Nick Nagle, CISO of Condé Nast International talks to TEISS about his creative approach to cyber security training, why he hates spending money on technology and how it's not all dissimilar to flying a plane.
Nick needs to thank a building society for his career. He doesn’t remember which, but he does remember being £2,000 richer twenty years ago, courtesy of shares received from his building society at that time.
Most people might have treated themselves to a new wardrobe or holiday but Nick decided to go on a Windows NT Security Training Course with his yield. The timing couldn’t have been more perfect. It was the late 90s and there was considerable buzz brewing in the infosec industry. From there Nick worked his way up the IT industry ladder.
Prior to being CISO at Condé Nast International, Nick has held a number of senior positions and most recently as a security architect at EasyJet - an apparent contrast to a glossy magazine business, but he’s grateful for the cross industry experience because at the end of the day “it’s about understanding what's important to each of those companies.”
Nick says it’s essential to get “plugged into the business” from day one. “You need to get out there and make yourself visible across the organisation; you need to meet face to face with people, find out what are the issues that don’t work for them and help them with their weaknesses,” he advises.
Cool as a cyber cucumber
Maintaining cool is important but a CISO also has to “take the right approach,” Nick says. “You must remember the CISO is here to support the business. If the business wants to put everything in the cloud, that's a business decision and as a CISO you need to stand behind that decision and you need to make that work,” Nick states.
We all love throwing technology at a problem, but being a CISO demands a “pragmatic approach,” he says. If you understand the business, you can take a step back from the challenges and ascertain whether it’s a technology, people or process decision.
“People are the most powerful assets that any company has, without people we don't have a company. So given that they're so powerful why don't we utilize those people and their experience and hopefully that will move us away from being incredibly technology focused,” Nick says.
But surely people are the greatest weakness in the company?
“They can be if you haven't got your awareness and training in order,” Nick thinks. But that weak point can be closed off and is not impossible to resolve. “People make mistakes but it’s how you manage and deal with those mistakes,” he adds.
Creativity and visibility
Nick’s selective about the organisations he works for, preferring less regulated environments where he can be more dynamic and flexible as a decision-maker, over tightly regulated ones where “decisions are made for you.”
There’s no dearth of creative stimulation within the offices of Condé Nast International. The cool, sleek interiors are graced with sumptuous images of past magazine covers, you half feel like you’re in a copy of Vogue.
“I've got lots of great creative material to inspire me which is a great reminder that you are in a creative industry. It's not black and white, this is high gloss colour stuff and so the security has to match that,” he says.
Visibility is another key factor for Nick. “If you can see what's happening and you can see where you're going then that allows you to set priorities and devise a strategy in the right way,” he advises.
Nick has drafted a three year strategy based on foundational security elements, however mindful of how fast the industry moves he “would always be prepared to navigate in a slightly different direction if need be,” he adds.
Communicating with staff - a creative approach
In much of the same vein as his surroundings, Nick injects creative flair when educating staff about cyber security. He emails eye-catching infographics to engage staff on topics such as GDPR, password security or mobile phone security. Whilst cautious not to bombard people with security advice, he does take advantage of external security incidents that are in the news to reach out to staff.
He doesn’t think an email is sufficient; visuals are an invaluable part of the communication process as people are busy - the message needs to stand out and there’s a higher chance of people remembering the information.
Can anyone be a CISO? Experience is key
“I think anyone can be a CISO but it's how successful you're going to be,” says Nick.
“You have to wear the wounds and have the scars to show that you've been through the battles. It's only when you've been through those experiences that you appreciate how something could have been much better or much worse,” he explains.
Experience also equips you with the skills needed when talking to the C-suite. “You need to speak with the leadership team and get them to understand that you're asking for some help because you're going to make their business a lot more successful, not because you're just throwing away their money,” he states.
“I hate the idea of wasting money on security tools. I've seen it happen too many times in my career,” he adds.
Flying away from it all
Inevitably his phone stays permanently on but Nick’s family keeps him in check and makes sure he’s not glued to his email. However, he does make time for a particular indulgence.
A self-diagnosed “aeroplane geek”, a perfect weekend would involve flying from Nice to Innisbrook on an A320 flight simulator.
“There is a big overlap in terms of security and flying an aircraft. Visibility is really important. If you don't have the visibility, then you need the instrumentation to be able to tell you whether you’re going in the right direction and what are the hazards that you need to be aware of, like a mountain or volcanic ash ahead of you,” he says.
“On an aeroplane you can't pull over to the side of the road and ask for directions. You have to be very calm and work out how you're going to reach your destination,” he highlights.
It’s that plane and simple. (Yes, yes, pun intended).