Secret CSO: David Scholefield, Demica

Is the security skills shortage affecting your organisation? “… there is no shortage of enthusiastic and intelligent individuals that can form an excellent security team. Just don’t ask for 10 years+ experience with hands-on security operations, that’s not realistic…”

Headshot of David Scholefield, CISO at Demica

Name: Dr David Scholefield

Organisation: Demica

Job title: CISO

Date started current role: June 2022

Location: London

With over 25 years of experience in information security, Dr. David Scholefield comes from a background in internet software development, on-prem and cloud network administration, and penetration testing/red teaming. For the last 10 years or more, Dr. Scholefield has held the role of CISO in a wide range of organisations including Flexys, a fintech SaaS company dealing with B2B debt management solutions, and Theo Paphitis Retail Group, where he was responsible for the security of some of the UK’s best-known high-street brands, and currently Demica – a leading fintech in supply chain finance solutions. He is also a member of the International Cyber Expo Advisory Council.

What was your first job? Writing operating system code in Z80 assembly language for a manufacturer of handheld computers called ‘Husky Computers’ in Coventry, UK in 1984. There were three of us in the programming department and we were responsible for all software that powered their ruggedised handhelds. My very first task was to design and write a bespoke network protocol that communicated over serial links (no internet or even TCP/IP in those days) It was the first and only time I’ve developed code whilst watching an oscilloscope!

How did you get involved in cybersecurity? After leaving my lecturing post at University of York in 1996, I set up an internet consultancy company with a colleague and we created internet applications for companies like Apple, Toshiba, English National Ballet and others. We soon realised that there was little or no expectation of security in these systems even though they were starting to take payments and store very sensitive information. I began to offer security consultancy as a ‘value add’ to our services and became fascinated by the challenges involved. I clearly remember staring at my first web server’s firewall configuration and scratching my head!

What was your education? Do you hold any certifications? What are they? I had an unusual education: I failed to attend much school as I didn’t really fit well with the rigid and (I thought) authoritarian approach to teaching kids. I left school with few qualifications but after working in the computer industry for a while I realised that a degree in computer science would be beneficial for my career, so I applied as a mature student (at the age of 20!) to Hatfield Polytechnic which had a great reputation for its computer science program. Luckily, I was accepted, and I finally gained my first-class degree. After a short period lecturing on the very same computer science program I’d graduated from, I was offered a research post at University of York where I also undertook my PhD in computing and mathematics. I’m not sure that this route would be so easily available today, but I was very lucky that some key people had faith in my academic abilities. I have some professional certifications in security as well: a OPST from ISECOM which is a penetration testing certification, and I also hold the now almost ubiquitous CISSP.

Explain your career path. Did you take any detours? If so, discuss. That’s a complex question. I’ve been a security consultant for decades, but I’ve dipped my toe in permanent employment now and then as well: I’ve been a penetration tester for a couple of years with IRM (now part of Capgemini), I was the chief architect for MessageLabs anti-spam product (now part of Symantec’s suite of email management products) and was head of security for CSC’s project for digitising the NHS patient records system. I think the biggest ‘detour’ was spending 5 years architecting and implementing a clouded SaaS platform for wholesale supply chain and order management for the UK’s largest FMCG wholesaler P&H during the late 2000’s and early 2010’s. Even then I was spending a lot of time on their security as well as writing a lot of code. I’m not sure how much of a detour this was though because the hands-on experience of developing and managing a SaaS platform has proved invaluable in securing an increasingly cloud/SaaS world!

Was there anyone who has inspired or mentored you in your career? Yes, many, but even though I don’t want to miss anyone out I will name a few. Juliet Brown was an inspirational lecturer in computer science at Hatfield Polytechnic and inspired a lifelong love of learning in me. Without a doubt, Juliet has been the biggest influence on my career and my approach to problem solving; we became great friends and are still very much in contact. Damon Mannion was the CIO at Theo Paphitis retail group when he contacted me after we had worked together a few years prior, and he asked me to work with him on security for Theo’s companies. Damon has been a friend and a mentor to bounce ideas and questions off ever since, and I owe him more than a few beers in return! I must also mention Jon Hickman and Brian Smith at Flexys Solutions who both invested a huge degree of trust and faith in me during my time as CISO at their growing company, and they demonstrated how an organisation can be successful whilst offering a human place to work where the individual’s needs are forefront and where their career is also supported and nurtured.

What do you feel is the most important aspect of your job? The ability to clearly communicate and enthuse all types of people, regardless of their role or level in an organisation, to encourage them to be engaged with security and to want to actively help and support the organisation’s security program. Once everyone in the organisation is part of your security team the battle is half won. Protecting information assets is the most important aspect, but in order to achieve this you need everyone, and I mean absolutely everyone, onboard.

