View Show Notes and Transcript

Episode Description

What We Discuss with Stu Hirst:

  • What was your path into CyberSecurity?
  • Coming from an Engineering background, what was the biggest skill transition required to get to the CISO role?
  • What do you see as a change in the CyberSecurity industry that has bought through COVID?
  • Are Board more aware of CyberSecurity now?
  • Do CISOs need to be from a Technical background?
  • For a CISO listening what are some of the strategic Security Road Map in 2022 they can plan for?
  • Fun Questions

THANKS, Stu Hirst!

If you enjoyed this session with Stu Hirst, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank Stu Hirst at Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at

Resources from This Episode:

  • Tools & services, discussed during the Interview


Ashish Rajan: Could you share a bit about yourself and how’d you get into CyberSecurity?

Stu Hirst: Yeah, sure. So I’m currently the CSO at Trustpilot, which is a as a leading review site, across the globe offices in Edinburgh, which is where I live, London, Copenhagen, which is where the company was formed various other offices around Europe.

We’re in New York and Denver and also in Melbourne where you are. So yeah, I joined that in March last year. And to, so build out the team, say about. My history from a security point of view has been about 10 or 11 years now in the, in the industry across various tech companies. But yeah, so my background actually was kind of I’ve, I’ve done this on a few talks, but, I left school at 17, so I don’t have a degree.

And I joined IBM world bank of Scotland. 1998. I joined as a mainframe developer. I was doing COBOL and PCL and a few other things that I’d long since forgotten.

And I spent about 12 years doing that. And again, it’s work. I’ve done previously at another event. Valve into some of the things that happened during those times and where that path led to. And it was mainly during my twenties. And the reason I wasn’t afraid good is that I lived for the [00:01:00] weekends, like lots of, lots of people at those ages do, and I loved music.

You can see guitars and things behind me. I absolutely loved music. I was my, and still is my one main love in life. But for my family, obviously so I kind of left for the weekends and my job was just a job. It was just. There was a way to pay my mortgage and beer money for the weekend. So I guess I hadn’t really found what I wanted to do career wise.

At that point I wanted to get into the music industry. I really, really wanted to earn a living doing, doing that. And then at the end of my twenties, I couldn’t the financial crash happened. I got offered a redundancy. So I got offered a year’s salary basically for for taking redundancy so I can snap the hand off really.

And I spent a year in the music industry and DJ then made records for people. And I had a radio show at the time and yeah, a few, a few other things. I traveled a lot. Which was great. I got to see some of the world and had a good time. Definitely had a good time. But then I sort of ran out of money. Is that there’s the long

Ashish Rajan: and then after that,

Stu Hirst: yeah, I sort of, I took it, I took a real risk by doing that and going into the music industry and trying something different.

And, I don’t think I’ve made the same, well, I think I [00:02:00] would make the same decision, but with a little bit more fought to it. I just assumed that it would work out in a, in a naive way. It kind of. I didn’t actually really enjoy that industry either. I found it quite quite strange to try to earn a living from music.

So long story short. I applied for lots of jobs at the end of that year when the money was running out because I needed to get back into, into work. And I was basically trying to get back into what I’d been doing previously. And I ended up at a company called the train line, excuse me. And that was in sort of system support and then third line support.

So, yeah, more kind of making sure applications where we’re running and kind of staying, staying up.

Ashish Rajan: Also hardcore engineering background as well, then I guess, so deejaying and then moving on to engineering and then cyber.

Stu Hirst: Yeah, I actually, I had a lot of skills in those days of making music. So I used computer applications to make music.

So for those, anybody that makes music here for the night logic and Cubase. And so I was quite good at those things. But again, I still, I still hadn’t found my sort of niche. I didn’t, it was a great job and great company, but I didn’t quite feel like it was. I wasn’t as enthused by it all still. Right.

But I had a really good [00:03:00] boss at the time who asked me to take on it was PCI compliance by then. So it wasn’t necessarily a sort of full security role, but it was to get the train line through PCI compliance. I really, really enjoyed it. I mean, I ended up going on security courses and starting to get involved in the industry a little bit and learn more about it.

And I really got enthused by it and I no complaints. A little, a little tricky at times, but I just thought I, within about a year, I would say, I felt like I’d found something that I really enjoyed doing. It was interesting. Yeah. Weirdly. And it just opened me up to the biggest security piece, you know?

Cause I was to about cryptography

So I ended up at Skyscanner. I think anybody knows me, knows a bit about that journey. And, and then, not deliberately. Specialized in cloud security, but just sort of ended up there, which is a bit of a theme for a lot of security people’s careers anyway, in certain places at certain times. And again, I first got into cloud security.

I really didn’t know very much at all. Quite happy to be vocal about how little I knew about it back in some of those, those jobs. And just felt my way through it, like everybody does in, in, in these areas and up-skilled and dealt with big incidents that happened that you’re [00:04:00] learning. So that was kind of the, the bulk of my time.

