time for.
The psychologist also talks about, ‘unacceptable personal pressure’. “Checking and responding to emails in the middle of the night is neither expected nor conducive to a healthy work/life balance,” Mark says. In other words, we have an individual responsibility to manage our stress by observing self-imposed boundaries.
“Deep breathing also helps,” he adds.
I ask Mark whether there’s a time he ever turns off his phone to be unavailable.
“No,” he responds, “literally, no.” Though he has cunningly developed a habit of choosing holiday destinations with minimal phone reception.
“I’ve got a brilliant assistant. When I go away, she's on top of everything and texts me if there is a problem,” he says. He’ll go for a run to gain access to reception. However, the phone is on 24 hours a day, “just in case Armageddon happens in which case I'm packing my bags and going into the bunker…”
Mark’s advice for being a great CISO? Keep it simple, stupid
“You have to be able to speak in very plain language about what the risk looks like - there's no magic in it,” he explains. Keeping the message simple and inclusive are key to keeping people’s attention. “We need to put together noddy guides, not the encyclopedia of quantum physics,” he says.
He concludes by saying that you have to be O.K with not being able to fix it all and leaving some of the low level fruit behind - even if it’s easy to fix. You cannot do everything.