Secret CSO: Deryck Mitchelson, Check Point

What advice would you give to aspiring security leaders? “The best advice I would give is that clear concise communication is critical, both at a technical and business level.”


Name: Deryck Mitchelson

Organisation: Check Point Software Technologies

Job title: Field Chief Information Security Officer, EMEA

Date started current role: January 2022

Location: Dundee, Scotland

Deryck Mitchelson is a commercially focused C-suite executive, distinguished by expertise in cyber security and cloud, with global experience across both private and public sectors. His leadership in consulting, oil and gas and healthcare provides Mitchelson with the platform for building and delivering IT and security strategies and applying emerging technologies, delivering a positive impact on both business goals and the bottom line. In his current role at Check Point he acts as a security evangelist, advising C-suite leaders on digital transformation, underpinned by security resilience and strategy. He is a recognised thought leader and visionary, named in the top 20 IT influencers in the UK by Computer Weekly and winner of Holyrood’s prestigious digital leader of the year award, amongst others.

What was your first job? My very first job, after university, was at a teaching college in Aberdeen. I was part of the IT department, managing student record systems as well as management information systems. Essentially, I was looking after the digital services that helped to run the college. It was there that I got my first taste of Unix and networking.

How did you get involved in cybersecurity? I got involved in cybersecurity in my third job, when I was working for a managed service provider, delivering hosting and internet services. We decided at the time to get the ISO 27001 certification, which is a security standard that we thought would give us a competitive edge. Being the first data centre in Scotland to attain that certification delivered huge benefits. Ever since then, I have had a focus on everything cybersecurity.

What was your education? Do you hold any certifications? What are they? I started studying an accountancy degree but soon found it wasn’t the right fit for me. I spoke to my advisor who suggested a joint honours degree with computing instead. Since leaving university I’ve gone on to receive various other certifications in project management and enterprise IT and risk management (ISACA). At the moment I’m studying for the MITRE ATT&CK Defender Certification, which I’m hoping to complete soon. This looks specifically at how threat actors target our services, what techniques and tactics they use and how we can defend against them. This is an area of cyber I’m fascinated with.

Explain your career path. Did you take any detours? If so, discuss. The only real detour was when I thought I was going to be an accountant. Apart from that, cyber has always been a passion of mine. In my most recent roles in IT leadership, security has formed a critical part of my job. I don’t believe you can be in any technology leadership role without wearing a security hat. My current role at Check Point is my first CISO-exclusive role; before that I held joint CIO and CISO roles, so maybe this chapter is a little bit of a detour, one I’m relishing at the moment.

Was there anyone who has inspired or mentored you in your career? A lot of people inspire me, from family and friends to hearing peers speak passionately at conferences to some brilliant teachers at school when I was younger. I have also had some amazing and diverse bosses who have helped shape my career, the best of whom gave me space to flourish, support when making mistakes and encouraged autonomy in decision making. I have never had a formal mentor as such and have relied hugely on my network of peers for advice and guidance. There is a large cyber community out there willing to help – I learnt early that you only have to ask.

What do you feel is the most important aspect of your job? The most important aspect of my job is collaboration and communication. I spend significant time with customers and partners, understanding their plans and strategies and supporting them with maturing their cyber posture, whether that is through the Check Point portfolio, basic hygiene or other third-party solutions. I enjoy networking with peers and other security professionals at events to highlight key trends and innovations. I recently spoke to students at a large university about future career possibilities in the cybersecurity space. This one is especially significant to me as we have so many gaps across the sector. Collectively, we need to be doing everything in our power to encourage younger people, especially women, to explore the possibilities of a digital-driven career, as there are so many opportunities out there and we need all of the talent we can get.

What metrics or KPIs do you use to measure security effectiveness? When I begin a new role, what I always understand first is whether cyber security is properly owned at the highest board level. Are our executives accountable for cyber risk and, if not, how can I influence this? The most effective cyber programs I have delivered have had chief executive sponsorship, not just commercially but also to measure impact and return on investment. Secondly, are we investing enough in education and training programs and, if we are, are they impactful? For example, are we getting fewer people clicking on phishing emails, and are all attempted breaches being flagged to the help desk so that we are aware of any potential security risks? This is all about evaluating the cyber culture within an organisation. Although not technical, these KPIs are essential in providing a solid baseline for all digital activities.

There are many technical metrics which, as a CISO, I focus on, including average days to resolve a critical vulnerability (internal and vendor), intrusion attempts and security incidents, number of open tickets and resolution time. However, many of the basic hygiene metrics are still top priority, such as continual reporting on vulnerability scanning and patching. This is because organisations are still experiencing cybersecurity breaches as a result of sufficient patching not being carried out, particularly around RDP and VPN services, combined with elevated privileges.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I think every company is feeling the impact of the skills shortage. It’s across everything from leadership and engineering to analyst and compliance roles. I don’t think we’ve ever been in such a hot marketplace, where salaries and turnover are both so high. We need to continue to encourage much more diversity to help fill these shortages, move away from a culture requiring experience and qualifications, and look to recruit based on attitude and personality. Current job adverts are asking far too much of young candidates – the learning starts on the job.

