CTO Sessions: Paul Farrington, Veracode


Name: Paul Farrington

Company: Veracode

Job title: EMEA CTO

Date started current role: March 2019

Location: London, UK

Paul Farrington is EMEA CTO at Veracode. Prior to this role he was the Director of Solution Architecture at Veracode; he has also run his own IT consultancy and was CTO to Barclays Business Banking Innovation Unit.

What was your first job? I remember that becoming a teenager seemed to coincide with getting a paper round. I think that job remains the toughest job to date. I joined Barclays management development programme at the end of the 90s. We all thought we were the bee's knees, and were going to change the world in the first week.  

Did you always want to work in IT? No, I consciously decided against going into IT even though I was always interested in tech. As a graduate, I joined Barclays on their marketing stream. I worked in a market development team, in press office and later as an Internet banking product manager. The dotcom boom was in full flow at that stage. I resisted the temptation to go and join the bubble, but did complete a Masters in E-commerce at the University of London, so was clearly interested in the phenomenon. At the turn of the Millennium, I went to take care of Internet strategy for Barclays Private Clients. Technology had got its hooks into me again.

What was your education? I did my GCSEs and A-Levels in Lancashire. Some of my best friends went to Edinburgh to start their degrees. I soon followed in their footsteps and fell in love with the city, but deliberately chose a course not in Computer Sciences. I thought people would be very interesting in psychology and human biology classes (they generally were), so I spent four wonderful years in the amazing Scottish capital, leaving with honours in Physiology.

Do you hold any certifications? I hold an Advanced Certificate in Marketing from the Chartered Institute, Prince 2 Practitioner from APM Group, CISSP from ISC2, TOGAF Enterprise Architect from The Open Group, and MSc in E-Commerce (Tech, Computer Science & Management).

Explain your career path. My CV shows that I'm quite loyal to my employer. I spent 11 years at Barclays in various roles. During my time with the bank, I made the leap into a fairly safe start-up (Clearlybusiness.com), which Barclays had once jointly owned with the ISP ‘Freeserve’. The bank had taken a controlling interest in the JV and they were re-floating the business strategy. Initial prototypes of a business software package had shown lots of promise at the time of my joining, but the team needed to productionise and scale the product offerings. We had to build a Software as a Service (SaaS) platform from scratch. AWS or Azure was not an option at that stage, so we did this the only way we knew at the time, doing everything ourselves, assisted by a boutique development partner called L-Shift. With the help of Barclays selling muscle, we hit a sweet-spot and sold millions of pounds of software subscription packages. During my time with the bank I was responsible for product development and later became the CTO of the business unit, which was part of the Business Banking division.

I learnt how to use agile development methodologies to ship software quickly, and how to make product trade-offs to maximise bookings. Being a product manager is almost as hard as having a paper round! I would often find myself devoting resources to security requirements, never really feeling that we were doing enough. There remains a constant friction with the business, which can't always fully appreciate the benefit of hardening the software or paying down technical debt.

When the global financial crash hit, I left Barclays and started my own firm as a technical delivery consultant. I had developers working for my company and was also leading a team of around 50 engineers offshore. That was a particularly lucrative time being independent, but it was a period when I worked too hard and didn't hit the right work-life balance. Then I started my journey at Veracode in 2013.

Did you take any detours? Deciding not to start my career in IT was the first detour. In my heart, I think I knew I wouldn't be able to escape the allure. A more recent meandering has been to work in pre-sales for the last five years. I never expected to do this. Veracode seemed like a really interesting company and I just fell under the spell of the firm's culture. I didn't expect it to last though. I thought I would get found out pretty early on. I learnt that if you're selling properly, you're not telling… you are listening. I like asking questions and guiding customers to the real reason they think they need a solution. I've made lots of mistakes, so having previously been on the other side of the buying relationship helped me to bridge with people. Now if someone asks me for advice when they don't know what to do in their careers, you'll often hear me say… ‘why don't you give sales a go?’. If you want to run your own firm, or make the case for a department budget, you need to know how to sell to people.

What type of CTO are you? Much better than I would have been 20 years ago. We are striving to make the business as strong as it possibly can be, to achieve specific outcomes. Those goals are not necessarily relevant to each individual, so you have to identify the personal motivations of colleagues, and align to these. At scale, that means that you are coaching others to do the same with the people they lead. A former CEO of Veracode (Bob Brennan) would often remind his leaders that it's more important ‘to seek to understand, than to seek to be understood’. If you can make sense of people's stories, and what has brought them to a moment in time, it's far easier to ask them to trust and to follow you.

Which emerging technology are you most excited about the prospect of? I'm both excited and cautious about artificial intelligence (AI). I think we will need to develop legal frameworks to help protect users from the unintended consequences of AI being employed in use cases that may cause harm. Many firms have already put Machine Learning (ML) to work in their organisations and this is helping them to automate the processing of large amounts of data. We use ML at Veracode to help discover vulnerabilities in Open Source libraries. I'm most excited by the transformation occurring due to the use of containerisation and orchestration technologies such as Docker and Kubernetes. These approaches are helping to democratise how developers interact with infrastructure - making it dramatically easy to build and scale software.

Are there any technologies which you think are overhyped? Why? Blockchain. The value of blockchain is tied to its basic properties as an immutable, transparent, distributed ledger. These have real benefits in computer science. There are many examples where being able to prove the integrity of a contract between different parties along a timeline is incredibly important. That being said, blockchain is all too often a solution that is looking for a problem. The crash of the crypto-currencies market is symptomatic of this. Furthermore, whilst the underlying blockchain cryptography of the currency might be sound, the asset does need to be stored. Too often the digital wallets that hold the currencies are hopelessly insecure. Binance is a recent example of things going wrong with pretty disastrous consequences.

