In this edition of CISO Conversations, SecurityWeek talks to two very different CISOs in the legal sector – Alyssa Miller, CISO at Epiq (headquartered in New York); and Mark Walmsley, global CISO at Freshfields Bruckhaus Deringer (headquartered in London).
Alyssa Miller had a common entrée into cybersecurity: she was a curious child who took things apart at home to see how they worked. When she started elementary school, she came into contact with early home computers and wanted her own, so she took on a paper delivery job and saved her earnings.
“When I was 12,” she said, “I took my savings to a store and bought a computer and a prayer; and took it home.” But this was still the early days of home computing. A rudimentary internet existed, but not today’s web. Access was via subscription to services such as America Online, Prodigy and CompuServe, and new computers usually came with a free 20-hour subscription to at least one of them.
“I did that. But I’m 12 years old. When the credit expired, I didn’t have a credit card or parents who would pay for more. So, I basically figured out how to get into the service and use it without paying – my first hack.” Miller’s introduction to cybersecurity was through the back door.
From there, it became more traditional. She switched from pre-med to computer science while in college, and her first job on leaving college was as a programmer in financial services, where she worked for nine years.
Then the cybersecurity team beckoned (it was called information security in those days). It wanted someone able to do penetration testing. She didn’t know what that was, but accepted the challenge and found that penetration testing was a natural fit for a natural-born hacker. Miller’s career in cybersecurity had begun.
From there, she says, her career evolved as a series of happy accidents, and “By luck or whatever, I took advantage of them.”
Walmsley’s route could hardly be more different. He was already a qualified lawyer at Freshfields before he entered cybersecurity. He had some IT experience, but not as an engineer: before Freshfields, his background was in IT project management. “I was involved in private investigations for corporates as well as some government work,” he explains.
Then he joined Freshfields. Around a decade ago, supply chain issues were coming to the fore. Clients began asking how Freshfields, as a critical supplier, was managing cyber and information security risks. Barclays was the first major client to go into details, and Walmsley found himself developing a strategy for managing client expectations and defending Freshfields against the emerging threats.
At the end of this process, he was simply told, “Right; you wrote it, you do it.” Since then, from an unsophisticated beginning, he has grown a specialist cybersecurity team of around 20 personnel.
Working in cybersecurity is different from leading in cybersecurity, so the transition to leader matters. For Miller, it was a step-by-step process. She became a team leader at a consulting firm, owning the program services practice, which was focused on building cybersecurity programs.
“So now, I was starting to interface with executive levels,” she explains. “It kind of progressed from there.” This was an excellent background for the first big step. “I joined S&P Global as a business information security officer (BISO), leading one of four divisions in a $4 billion business,” she said. S&P still had a central cybersecurity office with a central CISO, but by now she knew that being a CISO was the next step. It took just 18 months before she became CISO at Epiq.
Walmsley was in a management role before cyber, but not in a leadership role. “The cyber gig opened that door to me and opened it very quickly,” he said.
In both cases, becoming CISO made the leader – but it is doubtful whether either could become CISO without having leadership qualities. At Freshfields, Walmsley noted that all candidates for a C-level role went through a full day of psychometric evaluation with HR and an external psychologist, testing resolve and problem solving, and the ability to lead and communicate.
This raises the perennial question for all aspiring executives: is leadership an innate quality, or can it be learned? Miller and Walmsley have almost identical views. “It’s a bit of both,” said the former. “It’s both,” said the latter.
Walmsley expanded: “If you don’t have the desire to lead and help people somewhere in your DNA, it doesn’t matter how much training you’re given – you’ll never quite make it.”
Miller agrees that you need the desire to lead; that part is innate. But she adds, “Leadership, even in the tech space, involves a different skill set than the tech jobs that usually lead to it.” Just as you learn new technical skills as you move up the ladder, so too must you learn new management skills, including leadership. “You can’t just change your title and jump in as a natural born leader: it definitely doesn’t work that way.”