It just. Which is a big sort of takeaway delivery company around the globe now. And then got offered the opportunity to come to Trustpilot and I’ve moved. I’ve stopped still, quite heavily involved in the cloud side of things. But yeah, taking on the CSO role is obviously the breadth of building out all of the functions and all of the, the pillars we’ve got here.

So still heavily involved in the cloud side. I still love love of that side of it. But I’ve sort of gone back to being a bit of a generalist across those different areas. So if I had to get back in into AppSec a little bit and yeah, risk and compliance things that maybe I’ve not, not had to do for, for a little while.

Ashish Rajan: Oh, fair enough. Well, I think that’s sort of interesting background as well because to what you were saying as well, a lot of people who may be listening in and may have an aspiration to go down the CSO path and maybe cloud security engineers right now, or cloud security tech leads or even a principal of cloud security engineer, I normally find it’s a very delicate skill set, being a CSO to your point, you’re more of a generalist in north technique now ignored real technical.

You’re still technical, but not technical to the point that, you know, what happened yesterday in [00:05:00] AWS, like know unless someone has told you about it. So what was that thing that you had to either let, go off or pick up on when transitioning from an engineering to like a leadership kind of role in cybersecurity?

Stu Hirst: . So we have a balance really of trying to keep on top of technical things in the industry and trying to keep your knowledge up in those areas, but then having that, that wider view. So I suppose what, I suppose my advice to anybody looking to take on seat on what we’re looking to progress, the CSO roles is maybe an understanding of what these roles consist of.

And it is far more around, you know, budgets and recruitment. Yeah, I worked for a public company now, the IPO didn’t in March. So there’s more around audit compliance.

Ashish Rajan: It’s a good question.

Stu Hirst: And it’s kind of, you need a little bit of an understanding of all of those different areas, again, as opposed to specializing in certain areas.

I suppose one of the things I’ve I’ve had to work quite hard at is knowing what to get involved in and what not to get involved in. So I’ve got a small team and as much as I want to. Look, continue to learn some of these areas and stay on top of the technical side. I also need to know when to remove myself from that and let them get on with it.

And so that, that can be a bit of a trade-off, [00:06:00] especially when it comes to cloud, you know, how fast cloud moves. Yeah.

Ashish Rajan: And it’s to your point, it’s funny. Even if you, when you were deep in the cloud space, you still feel, you’re not you don’t know enough outside of it. You feel like even more like, oh, like I remember you talk about imposter syndrome.

And I always come back to it because I always feel that it is such an interesting thing in cybersecurity. No matter at what level you are, there is always an imposter syndrome that the restaurant in the corner now, even more with how fast the technology is moving. So like, oh, you feel still feel the imposter syndrome.

Stu Hirst: That’s a really good question. And I would love to do a followup to that talk. Yes, I do. And certain, in certain ways, but I also think I’ve probably gone on top of it quite a lot over the last few years. And the reasons for that is having moved around a little bit and got different experiences in different places.

Good and bad things have not gone well, as well as some things have gone well, and then just being comfortable with what I do know versus what, I don’t know that I don’t know if you can teach anybody that I think it just happens naturally where. I know that I no longer feel like I have to sort of make things up or pretend that I know something.

If I don’t know it, I’ll just say, I don’t know it and I’ll go away and try and find out. I’m [00:07:00] lucky I work in environments where I’m given that space to go and do that. So for example, I got in. I’m on an audit committee with the board now. So the first real experience of dealing with, with board level people, and I give them whatever information I feel they need and answer their questions.

But if I don’t know, then I don’t know. I don’t try and sort of make it up so that that’s helped with the imposter syndrome thing, but I definitely still get it. I still.

Sometimes I I’m still uncomfortable with the area that I moved into to a certain respect that I don’t know whether it’s deserved at this point in time. So you sort of feel like, you know, other bad people out there who could do a better job. But I think it’s nice to have a little bit of that. It keeps you grounded.

It keeps you kind of humble too, to a certain extent. And that’s the same with the technical skills. If you always feel like you’re learning and you, and you need to learn when you know that there shouldn’t be an arrogance that creeps in or,

Ashish Rajan: anything like that. Another question now since you still have your fingers in the cloud world, maybe, but not as fully into the pie to use an Australian analogy, but, well, how do you define cloud security these days? And there might be a lot of people who may be security leaders or CSOs probably taking on that role in a cloud first company where they don’t know what [00:08:00] on-premise was like, whereas people like you and I would have had a lot of years in, on premise as well.

Did the hard yard and maybe when your data centers as well, not that these people that don’t have to work hard, they still have to work hard, but probably even harder. But where do you find yourself defining cloud security as now versus when you were more of a technical person was versus a leader.

Stu Hirst: So I think it’s come a long way in the last four or five years. If I look back to 2017, when I probably started getting far more heavily involved. There were only a small amount of people that I could reach out to that I felt had really solved problems in, in AWS, particularly actually back then. Now it feels like there’s thousands of people globally that have, you know, some real skillsets and the great stuff you’re doing on these kinds of things to evangelize.

