ESORMA Mastermind: Michael Macpherson
New to the role of CISO with surprising career observations
Hello, It's David White here. Thanks for joining me on this Mastermind call, and the Mastermind we have with us today is none other than Michael Macpherson, an ex military guy who now finds himself in a security role. Information security role. Well, I guess quite a track record. In security, IT, and all those good things is that right Mike, are you with me?
Does Your Employer Provide Opportunities For Growth?
25s. Michael: Yeah. Hi, David. Many thanks for letting me join on the call today. It's great to be a part of the Mastermind call. Yeah, it's been quite a quite a career journey. Like you mentioned. I spent 14 years in the British Armed Forces as an engineer starting off and then had many different roles in the forces. And I think that gave me sort of an appetite for learning new things and moving on up skilling myself all the time and when I left the military in 2011 I jumped into what it's my first official commercial role as a network engineer and since then, it's just being a roller coaster ride and you know, most people look at my career history and think that this is an issue somewhere because I keep moving on, but it's nothing. Nothing like that at all I've still got great relationships with my first employers that had many years ago, and it's just a case of the I. I was looking for something that I couldn't find, and it's an unusual one because I think when I worked with Rackspace, the managed service provider, I was there for a good 3.5 years. And I think it's because I had that, you know, like a safety net in a working environment where I felt that I could grow and accomplish different things. There were many challenges there that were keeping me engaged in. I think that's where I have moved on it's because I haven't had that opportunity to grow, are being challenged, and it's not kept me interested.
David: Funnily enough, quite a lot of people have got a similar experience. Having spent a few years somewhere like Rackspace, where there are a number of challenges and you want to complete the complete them. But then in a career you don't have to move on, and sometimes it's the only way to kind of really get the experience that you need isn't it.
Michael: I think it's an individual element as well as you. No one knows. Everyone's got their own goals in life and everyone sets their own their own ambition, their own drive to do things. Some people are extremely content in the roles they are in, I don't knock them for that. I think that's great. Unfortunately, I seem to be one of those people that is never satisfied in their roles. It's one of those things that I seek new challenges all the time, and I think if the role is not challenging me enough, I'm going to look elsewhere eventually and you know, so far, so good. It's only a month into the new role, but I can see that this is a long, long road ahead of me. So being it's a CISO role so, yes, it is. I think it's all individual. It depends on what you're looking for in life, I guess
David: I went down the contractor route and I ended up having a very diverse career as a result, going from one minute I was working for chip manufacturers, like AMD. The next minute I was at Mars Money Systems. Next minute I was doing something else in defense. The next thing I was designing power supplies for laptops. For nearly a decade, I spent time releasing data to help people to get their data out of database systems and then in the course of the last decade. It's been much more about security and keeping data in.
Embrace Your Inner Imposter
3:10. Michael: It's interesting the contractor route if there's one thing I've done very in a very limited capacity. And, I think there was always that inner imposter syndrome in me thinking that I wasn't good enough to be a contractor. I needed more experience before I stepped into the contract world. And ironically, a lot of my peers who are contractors would look at my career history and say you may as well have been a contractor the amount you've moved around, the job stints is for six months, nine months, six months and it's been sometimes it's been a challenge to actually explain to organizations that no, I was actually a permanent employee. I just chose to flip the hiring model on its head and in my opinion, probation works two ways. You know, it's not just about whether or not you good enough for the company is also whether or not the company is a good fit for you.
David: Let's talk a bit about security. You got opinions about leadership. I understand.
4:03. Michael: I do, Yeah. I think I've been very fortunate to have some amazing leaders in my military career. Yeah, and also my commercial career, who have put their faith in their trust in me to actually excel on kind of just give me the autonomy to get on and do things. But then there also there is a safety net to actually, you know, make sure you're doing things correctly and, you know, encouraging you to grow. And I think that the security industry in particular suffers from a lack of leadership in the sense of that. You know, there are some great leaders out there in the security industry, and you know, I've got peers, who are those leaders. But I've also worked with leaders who just they're not leaders in the truest sense they are more managers and have gone managerial capacity. And I think it comes from a lot of there's a lot pressure involved with the role. As I'm finding out in the new CISO position, I think it's also it's down to the personal mindset, and I think a lot of people find themselves in these leadership positions by default. So they may have been promoted from grassroots organization if they've had a long tenure there similar to military. You know, you go up the ranks and you've seen is an expert in your field. I think it's it's that that's the problem. Now it is over. I don't think many leaders in securities especially have actually had the leadership training they may require to manage their teams. Again, it might not be a full of their own it might be. The business is not thinking abstractly, you know, and supporting their newly managers or leaders in that role in one of my previous rolls recently I was brought in to be the conduit between the traditional security team and the development team who are innovating the new product and that's what I just leveraged. I think one thing that needs you need in securities. You need to have soft skills you need to be, so you know, corporate social engineers. If you want a better term, you know you need to be able to talk to people at many different levels. You need to, you need to empathise with them as well. I think there's a great deal of empathy that's needed in the industry. And I found myself quite, very quickly. I was embedded with development teams and I ended up doing the work of the developers and I realized what a headache it was. And, you know, the only code I knew until last year was my pin code, you know, if it sounds ironic, but I was I was never a coder. You know, I have always been a hands on engineer, you know, a network engineer. Yeah, but I think just showing that willingness to to get stuck in and roll your sleeves up and, you know, do the work that they're doing. Yeah, and then explain what it is you're trying to achieve. I actually found developers were coming to me with security problems and they weren't saying Hey, how do I solve this? They were saying I found this and we've solved it. So they actually done my job for me. And that was such a rewarding experience. There is. The industry is fast. And there are a number of legacy organizations that to do that would take years.