What is one unique initiative that you've employed over the last 12 months that you're really proud of? Veracode has adapted rapidly to how modern software is being developed by changing the way in which we meter usage of our service. Just a few years ago, applications tended to be written as monoliths. Defining what constitutes an application was relatively straightforward. With the advent of microservices and cloud native architectures, we've had to ensure our approach to pricing is progressive and delivers maximum value to the customer. We've developed a technical and commercial approach that allows us to be flexible in how we customise the value proposition for customers, based on how they want to work with Veracode.

Are you leading a digital transformation? If so, does it emphasise customer experience and revenue growth or operational efficiency? If both, how do you balance the two? Veracode was founded in the cloud, some 13 years ago, but before platforms like Azure, Google Cloud and AWS had become prominent cloud-native options for enterprises. We recognise that our ability to scale is linked to us leveraging the elasticity of AWS, and making fuller use of the native services that are part of the platform environment. Put more simply, we'll be able to give more customers precisely what they need, when they want it and at a value that makes sense for them by completing our digital transformation away from co-location datacenters. We have witnessed an exponential increase in the level of scanning of software undertaken by our customers. The economics we offer actually incentivises this behaviour, and we encourage frequent scanning as the data shows it's linked to risk reduction. The reality is that we can only meet that explosion in demand by taking this strategic path. I'm one of many, leading this effort.

What is the biggest issue that you're helping customers with at the moment? Without a doubt the biggest issue is directly aligned to the reason that Veracode was originally founded by Chris Wysopal and Christian Rioux - helping customers make software secure. It's actually relatively uncommon for an application to not contain vulnerabilities. In fact, 87.5% of Java applications contain at least one security defect on first scan. Less than one in five applications pass a common security standard, called the OWASP Top 10. So, developers actually have to go out of their way to code securely, and generally it doesn't happen without deliberate intent. However, there are reasons for optimism. We are seeing a strong relationship with scan frequency based on automation, and security defect closure rates in software. DevOps teams that embrace security into their culture and processes seem to do better.

How do you align your technology use to meet business goals? I think you have to perceive the forces acting on customers, and how they might choose to respond to these. If we think about application security, the balance of power in the decision-making process has started to shift away from the traditional security expert, and is now in the hands of developers. Software engineers want a very strong say in how a solution works, and therefore how the underlying technology delivers required benefits to users. That's an example of a dynamic that is important to understand and represents a major shift in our space.

Do you have any trouble matching product/service strategy with tech strategy? I think every business finds this a challenge, but it also provides positive creative tension too. If a strategy is too rigid in any domain, then the adjacent domain may be adversely impacted. Let the pendulum swing too far in the other direction, if say product managers are too willing to morph the solution to meet the needs of a user group, both customer service and technical execution can become distressed. You want the respective strategies to have sufficient backbone, but also the ability to flex to meet the needs of the market. I believe in technical diversity. A heterogeneous approach. Yes, you need to strive for consistency and organisational fit, but I also think it's important to promote experimentation and a desire to adapt. That will result in failures, but also the ability to identify the optimal path.

What makes an effective tech strategy? Effective technical strategy could be measured in so many different ways; ultimately, though, I think it has to be through the lens of the stated business objectives. Often that boils down to how the tech initiatives elevated bookings, lowered costs or reduced risks for the firm. There will be other factors that are important, such as agility, resilience, customer satisfaction, but generally these are subservient to the three I mentioned. If you can't identify how the technical strategy relates to these, then you could make the case that the plan has room for improvement. It needs to speak to how a business is going to survive and thrive.

What predictions do you have for the role of the CTO in the future? The role will have to deal with nuance and a loss of control in how technology is created, purchased and leveraged in an organisation. If you go and speak with any large drug company for example, and ask how many developers the organisation has, you might get a figure of those that either work for the CIO or CTO. Ask the question, ‘does anyone else write code?' and you'll quickly receive the answer ‘of course, we're a pharmaceutical company, so much of what we do involves data and the ability to model complex interactions, most people write software here'. If you think about how that bio-research software gets written, deployed and protected - that completely changes the way in which any technology officer has to think about leading their organisation. Increasingly the role will offer guiding principles that help achieve objectives, where power is more devolved to where the technology adds the most value. Constraining and prescribing technology will often run counter to the interests of the business.

What has been your greatest career achievement? I'm most proud of the impact I've had on other people's careers. To see colleagues gain confidence in their ability to lead others and believe in themselves is the best reward. I'll admit, I could be better at celebrating my own successes.  

Looking back with 20:20 hindsight, what would you have done differently? Wise people often talk about not looking back and seeking to change things that are out of your control. By definition something in your past is no longer within your ability to change. Your mistakes and triumphs got you to this point, however flawed and dreadfully imperfect you are. If I have to answer the question though, I would say resisting my instinct to hurry the pace of change when the conditions were not favourable. Sometimes you can paddle hard, but not make progress in the water because you are just pointing in the wrong direction. Make a course correction, or just delay your strokes, and everything can fall into place. I think back to times when I wasted energy trying to effect change, when in truth, the timing wasn't right.

What are you reading now? Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations. By Forsgren, Humble & Kim

Most people don't know that I… Smashed that window with my football aged 13.

In my spare time, I like to… Be with my family, run, cycle, snowboard, paddleboard, geek, and play with neopixels.

Ask me to do anything but… Karaoke - I can just about bang out a Wonderwall.