There’s so many more people who’ve gone on that journey. I think that’s great. And I think that’s globally kind of shifting. The knowledge and the the chat about it. I’m probably a little bit, and I suppose in a little bit of a bubble, because I’ve worked for companies over the last X amount of years that have been mainly cloud cloud-based and trust violet is, is almost [00:09:00] completely cloud based infrastructure whatsoever.

Apart from firewalls in offices. So maybe my perception is that far more of the industry is, is getting towards that kind of space. And I actually don’t know when I try and recruit for people in the cloud security space, it’s definitely getting better. There’s definitely a bigger pool of candidates, but there’s also definitely a lot of people who are promoting those traditional network backgrounds of data centers they look after,

. I’ve got somebody in my team just now that I’m transitioning into a cloud security engineer and he’s like super excited to do that. Cause I think he sees how, how exciting the whole area is, how fast it is what your ability is to, to be successful and to learn and to, to have job opportunities and things.

So I think it will only continue in the, in the way that it has been. In terms of the growth and the this all global skillsets, seeing a huge amount of cloud security knowledge coming out of areas like India and, you know, various other parts of the world. Or it’s interesting to see obviously how I don’t live there, but you can just sense how big that kind of communities becoming and how their organizations will be moving into cloud if they’re not all there [00:10:00] already.

So yeah. I think we’re in through continued interesting time in the, in the cloud space. It’s weird how I don’t feel like there’s been any there’s no, that there’s been no big player disrupt the market for a few years. It has been Amazon Google as your you’ve got sort of maybe IBM Oracle, various others on the periphery.

Alibaba, I guess, and China and whatnot, but who’s the next one to come? Is there going to be another one is or are we sort of settled into the. There was major vendors. Now we, is it a market you can disrupt? Really? I don’t know that we’ll be,

Ashish Rajan: I see. That’s an interesting one because you almost feel cause HashiCorp tried a version of HashiCorp cloud.

And there are other players, but they are not as big. And they’re probably targeting a very niche audience as well, I run a, training for SANS , I came across this really interesting person in my class one day where we were talking about Oracle Cloud,

and this gentleman was from Saudi Arabia. And he said Ashish shall tell you this, that if Saudi Arabia wants to look for a cloud provider, there’s actually no cloud provider there apart from Oracle. So people who cared about that data soverignity. And they don’t want one data leave Saudi [00:11:00] Arabia in this context, the only choice they have is to be working with Oracle cloud, no matter how bad or how not so amazing it is and how everything is the custom code and people have transitioned from Oracle cloud to AWS.

To your point, I dare say seven, eight years, AWS started the market, then Azure joined in Google cloud.

But for a few years there was no one at the player. Like you will not even think of, like, I can’t even still think of which one would you go for a certification unless you asked you better go for a very specialized company.

Stu Hirst: You want that to be a mix of these things? Cause you don’t want a monopoly in that area and you don’t want one, just one company kind of running the halls of cloud,

At the same time, the more of these that you introduce in the more cloud platforms you have, the harder it is for us in our roles to sort of try and keep on top of it.

And even that global spread of, yeah, me and my little bubble thinking the world is kind of all like Ws and GCP. There’s all these other parts of the world who for their own reasons are using various , different things.

Ashish Rajan: Talking about COVID and in terms of like the priority from a security perspective what’s the newer [00:12:00] challenges that you have to tackle,

Stu Hirst: so there’s a few really from a, from an industry point of view. I think obviously the remote working thing has been huge. I was remote working before the pandemic and I’ve been a big vocal supporter of, of the ability to do. And I think there’s a huge amount of positives for, for people to be working anywhere in the world, as they see fit lots of good reasons to do that, but there’s also some downsides to it as well.

I mean when we opened our offices, The feedback was almost entirely positive around people sort of re-engaging and getting that sort of physical relationship one-to-one thing back with people, which they just couldn’t get on zoom. I know there’s a lot of. Virtual fatigue. So kicking in for a lot of people as well.

So we’re going to see that continued hybrid model, but I think what it did was it forced a lot of companies who may have historically been a bit nervous about this kind of thing to really embrace it very, very quickly because they have no choice. I remember the days of, you know, if you said you were working from home, there would be an almost comedy distrust that you weren’t doing your job that day.

And I think that’s changed, which is a good thing. And that’s what we can do in a small [00:13:00] workforce is to work as, and when they, they need to. So there’s that, I suppose the thing that worries me, and I don’t want to go into any kind of politics here for obvious reasons, the weaponization of data and information, I think.

Just globally, I think is extremely dangerous. And I think we’re in a very strange transition at the moment around the world about how we deal with information. And I think that eats into what we do for a living. Depending on what industry you might be, might be a part of, you know, if you’re in government work or you know, within the financial sector, maybe where you’re dealing with some really sensitive things.

I worry about that. I worry about people’s ability to see through some of the information that gets shared online. You know, it’s, it’s th th there’s a lot of nonsense out there. And that’s, that’s going to continue to be a bit of a battle for all of us in our industry, but how we, how we move it forward.

