Secret CSO: Paul Baverey, Lemongrass Consulting

What metrics or KPIs do you use to measure security effectiveness? “Security needs to be as transparent as possible. In parallel to this, people need to feel safe and have the assurance that there is a net should they make a mistake – we’re all human.”


Name: Paul Baverey

Organisation: Lemongrass Consulting

Job title: Global CISO

Date started current role: March 2019

Location: United Kingdom

Paul Baverey is a highly experienced IT leader with over 20 years across multiple industries. He is a founding technical leader who has grown SAP-centric cloud organisations from start-up to $40m+ with 40% YoY growth. As Group CISO, he is responsible for the establishment, growth, and continuous development of secure cloud operations for enterprise applications within Fortune 500 organisations, including GxP, life sciences, and financial regulated industries.

What was your first job? While studying at College, I worked as a Service Desk Operator for an Internet Service Provider, in the evenings, handling general technical issues such as “my email has stopped working” or “for some reason, I cannot connect to the internet; I didn’t change any settings – honest”.

How did you get involved in cybersecurity? I started focusing on Cybersecurity roughly 5 years ago when there was an incident that needed my attention; at that point I realised how exciting Cybersecurity was and I was hooked.

What was your education? Do you hold any certifications? What are they? My formal education started with a diploma in Information Technology, followed by an A+, N+ and then MCSE (yes, I know, I’m old). Over the years, I have obtained several technical certifications in the relevant fields I’ve worked in such as SAP Basis certifications, Azure and AWS certifications.

Explain your career path. Did you take any detours? If so, discuss. I’ve held several different positions throughout my career in different sectors of IT from 1st line support through to Technical Architect, in Desktops, Servers, Networking, Database Management, Web Hosting, Cloud Services etc. This gave me a very strong grounding across all sectors of IT as well as in depth knowledge of several of the layers we now protect in the Cybersecurity realm.

Was there anyone who has inspired or mentored you in your career? I’ve been very fortunate to work for 2 inspiring managers who have definitively helped shape my career. The first being Craig Fancy who guided and supported my shift from general 3rd line infrastructure engineer across to SAP Basis specialist. Craig was a phenomenal mentor to me, not just in the work environment and I wouldn’t be where I am today without his guidance and support so many years ago. More recently in my career it was Walter Beek who suggested that I start to focus more on Security. If not for his support and guidance I would not be the CISO at Lemongrass.

What do you feel is the most important aspect of your job? I see my role as being accountable for 3 primary elements:

  • The security of our network and data.
  • The security of our users; even from themselves.
  • The security of our customer’s environment and data.

This can also mean protecting it from the customer themselves.

What metrics or KPIs do you use to measure security effectiveness? There are a few that need to be considered:

  • The backing of the Executive Leadership group: Without this, you will be continuously fighting an uphill battle.
  • Getting your users onboard: Without buy-in from the business, implementing new policies and controls will be a constant battle.

Security needs to be as transparent as possible. In parallel to this, people need to feel safe and have the assurance that there is a net should they make a mistake – we’re all human.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? There is a general shortage in the market of experienced Security Architects. There are a lot of people who think they have the experience, but when you dig a little deeper, you quickly find that what they have is paper based; they don’t have the scars to prove it yet.

Cybersecurity is constantly changing – how do you keep learning? You need to remember that every day is a school day. You cannot ever believe that you know it all. Always keep an eye on your favourite blogs and news feeds. Listen to what the community is tracking and keep a close eye on industry trends (Moore’s Law).

What conferences are on your must-attend list? As head of Cybersecurity, you need to stay connected to the industry and attend as many conferences as you can. This is not only for technical education as to what is new and who the new players in the market are but even more importantly for networking. At the end of the day, we’re all protecting our companies from the same risks and the more we can band together, the better chance we have of keeping our environments safe.

What is the best current trend in cybersecurity? The worst?  The best trend at the moment is probably “Zero-Trust”. It gets used a LOT at the moment as a pre-sales buzz-word. If we go back a few years, “least privileged” was a buzzword and now it’s part of our everyday process. Zero-Trust has its place, but it is a complete mind shift from the last 20 years.

The worst trend at the moment seems to be how AI is being hailed as the saviour of the Cybersecurity world. AI is a great tool to be used in conjunction with people. It should be used to help narrow down the focus and point out issues or concerns; but AI is not yet at the level everyone is proclaiming it to be, and it is not the Cybersecurity “silver bullet” (yet).

What's the best career advice you ever received? Learn to think on your feet. There is never a single way to tackle an issue. Always have multiple options when the going gets tough.

What advice would you give to aspiring security leaders? Never stop aspiring to achieve your goals. You will have times where your great ideas are knocked back; never give up. Always have your facts and figures ready. No-one can argue with data.

What has been your greatest career achievement? Seeing how some of my “hair-brained” ideas a few years ago are now commonly used designs and the processes are accepted and used within the company and by our customers.

Looking back with 20:20 hindsight, what would you have done differently? I would have liked to get into Cybersecurity earlier than I did. It is an amazing field that is only going to accelerate.

What is your favourite quote? “The only person you are destined to become is the person you decide to be” - Ralph Waldo Emerson.

What are you reading now? Anything by Clive Cussler.

In my spare time, I like to… Spend time with my children, Ride Enduro Bike, Paddle Board and Woodworking. You need something that allows you to disconnect from the 24x7 world we’ve chosen to be a part of.

Most people don't know that I… Absolutely love being in, on or under water. I’m an absolute water-baby and will take any opportunity to spend time with my family around it. Likely my children have inherited that from me, so I can use them as the excuse.

Ask me to do anything but… Going for a walk without a destination. Some people like going for a walk, just to go for a walk. I need a purpose and a destination.