CIO Spotlight: Allan Alford, Mitel

Do you have KPIs to quantify the value of IT? "We track incidents, detection times, closure times and dwell time. We also track the successes of our various security training efforts and our speed at remediating penetration test findings."

Name: Allan Alford

Company: Mitel

Job title: CISO

Time in current role: 4 months (started in July 2018)

Location: Austin, Texas

Allan Alford is Chief Information Security Officer (CISO) at Mitel, formerly CISO at Forcepoint and at Polycom. In his CISO roles Alford has managed enterprise security as well as compliance with various frameworks such as GDPR, NIST SP800-171 and ISO 27001. With more than 30 years of IT and Engineering security experience, Alford has a strong product and cloud security background, having served at Pearson as Product Information Security Officer (PISO), supervising the security of a massive-scale companywide cloud transformation program, and Polycom where Alford built and managed the product security program, integrating it fully into the business.


What was your first job? I was a french fry cook at a fast food restaurant. I worked the closing shift and walked home each night. Only one year later I got my first technology job, supporting customers at a local print shop in using first-generation Macintosh computers to design and print documents.

Did you always want to work in IT? I never really thought of it as working in IT or not working in IT. I just knew that I had to work with technology. I was good at it, I enjoyed it, and I found it rewarding.

What was your education? Do you hold any certifications? What are they? I have a Bachelor's Degree in Liberal Arts with a focus on Leadership from DePaul University, with credits transferred from The University of Texas, Texas Christian University and Harvard University, and am also currently in the process of completing a Master's Degree in Information Systems and Security from Our Lady of the Lake University, with some graduate hours in engineering and technology management from Louisiana Tech. After this, I have my eyes on completing an MBA program. I will never quit studying and learning, and will always be a student, a teacher or both.

Explain your career path. Did you take any detours? If so, discuss. My career trajectory has been steady. I went from working in IT operations with a security focus to engineering with a product and cloud security focus. I have now reconciled the two into one overarching security career, based once again in IT.

What business or technology initiatives will be most significant in driving IT investments in your organization in the coming year? Putting together a comprehensive DevSecOps operation is a big project for me this year - and working on this project is fun. Mitel was grown through acquisition, so there is a lot of combinative work around here as well. I love being able to choose from a few established processes, pick the best of each one and forge a new universal process.

What are the CEO's top priorities for you in the coming year? How do you plan to support the business with IT? The unified communications (UC) and unified communications as-a-service (UCaaS) worlds are the perfect grounds for maturing a security program. Continuing to broaden the security apparatus of the company by diving deeper into business processes is my main goal for the year. But because UC and UCaaS are ever-changing worlds, I'm not deprived of being able to implement cutting edge tools and methods either. My team and I have worked tirelessly to assess new and disruptive security technologies and practices and have an aggressive roadmap in 2019 to upgrade many facets of our operation.

Does the conventional CISO role include responsibilities it should not hold? Should the role have additional responsibilities it does not currently include? The CISO role is new enough that its definition is both fairly consistent and sufficient to the tasks at hand in most organisations. What is interesting is the intersections between the CISO and the CIO, the CISO and the Board, the CISO and legal department, and the CISO and the CRO. Security is risk, but a unique variant of risk, and a good CISO lives right between the technology leadership, the board, regulatory compliance and the risk management apparatus of the company. The CISO must be prepared to interface with all these entities regardless of who they report to.

Are you leading a digital transformation? If so, does it emphasize customer experience and revenue growth or operational efficiency? If both, how do you balance the two? Mitel's digital transformation is built upon the pillars of both improving customer experience and our operational efficiency, with a goal of each enabling the other. For implementing security in such a transformation, the CISO must be there early and often, bringing good security practices and tools to the table in a proactive manner, as a business enabler rather than as an obstacle.