The security team
The quality of leadership is most clearly seen in the security team: a CISO is only as good or as effective as the team supporting the position. There are three foundational elements to this: finding and recruiting talented cybersecurity specialists in an age of severe skills shortage; the balance (diversity) of the team; and then keeping that team despite the temptation to move to other companies offering better terms, whether in position, remuneration or working environment.
Methods of finding and recruiting talent vary between different companies, and include recruiting potential from within the company, using recruitment specialists, and scouring schools and universities for interns.
Walmsley has almost entirely outsourced the problem: most of the legwork is handed to a third-party organization. He may impose some preferences, but basically leaves it to the third party to make staff recommendations. “We don’t require specific qualifications nor a particular type of university – we want people who can problem solve and have languages.” The latter requirement is important for a global firm.
But recommended candidates are not immediately given permanent employment. They are taken on for two-year contracts, akin to the old-fashioned apprentice model. “We bring them in on temporary contracts and train them, and if we like them, we keep them. We convert about 50% of those contractors to permanent staff after the first 18 months or two years – or we release them and take on the next individual. It gives us the ability to test the resolve of the individuals, and see what the fit is like. It’s one thing to have a great individual who understands the subject matter, but if they don’t work well within the team or within legal as an industry, they won’t be as effective as we need.”
He gave an example. “One of the contracts that we recently converted was a Spanish teacher, and her languages are a good fit for our needs. But she’s also got great problem-solving skills. So, we use her existing skills, and have taught her cyber skills. We’re open to anyone if they’ve got the right attitude, learn quickly and like problem solving.”
Most CISOs recognize the advantages of diversity within their teams. The asymmetric nature of the ‘warfare’ that is cybersecurity means the attackers come from different cultures, ethnicities, locations, motivations, politics, and socio-economic backgrounds. Defenders need to match this diversity with the ability to see problems and solutions through diverse lenses.
“Diversity is more than gender,” says Walmsley; “but we actually have a 50/50 split between men and women.” This is in a team of 20. “We have people who have gone to university and not gone to university. We have people who are introverts, and extroverts. We actually do exercises every year that look at Myers Briggs mapping for every individual and we get people to work with the alternative personality type, so they can understand how they can better work together within the team and within the business. But we’ve got people who come from all sorts of ethnic backgrounds as well.”
He doesn’t choose people just to tick the diversity box but accepts that diversity builds a stronger team.
“Diversity is mandatory,” says Miller. “Cybersecurity is problem solving, and you cannot be good at solving problems if everyone in the room thinks the same way.”
She cites many examples based on things like gender and religion, but takes it further. “If everyone is straight or hetero, they won’t understand the thought processes and life experiences of someone who has lived with the trials and discrimination of being LGBT. The reality is that diversity in demographics brings diversity in thought.” The alternative, she suggests, is limited, monochrome solutions with no subtleties.
Getting a talented, diverse security team is only part of the problem: that team must be retained. It is often said that people don’t leave companies, they leave managers. Whether or not this is true, it is the CISO’s responsibility to ensure that the whole team wishes to remain and is not driven out by stress and burnout.
“You need to focus on your team – the people and their careers,” says Miller. Remuneration is part of the issue, since that is why people work; but it is only part. “You need to keep people engaged. Keeping them as a team is about understanding their needs, addressing their needs, and giving them interesting work to do. And the biggest part of this is empowering them.”
She believes the biggest mistake a leader can make is to feel, ‘I’m the leader, I’m the expert, and I can’t be wrong.’ “Well, the first thing I tell my team is I am not the All Knowing Oracle of Cybersecurity. You are the smart people who keep this ship afloat. My job is to get the obstacles out of your way, so we can do our job as easily and effectively as possible. I invite them,” she continued, “to share their opinions and tell me when they think I’m wrong.”
Walmsley has a very similar approach and boasts a 90% team retention rate. His methods are best illustrated by his attitude toward burnout. “It’s a real thing in this industry among all professionals primarily because the volume of work is going in one direction – business diversification, geopolitics, the financial crisis, and the arrival of large language model AI – while resources are going in the other direction.”
For his team, he operates a reverse mentoring scheme. “I will ask the team to feed back on me. I ask them to be direct if they think that I am making bad decisions or if I seem stressed or unbalanced.” This process helps both sides by highlighting areas of stress on the team and within the CISO – and enables both sides to understand where stress resiliency needs to be improved.
