Lee Morton

Information Security Officer, On The Beach

Lee has been a long-time collaborator and early adopter of seedata.io. He’s a considerate people-manager with deep technical skills and a curious mind. His appetite for a good chat made him an obvious early candidate for our talking heads series.

Who are you, what do you do, and how did you get here?

I’m Lee Morton, the Information Security Officer at On The Beach.

I’ve been working within security for 15 years. Prior to that, I was an IT manager. I’ve done lots of different jobs, from mechanical engineering, into civil engineering, IT, and then into security. So I have a varied range of skill sets behind me.

As a kid I wanted to be a policeman, but I also wanted to work in IT as I loved computers and programming. Eventually, I hit the role that fits my mentality; I am the person that protects and investigates, but I also get to use computers all the time.

I got into security as the company I worked for at the time took on a project for the Department of Work and Pensions which required ISO 27001 accreditation. I joined the project and found my way into ethical hacking. From there, I became a penetration tester, and eventually moved into Information Security management.

“As a kid, I wanted to be a Policeman, but I also loved computers. I’m now in my ideal role”

How do you define the scope of the contemporary CISO role?

“To guide the business on how to reduce risks, rather than blindly head into checkbox compliance activities”

I think the whole point of a CISO is to guide the business towards implementing secure systems for their customers, suppliers, internal staff, and anybody who interacts with the business.

There was a time when organisations would look to the CISO purely for compliance rather than implementation of security, more like a box-ticking exercise. Times have changed now; senior leadership teams are more mature and expect better outcomes. I would see it as a red flag if I went into a new job as a CISO and heard the board using phrases like “we need to be ISO 27001 compliant” without first considering the wider set of cybersecurity risks they face.

Personally, I’m not a box-ticking kind of person. I will always look to raise security levels, pushing to make sure we get rid of as many of the security risks within the business as possible. I think the modern CISO knows they’re not going to fix everything, but accepts their role is to make sure they get the right level of security, and that the remaining risk is accepted by senior leadership. 

How do you work with senior leadership effectively?

Going back to my previous point, it is important to understand what senior leadership wants. Is it actually security that they want, or just to tick a box?

Once I understand their view and needs better, I make sure I have sufficient authority and appropriate reporting lines to do the job in hand. I find that if you put the CISO reporting to infrastructure or finance, it doesn’t work as well as if they report directly into the board. This is because each has other influences on the delivery of security. An infrastructure director may prioritise the delivery of a solution over the security of that solution and want to fix the security concerns later. A finance-led security model may decide based on the current cost model and not the security benefits.

Ultimately, senior leadership needs to have input from security, but doesn’t have to “obey” what security says. This is the basis of risk acceptance, and it needs populating with credible information and to have risk decisions made by the relevant people; the CISO isn’t responsible for all risks. So, I spend a large part of my time making sure people are aware of the risks, and ensuring my team do as much as they can to reduce risk to an acceptable level.

“Understand their objectives, keep them informed, equip them to make better decisions”

How do you get the best from your team?

“Give them space and encouragement to grow, create community for them to be part of, and experiment with new ideas”

One of the things I find important is to make sure my team feel that they’re learning all the time. I treat them like I would want to be treated when I was getting started, and I wanted to find out how things work, whether or not that thing is something that’s fully to do with the business, or something that may have an impact to the business in the future.

I also strongly believe in the benefits of creating community. For instance, me being a committee member of BSides Liverpool allows me opportunities to get my team involved with a wider audience; it gets them out of the isolation that an office-based IT role can sometimes bring.

Finally, I work hard on empowering and motivating my team. I encourage them to explore; let’s do a hackathon; let’s do something that we haven’t done before; let’s try products that are interesting and new to the market, like Seedata.io.

What stats/indicators/red-flags do you take seriously?

It’s very hard to answer that, because it’s “everything”.

Yes, we want stats, and to provide data to justify why we’re spending so much on a security campaign. They’re great. And yeah, we’ve got the SOC that’s looking at incidents, but after many years in the industry, I have a healthy sense of intuition, and frequently sense something as being “not right” from the smallest of indicators.

I take these moments seriously and look deeper. Sometimes I’ll go down a rabbit hole, and find nothing, but there’s also value in proving there’s nothing there. That, to me, is not wasted time. I encourage our workforce to take the same attitude, when we do phishing training. It doesn’t matter if you don’t “know” why it doesn’t feel right, there’s often just something about it that’s wrong, and it’s better safe than sorry. 

“Everything can be important, but intuition and scepticism are often our best tools”