Name: Phil Packman
Organisation: BT’s Global Division
Job title: CISO, Commercial Contracts
Date started current role: March 2018
Location: London, UK
Phil Packman is the client-facing CISO for BT and is responsible for understanding the risk between BT and its commercial clients, for building peer-to-peer relationships for the purposes of sharing knowledge and intelligence, and for developing a security community. Packman has both a technical and leadership background supporting service delivery into BT’s major outsource contracts for over 25 years and has worked across a broad range of industries including Oil and Gas, Commercial and Brands, Finance, Aerospace and Public Sector.
What was your first job? My first real job in between becoming an apprentice and leaving school was at a major UK retailer doing customer services. Although I am not sure I recognised it at the time, I now see this was an amazing grounding into understanding customer requirements and the importance of expectation setting.
How did you get involved in cybersecurity? Following my apprenticeship, a set of organisational changes saw me take on a technical customer service role. Building on the skills learned in that role, I followed a traditional route into network engineer, designer and then operations management within global outsourcing. I focused on a more exclusive security path about fifteen years ago, when the contracts I was involved in started to take a much more serious focus on the risk and security considerations of their infrastructure. It was clear this was becoming an ever more important topic and the timing was perfect to grow with the industry in many respects.
What was your education? Do you hold any certifications? What are they? I left school and became a telecommunications apprentice, which included doing college education in the field of electrical engineering. Not long after I completed my apprenticeship, I found myself wanting to continue my education and was fortunate enough to be sponsored to do a part-time degree in Business Studies and Information Technology and, after that, an MBA. In parallel to my academic education, I have held various technical accreditations that supported the roles that I was in. As my role developed to be much less hands-on, I have undertaken the ISACA CISM certification and I am a Full Member of the Chartered Institute for Information Security.
Explain your career path. Did you take any detours? If so, discuss. My career has seen changes in focus between operations and strategic roles as my responsibilities have shifted more towards leadership over time. When starting out, I probably saw myself as an electrical engineer. However, in the early days, as I came to the end of my apprenticeship, I rapidly realised that my vocation was more likely in front of a keyboard and I discovered I was much better at this than soldering!
Was there anyone who has inspired or mentored you in your career? I can honestly say that every single one of the managers that I have worked with over my career taught me something. But two - who I won’t embarrass by naming - stand out for mentoring me and encouraging me to push harder. One was in the early part of my career and helped greatly with my move into leadership. They were also instrumental in me completing my MBA. The second person also invested in my personal development, but most importantly was incredibly straightforward and honest in terms of direct feedback on my performance and especially in helping me strive for more.
What do you feel is the most important aspect of your job? Spending time with my stakeholders. Understanding the impact and challenges that my stakeholders are facing is critical to make sure that the decisions I make enable them, not restrict them. Often there is a difficult balance between managing risk and reducing business friction, but I believe that having a wider perspective helps me make stronger, more informed decisions.
What metrics or KPIs do you use to measure security effectiveness? The measurement of security effectiveness is one of those topics that many of us constantly battle with. I often find that different audiences require different measures, and rarely does a KPI meet the needs of everyone whilst also being easy to measure consistently. All too often, KPIs rely on the outputs of tooling, and this is often a measure of the tool coverage, not its effectiveness. Moreover, effectiveness could mean how good the controls are at delivering on the security strategy, or it could mean the success of supporting the objectives of the business. A good KPI should ideally track back to the success of delivering a desired outcome. Whilst these can be hard to measure with tangible values, I believe that KPIs which show a positive impact on the business objectives are useful to demonstrate the contribution made by the security strategy - e.g. trajectory and magnitude of avoided or minimised security related loss over time.
Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I am fortunate enough to work in a truly global organisation with a very strong and flexible group of colleagues which is often great for helping me find the skills I need. I also feel that my organisation’s continued investment in apprentices and graduates has been very positive in creating a diverse flow of curious and talented people. This gives many more options for pivoting to new skills when the need arises and has the added benefit that the wider team often emulate the desire to continually adapt their skills too. Where I think it becomes more difficult is in the more established areas like Assurance, Policy or Risk Modelling where a level of understanding and innovation must be blended with the culture and appetite of the organisation. This is much harder to teach and hence for me, the availability of key specific elements of experience, as opposed to skills, is perhaps a better way of terming it.
Cybersecurity is constantly changing – how do you keep learning? I spend a lot of time talking to peers and I also still invest time in formal digital learning, reading and podcasts. I have found several online training applications to be a fantastic way to consume topics in bite-sized chunks, especially when travelling or doing exercise, and this has also allowed me to invest time in less mainstream topics. One important area I have found to be pivotal in shaping my understanding is my company’s membership of the International Information Integrity Institute (I4) forum. I find the content and discussion at I4 to be extremely beneficial and the level of sharing and challenge of ideas has helped me greatly in defining my own approaches and thinking on key topics.
What conferences are on your must-attend list? Outside of the I4 forum mentioned above, which I value as my top must-attend, I do not regularly attend other conferences due to having such a busy diary. I have had some good experiences with CiiSec, ISF, Infosec and Blackhat in the past as well as some of the very well put together vendor events. However, I tend to prioritise I4 as my main event to attend.
What is the best current trend in cybersecurity? The worst? The best trend right now is the rising tide of focus on individuals as a cornerstone of security. At BT, we refer to this as the “Human Firewall”. With greater attempts in many walks of life to make people more aware of how to look after themselves whilst utilising the many obvious benefits of IT, we find that greater awareness can lead to an improved security posture. The worst trend now must be the well reported growth in 2020 of phishing, malware, scams and fraud and especially how this often impacts individuals.
What's the best career advice you ever received? For me to recognise opportunities when they present themselves and never fear failure, even if the opportunity was at the limits of my comfort zone. Some of my best achievements were when I stepped outside of what I was comfortable doing.
What advice would you give to aspiring security leaders? Seek out opportunities to gain a broader set of perspectives and views. Constantly challenge your own thinking and be open to alternative opinions. I find that by talking to a wide variety of stakeholders and peers I can build a much rounder picture of a topic, which often helps me make better decisions.
What has been your greatest career achievement? Probably the piece of work that I am most proud of was my involvement in the security operations of the London 2012 Olympic and Paralympic games. I had a dual role working as a senior security representative for BT, as well as leading the network security team working in the technical operations centre. The period building up to and during the games was such a memorable, enjoyable and unique project to have been involved with.
Looking back with 20:20 hindsight, what would you have done differently? I think I would have perhaps looked to have taken a role in another country earlier in my career. I also think there were several opportunities in the past that I chose not to take but which with hindsight may have set me on a different path from a career and company perspective. It’s difficult for me to say if these would have led to a better outcome. Some may not have done but could have been fun trying – especially those roles which gambled stability for the excitement of setting something up from scratch.
What is your favourite quote? “In the land of the blind the one eyed man is king” – putting this forward half in jest, but I do find that in the world of IT, where concepts are evolving very rapidly, having even a little knowledge on a topic has proven to be invaluable to me in the past when having to form very rapid opinions and when making decisions with less than perfect information.
What are you reading now? As a recommendation from a friend, I am currently reading a work-related book on risk called Against the Gods by Peter L. Bernstein. I have found it to be a history of the maths of probability and I am enjoying a change of pace from the usual thrillers that I would typically read.
In my spare time, I like to… Spend time with my family and friends, and I enjoy travel and a little golf when able.
Most people don't know that I… I am not a fan of the beach. I can’t really explain why, but a trip to the beach would not be my first choice.
Ask me to do anything but… “Sing or dance” – It could be said that I have very little talent in either area, and this is unlikely to be something I could ever look to fall back on.