Secret CSO: Geoff Forsyth, PCI Pal

Cybersecurity is constantly changing – how do you keep learning? “Cybersecurity is fun if you have an enquiring mind. I also like the fact that cybersecurity draws on a diverse, global community of people working together to solve problems and make new (and old) systems more secure.”


Name: Geoff Forsyth

Organisation: PCI Pal

Job title: Chief Information Security Officer

Date started current role: September 2016

Location: Ipswich and London

Geoff Forsyth is the Chief Information Security Officer at PCI Pal, where he is responsible for the overall information security and regulatory compliance of the organisation’s global services, including legal compliance, IT systems risk analysis, incident response planning and business continuity management. As a Fellow of the British Computer Society, Forsyth has spent over 25 years working with internet and telecommunications services.

What was your first job? I began my career as an apprentice engineer at the Electricity Board, in spite of my father’s advice to go to university before starting my career.

How did you get involved in cybersecurity? I’ve been a keen gamer ever since I bought my Sinclair ZX Spectrum in 1982. I began exploring the computer code that powered computer games as a way of discovering hacks that would provide me with additional powers or ‘lives’ so that I could continue playing for longer. That led to a life-long interest in coding, ethical hacking and cybersecurity. In the 1990s I changed career from engineering to computing and moved into my first cybersecurity role in 2000 when I became CTO of an internet start-up and had to protect our network and software against online attacks. I have an enquiring mind and am constantly learning more about the latest vulnerabilities and fixes.

What was your education? Do you hold any certifications? What are they? After completing my engineering apprenticeship at the Electricity Board, I took an engineering degree through a day release scheme when I was in my twenties. I had to work one day each weekend for four years to pay back the time. I hold a Bachelor of Engineering, BEng, and Certificate of Engineering, CEng. I’m also a Chartered IT Professional, CITP.

Explain your career path. Did you take any detours? If so, discuss. I began my career as an electrical engineer, but also had a personal interest in coding and gaming. In the 1990s I switched from engineering to computing, this culminated with a role as CTO at an internet start-up in 2000. The security element of my role increased as the company grew and added more networks and services which needed to be protected against hackers. When the company created a new CISO role, I took the opportunity to move into that role and build a team of specialists who were dedicated to cyber security, data privacy and breach prevention.  I have an enquiring mind and am fascinated with the way that new technologies can create amazing new opportunities, but also open up fresh risks, so you always have to be thinking a few steps ahead. It’s like a never-ending game of chess. It keeps things fresh as you’re always learning something new.

Was there anyone who has inspired or mentored you in your career? I have to thank my Dad for encouraging me to get my degree. If I hadn’t had that advice I may have never gone to university and discovered my passion for computing, which provided the grounding for my career in cybersecurity.

What do you feel is the most important aspect of your job? In addition to the technical aspects of my role, education is vitally important. All employees need to think about security, not just the ‘techies’. We have a company mantra: Security is job zero. Vigilance is everyone’s responsibility. We hold regular staff webinars and training to keep everyone updated and involved in maintaining security. We also run social engineering and phishing simulations, to maintain awareness of the types of ploys that cybercriminals will use in a real attack. A key aspect of security awareness training is to ensure that there is a no-blame culture in the organisation. People must feel comfortable to speak up if they suspect that their company device is infected with malware, if they have clicked on a link, or if they have given sensitive information over the phone thinking that they were speaking to a colleague or customer.

Our whole mission is to enable secure financial transactions in contact centres and to provide merchants and government entities with a way to accept payments without having to handle or store sensitive information such as credit card or bank details. This provides merchants with the peace of mind that they are taking extra precautions on behalf of their customers and that, if their systems are comprised, there is no sensitive payment data for cybercriminals to steal.

Knowing that my work helps businesses and government organisations to maintain the highest levels of payment security, without impacting their customer experience is a huge motivator.#

What metrics or KPIs do you use to measure security effectiveness? We run regular training and phishing simulations to measure the effectiveness of our ‘human firewall’. Where this reveals gaps in colleagues’ knowledge or understanding we swiftly update their training.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We haven’t been impacted by the security skills shortage.

Cybersecurity is constantly changing – how do you keep learning? I keep learning because I’m a techie at heart and I love the ins and outs of coding. I find it fascinating how technological development in one area can create an unforeseen vulnerability in another area, so I’m always keen to learn more. There’s a constant, ‘if this, then that’ aspect to cybersecurity, which really appeals to me as a life-long gamer and problem solver. Cybersecurity is fun if you have an enquiring mind. I also like the fact that cybersecurity draws on a diverse, global community of people working together to solve problems and make new (and old) systems more secure. Working for the greater good gives me a real buzz.

