Secret CSO: Chris Hodson, Cyberhaven

Cybersecurity is constantly changing – how do you keep learning? “You need to have a passion for what you do. Tech is constantly changing - you must be invigorated, because otherwise it would be extremely difficult to keep up…”


Name: Chris Hodson

Organisation: Cyberhaven

Job title: CSO

Date started current role: January 2023

Location: London, UK

Chris Hodson is Chief Security Officer for Cyberhaven, where he oversees all facets of security to protect Cyberhaven customers and employees. Prior to Cyberhaven, Hodson held cybersecurity leadership roles at Contentful, Tanium and Zscaler. In addition, Hodson is a fellow of the Chartered Institute of Information Security and holds an MSc in Cybersecurity from Royal Holloway, University of London. He is the author of Cyber Risk Management, a #1 Amazon bestseller.

What was your first job? I worked at a law firm in IT support in my hometown. It was a good starting point because I learned the principles of customer service and enabling a business. Law firms take confidentiality obligations very seriously, so it was also a very good foundation in the principles of information protection and cybersecurity.

How did you get involved in cybersecurity? Among my IT roles, I worked as a network engineer and earned the Microsoft Certified Systems Engineer (MCSE) credential. That exposed me to security topics and I quickly became fascinated with how cybersecurity either works or breaks down.

What was your education? Do you hold any certifications? What are they? Besides being an MCSE, I hold accreditation for the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), BCS certificates for Enterprise and Solution Architecture and CompTIA Advanced Security Practitioner (CASP+) status. I’m also a Certified Blockchain Professional (C|BP).

As for academia, I earned a master’s degree in cybersecurity from Royal Holloway, a public research-focused university – at the University of London. In Europe, Royal Holloway is considered somewhat analogous to MIT in the US.

Explain your career path. Did you take any detours? If so, discuss. My first career goal was to be a sportswriter! I was in love with sports and writing was natural for me. My first experience in IT at the law firm put me on a different path, though; I became an engineer, then an architect, and ended up as a CISO.

Was there anyone who has inspired or mentored you in your career? I’ve sought out and had the benefit of 360-degree mentoring all along the way, from supervisors to CEOs, colleagues and university professors. Also, I get a fresh perspective from cybersecurity students. Over the years, I’ve returned to Royal Holloway giving talks on cloud security, metrics and the CISO role criteria.

But as you mature in your career, mentoring gets enriched by input from peers; I’ve had the benefit of participating in working groups such as DSMM, serving in board advisory positions, and especially of learning from peers who work in specific industries—take healthcare as an example.

What do you feel is the most important aspect of your job? Overall, it’s to reduce risk and uncertainty while enabling the business. In other words, help the organisation grow, while protecting it. As a CSO, you accomplish that by, first and foremost, listening to stakeholders and understanding what’s important about security for them. 

Take the CFO as an example. Security resonates more with the CFO when the focus is on the financial ramifications of security. We can’t do our best when security is in a silo, and by talking with a CFO, we learn they are concerned about breach liability and regulations that carry stiff penalties for non-compliance. Every CFO thinks about GDPR, and fines that are linked to the revenue of the company.

We also transmit and try to instil a mindset of security by design, where all projects begin with a solid security foundation and appreciate both the functional and non-functional aspects of cybersecurity. I’m a proponent of data-driven security architecture: ensuring that stakeholders understand how information is being stored, processed and transmitted. Security controls must be delivered commensurate with the sensitivity of assets.

What metrics or KPIs do you use to measure security effectiveness? This may sound a bit esoteric, but in recent years, I’ve shifted from KPIs and KRIs to a model that is aligned with ‘Objectives and Key Results’.

KPIs and KRIs are great but they can sometimes leave security measuring its success in a vacuum.

An approach based on business objectives affords tighter alignment with my stakeholder community. The model I am outlining allows for ruthless prioritisation of security projects, mapping requirements for data protection, vulnerability management and security awareness to corporate goals. I plan to write a lot more about OKRs so watch this space!

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? If a company was not affected by the cybersecurity people shortage, they probably were not paying enough attention to cybersecurity in the COVID era. The macro hiring environment has shifted back toward a balance, but it’s still hard to find experts in modern, cloud-native technologies—it continues to be a challenge to hire DevOps, DevSecOps, and SaaS talent.

However, the need for people and ultimately the salary offers have to be reconciled with tighter purse strings in many organisations. I will say that with security shifting toward tighter integration into operations, I believe we will always need a particular kind of person: technologists who can carry on a business conversation and communicate well with all departments will be in great demand. With those skills on the team, the CISO can engage more effectively with the CFO, COO, CMO, etc.

Cybersecurity is constantly changing – how do you keep learning? You need to have a passion for what you do. Tech is constantly changing - you must be invigorated, because otherwise it would be extremely difficult to keep up. Stay connected to your peers, and engage with the broader global cybersecurity community. I use a curated RSS feed, Blinkist and podcasts—a mix that keeps me learning on the go. Participating in the standards working groups, or leading them, has been a great learning method for me.

