Over a glass of wine on a balmy summer’s afternoon in Kings Cross, London, Brian Brackenborough, Chief Information Security Officer (CISO) at Channel 4, shares invaluable lessons he’s learnt along the way, what makes a good CISO and how he’s traded DJ-ing for DIY.
Brian Brackenborough’s LinkedIn profile states: “Having risen to become the Head of Information Security at the BBC after 12 years, Brian eventually left to Join Channel 4 in December 2011 where he is currently the CISO.”
That’s not bad for a bloke who hated education and “fell into cyber security”. Brian claims that computing was the only subject he excelled in at school and from there, with a lot of hard work and luck, he landed a job at the BBC.
I’m intrigued to know how the industry has evolved from the days when anything computer related was just another ‘IT issue’ to now where we have a specific and dedicated role for cyber security.
Cyber security, not just another IT issue
“The biggest change is that people are more aware of the importance of cyber security. It’s no longer just a barrier to getting tasks done - it’s necessary,” Brian says.
“It’s bad to say, but the Sony attack in 2015 was a brilliant opportunity,” he concedes. It woke management up and sparked greater awareness and seriousness about cyber security. When the hype dies down however, it becomes more challenging to maintain their attention. “Breaches happen all the time, but it’s only until it happens in your industry that people start to take note,” he adds.
Being CISO of Channel 4 is not a role without pressures, but Brian seems blissfully unphased by stress. In fact, he thrives on pressure and finding creative solutions to issues against the clock. “With problem solving, you can’t always follow the rules,” he says. It’s about breaking down and mitigating a problem and finding a solution. In a room full of intelligent people with a diverse skill-set, he is confident that he can get there.
Cyber security; more people, less tech
He says that the toughest age group to deal with is the 40’s-50’s who are the most resistant when it comes to changing the way they’ve always done things. Although, there have been improvements. Millennials have also proved tricky - a generation which paid scant regard to their own privacy, uninhibited in what they shared online - partly due to a culture of openness, and partly due to the unknowns of the territory. However, Brian feels that Generation Z is a lot more security savvy. “They ask the right questions about where their data is going and what it’s needed for,” he states.
The conundrum is getting people to take security seriously. How does Brian feel is the best way to communicate with people? “Make the message personal, make it relevant to them, and make sure they know you’re running a ‘no blame’ culture (after all we are humans and make errors) - they become much more receptive to what you're recommending,” he advises.
The greatest misconception about his job is that he’s the ‘anti-fun police’...although that image is mellowing slightly. He loves the fact he gets to help a whole range of people on a daily basis. “I would like to think that people view me as someone who can help them understand rather than, as in the old days, the police to tell them off,” he says.
People are more likely to implement change and put security into practice if it’s something that affects them directly. So instead of repeating the hackneyed phrase ‘change your password’, Brian sits down with individuals and shows them examples of their Facebook account being hacked, how a hacker could eventually talk to all of their friends and family and extort money from them. “That registers and then they start to think where else is unsecure. Once that mentality is there, they naturally become security aware,” he adds.
“I’ve the easiest job in the world - it’s just cyber security. Others have to do their job AND cyber security, whereas I’ve just got to do security,” he modestly declares.
Essential CISO traits
Brian states that ‘common sense’ is essential; everything else can be learnt. “A computer is not going to randomly do something bad - someone has done something along the chain and it’s about recognising the flags and finding the solutions,” he explains.
‘Pragmatism’ is also important and you can’t always follow the rules, Brian reveals. Having a drink after work with colleagues often mitigates a problem where middle ground can be found, in lieu of blindly following the rules.
A ‘sense of humour’ always helps too, he adds!
Brian’s most valuable lessons
Interestingly, neither are from the InfoSec World.
The first is, ‘always help others’ - something he picked up during his first Saturday job which his mother arranged for him. Each week he served as an assistant at an Aladdin’s cave-esque homewares’ shop, a job which involved - “a lot of shifting around terracotta pots”. He noticed that his boss would go out of his way to help potential customers - recommending a competitor who had an item in stock which he didn’t have. Brian admits he was perplexed by this action as it often resulted in losing the customer. His boss’s response was, “yes, but they’ll remember this and eventually return.”
‘Leave it at work’ - is another lesson which he picked up along the way. He advocates pub visits with colleagues - “where you talk about everything other than work”. “You have can have a blazing row or difference of opinion in the office, but at the end of the day that’s just work - you’ve still got to get along and show each other some respect,” he states.
Cyber security - a 24/7 job
And how does he unwind?
A slight chuckle is greeted with, “Unwind - that sounds nice, unfortunately it’s a 24/7 job.”
“As hacking is an international business, when we are going to bed, they’re waking up - they’re trying at all hours. He says nerves are definitely high from 3-5pm on a Friday afternoon when he’s thinking whether something big will happen before the weekend.
As hobbies go, these days DIY and gardening have replaced DJ-ing (a hobby he used to take seriously which guaranteed party invites). His phone remains ‘on’ permanently bar two weeks per year, when he escapes to a wifi and signal free zone, in the heart of nature. This year he’ll be walking in Wales with his family and Monty, their German Shepherd-Husky Mix dog.
Much deserved, I think.