Describe the maturity of your digital business. For example, do you have KPIs to quantify the value of IT? Mitel's journey to a digital transformation began in 2014 and we've been on a steady path ever since. At first, it was about innovation and customer experience - and, while those are still focus areas, we are now looking at so much more. The organisation has transformed by using technology to help our employees be more productive, create innovative solutions and deliver top notch customer experience. Security has grown along with this transformation, acting as business enabler and evolving along with the business.
We conduct an annual security maturity assessment and leverage its results to drive progress. As far as KPIs go, we track incidents, detection times, closure times and dwell time. We also track the successes of our various security training efforts and our speed at remediating penetration test findings.

What does good culture fit look like in your organization? How do you cultivate it? Mitel's culture is truly one of collaboration. My remit overlaps with so many others in the organisation, and I'm thankful every day that the spirit of cooperation reigns here. As a new CISO, I have been greeted with open arms. Folks have been quick to show me not just where I can help them, but where they can help me.

What roles or skills are you finding (or anticipate to be) the most difficult to fill? The security field has more open roles than people to fill them at this stage in the game. This provides a huge opportunity for people who want to break into the field or make the transition from IT to security. If you're interested in security, this is the time to get involved. Cybersecurity is still challenged when it comes to diversity, and desperately needs the unique perspectives of all applicants from as many areas of society as possible.

What's the best career advice you ever received? Being smart is handy, but is not by any stretch of the imagination the end-all, be-all for career readiness. Attitude and work ethic are far more important than IQ. Communication skills are more important as well.

Do you have a succession plan? If so, discuss the importance of and challenges with training up high-performing staff. Always! My team is working on a comprehensive, top-to-bottom succession plan that will serve us all. This only helps a team grow.

What advice would you give to aspiring IT leaders? True IT leaders, especially in security but across other parts of the organisation as well, need to understand the business from all angles to best have a holistic view of business opportunities and challenges. In order to achieve this, aspiring IT leaders need hands-on experience in multiple facets of an organisation, including IT operations, security operations, risk management or audit, and ideally a leadership role in a department directly involved in the creation or delivery of the company's products or services. A bit of experience in development/programming never hurts either. The knowledge gained in these various roles allows a good security leader to sit at the intersection of information security and business and better translate risk into business terms. In addition to understanding the business itself and developing strong leadership skills, those who aspire to take on top IT positions need to have a complete understanding of the security side of the business. This includes becoming an authority on policy and compliance to keep their organisation in line with regulations such as GDPR.

What has been your greatest career achievement? Back in the late eighties, I was hired to work at a law firm to support the transition from pre-PC word processors to PCs running WordPerfect. I told them in the interview that I did not know all the specifics that they wanted me to know then, but that I would by the time I started. They took a gamble on me, and I made sure that it paid off. I stopped at the bookstore on the way home from that job interview, bought two books on WordPerfect, and by the first week of the job was writing macros that saved the company hundreds of hours a year.

Looking back with 20:20 hindsight, what would you have done differently? I would have bought Microsoft and Apple stock back in the day! But seriously, there were a few changes that I didn't see coming. I invested parts of my career in technologies that ultimately got eclipsed. Once upon a time I was certified in LANtastic and Novell, and was a highly skilled dBASE and FoxPro programmer. So, not necessarily doing something differently, but more just using this hindsight to always be looking ahead for the next technology innovations.

What are you reading now? I've got a few books on my shelf that are all about security metrics and KPIs; I'm bouncing back and forth between the three of them. For school, I'm currently diving deep into cloud security and telecommunications carrier networks.

Most people don't know that I… met the Dalai Lama. He came to speak at the Rothko Chapel in Houston years ago, and my mom knew some people. He was as gracious and humble a human being as I imagined he would be.

In my spare time, I like to… read, research, write articles, podcast and do interviews about cybersecurity. This is not a field for the half-hearted. I do get away from it here and there as well. I play some retro videogames with my daughter.

Ask me to do anything but… The dishes? My wife will tell you it's the dishes.