What conferences are on your must-attend list? RSA and Black Hat jump to mind first. BruCon is another. It is great to be able to get back to connecting in person with people in my field, actually shake hands and talk over coffee about security topics. I want my senior people out there as well, to push their motivation to keep learning.

Peer-to-peer knowledge is so useful in my role. I’ve been shifting from huge conferences to taking part in focused working groups like DSMM. CSOs need to hear from other CSOs who are also managing risks for their organisation.

I recently chaired Cyberhaven’s inaugural CSO Council, and that 90-minute session brought tremendous value for me, seeing what CSOs are concerned about, how they’re making security work. We are something like front-line officers, both operational and strategic, solving tactical situations all the time.

What is the best current trend in cybersecurity? The worst? The best? Shifting left. I’m very pro shifting security left, although there is some confusion about what it actually means. Whenever a developer writes code, we should apply our security controls to that new code from the beginning—at the “left.” We want teams to scan code for defects or security vulnerabilities early in the development stage. It’s far superior to the historical alternative: first build a product and then do pen testing to expose vulnerabilities further down the line, when it’s too late.

It’s more than DevSecOps, and much more than checking freshly written code. Checking security from the inception gives a strong security foundation to all kinds of business activity. It is much less costly to address security from the beginning. Shifting left is an attitude and an orientation, not just looking at code.

As for negative developments, there is one issue that springs to mind: a lack of business impact analysis, i.e. designing security controls without contextualising the relative importance of the environment in question. Security controls—irrespective of our quest for ‘frictionless security’—impact users, and evaluating the usability-v-security trade-offs is a must for a security team to truly be considered a business-enabling function.

What's the best career advice you ever received? To get experience in multiple disciplines before you specialise. This proves really valuable to most people. It’s not only because one can then contribute in multiple areas, but also to discover where your skills are strongest and your enthusiasm is sharpest. I’ve received that advice, and I have passed it on to others.

What advice would you give to aspiring security leaders? Admit when you don’t know something, or get it wrong. Fail quickly and move on. People want a leader who is open and honest, and they are motivated to help teach such a leader. Rebounding fast from a setback gets you to success faster. It can also reduce the cost of a mistake—and identifying the lesson it’s giving you, then applying that lesson. It also means people have less time to dwell in feeling down, and they see the results of you making a correction sooner.

Also, get to know all of your business stakeholders. You have your own view, as a CSO, of business risk—now consider what is important to HR, Finance and the IT teams. Everyone on a commercial level is battling for the same budget. If security projects have demonstrable business value, they’re likely to be moved up the pecking order for cross-functional collaboration. Data is the currency all stakeholders understand, and they help me create a more holistic security practice.

What has been your greatest career achievement? It was really exciting to publish my first book ‘Cyber Risk Management’ and the entire process of writing a book—even on a subject I know well—was a new and big challenge.

For many CISOs, their greatest achievement is seeing the number of potential attacks deterred or foiled at an early stage and the damage they saved their organisation from. Of course, nobody gives out medals for possibly preventing something. It is hard to prove a negative.

It’s no accident when things go right in this job; nor wrong, because we face an adversary. There is adrenaline in knowing someone is out there actively fighting your organisation and trying to wreck your career. Great satisfaction comes from enabling the business to grow safely.

Looking back with 20:20 hindsight, what would you have done differently? I would have learned a second language. My mother was a professional translator, so I have little excuse for not knowing other languages—that being said, with all the traveling I’ve done, I would love to have other languages at my disposal.

What is your favourite quote? Well, I have two favourites. First: “It wasn’t raining when Noah built the ark.” The time to plan your security architecture is before the data breach. My other fave is “You catch more flies with honey than vinegar.” We in the technical engine room have to remember that approaching our business colleagues in other departments with staunch dogma generally doesn’t work so well. Getting to know them over lunch in the cafeteria can be remarkably helpful when you get to a tough situation; there’s trust and rapport.

What are you reading now? The Secrets of Sand Hill Road. For those not familiar with the geography of Silicon Valley, Sand Hill Road is a street in Palo Alto where many investors have their offices. This book helps me learn what resonates with different stakeholders that I’ll encounter, and understand the lifecycle of a tech company “from concept to industry leadership.” I should also mention that I am preparing the new edition of my own book.

In my spare time, I like to… As it is for many in the corporate world, family time is precious. I’m active in sports, and we have three children—often I simply want to do what they want to do; anything kids do. I occasionally pick up a hobby that teaches me something useful at work, like coding—but for fun, not creating a new commercial product. It doesn’t hurt to attune our interests to what the company does. Being fascinated with the industry gives you a big advantage in achieving success, too.

Most people don't know that I… Play ice hockey and have met Harry Potter. And since we typically wear long-sleeve shirts in the UK, most don’t know that my entire right arm is tattooed, shoulder to wrist. It’s a design that I came up with, focused on certain themes that had mattered in my life.

Ask me to do anything but… Eat seafood. I have no argument with fish, but seafood’s just on my No-Go list, even at upscale dinners. Also, I don’t draw intelligibly, nor fix anything in the house. Trust me with your cybersecurity, but not your leaky faucet.