They say there’s a first time for everything. For me, it was visiting an airport for a purpose that involved no air travel at all. Instead, it served as the location for this interview.
Airports seem to arouse some sort of latent anxiety in me (the inner, incessant soundtrack of “where’s my passport, what time is it, do I have all my bags?…”).
However, my angst settles fairly quickly after meeting my relaxed and affable interviewee, Matt Gordon-Smith, CISO of Gatwick Airport. Over tea, we discuss cyber security.
Like many other cyber security professionals, Matt’s route into the industry was unplanned. After graduating from Loughborough University, he enrolled on the graduate scheme at IBM.
So why cyber security?
By his own admission, Matt “loves a challenge and enjoys helping people solve their problems.”
He rejects the old-fashioned “Business Prevention Department” security approach of “it’s a lot safer just to say no”.
“If employees are going to go down that path anyway, how can I put the right and appropriate controls in place so that they’re happy they can do it within an agreed framework, and I’m happy that we’ve put the appropriate controls around the risks?”
It is essential, he says, to consider the following questions: What is the business trying to achieve? Where does the organisation want to be and by when?
Matt’s LinkedIn profile states that Information Security should be “balanced, transparent and directly support the organisation’s objectives.”
I ask him to elaborate.
“That’s a sort of mantra that I’ve set for myself; if you don’t over-complicate things, then you make it easier to manage security controls and you make it easier to report and demonstrate the effectiveness of those controls. The more complex things are, the easier it is for people to get in and compromise them,” he explains.
The “balance” is about that risk approach: having enough control that you are mitigating the risk, but not so much that you drive people into shadow IT or towards the wrong behaviours.
The “transparency”, he says, is about “understanding that anyone can come and challenge you at any point, and say, why is this control in place? And you have to be able to justify it.”
Visibility in the dark
Visibility – or the lack of it – keeps Matt awake at night. “I think the issue that bothers me the most is how many things I’m trying to do at once. As much as I’m able to manage my own work and the work of my team quite well, I always think, maybe I’ve not got enough visibility of something to realise just how much of an issue it might be,” he admits.
So how to get round the visibility problem?
“I always go for people, process, and technology, in that order.” He thinks tools are useful for providing information; however, without a process outlining the next steps, or people who understand that process, none of it is going to work.
As well as the headache around visibility, another challenge is talent retention. Not an uncommon woe to hear about – train someone up, only for them to leave for a higher salary elsewhere.
Matt thinks that if employers define a clear role and understand what that person’s responsibilities are, then the new recruit is not just a body shipped in to work through a pile of tasks. Rather, if employers state: “We need to achieve these things, we’ve got these projects that we need to do and we’ve got these objectives we need to meet,” then the recruit is empowered to go and do it, and also feels part of a bigger team.
With regards to his own team and how they operate, Matt’s found a system that seems to work. “We have a daily stand-up in the security team every morning, and we share what’s happened in the last 24 hours. We’ve got a bit of a Kanban board; we’ve manipulated it to suit our own needs and it helps us to track what’s going on.”
Matt’s team is small, which has its benefits: everyone can contribute. Whether it’s the junior analyst or the GLC manager, they all sit and contribute in the same way. He even encourages contractors to participate. It’s a style that he has found to be very motivating for the team, as everyone is involved and they all feel part of the “security journey”.
Matt is a big fan of regular one-to-ones. Even if there is not much to cover in the meeting, he thinks there is value in sitting down with individuals to understand what drives or worries them.
The board: plain, simple and relatable
Communicating with your own team is one thing, but arguably it’s more of a challenge with the board.
Success for Matt lies in “speaking plain English”.
“They’re not IT people. They’re not security people. They’re business people. And you have to understand what it is that keeps them awake at night as well. They’re worried about reputation, shareholders and the financial standing of the company. So what could impact those things? You address these issues from a cyber perspective and tell them how you’re doing in those and how you’re performing.” It’s essential to give them that peace of mind.
Matt says that “using analogies” aids him in communicating security to the uninitiated.
He likes to bring it “back to the home”, because at home everyone is a “risk professional”. “When you go out to the shop for 10 minutes to buy a pint of milk versus when you go on holiday for two weeks, how differently do you think about the way you leave your house?”
He says that a different mindset follows from there. “I’m going to set the lights to come on and off at different times, I’m going to make sure there’s someone who can pick up the mail and I’m going to make sure that it looks like there’s someone in. You naturally think about the security of your house. That’s where your most expensive assets are.”
So essentially it’s about highlighting the thought processes that you use naturally without realising it, and bringing them to work.
Matt adds that it’s also about understanding what the value is of the thing that you’re doing. “What’s the value of the data? What’s the value of the system? What’s the operational impact if I do this thing or don’t do this thing?”
Security awareness: a natural process
Matt focuses on “behavioural change” to create a culture of security. He ponders the following questions: “How can we move people in the right direction and how can we use different approaches, different media, different interactions with people?”
He is keen on creating a “champions network” for security. Instead of the security team approaching all the different departments, each department selects its own security ambassador. So it works two ways, as “someone who’s our person on the inside, or their person in security.” The ambassador can report issues to the security team and report back to their own team. It’s a neat way of building bridges between departments.
Bringing the human to cyber
As part of the relationship-building, Matt also gets out and meets people face-to-face.
“Emails can be so easily misinterpreted or ignored – even telephone calls. I’d much rather speak to someone face-to-face and see how they react. Do they look shocked when I say something? Or is there a chink of acknowledgment?”
Relationship-building is, in fact, part of Gatwick’s ethos, whereby they call themselves the “Gatwick Family”. As one might imagine, there are innumerable risks associated with airports (from insiders to the supply chain, from adversarial actors to terrorism), and since an airport serves as a hub for third parties, communication between all parties is key.
“There’s a massive supply chain, and we have to do assessments on that supply chain to understand who are the critical suppliers, who’s critical within the Gatwick family and who are then those sub-providers of the supply chain?”
“We’re as reliant on each other to continue operating effectively. And I think that’s a really good thing, because you’re not in this traditional customer-supplier relationship. It is a real partnership. We have to work together really closely.”
Podcasts and people
How does Matt switch off and unplug?
He says that although he never mentally switches off 100%, “there are lots of capable people in the company who can handle things in my absence.”
Other than enjoying spending time with his children, he’s a podcast junkie. He listens to a wide variety: The Today Programme for current affairs and No Such Thing as a Fish for comedy. But above all, it’s the science programmes that inspire him the most and feed his enthusiasm for problem solving and figuring out how things work. Crowd Science, The Infinite Monkey Cage and 13 Minutes to the Moon are among his recent favourites.
As our conversation draws to a close, I ask Matt for any advice he has for others working in cyber security.
“People come first. They need to have a construct in which to work, and that construct is enabled and supported by technology and tools. But it’s the people first,” he asserts. Instead of writing long policies, sending out emails and making edicts, “go and talk to people, find out what concerns or drives them and what they need to get done. And help them to do it in a constructive and controlled way.”
Once the interview is over and we’ve said our goodbyes, I board my train back to London. My initial airport angst has been replaced with a calm, positive feeling that it’s going to be alright.