Secret CSO: Vince Warrington, Protective Intelligence


Name: Vince Warrington

Company: Protective Intelligence

Job title: Chief Information Security Officer

Date started current role: May 2018 (Open Banking)

Location: London, UK

Vince Warrington is a leading Information Assurance and Cyber Security expert with over 18 years' experience heading up large-scale, organisation-wide IT and cyber security programmes for central Government departments, blue chip private companies and well-known voluntary organisations across the globe.

What was your first job? My first 'proper' job was as a 19-year-old, working as a data entry clerk for my local council entering invoices into a payments system - this was way back in the days before Windows 3.11! It wasn't exactly what you'd call a challenging or interesting job, but it did pay for me to get driving lessons.

How did you get involved in cybersecurity? Like many of us in cyber security who are of my vintage, it wasn't really a conscious decision. I'd worked in government roles that required high levels of security clearance, and I was simply too slow in getting out of the way when a cyber security project came along. Once I was involved, it all seemed to make sense to me, and I subsequently kept on looking for cyber projects.

What was your education? Do you hold any certifications? What are they? I left school after completing my A-Levels, intending to have a gap-year, but then I found a job and have worked ever since then. I've picked up the usual cyber security qualifications along the way, but I value experience over certifications. They're great when you're starting out, but they don't give you the experience which is invaluable at CISO-level.

Explain your career path. Did you take any detours? If so, discuss. I worked for an international development charity with offices in southern Africa, so I spent time in places like South Africa, Lesotho, Botswana, Namibia and Tanzania. This was earlier in my career, but it taught me a lot about working on a limited budget, how to deal with different cultures, and how to spot a minefield in rural Mozambique!

Was there anyone who has inspired or mentored you in your career? I worked under Robert Coles at GlaxoSmithKline, where he was the CISO. He's a very capable leader and taught me how to work at Board level. I'd also mention Bill McCluggage at Open Banking - one of the rare examples of a leader who listens to the people around him and is not afraid to ask his team for advice.

What do you feel is the most important aspect of your job? Keeping a cool head is vital as a CISO. When it all goes wrong - and it will - you need to be able to lead without falling into a state of panic. Every CISO has had that moment when they realise that a serious breach has occurred, and you need to be the figure of calm in those situations. Everyone else will be running around like mad - your job is to get on top of the problem and lead your people to a successful outcome.

What metrics or KPIs do you use to measure security effectiveness? Whilst there are some technical measures I want to see - things such as security patching and the like - my key indicators are all around security awareness. I want to know how many of the people in my organisation know what to do when faced with a phishing email, know how to contact the security team, or demonstrate secure behaviours. I'm not a fan of once-a-year, 30-minute online training courses. I really like the work people such as Masha Sedova at Elevate Security on using human emotions and intelligence to influence security behaviours.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I don't see the skills shortage biting just yet, but that could change in the next couple of years. My real fear with the skills shortage is that we get an influx of people with qualifications coming out of their ears, but with very little real-world security experience.

Cybersecurity is constantly changing - how do you keep learning? Social media - especially Twitter and LinkedIn - is a good tool for keeping on top of the latest developments. Of course, that relies on you building an effective network of experienced security people to begin with! There are also a number of short courses you can take to keep your skills sharp, and I also highly recommend talking to your peers - sharing information is key to solving the cyber problem.

What conferences are on your must-attend list? There are a few big conferences that I think are vital to attend to understand the ever-changing world of cyber security. In the US there's RSA, Blackhat and DefCon, in Europe there's InfoSec (UK) and the One Conference (Netherlands), whilst in Asia there's the Singapore International Cyber Week.

What is the best current trend in cybersecurity? The worst? I really like the Zero Trust model, which neatly captures both the internal and external threats to an organisation by (at its simplest) stating that nothing is to be trusted until it proves otherwise. As for the worst, I think the cult of AI is annoying. Yes, AI and Machine Learning can bring something to the table but they're still just tools - they're not the silver bullet they're being made out to be.

What's the best career advice you ever received? To be told to leave a role that was no good for my career or my mental health. Sometimes by trying to fix an impossible situation you do yourself more harm than good - as security professionals, it can be hard to leave a problem unsolved. But you have to know when to call it quits - when you have no support from the management structure around you, and you're being set up to be the 'fall guy', it's better to walk away.

What advice would you give to aspiring security leaders? Don't get too deep into the technical side of security and neglect the softer skills. When you reach the leadership roles, you need to know more than the vulnerabilities of Port 80. Develop your people skills - learn to be a good listener as well as a good talker. And get involved in risk management - after all, cyber security is risk mitigation at its most basic level. Understanding business risk, and learning to talk the language of the Board, are as valuable as any technical qualification.

What has been your greatest career achievement? I had an email recently from a lady with a teenage son who has Autism Spectrum Disorder, saying that she really wants him to have a career in computers and cyber security but was unsure how he could do it, and whether anyone would take a chance on him. I put her in touch with a couple of great initiatives (including the Community Security Operations Centre based in Malvern, who take on previously unemployed neuro-diverse individuals), so if that young man makes a great career for himself in cyber security, I'll be happy to take that as my greatest achievement.

Looking back with 20:20 hindsight, what would you have done differently? I'd have spent less time worrying about what my peers thought about me. Imposter Syndrome is quite common in cyber security, so we all need to realise that we can't know it all - it's just impossible. Do what you do well, and ask for help and guidance when you need it.

What is your favourite quote? 'It is impossible to work in Information Technology without also engaging in Social Engineering' - Jaron Lanier.

What are you reading now? I don't get much spare time to read but I've recently completed 'Soldier Spy' by Tom Marcus, which is an insight into his life as an MI5 surveillance operative, and Dan Simmons' novel 'The Terror', based on the ill-fated Franklin expedition to the Arctic.

In my spare time, I like to… I've been a PC gamer for many years, so that's what I do in my spare time. If it's been a challenging week, I'll be taking out my frustrations by playing something like Hitman or GTA5!

Most people don't know that I… I'm a bit of a petrol head. I've previously owned a Mazda RX-8 and a Jaguar XK8, and I currently own a Ford Mustang GT - but I've got my eyes on the new Toyota Supra…

Ask me to do anything but… Get up early. I am not a morning person!


