Secret CSO: Paul Baird, Qualys

Name: Paul Baird

Organisation: Qualys

Job title: Chief Technology Security Officer UK

Date started current role: February 2021

Location: Midlands, UK

Paul Baird is a 20+ year IT veteran who migrated to cybersecurity six years ago. Baird previously built a security programme from scratch at a FTSE 250 company, and later accepted the challenge of building an entirely new SOC function for luxury automotive manufacturer Jaguar Land Rover. Now at Qualys as their Chief Technical Security Officer for the UK and North EMEA, he helps to drive the Qualys vision with customers and partners at C-level. Baird prides himself on leading by example and enjoys the people aspect of cybersecurity.

What was your first job? I was a systems administrator for Elonex, who were one of the biggest PC manufacturers in the UK at the time. I was 23 years old at the time when I took the bus down from Scotland to London for an interview to work on the PC manufacturing line, but came away with a role in the IT department instead. This was my first exposure to business IT (NT 3.51, Novell 3.12 / 4.11, Exchange 5.5, SCO Unix) and the start of my IT journey. This was a fantastic time in my life and gave me a good insight into enterprise IT, but I also quickly learnt that working in London full-time wasn’t for me.

How did you get involved in cybersecurity? While working in the hosting world as an infrastructure engineer, I had the opportunity to support and work closely with the security teams. It was during this time that I realised that I wanted to move into cybersecurity full time.

What was your education? Do you hold any certifications? What are they? I did my Higher National Certificate (HNC) in Computer Science and later joined Stirling University to study for my computer science degree. After two years of muddling through, I realised that learning via books was not for me and so I left knowing that I needed to learn in a more practical way.  I did however pass my CISCO ICND1 (now expired) and have the obligatory ITIL v3 and GDPR practitioner certifications.

Explain your career path. Did you take any detours? If so, discuss. I had a brief detour in my career when I left University. While studying, I had become a manager at McDonald’s part-time and briefly thought that this could be a good career path for me to pursue full-time. I have spent years regretting that decision as I felt that it was a waste of time, but now I realise that it taught me a number of lessons and skills around people management that have all been incredibly valuable in my subsequent IT and security roles. After that, I got my first job in IT in 1998 and I haven’t left since.

Was there anyone who has inspired or mentored you in your career? Sadly no, I haven’t had an inspirational mentor throughout my career. I have however seen a number of managers and senior colleagues who weren’t always that supportive of their team, so I quickly learnt exactly who I didn’t want to be when the time came for me to manage my own team.

Thankfully, not all my managers were like this. In particular, Chris Pearce, CIO of Vistry Group, was my first C-Level boss and was very conscious of always looking after and protecting his team which made the role at Bovis Homes (now Vistry Group) really enjoyable. This was my first experience of a people-first approach, and something I’ve always tried to replicate when managing my own teams.

What do you feel is the most important aspect of your job? For a more traditional definition of a CISO/CTSO role, I believe leadership is a vital aspect of the job. The ability to lead a team effectively in such a high pressure and often under-resourced environment is so important, yet there isn’t anywhere near enough focus on the ‘soft skills’ required for this position.

Whereas in my current role, I don’t have a team to manage and so have to be fairly self-sufficient. As a result, it’s vital for me to ensure I’m always up to date with the latest news, incidents and ideas in the industry so I’m constantly reading to further my knowledge.

What metrics or KPIs do you use to measure security effectiveness? It’s fairly standard, but the KPIs I’m interested in are around Mean Time to Detect (MTTD) and Mean Time to Recovery (MTTR). I often hear many security professionals boasting about their coverage achievements in 90-100 percentage terms, but this can be a misleading statistic if your visibility isn’t at 100 percent too. What’s important is that organisations achieve full visibility of all of their assets first, and then work on securing them all. If you don’t have 100 percent visibility, you don’t have 100 percent coverage either.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The security skills shortage is affecting every organisation, and I hear this exact issue from the Qualys customers that I’m working closely with on a weekly, or daily basis. The problem however is not just recruiting staff, but retaining them too. When IT and security are often such a high pressure yet seriously under-resourced environments to work in, many staff experience burnout and choose to leave in order to protect their mental and physical health. Secondly, as a direct result of the supply and demand issue, employers just keep increasing the size of remuneration packages to poach staff from other organisations, which negatively impacts smaller organisations who can’t afford to keep up.

Cybersecurity is constantly changing – how do you keep learning? Every spare minute I have during each day, I’m constantly checking the leading industry news sites to keep up to date with the latest developments.

What conferences are on your must-attend list? I’d encourage any security professional to attend Black Hat, RSA and InfoSecurity.

What is the best current trend in cybersecurity? The worst? The worst trend is artificial intelligence (AI), but only because it’s often hailed as the technology that will save the ‘cybersecurity crisis’ we’re currently facing. AI is a powerful tool and will be of immense value to organisations, but it won’t save the day entirely. For that reason I’d also say that the best trend is AI, providing we’re realistic about the value it does offer. With infrastructures growing in complexity and size and security teams struggling with information overload, AI can really come into its own to help us analyse and manipulate vast amounts of information in real-time and cut out the noise that often bogs down security teams.

What's the best career advice you ever received? A previous manager once shared the advice with me that “if you’re not happy, leave”, which is incredibly simple but also quite powerful to remind people of their ability to change a situation if it’s no longer satisfying them. Thankfully their comment was not directed at me, but I agree that the worst thing anyone can do is to sit and fester in a job that they’re no longer happy in as they’ll become miserable and bring down everyone around them.

What advice would you give to aspiring security leaders? Treat your staff as human beings, not as tools. If a security leader can get to know their team both personally and professionally, they’ll be in a stronger position to support them moving forwards whatever arises.

I’d also suggest that they should closely align themselves and their objectives to the business. This might seem like generic advice but it’s often very difficult to achieve in practice. Make sure your work is understood by a non-technical audience and that it is in support of the overarching business goals.

What has been your greatest career achievement? There have been a number of achievements throughout my career to date, but the biggest was reaching C-level, as this is something I always aspired for. From my children’s perspective, taking part in a podcast elevated my status in the house to ‘best Dad ever’.

Looking back with 20:20 hindsight, what would you have done differently? I wish I had moved into cybersecurity a lot sooner than I did. I had a few opportunities to do so about 20 years ago, but at the time it was a little known job, so I chose to stay working in infrastructure engineering for longer than I’d now have liked.