He has a personal coach he speaks to for his own resiliency, while the company has mental health care workers aligned to the security team. “There are lots of safety nets,” he said, “that just help people rebalance. Do you really need to do that? Is it critical? And, hey, I’m giving you permission not to do it.”
Businessperson or techie
A CISO is required to guide the business on secure methods for achieving business ends. That requires an understanding of the business and the ability to communicate technical matters to business leaders in a way they understand. CISOs are necessarily becoming more conversant with business – which raises an important question: should today’s CISO be more a businessperson or a technical guru?
Miller reports to the CIO. This alignment works because of the relationship they have and the security-supportive nature of the CIO. But she does believe the CISO role is becoming more business centric. When an ambitious person asks her for advice, she tells them to go and learn business administration skills.
For herself, she doesn’t have personal access to the security controls. She cannot personally go into the SIEM to add or edit a rule. “I don’t have to be able to build a Kubernetes cluster. I don’t need to be able to deploy an AMI to create a Docker image. But it does help me if I understand the concepts of how all that works.”
For Walmsley it is almost an academic question. He was never an engineer, although he understood the basics of technology-based projects. More to the point, however, he is both CISO and a board member. He doesn’t just have a voice at the business table, he is part of the business table – and could even be a case study for the SEC proposals on increasing cybersecurity expertise at board level.
All top leaders have learned from the advice of mentors. Sometimes this advice is business-related and sometimes it is personal. For Walmsley, it was business-related – and he calls it ‘bridging the gap’. The gap is the one between technology and business.
“You must be able to take complex technology problems and communicate them in the simplest terms with a recommendation,” he explains. “If CISOs can do that, business leaders are more engaging, because they understand. The world is becoming more complex, with SaaS, PaaS, IaaS, and new AI technologies coming on stream. Lawyers [and business leaders in general] don’t understand this terminology. The ability to communicate plainly, explaining risks and giving recommendations, is the deciding factor on whether a CISO succeeds or fails.”
Miller’s advice was personal, and came from the simple question, ‘What is your weird?’ “What is it that makes you unique? That’s your brand. Know it and own it.” It’s a form of being true to yourself and excelling in it. For Miller, it kicked in around 2019. “I think it accelerated a lot of things I’ve been able to achieve in personal development, and it accelerated my career.”
Of course, becoming a CISO reverses the role: success makes mentees into mentors able to give advice. Miller sticks with the advice she received. “Find that thing that makes you unique and make it your selling point – that characteristic that makes you the badass talented person you need to be. Everything about your life will change when you can do that.”
Walmsley’s advice is for new leaders: don’t be afraid of other people’s talent. “The best thing you can do,” he explains, “is surround yourselves with brilliant people with specialist knowledge. Give them the freedom to be able to express that – and trust them. I call it air gapping. You should give the people who report to you clear air space between their role and your role so they can grow. If you do that, they become advisors to you, and everyone benefits”.
The primary purpose of the CISO is to protect the business from cyber risk. This requires understanding existing threats, but also keeping an eye on new or expanding ones.
Walmsley sees five threats. The biggest is the continuation and expansion of ransomware in its various forms. The second is the growth in attackers’ use of AI, which will manifest in increased speed, scale, and focus of attacks. The third is attacks on API communications. “Rather than compromise the organization at either end of the communication, attackers will go for the connection between them.”
The fourth is the insider threat. Networks are becoming more hardened. “The easiest attack route is to have somebody inside the network who already has access,” he comments. The fifth is regulation. “We’re finding that regulations globally are becoming more restrictive at a time when business requires greater flexibility. The concepts of rigidity and agility just don’t go hand in hand.”
“User apathy,” says Miller. Partly, this is because we have abused technology. We’ve reached the point where users think, ‘They already know all my information anyway – why should I bother protecting it?’ “So much of the phishing and scams that lead to breaches leverages that apathy. You might think the greatest threat comes from nation states and cyberwar, but it’s not – it is literally the apathy in society toward cybersecurity and privacy.”