Cybersecurity is constantly changing – how do you keep learning? You learn every day. As soon as I switch my computer on, there are three or four cyber feeds that I consume. I have alerts on my phone letting me know who is saying what, any critical vulnerability notifications and cyber headlines. There is so much to learn by going to cyber events and engaging with peers as well as colleagues. Everyone has a story to tell and something you can learn. That’s the great thing about cybersecurity: every day is different and brings about a different challenge.

What conferences are on your must-attend list? There is still a buzz around the large events such as RSA and Black Hat, and I always try to arrange my schedule to attend these and meet up with peers. At the moment, though, I’m enjoying much smaller round tables and C-suite dinners, where the conversation is more intimate and informal.

What is the best current trend in cybersecurity? The worst? The best trend is definitely the current innovations in machine learning and artificial intelligence. This evolution of cybersecurity is fascinating, yet we are nowhere near the pinnacle of what this can deliver. The capabilities are already very complex and mature, enabling fast decision making, which is making a massive impact. AI can respond much faster than we can; we need to be careful, however, and ensure sufficient guardrails are in place. For example, when I was in the NHS I wouldn’t want AI to change any policies that could impact medical devices or critical care pathways; the right combination of technology and people is critical.

I think there are two trends that are hurting us. First is the high level of salaries, which is just not sustainable. This is being driven by the skills shortage. We need to invest more in nurturing and promoting talent and creating a sustainable workforce. Second is the strain and number of hours that are required to work in this industry. It is too easy to burn out with long-lasting mental health issues. I think we need to look at how we can bring more focus on wellness into cybersecurity.

What's the best career advice you ever received? Particularly as a leader, the best advice was not to be scared to make a decision and to take that decision with conviction. If it goes wrong, own it, escalate quickly and take remedial actions as soon as possible.

It’s critical that if something isn’t going right, you shouldn’t dwell, just fix it. Second, ask if you don’t know or are unsure. A strong leader doesn’t have all of the answers, and it is a sign of strength to ask for advice at an early stage – there is a large peer network always willing to provide support, so let’s engage more.

The other one I give to myself is: trust your instinct. You should trust that first gut feeling; you’re getting it for a reason.

What advice would you give to aspiring security leaders? The best advice I would give is that clear, concise communication is critical, both at a technical and business level. Being a cyber leader is no longer about being an expert in networking, although at times that can be beneficial. Boards are looking for their leaders to be their trusted advisor on all things cyber, the cyber equivalent of the chief financial officer. Key to this is cyber risk management. The board doesn’t talk cyber, but it understands risk. Invest in expertise in the risk frameworks such as NIST CAF, how they apply across industries and how they strengthen operational resilience. I would also recommend you “buddy up” with others in the profession; the community is always on hand to provide support – the hardest part is often that initial ask.

What has been your greatest career achievement? My greatest career achievement so far is delivering Scotland’s COVID-19 digital response as National CIO for NHS Scotland. There isn’t anything that even comes close to it. Decisions I was making in the morning were being relayed by the First Minister of Scotland to the public just two hours later on live TV broadcasts – it was a surreal experience, but that was just how impactful that role was. It was so meaningful too, because not only was I acting as a digital and security leader, I was responsible for saving lives through my decision making and delivery. Without the digital team, there would have been no shipments of vaccines getting delivered, no appointment letters mailed, no alerting if you were in proximity of someone who tested positive, and no visibility of COVID hotspots, which was a result of effective contact tracing. The great digital team I managed was one of the reasons why we were able to come out of COVID much quicker, and it was an absolute pleasure to lead this programme.

Looking back with 20:20 hindsight, what would you have done differently? I don’t have any regrets in my career at all. None. I always look forward, never look back. If you get to a point where you’re not getting up in the morning and getting inspired, then move on and do something different. That’s what I always do. Life is too short to look back.

What is your favourite quote? ‘Never lose your curiosity’

What are you reading now? I don’t read very much. If I get a spare half an hour, I prefer to watch a TED Talk or YouTube video; I can relax and learn doing that. I wouldn’t even be able to tell you when I last read, maybe on a holiday six years ago.

In my spare time, I like to… Not do cybersecurity! I’m married to a veterinary surgeon, so we tend to have a lot of animals around and I enjoy walking and playing with them, especially my two small Jack Russell terriers. I also play keyboard part time in a band, which I really enjoy. Other than that, I do enjoy taking broken things apart, fixing them, and putting them back together again. Sometimes I fix them, sometimes I don’t! The fun is in the trying.

Most people don't know that I… This is the secret CISO question! Most people don’t know that I am a six-time highland dancing world champion and play in a band every weekend.

Ask me to do anything but… Ask me to do anything and I’ll give it a go!