Secret CSO: Richard Jones, Orange Cyberdefense

What conferences are on your must-attend list? "I really enjoy the big industry events, such as Infosec Europe, and for me the main draw is the quality of the speakers…"

1 2 Page 2
Page 2 of 2

What was your first job? I was a trainee accountant, on the path to becoming an accountant, at a very small accountancy practice called CK Wong in Chinatown, Manchester. I couldn't even tell you if they're still trading. It was a long time ago.

How did you get involved in cybersecurity? Back in 1989 cybersecurity wasn't even a thing. It is a term we have become more familiar with, certainly in the last decade, if not more recently than that. But ultimately, the accountancy firm I worked at was very small, and one of my colleagues at the time was extremely IT-oriented, even back then. Being young, and fresh out of school, I showed a very keen interest in the IT side of things. That really got my thirst up for working in IT, not necessarily cybersecurity, but that set my future in motion. When I moved on from CK Wong, I worked closely with IT processes in my next role, and then shortly after that I started my full-time career in IT in around 1995-96. Since then, I've never had a role outside of IT.

What was your education? Do you hold any certifications? What are they? I don't currently hold any professional certifications for information security. However, I have heavily leaned on CISSP/CISM throughout my career as my go-to bibles. So much so that, only this year, I decided that I would try to recover the situation, and become certified. I'm actually now enrolled on a CISM course that is designed for graduates, so I'll be the pensioner in the room! Unfortunately, COVID-19 has disrupted the course, which was due to take place in April, and is now due to take place in November.

In terms of education, at the end of secondary school, I went to a private college specialising in accountancy, but at the end of that training course I became more focused on topics in IT. In addition to this, I have undergone countless vendor training courses and exams over the years, almost too many to remember.

Explain your career path. Did you take any detours? If so, discuss. Apart from the initial switch from accountancy, my career path has been relatively focused on IT. As many children growing up in the 80s with games consoles, I attempted programming that I read about in magazines and other games, often not with the desired result! So, I have always had a thirst for knowledge in the IT department. Unfortunately, careers advice at school never really covered IT at that time.

Since I've been in the industry, I have worked in a number of different roles within the IT sector, before making the switch to true information security around nine or ten years ago. I was very fortunate to work for N Brown, which encompassed brands such as Jacamo, Simply Be and JD Williams, for a significant number of years. During my time there, I worked from the IT help desk through to security architect and then into information security, becoming CISO. I then went on to join what was SecureLink before the company became part of Orange Cyberdefense last year. And here I am.

Was there anyone who has inspired or mentored you in your career? I wouldn't say there were any pivotal influences in my career. No cybersecurity celebrities or anything like that. However, there are three former colleagues who standout to me, all former managers. The key factor I always take from what inspired me about them was their ability to listen. They were incredibly good at listening and explaining, which really resonated with me as I always felt like I could go to them with any problem.

What do you feel is the most important aspect of your job? I don't like to place priority on any one component of what I do, but it follows a similar thought, as ultimately the most important aspect of my job is being available to the team around me. I really do make myself available, far more than I should, at the consequence of some of my own work really. But I find that it's important to me so I'm comfortable with making that choice.

What metrics or KPIs do you use to measure security effectiveness? In our management systems we have a number of KPIs, but for confidentiality reasons I won't describe them all. For me the important ones are the Vulnerability Management Index, our Security Awareness Index and the Availability Index. We do much more around Incident Management, but I feel that the KPIs that are closely related to business objectives are the best.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? As a traditional CISO, I could answer that question in the exact method you would expect. However, working in a cyber security company surrounded by nearly 2,000 colleagues specialising in cyber security there is a rich abundance of resources available to get the right answers or the right opinions.

We are not necessarily short of skills, but if I were to identify the most challenging thing about recruitment, even though cybersecurity is now a very mature industry, I would say that experience is still a difficult aspect to pick out on a lot of CVs these days.

Cybersecurity is constantly changing - how do you keep learning? People often say that cybersecurity is the most dynamic and fastest changing risk facing organisations. The question is how do you keep pace? For me, I am very fortunate that I have worked with world-class managed security service providers so I'm always in and around people at the cutting edge of the industry. As part of my role, I am an active member of lots of the forums where I can consume information for my own needs, to translate that on the inside, not just as a consultant, but also as a practitioner.