What’s the right way for us to sort of use the internet from an information point of view. We’re probably still feeling my way through that anyway, from an internet point of view, but then this, this has kicked off. It’s difficult sometimes when you read things online these days, it’s difficult to know what’s true.

And what isn’t and that, that fundamentally can’t be a good [00:14:00] thing for society. I don’t want to go too deep on this. It can’t be good. So our industry has got a part to play on that obviously as, as cyber professionals. How do we try? And I wouldn’t say police the internet, but what, what’s the right way to move all this forward.

And I don’t, I don’t have the answers to that. So I think there’s a couple of things. There’s obviously the sort of physical element of working from different places and, and COVID has accelerated the remote work and globally. That’s great. It’s great for job opportunities. And the idea of I’m doing it myself this year.

I think where the idea of just going somewhere for two weeks, where I don’t even need to use any holidays, I can just work from somewhere else and my kids can go and play around the pool for a week. And I’ll, I’ll sit and work somewhere. That’s really, really powerful. I think in attacking. But then yeah, I worry about the sort of societal elements of, of what the internet is morphing into.

Ashish Rajan: It’s funny, you mentioned that because I’ve been kind of looking at the whole Roblox than metaverse thing as well. How, like a lot of kids are kind of going out and to your point, I still feel it’s relevant to the 2022 conversation that we were having as well. Someone said this once to me that what you see kids doing these days is what [00:15:00] be professionals face in a few years time.

And at the moment, there’s definitely a theme there where kids are in this immersive worlds in on the internet. With the remote working and being locked downs and all that people are being forced to be at home. Kids have been forced to be at home. So they’re even more in these immersive worlds of metaverse roadblocks conversations as well.

So, yeah, man, I think it’s definitely a very nerveracking world. We’re moving towards.

Stu Hirst: We need to, I guess we need to continue to embrace it. I’ve been this, I’ve got a couple of young children, a two year old and an 85 year old and we’ve tried. Not shield them from technology, but introduce it at the right time.

So at Christmas day, that was the first time they’ve had their own kind of iPads. Right. Which we’ve been quite keen to avoid those as early, as, as possible, encourage them to still do traditional. Yeah, reading and writing and things on it on paper, but you’ve got to understand that their world is going to be different from the one I grew up in.

And the one you grew up in, there’s going to be an even bigger part in their lives. I grew up without the internet. Right. So remember that they’re not going to have that the internet is going to be the main place that they, you know, they do lots of things. But I just think we’ve got to be [00:16:00] careful with it and, and it shouldn’t replace a lot of.

Yeah, human to human. And in certain ways, even this last two years, I don’t know about you, but my own personal journey has been interesting. So yeah, everything obviously moved online and we got very used to socializing online for a period of time and I’ve kind of gone full circle on it. Now I don’t go on social media in the way that I used to.

I’m happy to do these kinds of things every now and again, but even then, I’m not doing very many of them. Yeah. Been back in offices as much as I, as I can just to try and get that contact again. So I’m probably going full circle on some of my, my views about it. Some of my thoughts about it, I guess we’ve just missed that.

We’ve just missed that, that physical connection with people and the relationships that you can do. Yeah, that’s

Ashish Rajan: I’m with you on that one , kids and everyone should embrace everything new that’s coming up. We probably living in a world where metaverse real, and there is no hologram, which looks pretty nice, but they may grow up in a world and we’ll be like, what our parents used to be with Microsoft office.

Like you would have never, as you may, I know AWS, or at least I knew, used to know AWS and it would be like a given knowledge. They would [00:17:00] know exactly what AWS is, all the services and everything. And I, I definitely feel, because the information is easily available to your point earlier as cyber security professionals, we have a responsibility to be at least raising awareness for what’s coming in the industry and what we see watch out for this one.

Stu Hirst: I remember having a conversation with my wife before Christmas, over dinner, and I put some thoughts out about where. Well, technology is leading to you know, kind of finger in the air, guesswork about some things that I thought would happen. And I said within 50 years, but probably less certainly within our, our lifetimes, if we live that long, you know, cars are already driving themselves to a certain extent.

And maybe even in 20 years, every car on the road will drive itself. Right. My father was in hospital for an operation recently, you know, performed by, by surgeons in 20 years that we’ve performed by robots. Right. Generally we’ll just take over all these areas that it isn’t fully embedded in yet. And that on the one hand, that’s correct.

Fascinating. I’m looking forward to seeing where that all goes, but it sorts of framing, right. And our roles as security people for N to the, the world that is about to come because it’s it’s unavoidable, right. Technology is going to [00:18:00] play that part in. In Madison in travel more than it has been. Things will, planes will fly themselves fully.

It’s just the way society and technology is moving. And it’s not that far away. Really, if you think how the internet has grown even over 20 years or so. And who knows where it would be in another 22 wow. Currency and things, which I was very naive about up until. Where’s all that moving towards, you know, what, what kind of weird society we, we shifting into there is going to shape.


