CISO OF PINSENT MASONS CHRISTIAN TOON SHARES HIS PROFOUND CYBER INSIGHT, INCLUDING HOW SUPERHEROES CAN DRIVE INFO-SEC THINKING. WATCH THE FULL INTERVIEW HERE.
WHAT'S YOUR GENERAL PHILOSOPHY WHEN IT COMES TO BUILDING A TEAM?
So, for me, building security teams is probably one of the single biggest things that will apply to anyone's security strategy, and for me, it's really personal because as security leader, I'm personally judged on my team's efforts and abilities, and performance, but also for me, I feel it's my responsibility to ensure that we're fostering and nurturing the right levels of talent, and individuals that can help then grow across security in their chosen career paths. It's difficult, it's not easy, my kind of my secret source, if you will, is kind of comic books, and the importance of using the superhero kind of context about building these teams and bringing them together. There's a sort of concept around a cyber skills shortage in industry at the moment, whilst might play a part because there are far more vacancies than there ever have been than there are candidates, but actually finding the right people is where the challenge is, and I think it's less a skills shortage and more attitude shortage - attitude gap - because the way we've traditionally hired roles before is not right for the security industry now. And for me, kind of using my sort of insight and interest in comic books and superheroes has really helped me sort of bring that team together.
HOW IS IT THAT COMIC BOOKS HELP YOU WITH RECRUITING?
So I've grown up with superheroes. I've been very fortunate with that experience - I know I only look 28! - but remember comic books when they were just in print, now we've got movies and franchises that have spawned millions across the globe. So you've got like The Avengers with Iron Man, Hulk, Thor. You've got the Justice League with Batman, the Flash and then you've got other sort of separate standalone superheroes as well, or groups like Fantastic Four. When you look at those groups of those superheroes, nobody looks the same do they? Everyone's got their own little talent, everyone's got their own little skill, their own nuances. I mean, of course, everyone wants a Hulk on their security team right? But actually having a Black Widow and a Wonder Woman or Captain Marvel are all vitally as important and I think people miss that because whether it be in recruitment bias, or just thinking actually ‘To do more of what I want to do, I need more of me.’ But if you look around your security team and everyone looks like you; in my case: male, 28 and kind of why, then I'm not getting the best of what society has to offer. So for me I really draw on those comic-book superheroes and try and build my superhero team because ultimately that's what security is about right? It's about protecting the organisation, it's about going over and above to save the day in some cases, to bring those people together. There's a quote from one of the sort of Marvel franchises that SHIELD - the kind of thick sort of character group there- that talked about bringing people together in a time of need or crisis, that can do things that no other people can do and for me that's how a security team should be. Not necessarily just at times of crisis though, but actually bringing together all those different skills and looking for them at the interview process, through the selection processes, to see what makes people tick and almost putting aside the post-nominals that you get in CV’s or the extensive experience that everyone's had and actually, kind of, put that to one side for a second and look at the individual, look at that how they operate, their belief system, their culture, what they believe in, what was important to them and from my point of view then, what behaviours that they can demonstrate.
Yeah, I guess the idea is that an Iron Man will… Take the Avengers; Iron Man, Hulk, Thor, Black Widow and they're all very different. Now I'm not saying we're going out looking for an Iron Man, a Hulk, a Thor, although it would be quite good to go and try and recruit one of those directly, but if I look at my own security team that we built over a relatively short period of time here at Pinsent Masons; my person who leads on our security engagement is very different to the person who leads on our technical security, and again, very different to the person who leads on our supply chain risk, and we feel that we've brought in the behaviours that have actually kind of embodied that superhero for the greater good. We're all here to protect the firm and our clients, and actually capitalising on that, we’ve got passion across the team which is fantastic. You can't buy that, you can’t teach it, but we’re really inspired people. So for me, it's not so much a leadership role that's kind of done that, it's more the concept, the philosophy, or the vision that we have as a security team that we're here to save the world, as far as Pinsent Masons is concerned right, but actually we're doing the best we can in that field.
WHAT ADVICE WOULD YOU GIVE TO SOMEONE JUST BEGINNING THEIR CAREER IN CYBER SECURITY?
