Today, Greg is a leading voice on information security and takes an alternative, humanistic approach to security solutions.
He has over two decades of technical, management, and leadership experience in the field. A passionate speaker on visibility, care, and accountability to the Information Security industry, he breaks our industry’s current reactive status quo.
This is a great 3rd edition of Interview with a CISO.
What will CISOs look like in 5 years?
More business-aligned, and they will have more of a Business Leader role than the traditional security role we see today. The trend is already starting. Traditionally, IT has had poor leadership. There is an opportunity to break away from that, in the same way many CIOs have become CEOs, because every business is now a tech business. CISOs have this opportunity as well.
What three books would you recommend to aspiring security leaders (does not need to be security-related)?
The Advantage by Patrick Lencioni
Cyber Security Leadership by Mansur Hasib
Start With Why by Simon Sinek
You started as a prominent hacker in the 90s and are now a renowned CISO. How has this affected your approach to security?
When you’re trying to manipulate systems to do something they’re not supposed to be doing, you have to look at the fine details – how things are actually built behind the scenes. As such, I have a desire to build things properly, and this includes company culture. Being one of the attackers, and by virtue of being surrounded by other attackers, made me realise how vital defence was, and now I scale that up to organisations.
What three things would you change about the Security industry?
How do you educate the board on security?
The board doesn’t pay me to educate them; they pay me to solve a problem for them. And to solve that problem, I need to have their trust; it’s all about building that relationship.
If you weren’t a CISO, what would you be doing?
I’d race cars all day, World Endurance Championship specifically.
What is your approach when hiring?
I take a collective approach and work to applicants’ strengths rather than boxing someone to the confines of a job spec. My approach is flexible. I don’t follow a cookie-cutter approach; why lose out on a talented team member and not utilise important traits and skills because they didn’t meet a rigid job spec? We are a team, and we complement each other.
Favourite security-related movie or show?
Hackers – Angelina Jolie