What metrics or KPIs do you use to measure security effectiveness? I think meaningful KPIs are very difficult to define for information security projects because the environment is always shifting, and the numerical measures are only meaningful if you have near perfect knowledge of the current risk landscape. For example, the common metric of counting how many critical vulnerabilities are present in your systems, or have been resolved, is dependent on knowing about them all, and with new ones being discovered daily, the goalposts are constantly shifting. That’s not to say that you shouldn’t devise useful KPIs because you need a mechanism for ensuring continual improvement. I prefer to measure a small number of critical items well, and not be too concerned about the minute details – first define your major objectives, then define metrics that measure how close you are to meeting and maintaining those objectives, and limit your focus on those. These KPIs are likely to be more qualitative than quantitative but that doesn’t lessen their usefulness. Having said all of that, I feel that if my CEO is fully informed about the current risk landscape, and can sleep well with that information, then neither of us are going to worry overly about too many ‘KPIs’.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? There’s a bit of a myth around the security skills shortage. Experience is one thing, and is only gained through hard graft and time; and there is a definite shortage of this, but security ‘skills’ can be learnt, and a good leader should be able to nurture bright and enthusiastic individuals to become very useful in the security sector very quickly. If there’s one thing I have found over the last 20+ years of being in the position of hiring new talent, it is that there is no shortage of enthusiastic and intelligent individuals that can form an excellent security team. Just don’t ask for 10 years+ experience with hands-on security operations, that’s not realistic, or necessary if you have the right leadership and opportunities to learn. What I look for is enthusiasm, open minds, and either technical ability or past exposure to some kind of GRC functions.

Cybersecurity is constantly changing – how do you keep learning? Increasing complexity is the bane of CISO’s lives – we all say it. I listen to podcasts during my morning and afternoon dog walk, I read a ridiculous number of security text books, subscribe to a small number of security news and threat hunting websites, and write software tools for experimenting with hacking and assurance testing (I find ‘doing’ often embeds knowledge better than reading.) It’s a huge challenge, but I’ve come to realise that one person can’t know everything so having a great team and encouraging knowledge sharing is vital.

What conferences are on your must-attend list? If only I had more time for them!

I made time for the International Cyber Expo this year on the 27th – 28th September at Olympia London (where I’m a member of the advisory council). It has been an honour to work alongside some of the industry’s well-renowned experts, including Professor Ciaran Martin CB of Oxford University and former CEO of the NCSC, to shape the event’s agenda. In fact, together, the council covers the legal, insurance, technical, government and entrepreneurial perspectives. Equally important, the council is diverse, with an even gender split and representatives for neurodiversity.

The organisers are committed to producing a high-quality event made by the community, for the community. It has something for everyone, not least a world-class Global Cyber Summit, an exhibition space, live immersive demonstrations and informal networking, making it an event you shouldn’t miss!

I will also make every effort to get to Black Hat Europe this year in person, rather than remotely. Conferences are great learning and networking opportunities, but you need to be very selective.

What is the best current trend in cybersecurity? The worst? The best is definitely the shift to the cloud and the shared security model that major cloud providers support. This gives us the chance to leverage the expertise of some of the most experienced security practitioners in protecting the core infrastructure and managed services we use; it doesn’t absolve us of the need to secure the remainder of the stack, but it goes a long way to close down vulnerabilities in the underlying hosting platforms. The worst? The term ‘zero trust’! The idea is excellent, but the misleading terminology undermines the advantages of the approach: there’s no ‘zero’ in ‘zero trust’ as I’ve written about elsewhere. Oh, and whilst I’m on a rant, signature-based antivirus in endpoints has become the totem for a false sense of security and the sooner we banish it to the scrapheap of history, the better!

What's the best career advice you ever received? Do what you enjoy most and have a passion for. If you don’t already know what that passion is, keep looking until you find it. I love the challenge of information security and am grateful to have found this out relatively early in my career. Also, if you don’t like your current position and you’ve given it your all, leave now – time is short!

What advice would you give to aspiring security leaders? Understand the importance of building relationships and working in collaboration with as wide a range of people in as many different roles as you can. Information security is all about people. Having said that, also try to keep your hand in with technical operations as well: as soon as you stop understanding technical conversations about security controls, you’re pretty much lost as a CISO.

What has been your greatest career achievement? Two really: firstly, working with Venda (a managed e-commerce service provider which is now owned by NetSuite/Oracle) as the lead security consultant to implement a PCI-DSS program which resulted in them becoming one of the first service providers in the UK to achieve PCI-DSS Level 1 audit success. It was early days for PCI-DSS and we were all finding our way through the very first iteration of the standard, and the satisfaction of gaining the final positive audit result was huge. Secondly, has been all of the occasions where I’ve designed and implemented a full security program for organisations that were greenfield sites before I worked with them – and taken many of those organisations through ISO 27001 audits, PCI-DSS audits, and other programs and left them in a better position than I found them. Working closely with different organisations and collaboratively making demonstrable, valuable, and appreciated, progress in security is a joy.

Looking back with 20:20 hindsight, what would you have done differently? Worried less about what other people thought of my efforts and had more faith in my own abilities. None of us are perfect and we all make mistakes, but imposter syndrome is real and afflicts more people than would like to admit. This is something that can’t be learnt easily though, and we all need to find our own way.

1 2 Page 1
Page 1 of 2