Secret CSO: Mark Herridge, Calligo

Name: Mark Herridge

Organisation: Calligo

Job title: Chief Information Security Officer

Date started current role: August 2013

Location: St. Helier, Jersey

Mark Herridge joined Calligo in August 2013 and is the company’s Chief Information Security Officer. He is responsible for driving the information security strategy whilst protecting the business from security threats and ensuring operational compliance with the ISO and SOC standards. Herridge has over 20 years of experience working in information technology in various security, operations and project management roles. With a track record of delivering optimal solutions to meet business requirements, he has significant experience in managing outsourced services, strategy development, infrastructure consolidation, disaster recovery and leading businesses through transformational change.

What was your first job? I began my career working in private banking in Jersey. The island is a huge financial hub, so it made sense as there was a lot of opportunity. In this role, I moved around a variety of departments and managed high net worth clients. This was a great early experience and helped to build a strong work ethic and sparked my interest in technology.

How did you get involved in cybersecurity? It has been quite a journey. After working in banking, I moved across a number of different sectors, but IT or technology was always at the heart of my work. From there, I began delving deeper into IT and subsequently cybersecurity.

I joined Calligo 7 years ago and initially ran our cloud operations before taking on the CISO role in the summer of 2018.

What was your education? Do you hold any certifications? What are they? Unlike many in my position, I left school at 16 with just my GCSEs. For me, college wasn’t an option, so I went straight into the world of work to gain practical experience. I’m proud of my background as it shows that you don’t need to go to university to succeed in the world of tech. 

However, I do hold several industry certifications, including ISC2 CISSP, ISACA CISM and EC-Council Certified CISO.

Explain your career path. Did you take any detours? If so, discuss. Many, many detours.

After banking I worked for an intellectual property group, then took a job at an IT helpdesk. I later moved onto a system administration role, then network administration and a position focused on virtualisation when that began to take off, before moving up into infrastructure and project management.

Was there anyone who has inspired or mentored you in your career? I don’t have a business ‘idol’ (like Elon Musk or Steve Jobs) but my first IT Director, Bill James, has been a big inspiration. 

He used to work for Apple and was the king of remaining calm under pressure. He always treated everyone equally and helped me learn how to manage a globally dispersed team – even more important in today’s climate. 

What do you feel is the most important aspect of your job?  Firstly, ensuring the security program supports Calligo’s business goals – it is not enough to have the right plan in place if that plan doesn’t relate back to where you want to go as a business – this is a top priority for me at all times. 

Secondly, understanding and addressing threats to our information security. Naturally, this is a huge part of my role and I need to be aware of any potential risks that can hurt our business. 

What metrics or KPIs do you use to measure security effectiveness? We use many metrics but the most important for me are our level of preparedness, so understanding the devices on our networks and their patch status, as we know that 70% of cyber-attacks exploit known vulnerabilities that could be patched. We also track patching cadence, so how long it takes the teams to implement patches or mitigate vulnerabilities once identified. The other key metrics for me include intrusion attempts, security events by type, Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, the skills shortage is real. We’re currently struggling to fill a number of vacancies for security analysts and have now extended our search outside of the UK and into Europe and Canada. And these roles are just looking for around three years’ experience. It is very hard to recruit, especially at this time of year and with the current market conditions making many anxious to move. 

Cybersecurity is constantly changing – how do you keep learning? To stay on the pulse, I keep up to date daily with various online resources, such as The Register and CSO Online, as well as numerous webinars and online technical training.

What conferences are on your must-attend list? Black Hat is on my must-attend list. It is normally in Vegas but going digital this year due to the pandemic. Cybersecurity & Cloud Expo is one I frequent to network with peers, and to see what other vendors are doing. CyberUK hosted by NCSC is in my calendar for 2021, as is Microsoft Ignite and VMWorld. 

What is the best current trend in cybersecurity? The worst? The best: Absolutely the continued rise of machine learning and integration of AI into security programs. Not only will this help improve our data safety but will also go some way to filling the skills shortage.

The worst: Increased cyber-attacks in the healthcare sector. In recent times, we’ve never been more reliant upon healthcare and so it’s sad but unsurprising to see cyber criminals are exploiting this to hack hospitals, medical records and other sensitive health information. 

What's the best career advice you ever received? The importance of work/life balance, as they say, “work to live, not live to work”. At the start of my career, I would regularly commit long hours week after week and most weekends, but I have long since become more disciplined with my time. Calligo has also encouraged this same theme of wellbeing which has helped make me feel a lot happier in my career.  

What advice would you give to aspiring security leaders? Take the time to build a broad range of skills and experience and don’t focus solely on security itself. It is vital to develop your knowledge across areas such as legal, data privacy, risk management and project management. You need to be able to understand the big picture to excel in a senior role. 

What has been your greatest career achievement? The project I am most proud of is an integration in Delhi, India. Following an acquisition, we needed to get a company set up in a new purpose-built office facility which also involved physically relocating over 700 staff to these new premises, as well as integrating the numerous business processes and technology.

It was a huge undertaking, yet we managed to get the transition completed on time and with minimal disruption. For a job of that size, and the geographic complexity, I am incredibly proud of what the team accomplished. 

Looking back with 20:20 hindsight, what would you have done differently? If given the chance to do it all again, I would make learning a programming language a priority. I do possess basic scripting skills from on-the-job experience, but being able to understand and use a language like Python is a great skill to have. And certainly, another ability I would recommend the new generation to pick up if they can.

What is your favourite quote? Benjamin Franklin: “Don't put off until tomorrow what you can do today.”

What are you reading now? Essentialism: The Disciplined Pursuit of Less and the Royal Yachting Association Powerboat Handbook (to support my son in his hobby).

In my spare time, I like to… Walk the dog along the beaches or cliff paths in Jersey and go to my son’s football matches.

Most people don't know that I… Most people don’t know that I left school at 16 – and those who do are surprised that I didn’t study at university.

Ask me to do anything but… Manually trawling through system event logs. Back in my system administration days, I would spend hours looking for errors as my then organisation wouldn’t invest in tools to assist. This was a tedious and time-consuming task that (thankfully) is now a thing of the past.