What conferences are on your must-attend list? The PCI SSC Community meetings are a must on my annual agenda and you can usually find me in attendance at PCI London. Looking ahead to 2022, our virtual conference ‘Payments: The Future of Security and CX’ is an accessible option for those managing payments and customer service.  I’m particularly looking forward to contributing to the agenda with our many partners, customers and industry specialists.

What is the best current trend in cybersecurity? The worst? The best current trend in cybersecurity is the introduction of AI machine learning which help to automate routine aspects of security incident and event monitoring, freeing up security staff to focus on anomalous activity and out-of-band patching.

In terms of the worst trend in cybersecurity, remote working is a double-edged sword. It’s been wonderful for enabling companies to carry on serving customers during the pandemic, but it’s also increased the cybersecurity risks because so many employees are working outside of the traditional firewall and company controls.

PCI Pal works with hundreds of contact centres to ensure that they are able to handle payment information securely. At the start of the pandemic, they had to scramble to get their staff set up to work from home, with IT teams quickly implementing new remote access systems for their colleagues while they were adjusting to working from home themselves. In some cases, the priority to ‘keep the lights on’ resulted in rushed, poorly implemented systems that left home devices vulnerable to hackers, which could then be used as a conduit into company networks. In addition to the external threats, working from home without the usual monitoring systems provided an opportunity for some contact centre employees to steal personal data.

What's the best career advice you ever received? Be prepared for every eventuality and keep an open mind, as there is always something new to learn.

What advice would you give to aspiring security leaders? Keep learning: Learn to delegate. Learn to listen. Learn to communicate.

Select the right people for your team, then trust them to do a good job. You can’t stay on top of everything if you micromanage.

Don’t work in a security silo as that can create an ‘us and them’ situation in your organisation. Get buy-in for security from all staff, from the senior management team onwards and speak about security in business terms such as its impact on customer relationships, company reputation and brand value. Good security awareness and practices are important throughout the company, regardless of the role performed.

Learn to think like a hacker. What is most valuable to them. What are they looking for? Where are they likely to look? What tactics might they try?

Cybersecurity professionals often comment that they have too much to do with too little resource, but taking basic steps, training your colleagues, entrusting and empowering your team members, and helping everyone in the organisation to understand their own responsibility for security can significantly improve your organisation’s security.

Use the cloud. The major cloud service providers have spent millions on their security systems.

Finally, learn from your peers, everyone is facing the same battles. Back in 2005, I started listening the ‘Security Now’ podcast, presented by Steve Gibson GRC and hosted by the broadcaster Leo Laporte. Each week, they discuss security stories in the news and steps that organisations can take to avoid being breached. It’s still going today and I’ve found it to be a really good resource over the past sixteen years.

What has been your greatest career achievement? I have been extremely fortunate to have had many great moments throughout my career but I would say my involvement with PCI Pal and seeing how the organisation is flourishing is my greatest achievement.

Looking back with 20:20 hindsight, what would you have done differently? I suppose the only thing we might have done differently is moving to the cloud earlier to enable us to scale internationally sooner. My biggest advice to other organisations is to let the cloud take the strain — after all, these companies have spent millions on security and have well-resourced teams to maintain them.

In 2016, we wanted to start our global expansion, beginning with a launch into the US market. However, we realised that we couldn’t serve organisations based in the US because all of our infrastructure was hosted in private data centres in England. We initially considered installing clones of our UK platform in the US, but this would not have allowed us to scale globally, so we had to completely change our approach. The solution was to migrate our telephony systems to VoIP and move into the public cloud. We had to upskill and learn about modern cloud technologies and the latest security methodologies, working with third party security companies and compliance experts to design, build and deploy a highly robust, secure and scalable cloud platform on the Amazon Web Services platform. We’ve subsequently been able to introduce our platform in Canada, Europe and Australia.

What is your favourite quote? "The way to get started is to quit talking and begin doing" – Walt Disney.

What are you reading now? I am currently reading Project Hail Mary by Andy Weir (the author of The Martian). It's OK but not a gripping page turner. Prior to that I enjoyed Helgoland by Carlo Rovelli - all about the latest thinking on quantum physics and not as dry as you would think! The best super gripping sci-fi novel I read recently was Recursion by Blake Crouch; a novel I have recommended to friends.

In my spare time, I like to… If I ever have a spare half hour, I like to indulge my lifelong passion for gaming and go on 3D virtual adventures with my VR headset. At weekends I love to walk with my wife and our Border Terrier at the nearby beach and through the local forest trails.

Most people don't know that I… signed up as a Fellow of the Royal Society for Arts, Manufacturers and Commerce back in the mid noughties. As part of a 30,000 strong community, we work as problem-solvers, delivering solutions for lasting change. To me, what is really required is more compassion and tolerance in the world.

Ask me to do anything but… Answer this question!