Secret CSO: Ben King, Symantec

Secret CSO: Ben King, Symantec

Name: Ben King

Organisation: Symantec

Job title: Chief Security Officer, EMEA at Symantec

Date started current role: May 2018

Location: London, United Kingdom

As the Chief Security Officer for EMEA at Symantec, Ben King leads a high performing team at the Global Security Office (GSO), delivering cyber and physical security services for the organisation's people, customers and assets. King also leads Symantec's Global Security Assurance function that helps customers, lines of business and suppliers maintain and improve the high security standards expected of them.

What was your first job? I kickstarted my career as a consultant at PwC, in a systems integration role. Working at a large consultancy was great because it allowed me to hone my technical skills, developing in Java and SQL, as well as those business-critical softer skills, like communication, which help you become a more rounded, more effective professional. 

How did you get involved in cybersecurity? During my career I've worked across consulting, finance, and IT. I spent 11 years at the Commonwealth Bank of Australia in a variety of technology roles, including project execution, risk and governance, as well as investment development. It was here that I became well acquainted with the security team and had the opportunity to work with Ben Heyes, the inspirational CISO of the Commonwealth Bank. I joined him as part of the Digital Protection Group (DPG), helping keep the bank and its customers safe from theft, losses and risk events. In this role I leaned on my strong background in technology and projects, while learning the ins and outs of cybersecurity from the world-class team the bank had established.

What was your education? Do you hold any certifications? What are they? I completed a combined degree in Economics and Electrical Engineering at the University of Sydney, with a broad set of majors including Finance, Economics and Software Engineering. The combination of technology-enabled business has always captured my interest. An added benefit of working at large companies such as PwC, IBM, CommBank and Symantec is their understanding and commitment to continuous learning, including plentiful internal and external training across a variety of subjects.

Explain your career path. Did you take any detours? If so, discuss. My career has spanned consulting, finance, IT and cyber security - in multiple team leadership, management and executive roles. This background gave me the opportunity to gain broad experience and work with clients across a diverse range of industries. It was my passion for technology that led me to cyber security, initially in strategy and business case formulation, then project execution, then as the Head of Cyber Security for Europe at the Commonwealth Bank. It's worth mentioning I also took time out to go travelling, which is great for a career reset - discovering new ideas and rejuvenation. My current role at Symantec was a logical next step, why work defending a single organisation when I can influence cyber defence more globally - from governments and huge corporates all the way down to individual consumers protecting family computers.

Was there anyone who has inspired or mentored you in your career? I'm fortunate to have parents who have been great mentors throughout my life and have taught me the importance of having a strong work ethic. They have always been able to provide me with a different, valuable perspective. I'm also lucky to have had multiple business mentors throughout my career, from memorable team leaders wise beyond their years to influential partners or business leaders at major organisations. Rob Mazevski, Dave Curran, Peter Rohde and Ben Heyes have all gifted me memorable experiences and quotes which to this day form some of my continual inner monologue. These mentors are huge influencers on my decision making, and one of the reasons I still find my job so fascinating and rewarding.

What do you feel is the most important aspect of your job? Ensuring our customers are protected against an evolving threat landscape - as well as managing and motivating my team, helping to ensure that they're happy, productive, performing, and perhaps most importantly, always learning.

What metrics or KPIs do you use to measure security effectiveness? I've heard cybersecurity referred to as taking the "anti-elephant pills", meaning if there's no elephants here then the pills are working! Point being, measuring success can be nebulous and difficult. Does a lack of incidents imply good security? Absolutely not. In fact, the opposite is true, better security will yield more incidents as overall visibility improves. Cyber security is about minimising business risk. We measure ourselves on the basics, are we getting done what we should? In a timely manner? And producing a quality output? This can apply to everything we do, and I can be certain we are influencing our risk profile for the better.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The skills shortage definitely makes it more challenging to find the best people to bring on the team. At Symantec, we're seeing this competition across all roles, but I'd say peaking in the blue and red teams working across defensive and offensive security respectively. That said, within the UK - and London especially, there's a large pool of highly experienced and skilled security professionals, particularly in governance and compliance roles. Over the past 12 months this has made it a bit easier than usual as I've built my team.  

It's not just the skills shortage that's making life difficult though - even if it does compound things. Increasing regulation, better-equipped attackers, the increasing complexity of the digital estate and thousands of automated security alerts going off simultaneously are overwhelming cyber security leaders and their teams. Symantec's recent High Alert research finds that four in five security leaders across France, Germany and the UK report feeling burned out, with roughly two-thirds thinking about leaving the industry or quitting their job. We also discovered how the high stress levels cyber security professionals are dealing with is affecting their ability to make good decisions - a quarter of respondents admit they've already suffered an avoidable incident.  So, these issues are clearly impacting enterprise security.