I guess advice for somebody wanting to get into cybersecurity that was perhaps in the under-20 age bracket, because I guess, I don't want to kind of alienate people that perhaps haven't gone to university, or haven't gone through higher education because that's not necessarily the route in. YouTube, the internet have got a plethora of resources available that will help you to pick up the tips, the tricks, the technologies, the understanding of how to do cyber related technical stuff. They're not so good at helping out the soft skills but that's kind of another comment. For me, for an individual in that space is learn, open your mind to what is out there. You need to kind of, I guess almost be Jedi-like and there's probably a bit of a movie theme here to the answers right? But be wary of the dark side. So the kind of altruistic, kind of criminal side of cyber can be quite Hollywood and attractive, but actually it's not where you want to play. Actually you can still do all of that great stuff, breaking into places, highlighting holes and vulnerabilities and kind of proving your worth but you can do that for the greater good and you can do that on the good side and get paid for it at the same time. The route to success is probably a little longer, but actually the skills are the same. So for me, that's kind of a big focus area is just nothing should be off the table, use that creative freedom that you have when you're that old, just explore and work out what you enjoy doing and learn whatever you can. I also think there's a really good community in InfoSec across the globe. Whether it be sort of practitioner conferences like B-sides, or something a bit more established like RSA, and all the practitioners that kind of associate with those events or those organisations that reach out to the community and get involved. Whether that's locally, or internationally, use social media, there's some great accounts that are worth their weight in following to get an interest and idea as to what the real world looks like.
I think cyber securities is an Industry people can move into later on in their careers, but it's hard. It's not necessarily hard for that individual because it's something that they've done, it's hard because organisations aren't necessarily geared up to deal with that change, to respond to the needs and demands of that individual, that they want that polished practitioner because of a mature candidate would kind of assume one would have 20, 15, 10 years worth of experience doing a similar related field. But, actually the field that I've spent my career in is completely different to where I am today and organisations don't like taking those risks because they want a safe pair of hands, so it's going to be hard because you're going up against a lot of bias pretty much, because the whole recruitment process is driven towards recruiting conditioned, experienced individuals. But actually what you need to then demonstrate is your passion, your drive, the positivity, all the right behaviours that will make you a right fit for that organisation. You can teach the technical stuff, if it's a technical piece that the role is, the candidate is looking for, but the behaviours, the integrity of that individual is something that you can’t, and it's really important to get that across during that selection process.
WHAT ARE TWO OR THREE ATTRIBUTES THAT HAVE HELPED YOU ACHIEVE YOUR SUCCESS?
For me, in kind of building this team quite successfully over the last few months, I think the the main thing that’s really kind of driven me is empathy because I'm kind of - we're all human, I'm human and kind of understanding that we've all got jobs to do, but we've all got personal lives outside of work. So whilst we've got our business objectives, and kind of security direction that we need to take, actually being supportive of a candidate that we took on board, as an example, that was retraining, hasn't been in cybersecurity at all, self-funded themselves through a Masters program in cyber following a career in risk management in the NHS. But actually recognising they've got a young family at home, to get to the office is a two-hour commute, that we've gone against the grain in our more traditional working hours and kind of allowances, to enable that person to work more remotely at home, to save them coming into the office. Sort of, I guess, concept of work is something that we do, rather than somewhere we are. But I appreciate that, and I feel I can get the best out of my teams by kind of being - demonstrating empathy with them.
WHAT ARE SOME OF THE FUNDAMENTAL BEHAVIOURS YOU LOOK FOR WHEN RECRUITING?
So, I think some of the… - for me - the behaviours that I guess, we look to recruit and retain, attract for the future positions that we hold, there's probably five or six of them I think that I would really call out. Energy, so an individual needs to have energy and certainly in this field, boundless supplies of it. What we do at times can be very hard and very demanding physically as well as mentally, so to have that kind of ‘get up and go’ constantly, day after day after day needs to be there. Yeah there’s time off for good behaviour and all that, but actually somebody needs to be highly motivated and have that energy that comes with it. A can-do attitude, that nothing should be off the table. It's far too too common to get kind of like a pessimistic security practitioner that, “nobody will listen to me. The business won't want to do this, therefore we're not going to do it.” And positivity or a positive outlook, it is absolutely key because it doesn't take long for that kind of negative kind of vibe to then spread to other parts of the team, other parts of the organisation. The honesty, I think is fundamental. The fact that what we do is very integral to the core of any organisation and to have a position where you can be upstanding in character, have the integrity and the ability to sort of be honest with the organisation in terms of what you will get involved in, what you will see, will be highly sensitive, highly confidential and people need to trust you, so you need to be of that sort of ilk. Another behaviour I think is gonna be quite key the willingness to learn. As I've mentioned before, I'd much rather hire on behaviours, if the technical skills weren't right there. I will quietly spend time and resources training the right candidate in the relative field whether it be working