What conferences are on your must-attend list? I really enjoy the big industry events, such as Infosec Europe, and for me the main draw is the quality of the speakers. Some of them are very technical, and also extremely compelling. I truly go there with open ears, excited by every topic. For me, the knowledge that I have acquired there is probably some of the most useful and interesting I have gained in my time in cybersecurity. At other events that I've been to, I sometimes hear something that I might have heard five or ten years ago, which makes you realise that the cybersecurity industry sometimes has issues getting its point across. I certainly don't think that's something I've picked up on at Infosec Europe.

At Orange Cyberdefense, we also run industry events, albeit on a smaller scale, and I'm lucky to work with some real thought leaders, who are very inspiring and make me feel lucky to be surrounded by such expertise.

What is the best current trend in cybersecurity? To satisfy the threats faced by our critical assets today, cybersecurity solutions really have got as close as possible to real-time detection. Some vendors are rapidly closing that gap between a major incident being detected and two months passing before you find out about it. I believe that the best of these solutions is a hybrid of many not just the one, and those that are focusing on the endpoint from a detection and response point-of-view are the ones that are really exciting at the moment.

What's the best career advice you ever received? To move into information security. When I made the transition out of true IT to IT security, the person who offered me the role basically set the scene about the importance of the industry, and convinced me that the future of the discipline would be so significant that it would be the best career move I ever made. It's what got me to where I am today.

What advice would you give to aspiring security leaders? In continuing with my theme, I would say learn how to listen. Too many times have I seen information security and cyber leaders be a very negative influence on business or decision-making policies. By listening and ultimately enabling your business is the reason you are there, so I think the common ground theme is to listen.

What has been your greatest career achievement? Success comes in different measures, there are days when I finish the day with huge anxiety and thoughts in my mind about how we are going to overcome things. There are other days when I leave the house with a small skip in my stride, as we have come to great decisions and achieved what we set out to do. That's how I measure success of a day-to-day basis.

One of the things I am most proud of in my career was when we were faced with a huge DDoS attack in one of my previous roles. We were struggling, there's no two ways about that, but we were in the process of procuring a solution to defend against such attacks, ironically, so we turned to one of the providers to help us out. Over many hours we recovered the situation and got our operating platforms back online with very low impact to the business.

It was, without a doubt, one of the scariest moments of my career, being defenseless, helpless and stranded not knowing where to go. Fortunately, at that time, we had the right contacts in place and the right providers supporting us that we got through it.

Career achievements is so subjective, but for me, if I enabled the business to do what it needs to do, that is such an achievement.

Looking back with 20:20 hindsight, what would you have done differently? From my point of view, I truly wish that I had begun my career in the cybersecurity domain. I would have had the opportunity to do more training, and to gain more certifications such as CISSP/CISM to enable me to be better equipped for the job. My analogy is when I moved out of network security and cybersecurity as a technician, moving into information security as a domain was like a joiner suddenly taking up a role in a plumbing company. I felt kind of stranded, as the domain is so huge, far vaster than I anticipated. Where I am today I feel blessed that I have the right capabilities and competence to do the job I need to do, but looking back if I had done better with my education, that's what I would have done differently.

What is your favourite quote?"Leaders who don't listen will eventually be surrounded by people who have nothing to say" - Andy Stanley. This quote sits with me every day. Another favorite of mine is "Common sense is a mythological flower, but it doesn't grow in everyone's garden".

What are you reading now? I am a huge fan of FBI and American police crime dramas. It allows me to learn more about different countries and how they operate. The book I am currently reading is the seventh book of the Josie Quinn detective series by Lisa Regan. I always have to choose a book, which is part of a series and has more than one for me to read. Fortunately, in this series there are nine for me to work through.

In my spare time, I like to… Run and cycle. I'm a very keen runner and cyclist. If I'm not running I'm cycling and if I'm not cycling I'm running. I was really looking forward to running in some events this year, and I was training to run my first marathon before it was cancelled due to the coronavirus. I had just reached the 20 mile marker in my training before lockdown, but now I'm only running about 10-15 kilometres every other evening.

Most people don't know that I… The only confession that I have is something that I used to do in school, which is speak and burp at the same time. It's a talent, which is rarely used in the office I must admit. I'm sure that there is a technical phrase for this which I would rather you use if you can find one, if not make one up in your journalistic skills… Spurping?

Ask me to do anything but… Work at height. I am terrified of heights. Even office buildings I can't go much above six or seven floors. If I do, I have to stay in the centre of a room, which is a strange thing for me as I'm 6ft 5in, so as a tall chap people often wonder how I'm afraid of heights. It stems from a bad experience in a lift, where the lift went outside the building, and I didn't know it would be doing this causing me to pass out. I just can't do heights, but strangely can look out the window of an airplane in the sky without any problems.

1 2 Page 2
Page 2 of 2