To move out of this state of overload, we have to ensure cyber security professionals are empowered to collaborate as much as possible. Security leaders must set an example of operating methodically and deliberately: don't try to move too fast, take time to understand the problem, break it down into its components and tackle each one with the resources available. Defining your organisation's risk posture will also help you spot the gaps and minimise mundane tasks in favour of more proactive, higher value work. Lastly, it is imperative to recruit a diverse range of talent to help tackle the skills gap. Real disruption can come from diverse thinking, which stems from people with different cultures, experiences and backgrounds - regardless of age, gender, ethnicity or sexual orientation. Monocultures make for weaker, less competitive companies.

Cybersecurity is constantly changing - how do you keep learning? The dynamic nature of cybersecurity makes our industry an attractive place to work. The flipside is that it's very difficult to stay up to speed, remain focused, invest time in solving the problems that really matter and invest time in the people working for me. Communication and collaboration are the keys to overcoming these challenges and filling the gaps in our knowledge. When you listen to your peers, understand what they focus on and what they are excited about - that's what helps you figure out what's worth paying attention to. Then you can choose the most relevant and insightful conferences for you, find the experts you want to work with most, develop a list of your best industry podcasts, blogs and whitepaper authors. A rich mix of these elements are essential for staying informed.

What conferences are on your must-attend list? Every year, I try to attend RSA and BSides. These events offer in-depth perspectives on the cyber security landscape from different angles and personally, I get the most value from attending. There's always some hit and miss given the diverse audience conferences cater to, but I usually find the presentations insightful and really enjoy networking with genuine thought leaders in the industry.

What is the best current trend in cybersecurity? The worst? I'm fascinated by how machine learning helps computers automatically improve and refine themselves, so they can monitor networks 24/7 and respond to what's happening in real time. Cyber criminals are already using this technology to probe networks themselves, searching for undiscovered vulnerabilities. We're using the same kinds of ML-based technology to defend that they're using to attack, so it's an incredibly interesting area of our business.

For example, threat identification systems now use machine learning techniques to identify entirely new and previously unknown threats. That's an exciting shift - we now have to keep learning and moving faster than our adversaries.

Quantum Computing is now on the horizon for enterprises too (or perhaps, the horizon over the horizon!). Quantum physics was one of my favourite areas when studying for my Engineering degree, it's another area of technology and science I'm fascinated by. I think we are at least a decade away from seeing industrial application of this research, but enterprises should be investing now understanding how it works, what the benefits may be, and what new risks this will generate.

What's the best career advice you ever received? Fred Balboni, my first Partner at PwC told me to "push the boundaries until you learn where they truly are". This is something I've aspired to ever since. To me, it means feeling uncomfortable and out of depth sometimes, but I believe we can't perform at the maximum of our capabilities until we understand the landscape and boundaries around us, whether social, corporate or technological.

What advice would you give to aspiring security leaders? Start with the basics. There's a lot of confusion around advanced technologies such as machine learning and blockchain. Aspiring leaders should focus on getting a handle on the basics of cyber security first, such as knowing their business and critical assets, understanding vulnerabilities, risk and keeping patching up to date. Don't try to move too fast - your career is a marathon, not a sprint. Be patient and invest in the people around you, these are the people that will help you succeed. In fact, I've found that the best way to succeed is to help those around you succeed.

What has been your greatest career achievement? The most memorable achievements for me are the green-field builds: when I've created something from nothing. I've been lucky to do this a few times in my career, including building the cyber security function for the Commonwealth Bank in London, and now replicating that for Symantec. I'm proud of so much we've achieved, but really the most memorable thing is building a team of like-minded people, enabling them, watching them learn, grow and deliver against a strategy we've worked on together and are all behind. 

Looking back with 20:20 hindsight, what would you have done differently? I've learned we are the sum of all our experiences - as the saying goes, "Good judgement comes from experience, and experience comes from bad judgement". So, I make a conscious effort not to regret my decisions. But for example, with hindsight, I wish I had signed up for the debate team at school. So much of business is communication, and I certainly didn't invest enough time developing my communication skills as early as I could have (I was far too busy with math and sciences). The best ideas in the world are worthless unless you can communicate them and learning to communicate, and influence takes time and experience.

What is your favourite quote?"We are what we repeatedly do. Excellence, therefore, is not an act, but a habit." - AristotleAnd a more cyber security focused quote I'm currently fond of using is: "In your thirst for knowledge, be sure not to drown in all the information." - Anthony J. D'Angelo

What are you reading now? I love science fiction and fantasy. Reading is a great way to take a mental break frommy day-to-day responsibilities. Three books I'd recommend are: Sapiens by Yuval Noah Harari (human philosophy), Burke & Wills by Peter Fitzsimons (about Australian colonial exploration) and The Ancillary Justice series by Ann Leckie (classic Sci-Fi)

In my spare time, I like to… read, run, swim and spend time with my two daughters.

Most people don't know that I… studied Kung Fu for years during and after school. Very little of those lightning fast reflexes remain.

Ask me to do anything but… Karaoke! I'm exceptionally non-musical.


« Clumio seeks to SaaS-ify backup and recovery


CTO Sessions: David Moss, Blue Prism »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail


Do you think your smartphone is making you a workaholic?