Secret CSO: Greg Notch, Expel

What is the best current trend in cybersecurity? “In my opinion the movement to hire people with talent from non-traditional sources, and bring them into the cybersecurity community. We can really benefit from hearing different perspectives.”


Name: Greg Notch

Organisation: Expel

Job title: Chief Information Security Officer

Date started current role: April 2022

Location: New York City metropolitan area

Greg Notch is the Chief Information Security Officer (CISO) at Expel. He is responsible for ensuring the security of Expel’s systems, as well as keeping customers educated on the threat landscape and latest techniques for mitigating risk in their environments. Notch has more than 20 years of experience helping companies large and small through all three dot-com booms to build high-performing engineering teams, and improve their technology, processes, and security. Before Expel, Notch spent 15 years as the CISO and Senior Vice President of Technology at the National Hockey League (NHL). He also led the league’s technology strategy, digital transformation, and cloud initiatives. Prior to the NHL, Notch worked on infrastructure, security, and software systems for Apple, Yahoo! Search, eMusic, and several other NYC-based tech startups.

What was your first job? My first job was as a line cook for a seafood restaurant in Clifton Park, New York. Even though that’s about as far away from cybersecurity as you can get, it taught me a lot of interesting lessons about triage, timing, prioritisation, and sequencing. Turns out those lessons come in handy in cybersecurity.

How did you get involved in cybersecurity? I started out in my technical career as a Unix system administrator and an infrastructure engineer. In those days, security was just part of the job. Very few companies had dedicated security teams at that time.

Actually, my first security-focused job was as CISO for the NHL. At the time, I was handling infrastructure, operations, networking, and video technology for the league. Of course, security considerations were always a part of that work. After the Sony breach, I strongly suggested to NHL leadership that they should bring a CISO on board. I built out a presentation that explained the type of executive they should hire, the skills that person would need, how the business should change, rough cost models, etc.

It was a little surprising when leadership then turned around and asked me when I could get started on that work! That’s how I shifted from considering cybersecurity in my day-to-day technical role to taking on more of a leadership role.

What was your education? Do you hold any certifications? What are they? I went to college, but most of my technical knowledge came from practical experience. However, as I’ve advanced in my career, I’ve completed multiple GIAC (Global Information Assurance Certification) Certifications through the SANS Institute, including Assessing and Auditing Wireless Networks, Penetration Tester, and Certified Intrusion Analyst, among others.

I’m now also involved with the GIAC Advisory Board.

Explain your career path. Did you take any detours? If so, discuss. My career path wasn’t very linear, but I’m glad I took the path I did. After I started out as a Unix sysadmin, I worked for a bunch of startups, and just took on progressively larger jobs and projects.

I built infrastructure for Yahoo!, and I did some coding at Apple. I spent five years as a network engineer. I took on a journeyman approach to infrastructure and technology, but with a deep focus on networking and automation. This sort of work eventually came to be called devops and once I landed at the NHL, I was able to synthesize all of that and use it to transform the way the NHL built and deployed technology. As the cloud became a reality, I was in a good position to help drive the transformation to SaaS and cloud infrastructure.

That was valuable for me because I got to understand the underlying technology disciplines that go into building software and networks and cloud infrastructure and more. Once you have practitioner-level experience and built teams of practitioners in those disciplines, you better understand their challenges and what their day-to-day looks like.

So it was a bit of a winding road, but I wouldn’t change a moment of it.

Was there anyone who has inspired or mentored you in your career? There were so many people throughout my career that reached out and helped me along. Some of the most notable people are Neil Boland from MLB, Michael Palmer who was with the NFL at the time, David Hahn who was at Hearst, and Rick Howard from Palo Alto Networks. They were CISOs that really helped guide my thinking.

When you work for an organisation like the NHL, you have some specific problems that really only CISOs from the other professional sports leagues have faced, so we formed a consortium of security leaders. It was natural to reach out to and learn from CISOs in the other leagues. For example, Michael Palmer had written some policies that the rest of us could learn from, and Neil had built out a great federated security program model. I was able to share some of the technology expertise and best practices that I had learned.

In so many ways, cybersecurity is a team sport.