Ashish Rajan: Cause you’ve touched on something really interesting. You and I grew up in a time when there was no internet and I still remember going on the Yahoo and going ASL, pls I age myself, as I say that. But to your point.

It’s really interesting. If within our times we have moved from going online remaining online 24 7. And going to office being online, they’re coming back home, being online. They’re now staying at home and being online and using these virtual worlds. You connect with people like you and I can go one on a very, very long conversation about what possible Megatron things, but I I’m [00:19:00] with you on that one, but as a to bring it back to the CISO conversation, then, I think that we do have a social obligation.

From a company perspective, the whole remote working definitely makes sense as well. Digital transformation, expediting quite a bit. You’ve sort of mentioned that you’ve been trying to talk to the board as well.

Are there things that you’re finding that at the leadership level, there are conversations it doesn’t have to be Trustpilot, but at a broader scale, you find that. The awareness of cyber security is higher now. Like I think it’s not just like, how I remember seeing beams that aren’t be bored.

Doesn’t know what cyber security is, but I personally haven’t felt that my board doesn’t know cybersecurity. They totally know and get it. Like I get messaged before them about log4j, like, Hey, did you look at this? And like, yeah. So do you find that same in your circle?

Stu Hirst: I’m very lucky in that respect.

I’ve got, there’s a fantastic board at Trustpilot. That’s been put together some very, very smart people. They’re very, very interested in it. As, as a topic and as a subject. And you know, they’ve given me a lot of ability to, to build the teams that I need to build and have the budgets it’s right up there from a risk point of view.

The major risk for, for, for businesses. So, again, again, I can only really look at [00:20:00] these things with my own experience. If boards aren’t taking it seriously still, I don’t ask the old cliche and then I don’t understand why because, and the log for J thing was, it was a prime example. There is the biggest security vulnerability that ever been, frankly.

I mean, struggled with something that’s been more impactful than that.

Th I don’t, I just don’t think anything has rivaled it yet. And, can’t think there’ll be too many organizations haven’t been impacted by it in some way, depending on the tech stack or the they’ve got all of that will be filtering up to their boards. So we keep saying it don’t, we, every time there’s hacks or every time there’s a big vulnerability is people need to take it more seriously.

But my own experiences, I work with a brilliant bore to a very, very engaged in it. Very interested in it. And I have quite a close relationship with them actually. So that’s really good. That’s really important. Their views on things and what they’re very good at as well. It’s because they’re generalists just across businesses, not just my world.

They ask some really interesting questions that other people may not ask. So they don’t have the technical knowledge particularly, but they want to know certain things at certain times. And, I suppose what I’ve found from them is they just [00:21:00] want to know there’s a plan. They want, the thing is moving in the right direction.

And that is. Yeah, it’s getting the Fort and the support that it, that it needs.

Ashish Rajan: Did you find that having a technical background coming from an engineering side, was that helpful getting into a role like this in a, being a CSO in a cloud hosted company, .

Stu Hirst: Yeah. For these kinds of companies, I think, which are super fast paced, agile cloud cloud businesses I’ve talked to other events about the need for technical skill in insecurity in general.

It depends what your role is. Right. You know, if you’re working in risk or compliance or something, then yeah. You probably don’t need to know Pifer and how to automate things or whatever. So I think it depends on the, on the role I’ve worked with very, very technical senior people, and I’ve worked with very non-technical senior people and it’s a mix of skillsets really.

My shift into the CSO role from something more technical word, it means that I’m back to doing a lot more of the day-to-day management and the leadership, the coaching, the mentoring, you know, there’s lots of, kind of, I wouldn’t say politics, but you know, you’re trying to. Get involved in decision-making and areas that you wouldn’t have naturally [00:22:00] been in.

So involved in that technical conversation and more in the strategic side of where where’s that moving towards, what’s coming down the line in six months in 12 months, what do we need to solve that problem? What’s going to break, you know, in a year or as soon as we, as we grow, how do we scale it all with the, with the business, it’s all those kinds of conversations, which I find fascinating.

And I’m learning my way through how to do that. But I think having some technical skill is definitely. Worthwhile. I think you can then hold a conversation with different areas of the business beyond, beyond what you might have had previously. But again, it’s, it’s a trade off, right? I don’t want to be sitting writing code all day anymore and that’s not a, it doesn’t, it doesn’t float my boat.

And I do, I expect the CSOs to be doing that. Not really, unless you’re maybe in a small startup and you’re the only person or, you know, you’ve got to get your hands dirty. Sometimes I expect CSOs to be strategically setting out the plan and the, the the mission and the roadmaps of where, where you’re taking it to rather than necessarily building things.

Ashish Rajan: Coming back to what we were talking about earlier, where people who may be looking at getting into a CSO role, like the whole strategic conversation around they may [00:23:00] be already working on automating something in cloud security or AWS or whatever, like what are some of the examples that you can share?

Like they can think from a, Hey, if I’m in my company right now, what are some of the examples of roadmaps they could be looking at as a test exercise for a future.

