Over coffees at London’s Wellcome Collection, CISO Paul Watts shares his thoughts on leadership, kinesthetics, balancing risk and reward and pizza.
Paul Watts has the film War Games to thank for his career. That and an instinctive passion for cyber security.
Since watching the 80s cult classic – where high school student David Lightman (Matthew Broderick) unknowingly hacks into a military supercomputer while searching for new video games – Paul developed “an interest in an industry that didn’t really exist yet”.
He also credits Peter Sommer’s (alias Hugo Cornwall) The Hacker’s Handbook and Data Theft to have been particularly influential in shaping the direction of his career; Sommer foresaw how computer systems could be exploited and how information would be a commodity in future. Growing up with these cultural stimuli, Paul was intrigued by this unknown world.
After reading computing at Loughborough University, Paul’s first job was at the Automobile Association as an operations research analyst in the member services division. His experience since then has been wide-ranging from business intelligence to e-business consultancy, project management to IT service management, business continuity to cyber security.
Furthermore, he’s worked in various sectors; financial services, retail, critical national infrastructure and now the quick service restaurant industry as CISO of Domino’s Pizza Group PLC.
Also of interest: Interview with Cath Goulding, Head of Cyber Security, Nominet
CISO of Domino’s: more data than pizza
Paul describes Domino’s Pizza Group as a data driven business with pizza at its heart. “We do things from IT to marketing to supply chains to food manufacturing and security cuts across all of that,” he explains.
“Our shopfront is predominantly a technology platform. Today, well over 80% of our customers only order via our website or our mobile app. So from a cyber security perspective, we recognise that to disrupt that shopfront has huge ramifications for our business,” he adds.
After GDPR’s changes to marketing “opt in, opt out” consent, Paul says an even greater responsibility is owed to those customers who decided to opt in. “They’re now looking for a return and saying, ‘I’m giving you consent to know, learn about and build a relationship with me’. We absolutely recognise the value and the importance of protecting that data and information,” he states.
Also of interest: GDPR Special: myths, realities and how not to be a git!
Situational awareness: analogue vs digital
With the spectre of a possible data breach always looming over his shoulder, Paul worries that our obsession with digital innovation has outpaced our ability to make it secure.
“We now find ourselves as citizens in a world where our digital persona is, in some cases, more valuable than our analogue persona, and yet we have no capacity to manage it in the same way,” Paul states.
He says that we need to think about “situational awareness” in the digital world, just as we do in the analogue.
“You’re walking down the street in the dead of night. If you see somebody with a hoodie on, standing on the side of the road deliberately standing out of the light, your instincts immediately kick in and you’ll make a decision. You’ll cross the road, you’ll turn away, or you will accept the risk and you will walk past them and hope for the best,” he says.
Paul stresses that people need to adopt that same mindset in the digital world. “When you receive a suspicious looking email – that email is a metaphor for the person standing in the dark, wearing a hoodie” he states.
“I want people to say, ‘I don’t like this set of circumstances; something instinctively isn’t right. I’m going to step away and delete that email’.”
He continues, “If we can build that mentality in society, it doesn’t solve every problem we have in cyber, but it starts to mitigate a lot of the predominant reasons why we have an issue with data and information breaches because we always exploit the individual behind the screen.”
Also of interest: How to stop your breach hitting the headlines
Communicating the message
I ask Paul what’s the best way to get the message across. He says it’s all about the simple concepts of “think and feel”. “You’ve got to get to a point where the ramifications of poor cyber security hygiene are translated to a kinesthetic and emotional response,” he explains.
“If I ask, have you ever had your credit card cloned? Yes? Yes. How did that make you feel? Suddenly you feel angry. You’re feeling angry? Yeah, I’m feeling angry. So what are you going to do? I’m going to fight back and do something about it.”
Paul recounts a lesson learnt when he worked on a cyber security campaign for the railways. Initially, they launched some presentations and some videos about why security is important. The project fell flat on its face.
The messages failed to resonate with the average rail employee. Furthermore, considering the many different demographic groups within a massive organisation – what works for one person doesn’t work for another.
After some feedback from a communications’ specialist, they changed tact. “We took the core messages but we translated them into different demographic groups. Suddenly, we had engagement. It’s about making the message personal.”