What do you feel is the most important aspect of your job? The most important aspect of my job is the ability to interact with people effectively. People management skills are so important in this role, and it trumps all the technical skills I just mentioned. Being able to convey a vision to non-technical stakeholders, give them what’s important, and work with other leaders to align with their vision while achieving my goals: this is the most important aspect of my job.

What metrics or KPIs do you use to measure security effectiveness? Measuring the effectiveness of security is a tricky subject. It’s customised for each organisation. Counting things (like vulnerabilities) or relying on percentages is fraught with peril because you can have tyranny of small or large numbers. I tend to prefer to benchmark where I can, for example against the MITRE and NIST frameworks. I pick critical metrics for each outcome I’m trying to drive, and figure out how to get them from a tool or a resource on my team. Sometimes they are a bad proxy for what I’m really trying to measure, but the only thing worse than a bad metric is no metric at all.

There are some nuts-and-bolts things I measure around cybersecurity resilience and the effectiveness of the tooling and processes in our environment. I look at how quickly we’re responding to issues, trends in numbers or kinds of issues, how various systems are performing, and the like.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I’m blessed to work for a security company that has a great reputation thanks to our employee experience and the great work we’re doing for customers. I think we at Expel have it a bit easier than others in terms of finding good talent. That said, finding and retaining good people is a challenge for every leader.

We’ve found it hardest to hire great product and application security engineers. People skilled with automation technologies or with deep expertise in data and machine learning are also challenging. Those folks are in high demand, for good reason!

Cybersecurity is constantly changing – how do you keep learning? I’ve found that one of the best ways to learn is through collaboration with my peers across a variety of disciplines. Of course, I speak with a lot of CISOs, but I also talk with practitioners, venture capitalists, industry analysts, and other business stakeholders.

I also read blogs and the news, listen to podcasts, and look at wider trends outside of cybersecurity. Casting a wide net helps with making sure I’m well informed. Lastly, I also maintain a small lab environment where I can test new technologies and keep my technical skills sharp.

What conferences are on your must-attend list? My “must-attend” conferences are Black Hat, DEF CON, and the RSA Conference. I usually try to sprinkle in some other private security conferences in the New York City area too, but those three are at the top of my list.

What is the best current trend in cybersecurity? The worst? The best current cybersecurity trend in my opinion is the movement to hire people with talent from non-traditional sources, and bring them into the cybersecurity community. We can really benefit from hearing different perspectives. I truly believe that we’re better when different, and it’s critical as we look to build the next generation of cybersecurity professionals.

The worst trend is the non-stop cycle of confusing terminology, product categories, and overlapping marketing concerns getting in the way of defenders solving cybersecurity challenges. This trend gets in the way of addressing the fundamentals and draws attention to the “shiny new thing.” It can be a significant obstacle to addressing real security problems.

What's the best career advice you ever received? Two pieces of advice come to mind, which I’ve been given over and over. First, hire the best and smartest people you can find and empower them to be great. And second, seek out and listen to advice from mentors and folks who are doing the things you’d like to do and learn how they do it.

What advice would you give to aspiring security leaders? Soft skills are more important than technical skills. Communicating in the language of business is far more important than speaking cybersecurity. Security leaders must remember that they’re working to solve business challenges rather than technical ones.

What has been your greatest career achievement? There isn’t one single achievement that I can point to; I’ve had a lifetime of learning, and a lot of little things sustained over a long period of time. I view my career as a series of transitions that led me from being a line chef all the way to being a CISO.

Looking back with 20:20 hindsight, what would you have done differently? I’m really happy with what I’ve done in my career, but a couple of things come to mind. First, I would have sharpened my focus on security earlier. Second, I would have spent a lot more time learning the language of business and sharpening my soft skills earlier.

What is your favourite quote? I have two: “Everyone has a plan until they get punched in the mouth.” — Mike Tyson

“The cave you fear to enter holds the treasure you seek.” — Joseph Campbell

What are you reading now? I just finished The Three Body Problem, and I’m really loving Ignition! An Informal History of Liquid Rocket Propellants.

In my spare time, I like to… Bake sourdough bread for my kids, spend time in my garden, and hike.

Most people don't know that I… Spent a bunch of years doing concert photography.

Ask me to do anything but… Fix your Windows laptop.