Name: Alan Osborne
Organisation: Paysafe
Job title: Chief Security Officer
Date started current role: September 2019
Location: London
Alan Osborne has over 20 years of professional experience in security, IT, and business leadership, underpinned by a strong technical background. Prior to joining Paysafe, Osborne was the CSO at National Grid, the £30bn FTSE100 multinational electricity and gas utility company, and the CSO at Worldpay, the $43bn global payment company. He has experience in payments, finance, technology, and critical national infrastructure. Prior to this, Osborne was a Director at AlixPartners, the management consultancy firm, where he created its cyber security practice.
What was your first job? I wanted to work from a very early age, so I had a number of jobs whilst I was still at school. From a paper round, to collecting glasses in the local pub, to stacking shelves at a supermarket. One of the more interesting jobs I had was as an ‘extra’ in police line-ups, Usual Suspects style. I would get paid when they needed to compare a suspect against a bunch of guys that were of similar age, height and hair colour!
My first career job was in an IT infrastructure team at the Chevron Oil company in London, building and supporting servers and network devices.
How did you get involved in cybersecurity? At that time, it wasn’t so easy to choose a career in cybersecurity, as it wasn’t a course you could take, or a job you apply for. For me, it was more a case of ‘cybersecurity chose me’. I had worked with some great people early in my career and one of them got in contact to ask me if I’d like to apply for a role at Symantec, in their managed security services business. The role looked really interesting, and it was a step up - so I thought why not! I had some experience with building a secure ISP in the previous few years and this led on to seven excellent years of building and running Security Operations Centres, where I really learned the ropes of becoming a cybersecurity professional. Though this was really before the term ‘cybersecurity’ existed!
What was your education? Do you hold any certifications? What are they? I have a BSc (HONS) degree in Computing, and a number of technical certifications, that have long expired now, for Novell, Microsoft, Cisco, and ITIL. I passed by Certified Information Systems Security Professional (CISSP) in 2005 and I’ve kept that current.
Explain your career path. Did you take any detours? If so, discuss. My career path started in IT infrastructure and support. After Chevron Oil, I joined AT&T, supporting IT systems and end users, and I was quite quickly enticed to join a few of my colleagues at a new start-up organisation, building an IT consulting business, and a secure ISP for our customers. For a few years, I was providing IT consulting services for various different clients, gaining quite a bit of experience across public sector, airports, telecoms and others, before joining Symantec and really focusing my career on cybersecurity.
After seven years of building, selling and running managed security services for Symantec, I decided it was time to change my focus from a vendor side to a client side, as I had become a bit of a specialist in security operations. And therefore, my next move was to join Old Mutual, a South African financial services organisation that was listed in London, in order that I could ‘own’ security end to end for an organisation, rather than being focused on a small area.
I met a number of people here, that continue to be my friends today, and a few of these people, including the CIO, who had moved on from Old Mutual, asked me to apply to AlixPartners management consultancy to set up a security practice as part of their IT consulting services. I joined them and moved back into a consulting environment, providing security services across another diverse set of clients, from financial services, to telecoms, to call centres, to insurance, until I took on an interim CSO position at Worldpay. This was my first CSO job, and I loved it. After standing in as an interim for a year and a quarter, I was persuaded to join Worldpay on a permanent basis. I stayed here until Worldpay was acquired by Vantiv.
I was looking for a bigger global CSO role, and then joined National Grid, a FTSE 100 energy company, with offices across the UK and the East Coast of the U.S. Here, I had much greater exposure to Critical National Infrastructure, regulators and governments, including close interaction with the UK National Cyber Security Centre (NCSC), and the FBI.
After this, an opportunity came up back in fintech payments, with Paysafe, and I felt it was a really interesting and dynamic organisation that is going somewhere, and one that I could help with the next stage of its evolution. I am now nearly two years into this role, and I have no regrets at all – it’s exactly what I was looking for.
Was there anyone who has inspired or mentored you in your career? At home, I have been very fortunate to have the support of my wife and children throughout my career, who I often find understand me better than I understand myself! I also have close family support and guidance, and a strong work ethic from my parents and my brother.
At work, there have been a handful of people that I could name (but I won’t - you know who you are!), who have really understood me, supported me, and helped me gain bigger and better things over my career. Some of these people have been my boss, some have been security experts that I have worked with, and I have had the help of a coach. I would consider all of them as good friends today. In addition, I could name a whole list of people that have been ‘net promoters’ for me, and I will always be in their debt for how they have helped me and my career progression.
In summary, I would advise anyone to get feedback, support and guidance from many different sources, but always from people that you look up to and respect their opinion on a number of different subjects, both personally and professionally. I get my inspiration from leaders who are passionate, energetic, and action-oriented, with high levels of integrity and honesty.