Stu Hirst: So I’ll give you the, I’ll give you what I’ve done here. Right? And, and this has been with the help of other people that I’ve worked with that, you know, it’s probably too many people to name check, but people like Kevin fielder when I was adjusting, been a big help for me, because I got to see how he built those teams out and how we engage with the board and learn a lot from people like.

I’ve been lucky to work around some, some really smart people. And then industry-wise, there’s also just some really cool names that do talks and, help kind of strategize some of this stuff. What I tend to go back to, and it’s not rocket science is risk. Right? What if I was anybody trying to give advice to somebody going into a CSO role your first three months in a CSO role?

Right. Just take it back to basics. What are the risks to the business from an InfoSec? It doesn’t have to be an exhaustive list of things, right? What are the five, six things that you really, really care about? Right? Is it, is it [00:24:00] ransomware? Is it compliance? Is it kind of misconfiguration of cloud environments?

What are those things that are going to cause really, really nasty things? Data breaches, major incidents are real, real pain point. And then what are you doing about them? Right? What do you have in play just now? And that’s what people process technology, the usual stuff. And if you don’t have those things or where are you going to take it to?

And what are your focus areas? The one battle I’ve had, I think since moving into this kind of role is I have a hundred things to do, and it’s always a trade off between what I don’t do. And that’s the harder decision. Why am I doing that piece of work or that piece of work? Why is that more important than that?

And it all comes back to risk. What risk am I trying to reduce by doing that piece of work? Because if the other one is less important, Albeit it’s still important. That’s my trade off then. And I use things like this framework for you know, the five pillars of nest, and just anything that will kind of help add some of those frameworks into to help you.

You don’t have to make this stuff up on your own, that the information is out there. There’s some cool frameworks to use from a risk point of view. There’s frameworks within cloud, which available. I know we all talk about CIS and [00:25:00] a few other things. There are starting places for you to investigate how to get these things off the ground.

If your company doesn’t have them, in play, but it’s like any job in life, right? Sometimes you don’t know until you’re just in there and you’re dealing with it and you’re trying to, to move it from one place to another. You can watch all the talks in the world, but until you’re in the environment, dealing with the day-to-day.

You’re not quite sure how you’re going to handle it. And sometimes you don’t know what the answer is. You need to go and figure it out.

Ashish Rajan: Yeah. I think that’s a good point as well. Like you can, you can watch all the talks in the world, but when it comes to it, like actually executing it, you’re like, oh, oh, wow.

How do I? What’s the right decision here. Yeah.

Stu Hirst: Even moving company. Things that you’ve tried previously, you’ll find one work. I mean, I’ve had experience of that with bug bounty and a few other things where I’ve tried to replicate pieces of work and it failed massively because the environment’s different.

The culture’s different, the level of maturity, you’re just not quite ready or, or those clashes of personalities or budgets or whatever it might be. There’s lots of different things that can impact. Impact some of these things. So even taking things that, you know, have worked previously into new [00:26:00] environments sometimes just don’t work or they’re not the right thing to do.

And that’s my learning curve as well. And yeah, in the last nine, 10 months, I’d be really wary of that. I’m not just trying to copy what I’ve, what has happened somewhere else. So just eat was a great example of that really great teams are really super-talented people. I could replicate that entirely in this role, but would it be the right thing to do?

Is it what the business needs is it what the risk appetite that demands

Ashish Rajan: To your point about transitioning from a security leader role in one company versus the other, that basic framework, approaching it from a risk perspective. Big the top five even go down the path of if they know AWS, Azure or Google cloud or whatever, big data as a part for, Hey, how good are we with detecting security here?

Are we at the level that I can detect when something like, I don’t know, scenario X happens, but it’s an un-encrypted volume or whatever. And like, that could be a benchmark. Like, I mean, you can, you can set your own benchmark at that point. And that could be the risk level that you may be working with.


Stu Hirst: for me, it was around kind of what are the start with the big things, right? Start with a real company impacting events that could happen. You know, there’s a, there’s [00:27:00] only so many of them will be working in, there’s no point trying to fix 200 things at the same time and all this kind of real niche people tend to right.

Going down the niche route because it’s interesting and it’s new and it’s exciting. But you might have a massive gap over here that you’re missing and it could be simple things around how you’re, how you’re configuring environments or where your data is and who’s got access to it. And, can you even see what’s happening in some of these environments?

That’s why I’m building. I’ve got, I’ve got an awesome person in building out sack ops here at the moment, and that’s one of the major pieces of work at the moment is, well, can we even see what’s going on in these environments? If I can’t see it, I don’t know what’s happening. So therefore. I’m sort of pissing in the wind, if you excuse the swearing.

So yeah, take it back to basics. And we use lots of them all the time and security don’t we, but the complicated, if you can solve those five, six major things or get to a nice level of understanding of them and where you’re at the rest will flow from there. But if you run off in tangent straight to fix very niche things, I mean, sure.

