Secret CSO: Will North, MHR International

Name: Will North

Organisation: MHR International

Job title: Chief Security Officer

Date started current role: March 2019

Location: Nottingham

Will North is the Chief Security Officer at MHR International. As a certified information security professional within the cyber security industry, North helps organisations to identify critical information security gaps and implement pragmatic solutions to mitigate information security risks to an acceptable level. North has a wealth of experience working within organisations of all sizes across all industry segments, with particular knowledge within the financial services sector having worked for a number of retail, private and investment banks.

What was your first job? My first ever job was at the age of 16 making tea and coffee for a café in my local market. It was a very busy market so was hard work, but it taught me the value of money from a young age. My first professional job came seven years later when I took a graduate job at Deloitte in their IT audit department. If you’ve ever worked for a large consultancy, you’ll know that it is hard work, working long hours over evenings and weekends, but it gave me a great work ethic and a great attention to detail.

How did you get involved in cybersecurity? Studying maths at university, I always enjoyed solving problems. With cyber security focused on trying to break into something you shouldn’t be able to, and often finding a way in through an innovative approach, it intrigued my problem-solving nature. This led to me spending my spare time at university on hacking websites, legally I might add, and trying to complete hacking challenges. One of the first ones I did had a login page and the challenge was to get in with no other tips. It turned out the password was in the HTML code, you just had to think to look there – brilliant!

What was your education? Do you hold any certifications? What are they? While studying maths at university I chose to take a few IT and security specific modules such as Internet Security, which mainly covered encryption, and Visual Basic programming. Within my first job as an IT auditor, I obtained the Certified Information Systems Auditor (CISA) certification, which gave me a great foundation in all things IT and security, including even more on encryption. Further into my career when I started to specialise as a security auditor, I obtained the Certified Information Systems Security Professional (CISSP), which gave me a great foundation in theoretical security principles. I even read every word of two huge CISSP study books before taking the exams, which my girlfriend would occasionally find me having fallen asleep on while studying! Certifications are great for process, however cybersecurity is constantly evolving, so I rely mostly on my work experience and soft skills to progress me through the later years of my career.

Explain your career path. Did you take any detours? If so, discuss. Information security has always been a key part of each role throughout my career. After my first IT auditor role in Deloitte, I flipped between IT audit roles and security consulting roles in the Big 4 or within financial services companies - I’ve now worked for three out of four of the Big 4! After working my way up to being a senior manager within KPMG’s security consulting practice, I decided that rather than just spending quite a short time with organisations as a consultant or auditor, reviewing their controls and recommending improvements, I wanted to get really hands on with helping an organisation to improve their controls and seeing the fruits of my labour. I then applied for a CISO role, and the rest is history.

Was there anyone who has inspired or mentored you in your career? There is no one that has inspired me specifically, but I’ve learnt a lot from a lot of people. My time at Deloitte and PwC really improved my written communication as the customer facing role required me to work at a higher level than perhaps a normal internal role. Having relied on my ability in maths throughout school and university to get by, I could barely spell when I left university, so this experience was invaluable in my career. This is now one of my strongest skills.

What do you feel is the most important aspect of your job? Relationships. The role of the CISO is to understand where the biggest issues are and to get these fixed. If you don’t have good relationships with people, then they will not tell you where the issues are. Also, if you don’t have good relationships, you will never get any issues fixed. Most people try to get things to work in the quickest and simplest way, and security isn’t their top priority. To ensure that security is built in from the start (or sometimes afterwards) you need good relationships to be able to influence people to add that security in, even if it’s not the quickest or simplest thing to do.

What metrics or KPIs do you use to measure security effectiveness? An organisation is only as strong as its weakest links and creating a control environment within a large company that only has strong links is very challenging. It is therefore difficult to identify a small number of metrics (e.g., is your AV up to date) that confirm you don’t have any weak links. One of the metrics that I feel can best do this is the results of simulated attack exercises (e.g., red teams). If you are trying to protect against a cyber-attack, and your organisation can withstand a realistic simulated attack with few findings, this is a good measure of how effective your security is. Another all-encompassing metric is risk management. If you’ve done a proper assessment of your key risks and mitigating controls, the percentage of key controls that are effective is another good measure of how effective your security is. Also, you can’t go wrong measuring how many vulnerabilities haven’t been addressed within a sensible timeline.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Although the cost to get a good security professional seems to have skyrocketed, I don’t feel like we’ve been impacted by the skills shortage. When recruiting for an information security manager recently, we got a lot of applicants with reasonable security skills, and some with too much experience. Finding the right person that would fit in with the team and company so that both parties would benefit can be hard for any company. I believe there is no point in employing someone with exactly the right skills and experience, but who would not have room to grow in the role and so would leave after twelve months.

Cybersecurity is constantly changing – how do you keep learning? Although I partially agree that cyber security is constantly changing, at a high level I don’t think cyber security has changed in decades. In my first job over fifteen years ago, I used to assess the strength of passwords, check anti-virus was up to date and check vulnerabilities were being patched. Fast forward to today and although cyber criminals have become a lot more organised and systematic, which means the likelihood of getting attacked has increased tenfold, the way attackers get into an organisation and the protection to stop them are broadly the same: strong passwords, anti-virus, and patching.

What conferences are on your must-attend list? I certainly attended a few in my early career. I once saw someone fall asleep at the back, which makes you wonder whether perhaps some people are just keen to take time off work! I really do need to start attending more in the future for sure. Finding the right one you need at a particular time is the trickiest part. I did see the NCSC online conference early this year and found the talk by the incident response team incredibly insightful – I would recommend that.

What is the best current trend in cybersecurity? The worst? This is probably a bit old now, but I think behaviour analytics using machine learning is going to continue to grow in popularity. There are so many ways an attacker can breach and move around your network, it’s a lot easier to spot what isn’t normal against a baseline, rather than trying to programme all potential malicious behaviour into a signature-based system and spot that.

What's the best career advice you ever received? “Hard work keeps you motivated.” I think this is so true as if you work hard on something it makes you passionate about it and drives you to succeed.

What advice would you give to aspiring security leaders? Make sure you understand how attackers are compromising other organisations. If you don’t know how an attacker would compromise you, how can you protect yourself? Also, understand how a business works and how you can communicate with senior business stakeholders. At the end of the day, you wouldn’t have a job if it wasn’t for the business, so you need to know how security can enable the business and not slow it down for no reason.

What has been your greatest career achievement? Being quite a self-critical person, I’ve not achieved it yet! With high ambitions, I hope that my greatest achievement is yet to come.

Looking back with 20:20 hindsight, what would you have done differently? With security skills in such high demand throughout my career, I’ve changed jobs many times. A lot of these were after less than one or two years, and a couple even before I started! Although this has given me great exposure to many different companies and ways of working, and most likely accelerated my career progression, there are lots of lessons and soft skills that I expect I missed out on.

What is your favourite quote? Security is like the brakes on a car: although they slow you down at times, overall, you’d have to go a lot slower without them.

What are you reading now? Any book my children bring me to read at their bedtime. With a busy work and home life, there isn’t much time for me to do any reading. I’m writing this at 22:45 at night!

In my spare time, I like to… What I would like to do is kite surfing, but what I do instead is play golf as I don’t live near the sea and that’s what my friends do.

Most people don't know that I… Tried to get a tattoo of my girlfriend’s name when I was 17, but the tattoo artist wouldn’t let me. More fool the tattoo artist as that girlfriend is now my wife.

Ask me to do anything but… Karaoke. I’m an awful singer!