Secret CSO: Philip Swain, Extreme Networks

What's the best career advice you ever received? “Don’t be afraid of making a mistake. The key is to learn from it.”


Name: Philip Swain

Organisation: Extreme Networks

Job title: Chief Information Security Officer

Date started current role: November 2016

Location: Raleigh-Durham, North Carolina

Philip Swain is the Chief Information Security Officer at Extreme Networks, where he is responsible for implementing and leading the information security strategies for the global enterprise with nearly 3,000 employees spanning 80 countries. He brings more than 20 years of experience solving problems and facilitating organisational change across international teams that address cybersecurity, InfoSec risk, compliance, and infrastructure management.

What was your first job? I studied finance in college, and my first paid job out of school was in the finance department for General Electric Co (GEC). Specifically, I worked on account projects, tracking costs, and managing hours booked from manufacturing.

How did you get involved in cybersecurity? Following several years in finance, I joined ABB, an electrical and electronics manufacturing company. During that time, there were some leadership changes and the CFO oversaw both accounting and IT teams. The CIO tapped me to support IT project management and system implementations, and from then on, my career trajectory shifted to the IT track.

What was your education? Do you hold any certifications? What are they? I studied finance and accounting at Staffordshire University. When I switched into cybersecurity, I received my CISM and CRISC certifications.

Explain your career path. Did you take any detours? If so, discuss. My journey to an InfoSec career was not a straight path. I started on a finance track and then pivoted to IT and security. After my time at GEC, I joined JSB Lighting – again in a financial role. During this time, I also picked up the IT Manager role – and then transitioned to ABB for nearly ten years working in various IT roles in the UK and abroad, most recently as the Global Security Manager.

Finally, I joined Extreme Networks in 2016. I had experience working for large, global companies (ABB had nearly 140K employees), and I wanted the opportunity to build a security strategy at a company that was growing quickly. Extreme was a great fit. Between 2016 and 2019 we completed four acquisitions – the wireless LAN business from Zebra Technologies, the campus networking business from Avaya, the data center business from Brocade, and the entirety of Aerohive Networks. With acquisitions come great opportunities, but also new challenges to problem solve when it comes to things like figuring out how to consolidate and secure disparate networks. It’s been a demanding journey with twists along the way, but it’s been incredibly rewarding.

Was there anyone who has inspired or mentored you in your career? Josef Nelissen, the Global Head of Information Security at ABB. I admired how he would cut through the rubbish on a project or task. Josef was great at asking the difficult questions to get to the heart of an issue and what needed to be accomplished. He was also incredibly passionate, which motivated me and the rest of the team. One of his great characteristics was his ability to recall small details whether work related or about his team members.

What do you feel is the most important aspect of your job? Understanding the value our business brings to the global networking market — and our thousands of customers daily — is critical. Especially now, our technology is being used to support telemedicine in healthcare, remote learning in education, and provide essential connectivity to businesses while working remotely. We’re doing something important and valuable, and that’s very motivating.

My philosophy on this solidified during my onboarding at JSB, where new employees all had to spend their first month working on the shop floor. I saw how products were made, stocked, and shipped. I gained hands-on experience and an appreciation for what it takes to make the product that we are selling. I always try to apply that in my role today at Extreme when working with different departments. The best relationships are forged when you garner a real understanding for what different teams do and internalise the business process and product set.

What metrics or KPIs do you use to measure security effectiveness? KPIs are always changing, and in security your work is never “finished”. I encourage my teams to never take their eyes off the basics of security. Particularly in light of the ongoing COVID-19 pandemic and shift to remote work environments, it’s important for us to remember the fundamentals. For example, safeguarding user access and fortifying firewalls are the building blocks of a strong security strategy.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I think all organisations and security leaders grapple with finding and retaining talent. As a global networking company, we work with both cutting-edge technology as well as traditional infrastructure. Our primary challenge is to find individuals with the aptitude to secure both the new tools (Microsoft Suites, AI, ML) as well as the more traditional tools and processes.

At Extreme Networks, we value continued education and prioritise investing in the next generation of IT professionals. In fact, we have a program called Extreme Academy that provides teaching resources, access to hands-on experience with technology, and the opportunity for students to gain a qualification as an Extreme Networks Associate (XNA).

Cybersecurity is constantly changing – how do you keep learning? I’m a member of several local security chapters and organisations, including InfoGuard, ISSA, and ISACA, which helps me keep pace with the fast-evolving landscape.

What conferences are on your must-attend list? Some of my favorites include the local ISSA InfoSecCon and Gartner’s Security and Risk Management Summit. I think it’s important to rotate what conferences you attend each year so you can meet different people and hear different perspectives.

What is the best current trend in cybersecurity? The worst? I’m encouraged by the increased focus on data security over PC security. For many years, conversations were centered on a PC’s antivirus technology, but the whole point of antivirus software is to protect the data on the PC, not the PC itself. Additionally, I’m glad to see that in light of COVID-19, enterprises are starting to be more thoughtful and vigilant when it comes to things like remote access, network access control, and prioritising network visibility. Those are incredibly important security fundamentals.

IoT creates an interesting challenge. There are great new innovative uses for this technology and everyday items we’ve never imagined before. At the same time, there is an element of buzzword bingo around some offerings. The security challenge is to understand the data being collected and why. What is the business process that this will support? How can we implement the same type of controls we would apply for other data sources and more traditional equipment in the environment?

What's the best career advice you ever received? Don’t be afraid of making a mistake. The key is to learn from it. A previous manager shared this advice with me, and it resonated throughout my career. Too often, I see colleagues, particularly new employees, who walk on eggshells to avoid making a mistake. However, once you accept that slip-ups are inevitable and instead frame them as opportunities for learning and growth, you’ll experience a new sense of freedom in your work. That said, the key to this advice is to learn — don’t make the same mistake twice.

What advice would you give to aspiring security leaders? Learn how your business operates. I benefited from starting my career as an accountant. It was a great way to understand the law and finance business processes. With this holistic picture of an organisation, it will make you a better security practitioner because you will have a contextualised perspective. It’s great to learn the technical skills that are essential to your security role but comprehending the inner workings of a company and what value it brings to the market will make your contributions to your team more valuable.

What has been your greatest career achievement? I’m not sure if it’s the greatest achievement but deploying ISO 27001 in six months was a great team effort and something that I’m proud to have driven through the enterprise. There have been many high points along the way, from new major control frameworks to new technologies.

Looking back with 20:20 hindsight, what would you have done differently? Had I known then what I know now, I would have spent more time studying enterprise technology and IT. That said, I think my indirect career path to the InfoSec industry made me a more well-rounded professional with an understanding and appreciation for how businesses operate.

What is your favourite quote? “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know.” – Donald Rumsfeld, Former U.S. Congressman and Secretary of Defense.

What are you reading now? I’m a fan of thrillers. I recently enjoyed The Elephant Game by Andrew Watts.

In my spare time, I like to… Go for walks and spend time outside. When I’m indoors, you’ll likely find me in the kitchen. I aspire to master Indian cuisine at some point in my life.

Most people don't know that I… Drove around the Donington Park motorsport circuit in the UK, the site of several Grand Prix races.

Ask me to do anything but… Anything involving reptiles. No thank you.