What do you feel is the most important aspect of your job? I find it very difficult to pin this down to one area but the key to success in my job is getting results and achieving desired outcomes. It is important to make changes, deliver new controls and capability and get things done quickly, and demonstrate that things are happening, risks are reducing, and security is improving. It is important to set and achieve targets and illustrate the progress against these goals. On the back of this, it is then all down to communication, upwards to the Executive Teams and Board members, across your peer group, and across your team, who need to feel part of the bigger picture, and see that the work they are doing matters, and will make a difference to the organisation.
What metrics or KPIs do you use to measure security effectiveness? I have a list of KPIs and KRIs that underpin all aspects of my responsibilities, which we report on a monthly basis, but many of these are detailed and mainly useful for the security team to sense where things are, and whether we are in control and have the finger on the pulse – these are used as a governance and assurance mechanism to uncover issues and ensure that the right attention is applied to the right areas. Increasingly though, we are shifting to a continuous controls monitoring model, where security controls are actively monitored, and deviations to what we have in place are immediately alerted. This helps us to ensure that the security controls we have designed, continue to be in place at all times, and don’t fall away over time, as environment changes are implemented.
There is a smaller number of key KPIs that I use to sense our security position overall, and these attempt to begin answering the question of ‘how secure are we?’. This is generally the question that any organisation needs to answer and is useful context for the conversations we have with the Board.
This smaller list of KPIs should (in an ideal world) always have the answer of zero, and anything other than zero is ‘red’ and something that needs to be jumped on immediately, to get this back to zero. I find this helps to focus the team on the most important measures, gets all eyes on the problem, with urgency. These KPIs include (not an exhaustive list): ‘how many high or critical, external-facing security vulnerabilities do we have?’, ‘how many executed malware or ransomware events have occurred?’, and ‘how many impactful / service affecting DDoS attacks did we have?’
Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I think many organisations are suffering from the same issue. It is really difficult to find enough talented and experienced cyber security resources in the right locations. This problem runs across a number of different disciplines within a cyber security team, but if I had to pick one, I would say the most difficult roles to fill are those in the application security area. Diversity is also a challenge; we simply don’t have enough experienced female and diverse candidates coming through to interviews.
Cybersecurity is constantly changing – how do you keep learning? I read quite a few online articles, to learn about the latest trends, incidents, strategic thinking and approaches. However, mainly, I talk to people in my professional network (many of which are friends – and these conversations would often happen over a beer, before Covid-19), but the most valuable of all... is listening to my own team. All the latest ideas will bubble-up through the team either directly, or via one of my direct reports. Often the most relevant or useful information will come out with the passion and energy from people in my organisation.
What conferences are on your must-attend list? This may not be a popular response but I actively avoid many of the conferences. I find I can learn so much more working through problems with my team in the office, but there have been a few exceptions where I know that some of the speakers will be truly of value.
I would advise anyone to be really thoughtful with any conferences they attend - you can make a career out of attending these (and dinners!), but ask yourself if you will really get value from this, and will you learn something that your organisation will benefit from?
Personally, I would rather spend time with my team, colleagues, and my wider network, than attend conferences, and I would rather have dinner with my family or friends.
What is the best current trend in cybersecurity? The worst? The best trend is what people are calling cyber hygiene. I’m not a huge fan of the term but getting the basics and the fundamentals right in cyber security makes total sense to me. Good security is all about plain old good governance, risk management, controls, monitoring, configuration reviews, response and recovery planning etc. It might not be exciting, but it is so important. In my experience, the major security incidents that we read about in the news, are always linked to a missed basic control. If, and only if, we get this right first, do we get to play with the latest fun and clever technologies.
And that leads me to the worst. In my mind, there is far too much focus from an information security perspective on artificial intelligence, machine learning, blockchain etc - and I love all this stuff too! But what problem are we solving with these technologies? Are we ready to make the most from these? Do we have the fundamental coverage and capability in place across the organisation in order to benefit from these? My view is that every organisation must get the basics right first, before even considering these.
What's the best career advice you ever received? We spend so much time at work, and thinking about work - follow a career path that interests you, doing something that you enjoy, and this way it will never feel like “work” at all! Never follow the money or status... that will follow your success in a role that you love doing.
What advice would you give to aspiring security leaders? Manage yourself like a company would manage itself. It’s your own brand and reputation - think about your marketing, sales, delivery, results. Take the opportunity to reinvent yourself with every step in your career. And take it personally - this is your reputation on the line with your company’s reputation.
What has been your greatest career achievement? Playing my part in the Worldpay transformation, taking the company from a carve out of RBS to a successful IPO, and subsequent sale to Vantiv. It was energising, rewarding and enjoyable, and I had huge support from the Group Exec and Board.
Looking back with 20:20 hindsight, what would you have done differently? Trust your instincts and make good decisions more quickly. I can think of a few occasions where I should have taken earlier decisive action, and it would have saved me a lot of difficulty.