Secret CSO: Jim Doggett, Semperis

What is the best current trend in cybersecurity? “I find the trend of CISOs becoming equal parts security professional and risk professional to be a very positive trend. There are too many security risks to solve them all, so we must focus on those that most profoundly positively impact my company’s risk posture.”

Name: James (Jim) Doggett

Organisation: Semperis, Inc.

Job title: CISO

Date started current role: March 2021

Location: Houston

Jim Doggett joined Semperis in March 2021 as chief information security officer (CISO). A longtime partner at Ernst & Young (EY) LLP and a veteran security and risk executive, Doggett is responsible for managing Semperis’ cybersecurity posture and information and risk management programme, along with helping customers improve the resiliency of their foundational identity systems. Doggett has coached and mentored some of today’s leading CISOs and has been a staunch advocate for taking a risk-based approach to security. With more than 35 years of experience leading cybersecurity and risk programmes at global organisations, Doggett brings a powerful combination of leadership acumen and real-world experience to his role at Semperis. Doggett served as partner at one of the largest professional services firms in the world, EY, for 28 years, where he was practice leader of the company’s information security group and responsible for all aspects of running and growing the business.

What was your first job? I joined Ernst & Young (EY) right out of school and joined their Audit Department as a financial auditor.

How did you get involved in cybersecurity? Cybersecurity came very naturally.  In my first years at EY, I got involved with their Computer Audit programme. This programme focused on the IT (general) controls on our audit clients. I continued to split my time with financial and computer audit over the next ten years. When I moved to Houston, we hired a fantastic individual out of the Air Force Information Warfare group who was highly experienced in security, especially attack and penetration testing. We began selling these services and it grew from a couple of people into a group of over 100 people. 

What was your education? Do you hold any certifications? What are they? I’ve always said that your background in education never limits your potential. My undergraduate degree was in Business Administration, and I stayed an extra year to get the needed credits to sit for the CPA exam. Education taught me how to learn, and I was able to use what I learned in auditing (i.e. risk) and apply that to my security efforts. This ultimately led to me taking on Chief Technology Risk (information security and IT risk) roles at several large companies. It was the perfect blend of security and applying that in the business environment. Continuing education has been a key part of my growth, starting with education to get my CPA licence, then attending weeks of school annually at EY, and as a partner I am attending EY sponsored classes at Harvard in the leadership area. 

Explain your career path. Did you take any detours? If so, discuss. Really there were no detours in my career path. It was truly an evolution from auditor to IT auditor to security to technology risk. Each step laid the foundation for the next role. And now I am getting the opportunity to apply what I’ve learned in the startup/smaller company world. The only real detours thus far in my career have been moving to further my career: Raleigh, Cleveland, Miami, Houston, New York City, San Francisco, and now operating remotely (Houston).  Each move was challenging, but each also provided a great opportunity to learn, develop my social skills and learn to love change.

Was there anyone who has inspired or mentored you in your career? I’ve had two key mentors throughout my career. First was an EY managing partner, Hilton Dean. He brought me to Miami and we developed a strong relationship. What I valued most from him was his directness. He provided continuous feedback (good and bad) and never sugar coated his comments. The next mentor was a fellow partner at EY, Tikhon Ferris.  Unfortunately, we lost Tikhon a few years ago; however, I continue to get inspiration from him. What made him so effective was that he always listened to what you were saying, never trying to make it about him. Interestingly, both of these mentors also became close friends. 

What do you feel is the most important aspect of your job? First is the need to balance security with the operations of the business. Finding that right balance is an art and one for which I draw upon all my experience. The second important aspect of my CISO roles is the ability to hire diverse talent and blend it into an effective operating group. Having people with different skills and backgrounds makes for a better group, and certainly more fun to lead.

What metrics or KPIs do you use to measure security effectiveness? Well, that really depends on several factors: the company, the state of security at that company, and the key initiatives that we are working on. At my current company, Semperis, we are fairly small (200+ people), with several security folks developing and maintaining our security posture. Here, we are focusing on metrics over endpoints, access controls, SDLC and data protection. 

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? At this time, we are recruiting to expand our security coverage, especially in the security operations area. Thus far, we are finding a lot of security folks interested in Semperis, so we are not having a lot of difficulty hiring. I do think COVID has made it more difficult to recruit, as I have always preferred to interview in person. 

Cybersecurity is constantly changing – how do you keep learning? Read, read, and read some more. There is no end of articles on security. It’s more deciding what to read and what not to read as you can’t spend all your time keeping up. Also, never forget that the biggest security risks today still tend to be the basics… not patching, too much access, poorly configured devices. I try not to get caught up with the latest shiny risk out there. That takes a bit of discipline.

What conferences are on your must-attend list? For me, conferences are all about networking. Meeting and talking with my peers in industry provides some of the most usable information I receive. With that said, I tend to go to the industry conferences (e.g. FS or H ISAC).

What is the best current trend in cybersecurity? The worst? From my perspective, I find the trend of CISOs becoming equal parts security professional and risk professional to be a very positive trend. There are too many security risks to solve them all, so we must focus on those that most profoundly positively impact my company’s risk posture. The worst trend from my perspective is the continued tendency to keep buying security tools to the point where we have too much information to manage. We need to better learn to consolidate the security data we have into meaningful risk data.

What's the best career advice you ever received? The best career advice I have received over the years is twofold: 1) Touch once and deal with it; and 2) Hire people smarter than you.

What advice would you give to aspiring security leaders? Aspiring security leaders need to be a business person first, and a security/risk leader second. In the end, if you don’t understand the business, and the leaders of the business, you will have a difficult time properly securing the company you work with. Always remember that those who generate the revenue typically control the purse strings, and the business ultimately is responsible for risk…including security risk.

What has been your greatest career achievement? Making partner at EY. It was a goal I set myself when I joined EY and I worked every day towards that end.

Looking back with 20:20 hindsight, what would you have done differently? It’s so easy to look back and say what if I had done this differently. But once I realised that I learned from all my triumphs and failures, I probably would not change anything. It’s more useful to look forward. Oh, I would probably speed a little less if I had to do it again.

What is your favourite quote? “You can’t always get what you want, but if you try sometimes, you just might find you get what you need” (Rolling Stones). There are so many messages in that short phrase, I have found it one of my favourites over the years.

What are you reading now? Clive Cussler’s The Devil’s Sea.

In my spare time, I like to… I have too many things I like (some I need) to do. I enjoy tennis, spending time with friends, the gym, woodworking, shooting at the range, fixing broken items, collecting wine, listening to music and travelling. On the side of I need to do, and usually enjoy: growing and maintaining the yard, keeping the cars clean and doing the bookkeeping for the company.

Most people don't know that I… am a part owner in a hair salon.

Ask me to do anything but… waste time. Life is short and every moment counts.