Secret CSO: Paul Lewis, Nominet Cyber

Name: Paul Lewis

Organisation: Nominet Cyber

Job title: CISO

Date started current role: May 2022

Location: Oxfordshire

Paul Lewis has over 22 years’ experience of working within IT and cyber security. He has worked in a range of technical and senior management positions and is responsible for information security across Nominet. Prior to taking up his position of CISO at Nominet, Lewis was the senior director for cyber security at RELX, a FTSE 100 analytics and information company, responsible for the security of a business unit with over a $1bn turnover across EMEA & LA, US and Asia.

What was your first job? My first general job was wrapping hamburgers in a food factory, which helped me decide to go to university and get some qualifications! My first computing job was with the Medical Research Council in Oxfordshire as an IT support and printer technician.   

How did you get involved in cybersecurity? When I was in my first computing job, my boss used a shiny new thing called a firewall, which nobody had ever heard of and asked me to help manage it. I then started to get involved in managing security and working in anti-virus. The rest is history.

What was your education? Do you hold any certifications? What are they? I have a CISSP (Certified Information Systems Security Professional) qualification; a PhD in cyber defence from Cranfield University; a master’s degree in information security from Royal Holloway; a bachelor's degree in business computing from the University of Hull and an HND in software engineering from Sheffield Hallam.

Explain your career path. Did you take any detours? If so, discuss. I decided to work in security more formally after my first computing job. I was a security engineer and moved up the career path in risk assessment and risk management. I took a detour for two years to work in research and development for the Joint Academic Network. As I became more senior, I moved towards becoming a CISO, which is where I am now with Nominet.

Was there anyone who has inspired or mentored you in your career? My old CSO at a major systems integrator told me to just relax and helped me realise I couldn’t do everything. It was really good guidance and wisdom that I’ve taken on throughout my career.

What do you feel is the most important aspect of your job? Stopping bad things happening to nice people. That's why I get out of bed in the morning. What Nominet does is vital for both the UK and the rest of the world. Not only do we manage and protect the .UK namespace, but we deliver our Protective Domain Name Service on behalf of governments worldwide, securing their public sector and critical national infrastructure. I truly believe what I do for a living is important.

What metrics or KPIs do you use to measure security effectiveness? How quickly we can remediate vulnerabilities. That's extremely important because the easiest way to have a security breach is not patching vulnerabilities, be that configuration or software vulnerabilities.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The answer is yes, but I know an extensive network of people, so I can draw on those networks to help fill any of my vacancies. The skills that are most difficult to find are for DevSecOps roles. It’s a really difficult role to fill because you've got to have development experience, you've got to have security experience, and you've also got to have operational experience.

Cybersecurity is constantly changing – how do you keep learning? With my CISSP, I must do continued professional development. I have to keep abreast of developments in the industry, on social media and in the news, as well as attending conferences. It's a certification cycle of every three years, so you have to kind of get to a specific point by the end of each financial year. I also teach a security management module at Royal Holloway University, which keeps me on my toes.

What conferences are on your must-attend list? I try to get to BSides London and Infosec UK, which helps me keep up with friends and contacts. There is also CCC in Germany, which I’d love to go to.

What is the best current trend in cybersecurity? The worst? Currently, the best trend is getting back to basics. Cyber hygiene is really important because you have to do the basics before you can move on to things like machine learning or artificial intelligence. The worst trend is silver bullets. The idea that one technology will save you and make sure everything's okay just doesn't exist.

What's the best career advice you ever received? The best career advice I’ve ever received is go and learn about standards and certifications because you’ll never be unemployed.

What advice would you give to aspiring security leaders? Do a handful of things really well and don't try to do everything.

What has been your greatest career achievement? I’d say getting my PhD because I did it part time over seven years and it was hard work. Especially as I got married, moved house and had my children!

Looking back with 20:20 hindsight, what would you have done differently? I would have liked to stay at one of my previous roles a little bit longer because at the time cyber security and information security wasn't mainstream and I would have liked to see it flourish as it has done now. The department where I was working changed its focus which is why I decided to move to a role that was more centred around security, but I would have liked to witness how the adoption of cyber security played out there.