A Secure Environment Where People Can Be Their Whole Selves
February 15, 2021 • Caitlin Mattingly
Our guest this week is Simon Hodgkinson. He’s a security professional with over 35 years of experience in the space, most recently as CISO for BP.
In our conversation, Simon shares his thoughts on the evolution of the cybersecurity space that he’s witnessed over the course of his career, and how we might address the industry skills gap that’s leaving millions of jobs unfilled. We’ll get his take on threat intelligence, as well as his advice for folks who are looking to pursue a career in cybersecurity.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 196 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Our guest this week is Simon Hodgkinson. He’s a security professional with over 35 years of experience in the space, most recently as CISO for BP. In our conversation, Simon shares his thoughts on the evolution of the cybersecurity space that he’s witnessed over the course of his career, and how we might address the industry skills gap that’s leaving millions of jobs unfilled. We’ll get his take on threat intelligence, as well as his advice for folks who are looking to pursue a career in cybersecurity. Stay with us.
I started 35 years ago in IT. I started on mainframe technology back in the mid-eighties, initially working in operations. I then joined a company called Ingres, it was a huge relational database company back in the day, big competitor with Oracle. After that, I joined Sybase, another big relational database company. In both of those organizations, I was a technical consultant, and then I made the leap into investment banking and joined Lehman Brothers to run their Unix and database engineering and operations. And in 2000, I did a .com and it was creating a fixed income electronic brokerage platform. Sadly, it wasn’t successful.
And in 2002, I joined BP and I’ve been with BP for the last 18 years and had nine different roles at BP. And the last one was chief information security officer. And the one prior to that was running all of the global infrastructure, so everything from hosted networks and user-compute field services to kicking off their cloud transformation program.
Well, I mean, from the breadth of your experience there, you’ve really seen the evolution of the space. What strikes you in terms of how things have changed from those early mainframe days to what we’re dealing with today when it comes to security?
So it’s a really interesting evolution, actually, Dave. IT typically goes through numerous technology cycles. I think the one thing that is consistent is the pace is increasing. If we go back 30 plus years, cyberattacks were an issue, but obviously not a massive issue back in the day. And they’ve been exponentially increasing within the environment. And I think that’s a couple of things, really. One is the low cost of entry for cybercriminals. Sadly, the chances of the cybercriminal being caught are pretty low. And the other thing is this ever-expanding digital landscape. If I go back 35 years, it was a very niche thing to digitize business processes. Now, if you’re not a digital company, you won’t be in business.
Yeah, that’s fascinating. I think back to the mid-eighties accessing computers with dial-up and private networks and so on and so forth. And these days, everything is hooked up to everything. The range and rate of connectivity is just a different world.
It is fascinating. I recall working on mainframes, I used to do some systems programming and I’d often get called in at night to fix some problems. And it was always a debate back in the day. Do I jump in the car and drive to the office, which was about a 30 minute drive away, or do I try to set up my modem at home, which had a 2K connection back into the office and try to work through the problem from there. And now connectivity is just omnipresent. There are very few places you go in the world now where you cannot connect and work successfully from and equally, as you travel throughout the world, countries, cultures are just being digitized. It’s just incredible growth.
And what has your experience been when it comes to security intelligence and threat intelligence? How has that changed over the years as well?
So I think, again, it’s followed a similar path to the cybercrime marketplace, really. I think if you look at what’s happening today, there is an enormous amount of attacks going on all of the time and they tend to be low sophistication, high volume, so not targeted at companies or nations or organizations. It tends to be fire-and-forget, scatter-gun type attacks where a criminal throws out millions of attacks and is hopefully successful once or twice and they make some money out of it.
I think where intelligence is really critical is the other end of that spectrum, where you’ve got highly sophisticated, highly resourced organizations, whether that’s, again, criminal gangs, whether it’s nation states who really do target companies, and they tend to be more espionage type environments. So not really for financial reward, but looking for intellectual property, perhaps confidential information about acquisitions, marketing plans, et cetera.
That’s where, for me, intelligence becomes really, really important. When you’ve got a very sophisticated attacker, knowing their techniques, tactics, and procedures, knowing how they’re pivoting those techniques is absolutely critical for two things. One is really so that you can do your best to actually defend against it. But the second is to hunt for them in your environment. That constant feed of intelligence allows you to go and look in your network for those adversaries that may well have been there for a while. And I think there’s two … I love the quote, there’s two types of companies, those that have been hacked and those that don’t yet know they’ve been hacked. And I think that ability to consume intelligence and go look for who’s in your network is really important.
As a CISO, and thinking about the role of CISOs today, how do you go about dialing that in? How do you go about choosing how much help you get from outside? How much you staff internally, how do you turn those knobs?
So I think the capability question within cybersecurity is really, really fascinating. It’s such a broad topic. There are so many different sources of intelligence you can consume and you can get flooded by intel. And what’s really important is to target the right intel, to help you protect your company. And I think that tends to be a variety of ways of doing that.
One is building my … I built my own internal intelligence capability working with strategic intelligence within the company as well. So there’s this constant convergence of what’s happening in the physical world, with what’s happening in the cyber world. So geopolitical intelligence is really, really important to link with cyber intel.
Then there’s working with some fabulous third-party companies that are truly experts in their field that can provide you not only the real-time intelligence that you need, but also resources to come in and help you when perhaps you need somebody to help with things like hunting, et cetera, or how do you systematically codify intelligence into your environment?
