Secret CSO: James Doggett, Panaseer

What advice would you give to aspiring security leaders? "A security leader must be able to balance their security strategy through risk principles so that is why we should focus significant efforts to solving the basics of security permanently."

Name: James Doggett

Company: Panaseer

Job title: CISO and VP North America

Date started current role: December 2017

Location: Texas, New York and London

Leading information security practice at EY, Jim developed a deep understanding of the intersection of controls, risk and cybersecurity. After leaving EY, Jim was CTRO at JP Morgan, Kaiser Permanente and AIG. In each of these roles, Jim focused on automating the control processes over IT and Security, consolidation of all security-related issues into a single view of security, and the elimination of testing the same controls multiple times.


What was your first job? I started my career in accounting, as a financial auditor for Ernst & Young.

How did you get involved in cybersecurity? It was a natural evolution - I was at Ernst & Young for 27 years and I helped build the company's cyber security practice from the ground up. I moved from financial auditing to internal controls, then to technology controls and computer security, which then led into company security (the precursor to cybersecurity).

What was your education? Do you hold any certifications? What are they? I majored in accounting and worked as a Certified Public Accountant for my tenure at Ernst & Young.

Explain your career path. Did you take any detours? If so, discuss. After nearly 30 years at Ernst & Young I held some fascinating roles before joining Panaseer. I served as the Chief Technology Risk Officer for AIG, the Chief Security Officer and Chief Technology Risk Officer for Kaiser Permanente and I was Managing Director of JP Morgan Chase. There weren't really any detours, just a series of progressions.

Was there anyone who has inspired or mentored you in your career? I had a phenomenal direct report at Ernst & Young who was one of the leaders that headed up the Americas. He has a great ability to listen and advise without any agenda and the ability to always provide advice in my best personal interest.

What do you feel is the most important aspect of your job? Working with a startup is a very different experience - it's fast and very varied. My role extends across advising on product features, to engagement with new and prospect customers. I think the most important aspect of my role is to ensure that I am applying my industry experience and knowledge in a pragmatic way.

What metrics or KPIs do you use to measure security effectiveness? Obviously in cybersecurity having measurable metrics is imperative to drive change, but where I see many people going wrong is that they start with a wrong metric, which ultimately drives the wrong behavior.

I always advise that when creating metrics you thoroughly test them in the first instance to make sure that they are complete, accurate, easy to build/sustain and relevant.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I have a controversial view. When it comes to cybersecurity personnel I think we focus on the wrong issue - whether or not there is a skills shortage. I think we need to move the conversation onto effectiveness. So much of a security team's time is eaten up in manual, mundane reporting. As well as being a waste of their time it's also mind-numbing, which affects retention of workers and lowers the average tenure.

Cybersecurity is constantly changing - how do you keep learning? After spending decades working in large companies with key leadership roles for security and risk, I took the brave leap to join a startup; I think there are much bigger opportunities for learning when your role is so varied. Interfacing with so many CISOs at industry events is also keeping me very current as I am constantly discussing pain points and where these are common and different across sectors and geographies.

What conferences are on your must-attend list? When it comes to conferences I think you really get what you put in. There's obviously the big ones that are great for engaging with industry peers, suppliers and partners - such as RSA in the US and Infosec in the UK. In terms of new business, the more specialised events such as FS-ISAC are very good.

What is the best current trend in cybersecurity? The worst? There's obviously topics that drive headlines - industrial espionage, voter hacking, dark web drug sales etc. Then there's the so-called trends that take up lots of features, like AI and GDPR readiness etc. However, I think these actually serve as a distraction from what needs to be the focus - the basics.

The fact is every day there are new and advanced security tools hitting the market, which are designed to help solve a cybersecurity problem; but then why are the numbers of breaches continuing to rise? No one can give up and say it's just a battle that cannot be won. Yes, it's natural to be attracted to new shiny balls… the super technical security risks. And yes, these risks are real, but does focusing on them really provide the best ROI for security? Ultimately most problems are arising from bad actors taking advantage of very basic flaws in the security ecosystem.

What's the best career advice you ever received? Don't believe everything you think. Test any assumption and base decisions on data and evidence.

What advice would you give to aspiring security leaders? Make sure you fully understand risk. Today's security leader needs to be able to balance risk with security. We no longer live in an era where we can fix everything and where an organisation can be 100% secure. A security leader must be able to balance their security strategy through risk principles so that is why we should focus significant efforts to solving the basics of security permanently.

What has been your greatest career achievement? I was very proud when I made partner at Ernst & Young in my early thirties - it was a great achievement.

Looking back with 20:20 hindsight, what would you have done differently? As a general statement I wouldn't change anything I've experienced thus far in my life.  I've learned from my mistakes and will continue to do so.  But I do wish I hadn't sold my old Porsche many years ago.  It is worth so much more now.

What is your favourite quote? I quite like the quote from Tom Petty: "It just seems so useless to have to work so hard and nothin' ever really seems to come from it." It makes me think about how we can spend so much time firefighting and chasing our tails, rather than thinking smart and being proactive.

What are you reading now? I am midway through Squirm by Carl Hiaasen.

Most people don't know that I... really don't watch TV. The last time I put Netflix on was about two years ago and if I recall correctly it was a concert that I had on in the background.

Ask me to do anything but… Eat a durian fruit - yuck!

In my spare time, I like to... I am fanatic about music - I enjoy listening and watching music across a wide range of genres, across blues, rock, funk, jazz and pop. I am currently midway through a woodworking project to build a credenza to hold my collection of vinyl records.

 