with particular technologies, firewalls, products, networks etc. infrastructure. I always find the soft skills quite harder to teach because some people have a natural kind of draw to it, others it's kind of a bit of a challenge. Timekeeping, I think that's just the OCD in me because we need to kind of manage our own time. We’ll have a lot to do, there'll be lots of deadlines that need to be met and kind of tied with that, I guess, it's a bit of punctuality. In a business environment, when we say we're going to be somewhere at a particular time we need to be there. If we've committed to delivering a piece of work by a particular date, we need to deliver and that whole time management piece is really key. From a recruiters perspective, it's very hard. It's finding the right individual to kind of to fit the role that's kind of being recruited for, that fills those attributes we've talked about it. It is really difficult. Not to mention the fact that the security recruitment agencies and industry has exploded with the whole kind of cyber boom. It was almost kind of like our Y2k, then the GDPR, the demand for cyber expertise has just exploded. As a result of that, you've got people coming into the industry, either new into recruitment, or that have kind of done more traditional recruitment before, trying to capitalise on this, and I get that, right, it's kind of the way the world works, but actually I think that security professionals recruit based on relationships, and for me, the secret source for the recruiters, they need to then have those relationships as well. This isn't just about kind of doing a keyword search against your CV database and going ‘you've asked for cyber security, London’ and sending raft-loads of CVs. People want to know about the people right? So this varies from roles whether you’re recruiting at junior security analyst level, all the way up to kind of security leaders across the business. I don't want to hear about the latest and greatest CV that you might have, I want to hear about the person you've got that you think is going to be right for the role. So, in terms of the advice I’d give to the recruiters, and the recruitment industry, it's about bringing those relationships that you do have- because they do exist, right?- cause that's the way the world works, that's the way the industry works, is bringing that to the clients and bringing that to our attention as the hiring organisation or hiring manager and saying ‘talk more about the people’. And for me, that's where you'll differentiate yourselves, because the new entrants into the market, they won't have those relationships, they'll be farming, kind of searching on Linkedin and doing those keyword searches and just throwing people almost under a bus in some cases because the bad recruitment processes are the ones that people talk about. They don't necessarily talk about how the great ones are, the good ones that help people get people into business. So for me, it's very much around those relationships.
HOW DOES RECRUITMENT STRATEGY DIFFER FROM CYBER SECURITY TO OTHER SECTORS?
I joined the Legal sector 12 months ago, coming in from sort of Big Four consulting in Financial Services, insurance, investment, and I tell you what, it's been a big breath of fresh air. It's been hard, bringing the organisation around to what it is we need to do here, but actually a lot of that work was already done. My business case, I put to the board, my board, our partners, equity shareholders within the organisation, the owners of the business. So I'm talking directly to the decision maker who has the view and the authority to take a decision on what we do with this organisation. In the Financial Services space, certainly based here here in London, it was a lot more governed there, there was a lot more risk management there, there was a lot more kind of committees and process, to actually get to the point where you needed to sort of get that decision saying, “yes, have some money, have some budget and resource, have some support to go away and do this” and it wasn't always forthcoming. So I was very fortunate our board are very switched on, they're aware that cybersecurity is a massive risk to the industry. The NCSC have just published guidance around legal sector cyber risks as well, so there's a lot of focus on us at the moment, and we take pride in protecting the clients, of protecting the partnership which is what we need to do. So, from a security point of view, for me it's been very much kind of like a unicorn security role, that you've got that board support from the top down, you've got teams from the bottom up that want to do security because we want to protect the clients, we want to protect the partnership. The culture here is very much, it almost feels my family sometimes because everyone's just here for the right thing to do for the firm. So, with that the top and that at the bottom, and I guess information security in the middle, it's just refreshing that we've just got that wholehearted support to just get on and do the right thing.
WHAT THREE THINGS CAN PEOPLE WITHIN THE INDUSTRY DO TO EDUCATE AND INFORM THOSE OUTSIDE THE SECTOR?
Okay, so probably the three things to get people more involved from outside the sector, I think if you’re on social media, make it known on your profile that you're willing to talk to people, that you're approachable and will give that advice, and that's not that time-consuming, it's not a big thing, but that will mean a world because people will look at your profile before they even kind of make contact. Schools and education is a really important one. Your organisation will be ecstatic that you want to get into the community and give something back. Go and find some local schools in the area and go and offer to do some career advice and talks to some of the kids and students coming through. I think it is an equally important thing and helps with the kind of societal impact, and kind of the importance that organisations are driving forward now. I think the third piece is actually push yourselves out of the comfort zone. So don't just attend a cybersecurity conference, go and attend a conference for procurement managers and contracts, or agriculture and industry, just to go and meet some new people because that variance and flavour that you won't get, from you being in that particular field. Likewise, they won't get from you and that cross-fertilisation is really important.