Also of interest: Honesty, humility and humour with Thom Langford, CISO at Publicis Groupe
The next generation of CISOs
The need for cyber security professionals has seen a huge rush from educational institutions to create cyber security degree courses. However, Paul thinks much of the syllabi is too technical and fails to provide training in the soft skills needed to impart those technicalities into the business.
“If the chips are down and I desperately need a resource, and I have two people standing in front of me – one of them has spent five years in the industry learning from the ground-up and the other one has spent three years in education and gained an MSC in cyber security, I’m probably going for the former because they’re going to hit the ground running because they understand security, how to apply it to achieve business outcomes and they understand the politics of corporations which can be a security professional’s nemesis,” he concedes.
Paul says most security professionals now need to have that ability to translate the technological aspects of their work into business terminology and back again. They’ve got to understand the fabric of how business works before they can add any sort of value at business level.
He cites energy, passion, patience, as well as creativity and emotional intelligence – among the softer skills needed to be successful in the industry, particularly for the leadership positions.
Also of interest: Could veterans be the answer to the cyber skills shortage problem?
Switching off as a CISO, a defensible position
“How do I unplug? With great difficulty, if I’m honest. This is in my blood. I’ve been a security professional since the ’80s, I just didn’t know it,” he reveals.
“My defensible position is being able to demonstrate that at all times our organisation is at the top of its game,” he states.
“When we are compromised I need to be comfortable that we’ve done everything humanly possible to prevent it in the first place. Furthermore, when it does happen, that we detect it in good time, and that we act swiftly to limit the damage,” he explains.
However, Paul feels there is a degree of empathy coming from the world around us now, albeit slowly; an awareness that things have moved so quickly that organisations cannot be reasonably expected to be able to protect everything.
“But not even trying, or getting the basics wrong, is no longer tolerated by a society finally waking up to the realisation that they are not completely in control anymore”, Paul remarks.
Also of interest: How to turn your people into your best defence
And in the rest of his time?
With two adolescent children, Paul does what any other father does, “I ferry my children around and try and manage their increasingly complex social lives,” he says.
Other than that, he finds working out at the gym a great release. “I have to now because you’re never more than five metres away from a great piece of pizza!” he adds.
Which leads me to the most important question, how much pizza does Paul actually eat?
Paul smiles. “I think I’ll plead the fifth on that one. My wife might read this, and work out why I’m never interested in eating dinner when I get home!”
He has a particular passion for music and admits to being “quite promiscuous in style”. He enjoys discovering new tracks through Spotify because “the best piece of music you’ve ever heard is the piece of music you haven’t listened to yet,” he believes.
Paul tends to read a lot of nonfiction, recommending Jane Frankland’s book InSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe and The Chief Data Officer’s Playbook, by Caroline Carruthers and Pete Jackson.
Also of interest: How will cyber threats evolve in 2019?
The path ahead: we are going too fast
Paul worries about the future. “I find it sad that we have allowed technology to become so tightly integrated into the way we interact as a species. I look across a busy restaurant these days and I see a young couple in love, a family on a night out, a group of friends meeting up after work – and they are all face-down in a Smartphone! I’m not sure we ever meant it to be like this did we?
“Technology was supposed to enrich society but instead we find it disconnecting us from the real world. It feels like the tail is wagging the dog and we are out of balance. As for innovations in technology the pace of change is just incredible. And scary. I don’t think we’re in control right now. I think AI and Machine Learning are great, but I’m not sure that we’re ready as a society,” he muses.
“We’re so driven by reward and less driven by risk. It’s going to come back to bite us on the ass in spectacular fashion, very soon,” he predicts.
“I do believe that we’ll get into a situation where AI and Machine Learning advancement will occur so rapidly that they’ll change society so quickly and increase the opportunity for threat and peril to such an extent that – legally and criminally – we’ll lack the capacity to provide consistent judgement on whether those behaviours are good, bad or indifferent,” he says.
Paul says that we can’t stop innovation but a conversation is needed. “Let’s make an informed decision as a society, as a species, as a planet, and just recognise that there is a balance to be had between risk and reward,” he adds.
Paul will be speaking at TEISS2019. More information can be found on our events page.