You’ll, you’ll move the needle a little bit in those areas, but you’ve got to be missing major, major things and forget it for most companies, I think is data applications to be running all the time and you need data to be [00:28:00] available and not expose to the internet. So that to a point that it can be, it can be weaponized.

That you know, they’re the company impacting things generally.

Ashish Rajan: Yeah. Yeah. If you’re looking for new ones, you can also search cyber security breaches and you get like 10 more scenarios, ransomware data breaches,cloud misconfiguration. You can, I mean, to your point, you only a handful there, not that many.

Stu Hirst: What does this very little that comes out from a hack point of view? It’s kind of nation state stuff, or you think that that’s really niche, you know, and that’s really, that’s the same stuff. Okay. There’s been some movement over the years when in cloud and cloud’s become a major attack vector, but we’re still seeing ransomware.

We’re still seeing fishing. You know, fishing has been around decades now and, you know, insider event, it’s the same stuff. And I don’t actually think that’s going to change particularly in the next five to 10 years. You’ll see more. Well, then the surface is just getting bigger all the time. We use more applications, more things are connected to the internet.

That’s where everything’s moving to. But from the mental underline risks that you’ll be protecting against. So don’t think you’re going to change massively again soon. I don’t, I don’t see what the next big disruptor is in [00:29:00] technology now that we’ve gone to cloud. I’m not, I’m not sure. I’m not sure what that would be, frankly.

I think we’ll just automate more and we’ll consolidate. And certain places and we’ll do things faster. I’ll continue to be what we end up.

Ashish Rajan: I’ve got some thoughts there because I feel like cloud was an abstraction based on automation on existing data centers and the next layer, after that, I see companies coming up where certain things, even the part of deploying IaC, Infrastructure as Code and automating that, like they’re making that into a platform.

Like I know so many companies that have platforms. Just their job is just to manage the car platform and the toolkit for the platform. And to your point where they may be a plane bed, it doesn’t matter if you’re an AWS Azure, Google cloud, IBM or a Oracle Cloud, whatever is the layer on top you care about is more of a what’s the word like a pass.

All you’d have is a platform. I want to put a data project in there, or I will put something else in there I go, SaaS. I can’t imagine IaaS lasting for that long. I don’t know what he taught on that are.

Stu Hirst: Yeah. But it will still be in that cloud area. And I think that’s where the major [00:30:00] continued, Yeah, progression will be.

I think,

Ashish Rajan: There’s all like next frontier, for lack of a better word. Like, I mean, at least not visible so far, even cloud native still has cloud in it, so it needs to run somewhere. She needs to run somewhere like a cloud platform, either in Google cloud or AWS somewhere.

So, or it’s running on premise, then you’re going back. You probably don’t wanna go. ,

Stu Hirst: this is where the log for J thing was particularly interesting. And fraught has been an interesting one for all of us in the industry that, you know, we’re using so many applications these days, there’s so many SAS things and so many kind of you know, platforms that we can use and, and third-party dependencies and et cetera.

It’s just huge now. That particular vulnerabilities spanning so many potential components or. Or things that you might use is I don’t see, don’t know what you can do about that. Obviously there’s nothing you can do about zero days anyway, cause there’s zero days for a reason, but how do you reduce? So supply chain risk is probably one of my major risks, you know, for, from a company point of view.

But I continue to struggle to think what you can do about that. I mean, sure. You can interrogate that POS. Religiously if you want, but it’s not going to stop something like the [00:31:00] log 4g thing, at this point in time, and I don’t know what the answer is there to try and reduce those.

Ashish Rajan: All of us in the industry may know that there’s a log for J but the supply chain you’re working with would be too small.

There are no security in your marriage. Are you affected by Lockwood? No, we’re not. And then next day someone has she OVR. I was like, oh, sorry. Yeah, we are effected. And like, what you’re telling me do live later, I’ll call everyone that we are not being affected. And like I imagined it was like that coming out of this as well.

Well, and having

Stu Hirst: a vulnerability that affected so many major applications, I don’t want to sort of pick on anybody here, but you know, it w it was a reasonable number of major application providers. Yeah. And some of those are the best in the world, and those are the best. These are the best tech companies in the world and they couldn’t find their, they didn’t know it existed.

And I just think we’re, we’re setting ourselves up. That there’ll be more of those. I think I, I think we should brace ourselves at the next few years. Hopefully not relentless. We should brace ourselves for continued supply chain where it affects pretty much everything that you do and that you’ll have to down tools for weeks to, To deal with those things.

I [00:32:00] think the more connected we are, the more apps we’re using, the more, you know, the more we spread data across different places and more of that’s going to become a, of. Are they’re interesting problems to solve, right. Because

Ashish Rajan: it’s, I think so. Yeah. Well, I mean, I know we’re we’ve actually done a lot of interesting topics, so, but I imagine there would be good enough food for thought for a lot of people listening in to go, actually.

Yeah. I haven’t thought about that from my company perspective or personal perspective actually. Cause I’m just gone to the context of the time that we spent so far as well, because. They were very close to the end as well. And I think I’m glad we kind of closing off at least the main questions around the parts where this is kind of where the future is going for CSOs in a cloud world.

