Matt Holland

Co Founder & CTO,

With many years CISO experience under his belt, our own CTO offers his first hand experiences on how to be a great CISO

Who are you, what do you do, and how did you get here?

My current role is as co-founder and CTO of seedata. I’m responsible for all things technical, and take a strong role in product definition, using my experiences as a security leader to help shape the service we are building.

Before this role, I spent over 20 years in a range of roles within the security space, from solution architect and project delivery roles in consultancy engagements to Global CISO roles in large organisations. 

My childhood career aspirations were largely related to motorbikes. I trained as mechanic, did some racing, and studied product design with the intention of becoming a motorbike designer (an education that has become useful again in my current role). 

Like many, I got into security indirectly. It was the mid 90’s, the internet was new and shiny and my motorbike career had somehow been swapped for a role with a large consultancy helping them work what this “internet” thing was all about. This led me into IT security (as we called back then). I loved the counter-culture aspect of it, breaking things, defending against unseen enemies; it was exciting, there was so much to learn and was clearly going to become a growth field. I was hooked!

“An ex-CISO who loves designing products (and misses motorbikes)”

How do you define the scope of the contemporary CISO role?

“We are now doing less operational team management, and spending more time informing risk conversations.”

The CISO’s role has changed over time as new practices and strategies have surfaced. It also varies based on organisational size, maturity and objectives.

Largely, it used to be that all things security (and sometimes wider) were under the CISO. Now, we see a more business-aligned operation of functions that might have strong historical ties to security; things like Identity management and access control being run by service desk / IT Ops, but under a design and process that has been informed by security requirements. 

Personally, I see this as the right direction of travel. It reduces overlap and duplication of management effort, and places budget and mandate for managing the risk with the team that would suffer the impact if an incident were to happen. It’s a clear embodiment of business risk alignment, plus it frees the security function up to stay focussed on the topic of security in detail, rather than dilute effort into operational tasks. 

What skills are important to you as a CISO, and how do you hone them?

Somehow, a CISO needs to simultaneously be a board-room savvy diplomat, and a cloud-native technical svengali, otherwise they risk not getting the buy-in required to get their job done. It’s not adequate to be great at either one individually. So, skills that important are diverse. Three that I value highly are;

 – Analytical skills: Not just asking questions, but structured, planned research, with methods chosen to match the task, quality checks on your inputs, bias recognition and regular feedback from your intended audience. Important decisions are taken on the back of a CISO’s contribution, and they deserve more than opinion and rhetoric. I look at how this is done in academia, and consider it a skill that really improves with practise. 

 – Interpersonal skills; You’ll get nowhere fast if you don’t understand how your interactions are impacting the actions of those around you. Anticipate how others might percieve you, be self aware and introspective, look for unconcious, subtle feedback you’re getting, and respond with necessary adjustments. 

 – Wide Technology Awareness; Most teams in most organisations will employ technology in some capacity, many to a very sophisticated degree. While you can’t be an expert in all things, it’s not sufficient to limit your technical knowledge to just those areas within your immediate area. Taking deep-dive conversation with a wide range of technology teams is essential to understanding how a business works. 

“Be a leader, interacting effectively by providing quality inputs, but remember your roots are in technology”

How do you work with senior leadership effectively?

“Agree in advance when and how you will provide updates, and deliver your news with consideration of your audience’s concerns”

Paramount here is remembering that in these conversations, security is typically only one of many concerns being discussed. Security itself is not the priority, but rather the wider business. 

To be effective here means helping senior leadership understand the implications of your input, relative to the input they are receiving from your peers. So, I adopt two practices that are mutually reinforcing.

 – Establish a timetable and method for regular updates; this will vary based on the individuals, it could be a monthly email monthly, or a daily phonecall; either way, get it in place, and stick to it, and fill it with the content they need to hear, so that you get opportunity to ask the questions you want to ask.

 – Establish a language for conveying importance; It’s all to easy to come over as obsessive when you’re very close to the detail. Everything becomes urgent, and more urgent than anyone else! Avoid this, by taking the perspective of your senior leadership before reporting to them, and use terms they will understand. 

How do you get the best from your team?

The same soft skills that will help you with senior leadership will be valid when managing your team, albeit in different applications. 

 – Step back when you’re not the expert; Your team should have more knowledge and skills than you. Getting the best from your team starts with giving them room and resources to exercise those skills.

 – Exchange information freely; It’s vital that your team share the same vision and set of objectives, along with an understanding of what each other are working on. Take an example from engineering teams working on complex deliveries and embrace a few Agile ceremonies; use standups, sprints and retros, do show and tells.    

“Keep them informed, and give them space to be brilliant.”

What stats / indicators / red-flags do you take seriously?

“If you’re out of touch with the business, or they’re keeping secrets from you, you’re not going to be working at your best.”

A dashboard that’s flashing like a christmas tree will happily and easily provide the SOC clear indications when something has already gone wrong, but as a CISO, I would rather know when something is going to go wrong, and give myself the opportunity to avoid it. So, I look for leading indicators.

If I find I’m hearing about projects that my team arent already involved in, it’s a signal that connections and collaboration with the wider business is failing us. The same can be true if security incidents are being covered up. Cultural breakdowns like this are self-destructive, and require quick intervention, both to understand how they originated, and to build bridges and reverse the situation. 

What technique / tool / approach do you recommend everybody in cybersecurity should employ?

I’d be missing an opportunity if I didn’t shout loudly about the benefits of deception technology and threat intelligence, especially when delivered combined in our own platform. I strongly believe they offer high value in so many different scenarios, and think all organisations would benefit from adopting such capabilities within the security program. 

Taking a wider view though, and with a lense on budget reductions and resource availability, I would encourage a strategy of outsourcing or automating operational tasks. As an industry, we’ve moved on from the idea that all security tasks need high expertise, and we should remember to embrace that when designing process and teams, moving simpler or non-essential tasks into other teams/software. 

Use deception technology and threat intel to level the playing field a little. Use automation and outsourcing to keep your team focussed on the important stuff.”