I think traditionally intel flow has been relatively slow. And I think now it needs to speed up and be at wire speed, which is a challenge because you’ve then got to consume that intelligence and you’ve got to then apply it to what’s happening in your day-to-day operational situation, as well as then look backwards. So as you receive intelligence from intel companies, governments, et cetera, being able to have the capability to apply that immediately, but also look backwards for many years to check whether there are any signals the adversary has been in your environment, is critical.
What was your management style like? How did you go about finding the people to fill those positions and how did you manage them once they were on board?
So I think it’s really important that you really invest in that cyber expertise. There are numerous external reports that talk about over three million vacant positions in cybersecurity, globally, which is an extraordinary, extraordinary number. So the competition for cyber capabilities is really fierce. That comes from the top down from the CISOs. There are many vacancies for CISOs and CISOs tend to move quite rapidly. So it’s important that you have great development plans and really strong succession in all your roles within cybersecurity.
And once you’ve attracted capability, you’ve got to create the right environment to retain it as well. So it’s really important to create that highly inclusive environment where people can bring their whole selves to work, they can be at their very best all the time. And I think we absolutely need to invest in developing a pipeline outside of our companies as well, so working with academia, working with different talent pools. I think there’s one area that we really have done a poor job in cybersecurity, and that’s on diversity. And I think there’s a lot more we can do collectively as an industry to improve diversity in all of its wonderful forms.
The most obvious being gender diversity is pretty poor in IT and cybersecurity sadly. But I also think there are pools of talent that we have yet to really take advantage of and things like that. The neurodiverse talent is a pool that we had just started at the end of my tenure, we’re starting to look at within the company as to how we onboard neurodiverse talent into the environment.
So I think you have to look at it from how do you develop the talent pipeline, how do you, pre coming into your company … so we’ve all got a role to play more broadly in society, in generating that talent. And then within the company, making sure there’s the right development plan that gives people experience, exposure, and education, as well as good succession planning to make sure as inevitably you lose great talent in a highly competitive marketplace, you’ve got the right capability to bring through. So, you know, I’d say my job was entirely about capability development.
It’s a really interesting point because I hear a lot of folks say that one of the frustrations for them is that it doesn’t seem like a lot of companies are investing in those entry-level people and then training them up within the company. There’s a lot of competition for the people who come in fully baked. If you’re someone who has that experience, you’re in high demand, but it’s harder for … That’s what companies are looking for. Do you think that’s an accurate assessment of where a lot of folks find themselves?
I think it is a fairly accurate assessment of the marketplace today, but I just don’t think that’s sustainable. I mean, three million vacancies, whether that’s true or not, it’s a big number. And in order to address that and to make sure that companies continue to be able to fulfill an increase in demand for cyber expertise, they’re going to have to have programs to bring people in entry level, train them, create formal development paths so people are clear about what it takes to get to the next level and make sure you invest.
I’m a big believer in experience over education. So making sure that that experience and exposure is given to people from the outset so they can develop in a role, whether that’s your level-one SOC analyst moving up to forensics, or what have you. Being clear about what it’s going to take to be on that journey, and then making sure that you’re constantly looking to bring in that talent at the entry level and continue that cycle. I think that’s the only way we’re going to fill this skills gap in cybersecurity, which will continue to grow.
I’ve spoken to some folks who have been out there looking at, as you say, diverse people to fill positions and talking to people like musicians, artists. I talked to someone who said musicians are great because they’re used to working in teams in real time, reacting to things, adjusting on the fly. There’s a type of training that their mind has been through that could lend itself to cyber and we need people coming into the business with all sorts of different ways of thinking of things.
Yes, spot on. And again, I’ll come back to, I think there are many different talent pools that we haven’t yet tapped in the industry. I mean, one great SOC analyst we had came from a finance and accounting background, he was just great with numbers and patterns in data and trained up really, really quickly in cybersecurity and has done a great job. So I think if people have the right mindset and are curious, you have to be really curious and you have to be very, very tenacious as well. So if you come in with the right mindset, then you can typically pick up the skills of the trade, and as long as you’ve got the right development paths to coach you through that learning, then you can be a great cybersecurity expert.
Now, I think ex-military is another area that people are starting to look at a little bit more. Just again, a really good mindset to bring in. But I think it is about having diverse teams. I’ll come back to, I think, the very best teams are always teams with diversity of thought to fix really complex challenges and problems, which cybersecurity has enormously complex challenges to deal with. Bringing in that diversity of thought in an environment that is inclusive, where people can be their whole selves is going to be the best environment for people to be successful.
What is your advice to that person who’s thinking about a career in cybersecurity, either someone on their way up, or maybe thinking about switching careers? I think there are a lot of people who think that the requirements might be too much for them to be able to handle. Maybe they don’t consider themselves good at some of those things that we traditionally think of with cybersecurity, computer science or math, those sorts of things.
So again, I think it comes down to mindset and having the right attitude. I think if you are curious, really curious, very tenacious, you’ve got agility, learning agility, so you can pick things up pretty quickly. And I also think the SOC is a great place to learn cybersecurity as well because you tend to see in real time what’s happening. I think being able to bring people into that environment is relatively easy with the right mindset. And then we can teach the technical side. Now, not all organizations have the luxury to be able to do that, of course. Everybody’s in a slightly different position, but I would encourage people. It’s just, certainly in my 35 years, that running the cybersecurity function has just been the most fun, challenging job that I’ve ever had because every day is different. So if you’re somebody who likes a fast-paced, agile environment, then cyber’s the place to be. It’s great fun.
Our thanks to Simon Hodgkinson for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.