Secret CSO: Simon Eyre, Drawbridge

Name: Simon Eyre

Organisation: Drawbridge

Job title: Chief Information Security Officer

Date started current role: March 2020

Location: London, UK

Simon Eyre is Chief Information Security Officer, overseeing Drawbridge's own cybersecurity practices as well as serving as a subject matter expert both internally and to our clients. He also leads Drawbridge's European presence, overseeing Drawbridge’s engineering, product, and customer engagement teams across Europe. Eyre brings more than 20 years of deep expertise in the financial services sector as well as IT governance, technology architecture, cybersecurity, and corporate strategy experience to Drawbridge. He most recently served as Director of Information Security at Edge Technology Group and was responsible for cybersecurity for both Edge and its clients.

What was your first job? I spent my Saturday’s working behind the counter at a local bakery at 16. I remember it being pretty hot and leaving me very hungry!

How did you get involved in cybersecurity? Back in University (and that was when PINE for email was the new ‘in’ thing) I began my interest in cyber and networking. I was fascinated by what was being done (and equally what was not being done!) on the early Internet days. Before long I was picking clean PC’s belonging to other Students that had fallen victim to a virus. However, I think cybersecurity is often an outlet for the inquisitive mind, one that delves deeper and peels back layers. With that in mind I reckon even early I had the traits as I’d take things apart to learn how they worked (everything from Stereos to the petrol lawnmower fell victim in our home).

What was your education? Do you hold any certifications? What are they? I studied Electrical Engineering in University but went right into IT instead. I took a few certifications in Networking, Storage, Virtualisation and then rounded it out with CISSP.

Explain your career path. Did you take any detours? If so, discuss. Interestingly I never saw cybersecurity as it’s own path and choose IT over cyber in the early years. It was a great time in particular for Networking and Virtualisation technology to emerge. As probably happens for many technologists, management roles slowly encroach on the time you spend on tech until you realise you aren’t doing what you enjoyed anymore. That’s when I side-stepped into cyber-security and am riding a second wave up. This time I feel much closer to the subject matter, perhaps a keynote for cybersecurity versus IT. Even at the CISO level, I feel closer to core of what we do.

Was there anyone who has inspired or mentored you in your career? I had a middle-school teacher called Mr. Peters, who scared me to death most of the time but in retrospect no-one ever pushed me as hard to achieve as much.

What do you feel is the most important aspect of your job? The primary task for me is in my title; I’m expected to protect our information. Whether it’s Staff, Corporate, or Client data, my goal is to ensure our business leads by example in Cybersecurity.

What metrics or KPIs do you use to measure security effectiveness? The evaluation of our own services against the business is a primary way of both evaluating the effectiveness of those products and the effectiveness of our own Cyber Controls. We also independently evaluate with SOC reports.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Drawbridge launched a structured approach to mentoring and career development in several key security departments that allows us to bring in the right people and develop them in a programme under some of the best minds I’ve worked with in the Industry. It’s an exciting model to see in action. I can also say, we seem to have been very fortunate to fulfil roles at a more senior level in the last 12 months than I know many other in the cyber space have been able to do.

Cybersecurity is constantly changing – how do you keep learning? Some of that is driven by prominent certifications (like CISSP) that require ongoing training or services to the cyber world in order to renew the certifications. You need to want to continually learn in order to stay relevant. I personally see this as a key point about a career in cybersecurity. On top of formal learning I like to listen to my peers on Webinars as well as breach reports, honeypot reports, security software blogs, various infosec websites; Twitter has a great cybersec community too. Probably one of the more healthy uses of social media!

What conferences are on your must-attend list? There are a few cyber expos that I enjoy attending in the UK. It’s great to get into the corners of the halls and find the new start-ups to see what new innovative things are coming along.

What is the best current trend in cybersecurity? The worst? I like to believe the corporate world has started to understand that cyber is not IT’s problem. That it is everyone’s problem. Really embracing this will do enormous good to cyber. I can’t classify this as ‘the worst’ thing in cyber but perhaps my biggest concern is properly addressing hybrid working. I’m waiting for a home network IoT device or out of date personal laptop to become the pivot point of an attack into a corporate network. It’s time to really think about device security at home too.

What's the best career advice you ever received? I think I’m a very risk-averse person. And yet somehow along the way (and all on separate occasions) I’ve moved Country for a job, left a stable career in it’s double digits, and also joined a start up. Someone must have pushed me! If you believe in your skills, even a residual risk should be easy for someone in cyber to overcome, so give those opportunities a try.

What advice would you give to aspiring security leaders? Actually probably nothing to do with cyber. Work on your personal and public skills. Getting comfortable in the public arena took some time for me but I really thrive in those situations now. It can be tough to build your confidence on voicing yourself to a group but once you’re there it is well worth it.

What has been your greatest career achievement? I’ve still got goals to hit!

Looking back with 20:20 hindsight, what would you have done differently? Unfortunately life doesn’t work quite that way. You can get lost dwelling on the past. Learn from it, absolutely. If I had any hindsight, I wish some of the mathematic skills I’d learned in University were still with me. I looked like a genius helping to tutor my kids on their GCSEs but A Levels are crushing me!