And we don’t know what the next frontier is, but at least whatever it may be. For the moment cloud seems to be the popular one and cloud native into the popular one. So hopefully no more law for J no more, a level of 10, issues for the next few years. Wait, we still can go back and enjoy our work from home holidays.

I mean, work from home.

Stu Hirst: It’s certainly more than Christmas if they can avoid the biggest vulnerability of all time, the week before Christmas. So

Ashish Rajan: I think that would be a pretty [00:33:00] amazing if you can just drop that in the ether, dig the whole year. Why are you focused on just for that, for that time period?

It’s funny, but so this is kind of like the final quiz and you have gone through the fun question before, so, I think I’m going to change a few, so we’ll see how you go with the fun three questions that I have towards the end. Would the first one being, what do you spend most time on? You’re not doing any work on technology or cloud, but I imagine your answer has changed from pre COVID.

So what, where do you spend most time on now when you’re not working on cloud technology?

Stu Hirst: Yeah. Do you mean outside of work? So my, my kids two little kids who eats up all of your remaining energy. Great fun. Yeah, mainly that I wish I had more time to do things like playing instruments and reading. I used to read a lot and I don’t get the chance to do that as much these days, just for the age of the kids.

It’s just about betrayed. Yeah, I still got the music stuff on now that now that things are back open, so go to gigs and festivals, take the kids to the halls. Yeah, that’s that’s, that’s probably why.

Ashish Rajan: Okay, good. And next question. What is something that you’re proud of and is not on your social media in the last two years that you’ve not been here [00:34:00] before?

Cause I mean, I’ve obviously heard the first one, but I want to, when the last two years, what have you done? Something that you’re proud of, but is not only socially.

Stu Hirst: What am I proud? I mean, frankly, just, just getting through it, right?

Ashish Rajan: Yeah. I mean, instead of is a big fee to come out, like show positive and smiling, and there’s definitely.

Stu Hirst: Yeah. I mean, I suppose I changed jobs during this pandemic and you know, I’ve got two year old, so we didn’t have another child just before the start of it all. I think just bringing them up and trying to keep it as calm as possible and yeah. Trying to keep a smile on my face. I was kind of proud of. Yeah.

Yeah. Just, just getting as I’m sure. We’ve all tried to do.

Ashish Rajan: I think I definitely appreciate that. All the parents during the lockdown periods, When a lot of people were just like, oh my God, there’s no daycare. There’s no childcare, none of that. And you have to just find ways to do your actual job and engage kids who are in the house, basically ripping the roof apart.

But you’re going to have just like figured out a way to. Balance the two. So kudos to all the parents who had to go through this exercise and probably still going through them is that I hear there’s still a few countries in the world, which has good [00:35:00] going through curfews and lock and stuff as well. So everyone’s going through that.

I definitely shout out to them as well, last but not least question. What’s your favorite cuisine or restaurant that you can share cooking. Now I have more at home. Yeah.

Stu Hirst: So definitely Indian balls and Mexico, and my two sort of favorite cuisines. There’s a place in the UK called issuem, which is a sort of bond

Edinburgh. They actually released the the recipe for the, one of the couriers that I learned to cook at the start of lockdown. And it’s just amazing. The food is absolutely phenomenal. That’s probably me. Yeah, it would probably be a family. Music, they job food in my

Ashish Rajan: well, that’s probably a great habit to have as well. So she ended up having family. Number one is definitely the best one as well then. Cool. That’s why we had time for him and I think, but I I’ve enjoyed that quantitation as always. And I also would love the fact that we touched on like, what’s the possible future for other people who may be looking into this as a, from a CSO.

I’ve gone to the court Cristo theory thing. Thank you as well. Thank you. She seems to appreciate the time taken for this chat and sharing. This is great insight. Thanks Krista. Hopefully that was helpful as well, but I definitely found [00:36:00] that I imagined a lot of people took food for thought for what else they could look out for in this new cloud world in a COVID normal world, as they, as they would say, where can people reach out to you if they want to have a for, for the conversation about these.


Stu Hirst: Got me on LinkedIn these days. I’m not, not doing Twitter as much as I used to, but I’m still, I’m still available on that. She wants them for say yeah, LinkedIn, if you want to connect. I do have to mention by the way we’re recruiting. So just now, London, Edinburgh, Copenhagen, there’s going to be a cloud security role.

In fact, two cloud security roles coming to. So we’re going to build that out a little bit as well. So keep an eye on that, get, you know, get me on LinkedIn, if you want to chat about any of those. So, sorry. That’s the, that’s the pitch. I’ll

Ashish Rajan: definitely be commenting on this to get some eyes on that as on that role as well, man.

So yeah, it definitely would be a great person to work with for whoever’s. Awesome. All right. Cool. Thanks everyone. I will let you go with that one. I will see you back on our weekend episode, we will continue the identity and access management month that we are having at the moment with , but otherwise I will stay safe and I’ll see you on the weekend.

More Videos