Secret CSO: Chris Hodson, Tanium

Name: Chris Hodson

Organisation: Tanium

Job title: Chief Information Security Officer, EMEA

Date started current role: October 2018

Location: Reading, UK

Chris Hodson is the CISO for EMEA at Tanium. In his career, Hodson has seen first-hand the changing role of IT, from a response organisation to a strategic business unit that drives value and a competitive advantage for the business. As CISO, he is a trusted advisor to executives, board members and other stakeholders, helping them define well-balanced strategies for managing risk and improving business outcomes. Hodson retains an active role in the Infosec industry through directorship of the IISP and membership of CompTIA's Cyber Security Committee.

What was your first job? My first job was IT support at a law firm in Peterborough, my hometown. Thanks to this position, I learned very early about the importance of good customer service and business enablement, as well as the integral role that IT was starting to play in business processes. Fortunately, the legal profession early on understood the need for confidentiality, integrity and availability of data. This early exposure to solid security principles certainly shaped my thinking of information security and data privacy.

How did you get involved in cybersecurity? My path to cybersecurity led me through various roles in IT and network engineering, as well as through my studies to become a Microsoft Certified Systems Engineer (MCSE). At the time, this certification was the rite of passage for anyone working in technology.

As part of my MCSE, I studied several security elective modules and soon realised that my curiosity and fascination to see how things work or don't work had grown. As I have discovered more concepts and practices in the cybersecurity space, my curiosity and fascination to break things down has only increased.

What was your education? Do you hold any certifications? What are they? As well as the MCSE, I obtained a master's degree in cybersecurity from Royal Holloway, University of London. I also achieved several other accreditations, including the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and BCS certificates for Enterprise and Solution Architecture. I'm also a certified blockchain professional.

Explain your career path. Did you take any detours? If so, discuss. When I was younger, I initially wanted to get a job in sports journalism as I enjoyed writing and had a passion for sport, which helps. However, my work experience and early involvement in the IT industry led me away from this path. Since then, my career path has been somewhat linear and mostly technically driven, going from engineer, to designer, to running security teams as CISO.

Was there anyone who has inspired or mentored you in your career? I have been inspired by so many individuals across my career. Mentorship has come in various forms - university professors, bosses, CEOs and peers in my industry. I'm a firm believer in the concept of reverse mentoring - having those who work within your function appraising your performance and suggesting improvements. These days, I regularly lecture over at Royal Holloway and I'm always inspired by questions raised by cybersecurity students. Having not had years of 'cyber indoctrination', their viewpoints are refreshing and often require me to challenge my own thinking on many industry challenges.

What do you feel is the most important aspect of your job? Essentially, as CISO, I'm there to highlight cybersecurity risk which could cause business disruption. The most important aspect of my role is therefore finding creative solutions and working with a range of stakeholders to address these challenges, solutions that both mitigate risk and enable the business to be resilient against disruptions such as outages and cyber threats. I'm not there to remove all risks, but to recommend controls reducing risk to a palatable level for the enterprise in question. No two risk appetites are ever the same!

What metrics or KPIs do you use to measure security effectiveness? Most organisations want to be 'gold plated' when it comes to measuring security effectiveness. However, security maturity should be appropriate for the company in question. The C-suite demands meaningful metrics, and these metrics should take the form of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).

KPIs measure how effective your controls are: malware blocked, users who have attended awareness training or lines of code scanned for software vulnerabilities. KRIs are forward-looking and identify potential cybersecurity risk, which could result in a material impact to strategic business outcomes. Effective metrics must articulate risk, qualify spend and classify information, the latter being the most important. For example, if a business doesn't understand the importance of a particular asset, then how can it define which security controls are needed to protect it?

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The skills shortage is affecting every organisation. Good people are increasingly hard to find or already employed. One of the hardest skills to find is the ability to have the broader business conversation. For example, the types of roles that are outside the IT department and involve conversations about risk with wider business stakeholders. Organisations should therefore look to recruit people with a mix of technical and soft skills to plug this gap.

Cybersecurity is constantly changing - how do you keep learning? As a CISO, my goal is to reduce risk and uncertainty, while enabling our business. We do that by hiring talented employees, documenting and monitoring robust processes, and acquiring impactful technologies.

The learning process should be ongoing for any cybersecurity professional; analysing threats and vulnerabilities is a good place to start. It allows for a better understanding of which direction businesses are going in from a technology perspective and ensures that you understand how these changes impact security architecture.

What conferences are on your must-attend list? I've really enjoyed attending BruCon in recent years. These days, most conferences are live streamed, meaning attendees don't need to attend physically to hear an expert, but this conference really appreciates the value of exchanging ideas face-to-face with industry peers. I'd highly recommend going!

What is the best current trend in cybersecurity? The worst? Automation is the best trend in cybersecurity, when deployed correctly. Using this type of technology helps free up resources and streamlines incident response activities, which enables IT security and operations professionals to spend more time on other tasks, such as threat hunting.

The worst trend is organisations buying a security product without engaging the teams that will be using it. This leaves security and IT operations teams with a fragmented array of legacy or alleged endpoint platforms and narrow point solutions, which leaves organisations blind and unable to effectively operate and secure their business. A new product is not the basis of successful security; it's about empowering the team of people around it. In fact, it's often the team who are the industry experts and therefore they must be consulted when businesses are choosing a product.

What's the best career advice you ever received? You can't be an expert in everything. If you're going to be a security leader, then you need to appreciate delegation and have specialists onboard to support in different areas. After all, cybersecurity has become a business requirement; it's no longer confined to a department but the wider business too.

What advice would you give to aspiring security leaders? Know when you don't know something. Throughout my career, I've learned the importance of being open and honest, especially when you're guiding and advising people to make important career decisions. Having a thirst for knowledge is also deeply satisfying and should be met with an equal degree of open communication from colleagues and peers.

I would also say know your endpoints. You would be astonished at the number of organisations that don't have clear visibility of their operating environment. In my experience, organisations do not manage or secure 15% to 20% of their endpoints simply because they don't know they exist. It's impossible to assess the risk or protect a device as a security leader if you don't know it exists.

What has been your greatest career achievement? The feedback that my thesis received. Having my work validated by senior academics and receiving award recognition has inspired me to bridge the gap between academia and professional deployment in my own career - I still use my dissertation today.

Looking back with 20:20 hindsight, what would you have done differently? On starting out, had I known I would travel quite so much, I'd probably have learned a second language. My Mum was a translator by trade so there is really little excuse!

What is your favourite quote? Can I have two, please? "Everyone has a plan until they get punched in the mouth." - Mike Tyson. "It wasn't raining when Noah built the ark!" - Howard Ruff. Both of these quotes provide sage advice for any CISO - failure to plan is planning to fail!

What are you reading now? Currently, I'm reading 'The Singularity is Near' by Raymond Kurzweil and 'The Fourth Industrial Revolution' by Klaus Schwab. Both great reads and profoundly relevant to the world in which we live today!

In my spare time, I like to… Play and watch sport. I'm a fan of Portsmouth Football Club, which despite the highs and lows has kept me entertained over the years.

Most people don't know that I… Play Ice Hockey, although not so much these days. I'm still an avid watcher and one of my favourite teams is the Vegas Golden Knights. Las Vegas is almost a second home these days and, although I've been to the T-Mobile Arena, I'm still yet to catch a home game!

Ask me to do anything but… Take on DIY projects or eat any kind of seafood!