Secret CSO: Andrew Rose, Proofpoint

What advice would you give to aspiring security leaders? “…one thing to hold dear above everything? Pragmatism. Be pragmatic about your resources, your budget, and your risks.”


Name: Andrew Rose

Organisation: Proofpoint

Job title: Resident CISO at Proofpoint for EMEA

Date started current role: August 2020

Location: London, UK

Andrew Rose is Resident CISO for the EMEA Region at Proofpoint. His focus is driving Proofpoint’s people-centric security vision, strategy and initiatives amongst the company’s customer base, bringing hands on experience, knowledge and perspective in managing risk and improving cybersecurity posture across complex enterprises.

What was your first job? I worked for a large insurance company, helping auditors detect and deal with financial fraud. At that point, my experience of computing security had been hacking into games on my home computer and changing the code – I didn’t realise there were jobs that focused on that.

How did you get involved in cybersecurity? During my role at the insurance company, I started to get more involved in computing, and it really grabbed my interest. I actually applied for a role as an Incident Manager in their IT department but was unsuccessful. However, they came back and offered me a job in their user access management team and within 18 months, I was in charge of the team. From there, I started to work with the main security team and was really interested in what they did. One day, I simply asked them for a job, and they said yes!

What was your education? Do you hold any certifications? What are they? I started with a master’s degree in infosec, sponsored by my employer. I then personally studied for my CISSP, and I’ve since added CISM and CRISC. I think that’s sufficient, so am not looking for any more certifications.

Explain your career path. Did you take any detours? If so, discuss. Some of it has been outlined above, but I left the insurance firm to join a law firm as a security analyst and was eventually promoted to Head of SecOps, and then CISO. I then moved to be a CISO at the largest law firm in the world and repeated the security transformation. At that point, I didn’t know what to do next – change industry? Move to a smaller firm?

Fortunately, I got an opportunity to join Forrester Research, which was my 4-year detour. It was amazing, and I treasure the time and opportunities it gave me. However, I was tempted back to the industry to become the CISO at NATS, the UK’s leading air traffic control provider – it was such an incredible role – and I then moved across to Mastercard before my current role at Proofpoint.

Was there anyone who has inspired or mentored you in your career? One of my biggest regrets is that I never did find a mentor. I joined my first law firm because they had a great CISO and I thought I could learn a lot from him – but he quit on my first day!

What do you feel is the most important aspect of your job? Each role has its own priority – with NATS, my priority was safety; with other firms it has been the integrity and availability of systems. Here at Proofpoint, it’s my priority to ensure that CISOs understand the security world as we see it from the huge data pools we have and understand that email is the major threat vector and people their most important control. If I can convince CISOs of that, then they will react appropriately, and the world will become a more secure and trustworthy place.

What metrics or KPIs do you use to measure security effectiveness? I’ve been on an eternal quest to find that one key security metric, and I’ve sadly failed. Each firm needs its own selection of metrics that speak to the security culture within their firm, which reflect their personal risk tolerances, regulatory requirements, and business objectives and priorities.

Creating a security culture metric was one of my most fulfilling accomplishments, but the most useful metric I’ve used has been the simple NIST CSF maturity modelling across business units.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? They are all challenging to fill! I spent nine months looking for a deputy CISO at one firm and couldn't find the right candidate; in another example, we spent a long time seeking a specialist in vulnerability management. The best solution is to seek out passionate individuals who are interested in the topic. If you give them support and guidance, they'll blossom into amazing security professionals before your eyes.

Cybersecurity is constantly changing – how do you keep learning? I listen to what other CISOs are talking about and follow the press to see which topics are coming up. After that, I then burrow into the topics and research the problems and solutions.

What conferences are on your must-attend list? I'm not sure there is one. RSA in San Francisco was on my must-do list for many years. I think, in general, security conferences are becoming somewhat stretched as they try to appeal to multiple layers of security people.

What is the best current trend in cybersecurity? The worst? The best trend would be the realisation that people are a vital component of your security solution, and that we should invest in them just as much as we invest in technology solutions such as firewalls and SIEM tooling. I do, however, get disappointed that the brightest minds in Silicon Valley seem to have become bored with the 'security basics' and rushed off to find fulfilment in the latest AI and ML solutions, while security professionals are still struggling to patch systems and write code securely. It would be great if they could circle back and help us because so many breaches happen because of basic issues.

What's the best career advice you ever received? It's a total cliché, but my dad did tell me to find a job I loved as that would make life much easier in the long run. I think I was fortunate enough to figure out what that job was, as many people never do, and it's been fulfilling even when it's been tough.

What advice would you give to aspiring security leaders? Well, first decide if you want to be a leader. The CISO role can be tough, and it takes many skills that are not security-related, such as HR, finance, etc.

You can be an excellent security professional without ever becoming a CISO. If, however, you do want that leadership role, then start thinking about your personal development. That includes certifications, but it also includes communication skills, influence, personal networks, business skills, and even personal branding. The best security leaders are able to intuitively work at a business level, have a range of trusted peers to learn from and confide in, and have the profile to be able to positively represent the organisation. Oh, and one thing to hold dear above everything? Pragmatism. Be pragmatic about your resources, your budget, and your risks.

What has been your greatest career achievement? There have been two that I can't decide between. The first was winning "CISO of the Year" at the SC Awards in 2018. I'd always viewed that as the top award for security professionals, so I was amazed and honoured to be selected. The second was a 90-minute meeting between my company and a cloud provider. Security was the biggest challenge, but I didn't have to ask a single question as everyone around the table was asking great security questions – it was at that point that I knew I'd fundamentally changed the culture of that firm.

Looking back with 20:20 hindsight, what would you have done differently? I can't think of a single thing.

What is your favourite quote? Can I quote myself? I've continually told my teams that "We do what is right, not what is easy" – and if that means difficult conversations or awkward admissions, then so be it. As security professionals, we have to serve our organisations to the best of our ability, even when that makes it harder for us as individuals.

What are you reading now? Exhalation by Ted Chiang. It's my second read through. An amazing collection of stories that cover technology and humanity – a little like a thoughtful, more positive series of 'Black Mirror.'

In my spare time, I like to… Write music, albeit with my very limited musical skills. I've recently started trying to write orchestral music, which is fun, but challenging!

Most people don't know that I… Was once offered a recording contract. To follow on from my previous response, however, please realise that I was a poor member of a very good band; it wasn't me they really wanted!

Ask me to do anything but… It'd be a choice between Spelunking and the Plank Walk at Huashan Mountain. Realistically I'm never going to either, so it makes little difference which I choose!