Secret CSO: Cath Goulding, Nominet

What do you feel is the most important aspect of your job? Creating and maintaining a culture of cybersecurity awareness across the whole organization.


Name: Cath Goulding

Organisation: Nominet

Job title: Head of Cyber Security

Date started current role: 7 years

Location: Oxford, UK

Cath Goulding is Head of Cyber Security at Nominet UK and Board member of the Women’s Security Society. Goulding has over 15 years’ experience in the cyber security profession having worked for both UK Government and the private sector. A thought leader in her field, she frequently speaks at security and internet conferences and has provided articles and comments for multiple publications.

What was your first job? I had a Saturday job silver-service waitressing at weddings.

How did you get involved in Cyber Security? I started out in maths but came across a master’s programme in human-computer interaction. This was around the time when interest was growing around the possibilities that computer technology opened up, and I was intrigued, so I enrolled. The programme led me to start working in IT at GCHQ, which is how my cyber security career started.

What was your Education? Do you hold any certifications? I studied Maths at the University of Edinburgh and earned a bachelor’s degree, before going on to gain a Master’s in Human Computer Interaction at Heriot-Watt University.

Explain your career path. Did you take any detours? If so, discuss. When I started at GCHQ, I initially applied to be a mathematician, but the team were interested in my Master’s in Human Computer Interaction and offered me a job in IT instead. In the year 2000, I was approached by the newly formed network defence research team to apply my data mining skills to this new field. It wasn’t what I had originally intended, but it turned out to be a great opportunity that saw me stay at GCHQ for 15 years.

Not so much a detour as a lane change. My role with Nominet has definitely been a departure from the civil service job I had been in, but still along the lines of public service which appealed to me greatly. The work Nominet does is crucial to keeping the UK connected to the rest of the world. We look after vital infrastructure, which is great, as our work feels so central and connected to everything online. It’s the sort of thing that you don’t think about day-to-day, but keeping a namespace safe and secure is a core and often underrated part of the world’s internet ecosystem.

Was there anyone who has inspired or mentored you in your career? When I was growing up, my dad encouraged me to pursue other avenues than those that were typically expected of women. I was one of only two women on my 50-strong master’s course, so I think that encouragement might have led me to a career where I was in the minority as a woman.

What do you feel is the most important aspect of your job? Creating and maintaining a culture of cybersecurity awareness across the whole organization. As I lead the security initiatives, it’s important that I’m visible and approachable for everyone from the receptionist to the CEO when they have concerns or questions. Security policies that stand alone and do not permeate the day to day actions of all employees across an organization will not make an impact.

What metrics or KPIs do you use to measure security effectiveness? I use a variety of metrics to measure security effectiveness and believe they are crucial to any cyber security management system. I use a capability maturity matrix to measure the high-level status of the organization which assists strategic planning. A variety of security controls are then measured monthly with a report going to management. We also have a successful security competition where individual staff and their respective teams are scored.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? As well as the traditional technical skills involved in the IT sector which are in short supply, we also need more skills in the roles that support Cyber such as the policy strategists and communications professionals. Critical thinking and application of theories and principles to solve problems are large parts of what we do that don’t require the ability to code, but are intrinsic to the success and direction of security sector efforts. We run a Cyber Apprenticeship programme where the students are given a wide variety of objectives to give them the skills needed to work in this sector.

Cybersecurity is constantly changing – how do you keep learning? Security is constantly changing, and it is important to allocate time for reading and learning. There are many reputable websites, blogs and forums that report on the latest news and trends in cyber security. I also go to conferences and attend the occasional webinar. I like to look at the smaller start-ups as they often provide a neat and efficient service to address an issue. Nominet partners with the Cyber accelerator, CyLon, where the start-ups that participate in the program always have a great perspective on the challenges and opportunities.

What conferences are on your must-attend list? Nominet works closely with NCSC so I usually attend their annual CyberUK conference. I will go to a large conference such as RSA, Infosecurity or BlackHat about once a year, but I prefer smaller gatherings where I can learn from my peers in a trusted environment. These can be closed communities or sponsored events bringing CISOs together to discuss topical issues.

What is the best current trend in cybersecurity? The worst? It’s pleasing that security features are often now built into many of the widely used products such as Windows 10 and smartphones, and usability is important such as using biometrics.

The rapid rise of IoT devices used in the home and workplace worries me as they often fail to implement any real security measures and may be collecting large amounts of personal data.  

What's the best career advice you ever received? Learning about imposter syndrome. It might seem like a simple thing, but often just believing that you can do something is the first hurdle to actually achieving it. This can be more prevalent for women and means that we are much less likely to promote ourselves and go for the jobs that we would love to do, rather than just the ones we are certain we know how to do inside out. Having the belief in yourself to take the leap and do something that feels like a huge step up is crucial.

What advice would you give to aspiring security leaders? Especially for women thinking about moving into IT, I would say it’s a good idea to look at roles in the sector beyond just coding and programming. Whilst technical knowledge is necessary for many jobs in industry, a large proportion of IT and cyber roles are actually geared further towards understanding of human interaction and business. These jobs are no less prestigious or well rewarded, they just require a different set of skills whilst pursuing the same aim. Just because you may not be excited by the prospect of wrestling with code, doesn’t mean that you can’t contribute to this diverse and exciting sector.

What has been your greatest career achievement? Being named Security Champion at the Women in IT Awards 2015. Since achieving the award I’ve realized that one of the greatest things you can do to address the gender imbalance in the industry is to be a role model for the next generations.

Looking back with 20:20 hindsight, what would you have done differently? I would have bought lots of bitcoin! Seriously though, I don’t regret any of the decisions I’ve made throughout my career and wouldn’t have done anything significantly different. I just wish I’d had more confidence (that imposter syndrome again) to be able to take more risks and initiatives.

What is your favourite quote? The only stupid question is the one that you didn't ask.

What are you reading now? ‘How to measure anything in cyber security risk', and ‘The English Patient' by Michael Ondaatje.

In my spare time, I like to… Be outdoors - cycling, walking or running.

Most people don't know that I… I'm a whizz at DIY - painting, tiling, wallpapering and I'm pretty handy with a drill.

Ask me to do anything but… Sing. That only happens in private and even I think I'm rubbish.