Secret CSO: Ash Hunt, Apex Group

Is the security skills shortage affecting your organisation? “There is no skills shortage for 90% of security roles, just poor hiring strategies focusing on the wrong target audiences.”


Name: Ash Hunt

Organisation: Apex Group

Job title: Global CISO

Date started current role: October 2022

Location: London, UK

Ash Hunt is an information (cyber) security and technology risk specialist. He developed and published the UK's first quantitative framework and actuarial model for information risk. Having previously advised international governments, FTSE and Forbes organisations in information security and quantitative information risk analysis, he is currently Global Chief Information Security Officer of Apex Group, a global, top-tier independent financial services provider, servicing nearly $3trn in assets across administration, depositary, custody and under management, operating from over 80 offices in more than 40 markets worldwide, with over 10,000 employees.

What was your first job? If you discount paperboy, then my first job was for the UN International Telecommunications Union (ITU) working on international cyber doctrine.

How did you get involved in cybersecurity? I self-published my first paper when I was 18 on the lexicon, terms & definitions used in international cyber policy and their effect on nation-state defence strategies.

What was your education? Do you hold any certifications? What are they? I was educated at a school in Hampshire and later attended University to read Ancient History & Philosophy at Royal Holloway, University of London, simply because I loved the subject (I had already begun working in cyber by this time). I hold no certifications and don’t believe they’re an effective benchmark for an individual’s performance in cyber security.

Explain your career path. Did you take any detours? I actually began playing Jazz music professionally from the age of 16, and intended to pursue that from there on out, but a natural, keen interest in defence, foreign affairs and problem solving brought me swiftly into contact with cyber and I’ve never looked back. Within my career, I’ve been fortunate enough to experience a wide range of roles & activities from government/public policy, intelligence, research, actuarial modelling, behaviour change and many more across a variety of sectors.

Was there anyone who has inspired or mentored you in your career? In the first instance, my parents, who instilled in me a driven and conscientious work ethic, as well as providing me with critical early opportunities. Beyond them, I owe a significant amount of my career to a British Army Officer who mentored me from my late teens to this day in a plethora of disciplines, helping me identify development opportunities and furnishing me with a portfolio of useful skills. My current boss equally continues to be an influential mentor and inspires me daily by way of model behaviour, providing the highest standard of integrity and excellence.

What do you feel is the most important aspect of your job? At a strategic level, ensuring the organisation can achieve its strategic objectives, as well as develop and seize revenue-generating opportunities. Tactically, to determine the business’ greatest areas of loss exposure and take targeted, justifiable investment decisions to reduce the exposure within an acceptable threshold whilst providing a demonstrable return on investment. I want to also mention working, supporting and developing my team who work in lockstep with colleagues across the wider business day-in, day-out to make the above an achievable reality.

What metrics or KPIs do you use to measure security effectiveness? Return on Control Investment; Loss exposure (quantified); Risk-spend efficiency; control design and operating effectiveness; vulnerability escape rates & remediation velocity, to name a few…

Is the security skills shortage affecting your organisation? There is no skills shortage for 90% of security roles, just poor hiring strategies focusing on the wrong target audiences. The profession concentrates excessively on certifications and demanding candidates to have multiple years of specific type experience for entry-level engagements, rather than attitude, aptitude, ability to problem solve, creative thinking, and broader cognitive diversity.

Cybersecurity is constantly changing – how do you keep learning? That’s predominately a personal character trait; if you don’t have the desire to learn and discover, you’ll never be able to keep up, even with external assistance – you need to be hungry for it.

What conferences are on your must-attend list? FAIRCON; RSA; Innovate

What is the best current trend in cybersecurity? The worst? Best is the move (albeit glacial) to quantifying risk; worst, is between the pervasive use of compliance-based, McKinsey-esque security frameworks or Zero-Trust (which has been a tenet of security for as long as I can remember).

What's the best career advice you ever received? Everything is an opportunity.

What advice would you give to aspiring security leaders? Learn disciplines beyond security – strategic communication, behaviour change, stakeholder management, psychology (cognitive biases & heuristics), statistics etc. It will shape (and accelerate) your career more than you’ll know. And always ask questions, no matter how simplistic they may seem.

What has been your greatest career achievement? Hopefully it’s yet to come, but a couple that resonate in my mind would be briefing the classified defence opinion leaders conference in the MoD; developing the UK’s first actuarial framework for measuring technology risk and serving as a security commentator for Sky News & ITV – all the above are additions to the work I leave behind in my former roles, which I think is a more candid and transparent reflection of whatever achievements I’ve attained.

Looking back with 20:20 hindsight, what would you have done differently? Read more. And I already read a lot, but there’s a gamut of ideas and sound practice to leverage from other disciplines, and so I wish I had engaged with a wider breadth of content in earlier years.

What is your favourite quote? I have a couple currently that I’m repeatedly wheeling out: “retain uncertainty without obscuring certainty” and “all models are wrong, but some are useful.”

What are you reading now? The Metrics Manifesto: Confronting Security With Data by Richard Seiersen.

In my spare time, I like to… Walk my golden retriever to the pub; running (clears my head from tech); playing piano and spending time with family & friends.

Most people don't know that I… am a former music scholar and one of only a couple of British students accepted in my year into Berklee College of Music

Ask me to do anything but… develop; I’m a practicing but fairly atrocious coder.