Building a Cybersecurity Program & Career with Stuart Powell, CISO of the Government of Jersey
As part of our Executive Career Insights Program, we sit down with executives all around the world to hear the journey that’s taken them to where they are professionally today and a few things they’ve learned along the way. For this installment, we talked to Stuart Powell, CISO of the Government of Jersey.
Stuart, thanks for taking the time to chat with me today. How did your professional career get started?
I left University with a degree in Computer Science and Mathematics, and without knowing what direction I wanted to go in. A short contract role became available in the Children’s Services department in the government focused on database re-engineering. Their business processes needed updating and their databases were rubbish, which made them quite unhelpful for managing caseloads. I came in and tidied up some of their data and processes. I got them into a good place in six months, selling myself a bit short on the one-year contract.
From there, a post-graduate government IT opportunity popped up where you spent six months in each of the core areas of IT, at the time: business architecture, IT operations, IT infrastructure and service desk. This experience helped me realize I quite enjoyed the IT infrastructure area, and it was where I wanted to focus. I worked in a junior analyst role and was able to cut my teeth on managing Active Directory, file services and data administration. My path to security was very much through IT infrastructure.
I then became responsible for all government file services and domains and drove a centralization effort. We began focusing on identity computing and transitioning from multiple physical servers to multiple virtual machines. In the last ten years we’ve moved to a shared services platform. I got to the point where I hit a ceiling and was at the top of what I could achieve technically without moving into a management role and was thinking about leaving the public sector for a more challenging role in the private sector. It was about that time when information security in the government started to become a huge focus and was becoming its own separate function.
I applied for the information security officer role that opened as I saw the work as a growth area for me and an opportunity to make a real difference in the way that government services are provided. As a civil servant your real duties are to the population of your community and you get a sense of reward that your work is serving humanity. In 2017 I became the first Chief Information Security Officer of the Government of Jersey.
What was your first step as the Chief Information Security Officer?
The first thing I did was take a step back and survey what needed to be done. Our technology was robust, but had room to grow. I wrote a strategy that laid out what we needed to do and how we were going to do it. I then commissioned an independent risk assessment using ISO 27001 and a Carnegie Mellon maturity assessment, and with this blended approach I secured funding to bring in consultants. This documented the current position and backed my strategy outlining the steps the government needed to take to enhance its security posture, leading to us securing funding for the proposed program.
In 2020 we set out to mobilize the largest change program the government had ever seen in this space, and we did, within a remote working capability. The program comprises identity and access management, governance, managed security service provider, people security, and asset management. These are the foundation of the security capabilities an organisation of this size and complexity needs.
As soon as you start a role in information security you need to take a step back and see the bigger picture – the use of the technology. As a technician you only see the technology. By seeing how the technology is being used you can see how it can be exploited and your eyes open to information security at large.
How did you go about getting the support you needed to get this program off the ground?
It’s about using the right language for the right audience and educating the wider organisation. I shared the risk assessment with anyone who would listen (on a need-to-know basis of course). It started with my leadership team, and as we went through restructuring and changes in stakeholders, I made sure I got a chance to present the journey and the risk assessment to the new incoming interim CIO, including the current state and the intended state. I convinced him and he took it forward into the planning cycle with my support.
In government we have a duty of care and are subject to regulation, and in not addressing areas of risk we’re not upholding our duty of care. If we don’t implement controls and improve our maturity in these domains, then the likelihood of having services irreversibly damaged or breaking the law to the point of criminal prosecution is a possibility. Approaching the conversation from the risk aversion perspective seals interest from the leadership team. They are not IT problems; they are business problems and talking in the language of risk resonates with them.
Another approach some take in the industry is scare mongering, but it doesn’t give your audience the ability to make informed, risk-based decisions.
Where does identity security fit into your program strategy?
If everyone in the world followed the rules, there wouldn’t be a need for security. For example, you wouldn’t need a firewall, because no one would attack you. If people followed the rules, they wouldn’t send things to the wrong people and you wouldn’t need data loss prevention technology. The emphasis on people and their education is so important because if you can get your workforce to reduce the risk that they bring as humans, the technology side of it is easier and becomes the enabler that it should be.
As you move to cloud, and set out on a modernization journey, perimeter security is thrown away and that now becomes your identity. You can access any data, from anywhere, on any device, and the only thing you can do is control who can access it – identity security. That’s where SailPoint really proves their worth and place in getting security under control, and that’s why it is a foundational pillar of our program.
What type of people are best suited for cybersecurity?
You can be a cybersecurity professional and know nothing about technology, but a lot about human psyche, culture, behaviors, and aptitude. If you were building a huge security team you would likely have about twenty different personas on your team. If you look at who the biggest government agencies, like the National Security Administration or Britain’s Government Communications Headquarters are trying to recruit, they are not looking for techies, they are looking for linguists, people who are spatially aware, who think outside the box and are creative.
The security industry is broad. There’s a whole raft of jobs that are equally important. You can be someone in compliance and risk and know nothing about technology and the people aspect of it, but a lot about the probability, likelihood, or the monetary and reputational impact. I’m an example of someone who knows the infrastructure and how technology communicates, the channels that open and close, and how you can jump from one to the other. You leave one door open or fail to address one component of the program and you open up risk. Your attackers are looking for the easiest way to enter, not the hardest, which means you need to make sure you are equally covered in all your avenues. If you have the best technology and firewalls in the world (implemented correctly), bad actors won’t try to break through that. They will try to social engineer your staff because that’s easier. If you have a robust training program and your staff are bulletproof, they’ll try for your web interface or supply chain to compromise you somewhere else technically. It’s all about having a comprehensive suite of controls that cover the entire landscape of security.
As you hire cybersecurity professionals, what are you looking for?
There’s always a path to steer towards working in cybersecurity. The irony is security is common sense and the principles are simple. It’s just understanding the basics and making decisions that support the basics. When I’m recruiting, I am looking for aptitude, personality, a good fit for the team, integrity above all else, an inquiring mind, and the ability to be a self-starter. To me, security is not about having a bunch of highly skilled people in a room. What I’m looking for is individuals that can work as a team, with different skills and share their experiences – everything else can be taught.
Cybersecurity is not going away, getting any smaller or less important. As the world puts more dependence on technology it will only become more important. This reliance on technology means that security should be at the top of the priority list for all organisations. With that, I advise people to keep security in the back of your mind as a career option. Wherever there is technology there will be a security requirement.