Secret CSO: Geraint Williams, GRC International

Name: Geraint Williams

Organisation: GRC International

Job title: CISO

Date started current role: September 2018

Location: Ely, Cambridgeshire, UK

Geraint Williams is Chief Information Security Officer at IT Governance. Williams is a PCI QSA and is a highly-experienced technical professional (CREST Registered Tester). In addition to his role at IT Governance, he is a visiting fellow at the University of Bedfordshire. Williams has a strong technical background, with experience of ethical hacking, digital forensics and wireless security issues. He has broad technical knowledge of security and IT infrastructure, including high performance computing.

What was your first job? Working as an engineer on a vehicle mounted ground to air missile system.

How did you get involved in cybersecurity? Working in a university running a dedicated support team for a school of computing, building and supporting systems such as HPC 'Beowulf' clusters and GPU clusters. I undertook several security, ethical hacking and forensic investigations and supported CERT activities at the university. I helped the head of the department develop BSc and MSc courses in computer security and forensics and taught several of the modules. I also developed digital security labs for teaching hacking and forensics. From there, I moved into a consultant role within the industry, gaining PCI QSA status and CREST pen testing certification, and eventually moved up to the CISO role.

What was your education? Do you hold any certifications? What are they? My first degree was a BSc in Mechanical Engineering, and I also have an MSc in Internet Technology. I have held a CISSP for over 9 years. Throughout my career I have held several certifications, including various Microsoft, Cisco, ethical hacking and forensic investigation certifications. I was a PCI QSA and am currently PCI Professional certified.

Explain your career path. Did you take any detours? If so, discuss. My career has been a series of detours right from leaving school. After completing GCE at school I registered for a Mechatronics TEC diploma; however, insufficient students registered for that option and I ended up completing a pure Mechanical diploma. I then pursued a degree, and my final year project was a computer model of a cross flow heat exchanger. In my first few roles as a mechanical engineer, I ended up working closely with electronics, computers, writing software, etc. In the end I moved into IT and became the technical services manager for a school of computing at a university. There I formalised my IT qualifications with an MSc and moved into cybersecurity.

Was there anyone who has inspired or mentored you in your career? It is hard to single out a specific person, but I have been inspired by engineers who came up with new inventions or took existing ideas and used them in new ways. It was Newton who reportedly said he stood on the shoulders of giants. In engineering and IT, we do a lot of building on what was built before to develop new systems and new uses for technology. Several students I taught at university have inspired me; they have gone on to become professors and experts in their own right, and a number of them have exciting jobs within cybersecurity. I am largely self-taught, but there have been numerous people who have encouraged me to study and progress in my career.

What do you feel is the most important aspect of your job? To ensure the group of companies meets its mission in a secure way by being an enabler of the business in a secure manner.

What metrics or KPIs do you use to measure security effectiveness? It is very hard to find a metric to show how effective security is. You need to look for a metric that indicates how many attacks you've successfully stopped. There are some simple metrics, along the lines of how many phishing and malicious emails are stopped and how many incidents involving email occurred, that demonstrate the protection against the low-hanging fruit attackers go for. Meaningful statistics about advanced attacks you have stopped are rare. I use a series of metrics such as the number of system misconfigurations, the number of systems with vulnerabilities, time to patch systems, the number of policy violations identified, the number of staff completing training, and the number of incidents affecting the confidentiality, integrity or availability of systems, services and data.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? It is hard to find and keep good penetration testers, the ones that are passionate about their career and what they are doing. It is those who will look for new vulnerabilities rather than follow a script to find existing vulnerabilities that we look to recruit.

Cybersecurity is constantly changing - how do you keep learning? I set aside time each day to read through a number of security blogs, news sites, Twitter feeds and RSS feeds to see what is currently trending. As part of maintaining my professional qualifications I have to do CPE, and I listen to webinars and read articles, which makes keeping up to date and maintaining certification easier. I have always been interested in technology and find that I naturally read about what is coming next. When I find something I don't understand, it is in my nature to research and inform myself to a reasonable level.

What conferences are on your must-attend list? As a CISO, conferences such as Infosecurity Europe and Cyber Security Manchester are a must, not only for the presentations and exhibitions but for networking opportunities as well. As a practitioner, conferences such as BSides, Black Hat and 44CON; for those involved in PCI, you must attend the European PCI SSC conference.

What is the best current trend in cybersecurity? The worst? The best trend is that cybersecurity is now being taken seriously. This is essential as cyber-attacks become increasingly sophisticated and frequent.

What's the best career advice you ever received? As a teenager I missed out on the deadline for getting an apprenticeship at British Airways, but the manager in charge of the scheme recommended that I should take a diploma rather than A-Levels, as I was very practical. I'm glad I took his advice, as I found the diploma, covering material science etc., very useful for when I went to university, and I found my knowledge in a number of areas was greater than that of those who had taken their A-Levels. However, it was the cumulative advice of a number of people in my younger years encouraging me to continue learning that has given me the confidence to keep exploring new areas.

What advice would you give to aspiring security leaders? Keep learning, keep trying new things and if you don't know - ask and research. Be sure to understand your limits in your knowledge but don't stop expanding them. Not knowing should not stop you, but don't claim to be an expert until you know the field.

What has been your greatest career achievement? Seeing students I have taught progress to become experts in their own right and become professors in cybersecurity.

Looking back with 20:20 hindsight, what would you have done differently? I would have gone straight into electronics and computing instead of doing mechanical engineering. When I was a lot younger I was asked, 'why do you play with computers?' All of that 'playing' or, as I saw it, being inquisitive, has now paid off.

What is your favourite quote? 'I have learnt enough to know I don't know enough'.

What are you reading now? I'm now re-reading some of the science fiction from my past, in particular, the Dune series of books.

In my spare time, I like to… I have two main hobbies. I build systems from single board computers such as the Raspberry Pi and Arduinos that are often security related; I have built RFID cloning systems, miniature hacking drop boxes and wireless sniffers. As a break from all the computer stuff, I have, for the last few years, taken up photography, where I concentrate on macro photography and use focus stacking to build up detailed images of flowers and so on.

Most people don't know that I… Have been on TV as part of a World in Action programme and have crashed more cars than most people, having worked in a crash lab. We crashed cars and simulated crashes for aircraft, helicopter, train and ferry seat systems. For a period of time, I oversaw the anthropomorphic test devices (crash test dummies), which are anything but dummies with all their built-in sensors.

Ask me to do anything but… Basically, I will do most things but draw the line at anything illegal. I have been asked to hack into accounts by those who find out what I do for a living - but I reject all such requests!