David: But that has to start somewhere?
Michael: Exactly. And I think there's the trouble is, I think we a lot of the industry is built on commercial products, so someone will see a gap, and it's this the way sales works. So I guess you know, someone sees a gap in the market. They start selling something that's gonna fill that gap. But unfortunately, there's too many of those things. You know, there's too many technical tools. And what have you but (Yeah, the products) you mentioned as well about leaders moving up from previous technical positions, and I think it's important in this time as a leader in the industry, you need to be agile. You need to stay on your toes. I think it's relevant for this sort of the modern leaders in the industry to try and keep hold of his technical skills the best they can. But it doesn't mean you have to be coding every day where you have to be doing on configuration every day. But even just having the baseline understanding of what your technical teams are doing, you know, not just from a textbook, you know, just actually getting down, sitting with the teams and spending that time with them and so understanding their pain points, it will help you be a better leader.
David: A lot of people are very good in their CISO roles. You find they have an agile background that they have an understanding of project management and they are also reasonably familiar with the idea of managing administrative tasks as a lot of security is, however, saying that there is a key piece: being able to communicate colleagues because when they know what the objective is, which is fundamentally to look after them and the business, when they know that is the objective and you give them some idea as to how they can look after themselves and each other tend to be pushing on open doors, that they tend to be very willing, which is why your colleagues came to you and said not only have I found the problem, but I've also solved it, so that's a common experience for those that take that trouble. I was talking with a very experience CISO the other day, Mike Osman and he was saying, probably the biggest bang for Buck for a CISO is in spreading security awareness among colleagues, especially when you've entered a new role where there is no budget or when you have to fight for a budget when in effect, you are the budget.
Whose Train Set Is It Anyway
09:05. Michael: Absolutely. And I think for anyone going into a new role, as I recently have, you've gotta just coming in. So be pragmatic. You've gotta come in at least assess the situation. Don't come in going on. We need this tool here. This tool here I want I've got a great relationship with these vendors. Let's get them in. You know, just sit down, talk to the teams and get a bird's eye view of what you're actually looking at and what's important to your organization. I think that goes a long way because I've done a similar exercise here. Haven't got any tools. You know, I'm using the cloud native tools that we operate and I'm actually just defining the baseline. You know, one month in of to find a baseline. I'm just working out now where I need to put my energy into hardening the systems and what have you. But this is such I think it's a fundamental thing. That's missed and I think if CISO going into new roles, they kind of want to come in, you see this less in industry. But in the military's I see it a lot. When we used to have a new commanding officer come into the unit, they would they would come in and they would say: forget about all the old commanding officers rules. This is my train set. This is how I'm going to operate. They would just want to make stamp on authority. They want to shine to the board essentially to make themselves look better. And I think that's the problem. You know, they're not thinking about the people on the ground. They're not thinking about the actual the operations that are running, they just thinking about themselves and not everyone, you know, I'm not casting or tarnishing any brushes a little bit, you know, I have definitely seen that in industry and it's no, it's no great, not a good look. No, no, no.
David: Well, I call what you've just described as scoping, and I've got this little funny little set of words, which is, if you're not, if you're not scoping, you're not coping.
Michael: Awesome, I like that one
David: Because you should always be scoping and you've obviously come in a new role. The first thing you must do is you have to scope you gotta understand what it is. What trains have you got in your train set, for instance. That's what does a stop look like, you know, what path does it follow? Etcetera. Then what happens is firefighting begins. Yeah. So everyone starts by telling you how good everything is and almost, you know, your not needed. Here. Please move on. And then you deepen your scope and you start to spot a few cracks and a number of issues and some of which you're able to address really quick. And this is why you are a CISO because you have this experience, you'll be able to look at certain things and go oh I know what the solution to that is. I don't need a budget. I just need to know you know where the firewall is and tweak it. Minimise the port access, that kind of thing. Yeah, actually, the belt embraces the basics, and it's usually the basics that let most firms down. But then suddenly, someone or something jumps out that now needs to be dealt with. And it may be a client, or it may be a supplier or maybe a manufacturing process, so it may be a breach. But now you're into fireman mode and putting fires out, but you still have to scope. Yes, what's wrong with the industry? Lack of leadership, Um, as you suggested the industry managers to lead but who else do you need to lead? Who do you need to lead as CISO who is it that you're leading?
I Think Of It As My Business
12:19. Michael: I try not to think of myself as a CISO although that's my title. So my role as the company CISO is to support the entire organization. I think the way I try and look at it, it is my business, and I don't want my business to fail, and therefore I'm leading trying to lead all the different business units we have. So everyone that I work with directly, everyone in the organisation, I just want them to realise that I am a point of contact for anything security related, and also if they need help with anything they do because it helps me understand their business area. If I can actually help do something for them. If I've got time to, you know whether it be produced client backs or for the client's success team or, you know, help the DEVs do some coding, if it's a quick fix, you know, and things like this. But also I'm acting as a face for the business as well. So I'm leading the business to the next level they want to get to. It's a challenge, you know. But that I think that's think so, like you say, the way I like to think of it is it's my business and I don't want it to fail. Therefore, I have to lead it, lead by example, essentially.
David: Are there any misconceptions that you can think of that people have? I mean, you've been a month in this role. Have there been any surprises, any misconceptions that you think exists for CISOs?
Where Is The Skills Gap? Exactly?
13:37. Michael: I think a lot of people on line have commented about the skills gap in the industry and that there's millions of personnel were short of millions of personnel. We need all these personnel. We're never gonna find them. We have to interview some. I've got a great network, and I've I see continuous daily updates of people that are looking for work. And I don't have a team yet. You know, I'm the only security person in the organization and when I do go to hiring. I'll be speaking to the HR department and making sure they understand my requirements. It's not all about certifications. For me I want some people I can work with well, and have a curiosity and a passion. And I think by if the skills gap existed, I wouldn't have had work. I wouldn't have found work so quickly every time I moved on. Then if you think this is my fifth role since 2017 not even three years, which is crazy, you know, by being able to put the feelers out very quickly, realize what works out there on groove into a role. And that's alongside the fact that I don't have any security certifications, either. You know, to get in the door to get into interviews with no certifications on paper and you know, only a couple of years security experiences is no mean feat. You know so I'm not advocating, not having certifications and things, but it's just something I have not done. Not through any particular reason is just being a more practical based person. You know, I like to know practically what I can and can't do. But I think this year the skills gap, there's plenty of people out there that looking for work. And I think the industry in itself offers so much, so many avenues for different people to persue. You know, ex military people, people looking for a career change. There's so many transferrable skills they can bring to the table. And I think the organizations and the industry in general, they start to get better. But they're very narrow minded. Focus. We must have these certifications, 20 years experience for an industry that's only been around for 10. It's these ridiculous asks and the job descriptions getting bigger and bigger and bigger. And even I Sometimes I was thinking, I'm not going for that job. There's no chance. You just you can't be afraid to fail. You just gotta try it and see what comes.
David: That's an interesting perspective. Certainly I think experience is a lot more valuable than necessarily getting certifications, although I do spend a lot my time helping people to get certifications. But I have to say that most people start where you have started from, which is we don't with extensive personal experience in the field combination of military and commercial, which is where you've been. And obviously it starts at a younger age in military and becomes commercial after you leave the military. I hate to say it, but to a certain extent, the certification is kind of a tick box exercise. I've seen it many times when people have been through the certification process. They recognize all the elements. But they've never seen all the elements put together before. That has a value, but you can get that by just buying the course books. You still don't need to certification
I Failed The Course, But The Study Was Successful
16:40. Michael: That's the thing I find I recently sat on a, I took a course it was an advanced Web application penetration, testing course. It was purely for interest. I had a credit left from the military. I was very fortunate and I used the education credit to go on this course. And it was It was fascinating, you know, actually getting hands on and learning how to actually attack Web applications and when it comes to the assessment at the end of the week. I wasn't I didn't pass, but I came away thinking that was fine. I enjoyed my course. I didn't I didn't go crying into my milk as it were because I didn't pass the course and then when I looked at it objectively, there was six of us on the course. I was the only non pen tester professionally on the course, and there was only two of the pen testers actually passed out of the other five. So it just goes to show that even pen testers couldn't pass the court. So it wasn't on what I didn't do too bad. I came away with some great insight as to what to look for when I go back to my organization and I'm very similar. I love to learn that that's one of my passions. I love to learn new tech and understand why things work and that comes from, you know, the engineering background. I think I spoke about it before on other talks that I was I think I was 3 or 4 years old when I dug through my bedroom wall with a screwdriver and my mum just put head in her hands and said: 'You're gonna be an engineer'. So you said, I think since those have never, never put one down.
David: There's a story, your poor mother. Okay? But I think if you put it very well when you say you said earlier, you, far as I'm concerned, are taking on this role of my role is that my business will not fail. It's certainly very easy to get far too technical, technically orientated in security when ultimately it is actually about the business. What else do you think? Within industry do you think should be fixed? So magic wand time?
Michael: Magic wand time? Well, I think I have talked about lack of leadership. I think we need to, we need to sort of move away from the ticking boxes so every organization, department, this one because I'm actually leading the charge on this one. The organization that worked for is all about meeting regulatory requirements, and I understand from a legal perspective and a regulatory perspective, they're necessary. You know, I understand that. But we don't have to take boxes to meet those requirements. I think my biggest bugbear is where auditors have come in we've been hit with a barrage of questions. We scramble around trying to find evidence. The auditors leave and then we take a sigh of relief and that's it, you know, until next year. And that's not the way it should be done. I've at first, you know, my first early stage in my career, I thought that was the way it should be done. But then I started thinking about this. This can't be right. Why are we doing this? You know, why are we looking? Every time we get due diligence questionnaire while we filling in the same information all the time, Why are we not just using one public facing Web link? We can share with people that have seen on platforms, you know, But I think that the taking box exercise has to stop because I think if you can actually shape your security around your organization and what's actually going on the organization, you can then map it to these frameworks. Yeah, And I did it. I did a similar exercise in my first security role without actually realising that's what I was doing because I knew no different. But I got tired of seeing 20 page documents about security policies. So I condensed them into one document and then used abridged policies and then mapped them to NIST and 27,001. And everything else, they're still using that framework today. So but that's what it needs. It just needs a practical approach to the security you actually need and then write policies around the controls so that your business units understand them as well because, you know, the last thing you want is a tech person going what's this policy about? UI don't understand it? It doesn't even apply to us. I think a lot of people forget that these elements of the ISO that have statements of applicability and what have you. You just need just need to think objectively.
Michael: David: They can be customized can't they?
Michael: exactly. And that the advantage. Right? I think if you if you can take your business and look at the security controls and then map them across. It's gonna you're gonna meet the requirements naturally.
David: Yeah. I mean, there's a lot to be said for following the 27 K and the NIST frameworks. What's for you, for the future then? Been there for a month you are not about to leave. Enjoying it so far, where do you go?
Building Security In By Design
21:18. Michael: So this is an interesting topic because I was interviewed last year and I had just moved into an architectural role and the lady interviewing me asked me, said So what's next? Would it be? CISO And I said, No, no, I don't want to be a CISO I'm quite happy being an engineer. And here we are a year later, in my first CISO position. And so I think for me, I just want to continue doing what I'm doing because I've actually found my niche in the industry. And I think that's is just enabling different business units to actually achieve good security standards. And I think if I can grow with Insurwave, then that would be amazing. Just get them to because we were try with an innovative organization you know, we're changing the way insurance has been handled for risk owners in the marine industry. And I think if we can do that successfully and in a secure manner with security by design, then it's gonna be a great stepping stone for the project.
David: Well, thanks very much your time. Michael, it's be really interesting talking to you, Really interesting to understand a little bit about your past, then your career history and how you being able to kind of leapfrog along to where you are unexpectedly. Now, by your own account, I think,
Michael: yeah, very true
David: How fascinating you're finding it. Your ability to identify some of the short comings within the industry. But that also tells you areas where you can excel. Got any advice to anyone else or anyone?
Michael: I think my only piece of advice that I'd give to people is just to not be afraid to fail, you know, don't think because I self identify with imposter syndrome for many years, and I think it's held me back from actually doing bigger roles. But then I think in the time that I've had. It's actually given me the opportunity to sort of sit back and learn what I actually needed to do for the role I wanted to be in. So just don't be afraid to fail just because you don't have certifications or you don't have the experience. You more than likely have transferrable skills that can be used in the industry. And, you know, to quote Simon Sinek he knows, if you if you said he is think about the infinite game, you know it's not a, Security is not a sprint, you know, it's an infinite. So if there's no solution to security, it's always going to grow is always going to change. And I think if you think with that sort of mindset, then there's always gonna be work out there for people. And it's just just gonna keep changing.
David: All right, well, that's very inspirational. Thanks very much. Very positive view on the future, and I wish you all the luck for the future, Michael. And thanks very much for being our Mastermind today.
Michael: Thanks very much, David.
David: My pleasure. Thank you. If you're listening to this Mastermind recording and you would like to hear more like this. Some of the other conversations Masterminds that we've had. Just pop over to esorma.com E S O R M A look along the top navigation for the word Mastermind and click on that link and it will take you to the masterminds page where you could choose from a couple of the recent Mastermind conversations. Thanks for joining us. I hope you have a great day. Thank you.