Navigating Cybersecurity Leadership w/ Simon Brownhill, DWL Partners
In this episode of the Cybersecurity Sessions, Andy Ash speaks with Simon Brownhill, a cybersecurity leader with a military background. Simon shares his journey from Navy weapons engineer to CISO, offering insights on leadership, risk management, and security culture. They discuss AI’s impact on cybersecurity, balancing innovation with risk, and the importance of mentorship. Simon highlights the need for proactive security, hands-on learning, and effective board communication.
Participants

Andrew Ash

Simon Brownhill
Episode Transcript
Simon Brownhill: I've worked on NHS contracts, Tesco, Sainsbury's, people like that doing PCI compliance. So, I have a few war stories and a few scars, but I won't show you those.
[Voiceover]: Simon Brownhill is a cyber security expert. After nine years as a weapons engineer in the Navy, Simon is now spearheading the delivery of cyber security solutions for major organizations.
In this episode, he will tell us his story and give us an insight into leadership in cyber security.
Andy Ash: Where have you had to try and convince a board about something critical?
Simon Brownhill: That's a good question, because I was going to say everywhere. I think it's more around my approach, which is…
Andy Ash: What is the logical endgame for AI?
Simon Brownhill: There are enough indicators out there for us not to create a whopper or, you know, create one of these machines that is going to try and take over the world.
Andy Ash: Hello, this is the Cybersecurity Sessions podcast with me, Andy Ash, the CCO at Netacea. Today we're gonna be covering a number of topics around leadership in security, and a person's journey from pre-security to CISO at LV. So, I'm very excited to welcome Simon Brownhill, a director at DWL Partners.
Simon, do you wanna give us a quick intro please?
Simon Brownhill: Thanks, Andy. Yeah, Simon Brownhill. I started my illustrious career in the military, for about nine years as a weapons engineer, came out and started into cyber security a very long time ago in 96, then sort of ended up on a myriad of a trail and ended up at LV for a contract.
So, one of my first contracting gigs and yes, that will be part of the story is how I went from a lowly, consultant to the CISO, and what that entailed for me, since then I've worked on NHS contracts. I've worked, Tesco, Sainsbury's, people like that doing PCI compliance. So, I have a few war stories and a few scars, but I won't show you those.
Andy Ash: Oh no, feel free. thanks Simon. So, we always ask this question at the beginning, obviously at Netacea, we, we're kind of AI based and, we, we, want to know people's opinions on, on, on AI and this, this generally helps. So, on a scale of one to ten, what is the logical endgame for AI in human society? One being that we succumb to our robot overlords and enter an age of servitude, and ten being that humanity is freed from the shackles of earth and goes off to explore the universe in peace.
Where do you stand on that Simon?
Simon Brownhill: It's like we've rehearsed this. I, I, I'm a seven out of 10, and I use the same sort of analogies. So, my view was one would be Skynet and all that entailed from that, you know, the T-800s, and rather than us using good logic and testing, we ended up with poor results and war with the computers.
On a scale of five, I sort of had, you know, 2001: A Space Odyssey, where logic has deemed us as not fit for purpose, and, you know, we have that manic, evil mantra of, "I'm sorry, Dave, I can't do that." Where I sit is sort of seven, which is that sort of Wall-E, sort of, compassionate collaboration, without getting too happy clappy, you know, solving problems like climate change and, you know, the world's problems.
But again, I think with that, there will be privacy and some sort of breaches, which is, you know, good for us in cyber, but, you know, we, we can, at least don't have to hang up our cyber hats. And I think, lastly, you know, going to a 10 would be, and this is where I might be hung by geeks, but, you know, it's the Star Trek or Star Wars sort of analogies of tripping off to warp speed across the universe, making everything smaller and giving us a really good sort of enablement with, with the, with the technology and, you know, even having a little R2-D2 sort of robot there as your philosopher and guide.
So I think my takeaway from that is let's avoid number one and, you know, aim for number seven, and well, if we hit it, that'd be good, but if we could get to ten, that would be brilliant. But as long as we don't, in the meantime, set up our coffee machines to make coffee and end up with a T-800 trying to deliver it, I think that would be good for us.
Andy Ash: Yeah, I mean, as an ex-military pilot, obviously the, the application of AI in, in, in the military is, that worries me. And, and the way that, so that, in the start of Zuckerberg coming out, basically saying that all mid-level developer jobs will be able to be done by AI systems this year. I think he said this year or within a year.
I haven't seen the full interview, but then none of Mark Zuckerberg's clips are designed to be watched. They're designed to be seen in extremely small clips. So, he's saying that for a reason. There's something, you know, the, the, the next gen is, is already, is already on the way. and in military terms, that worries me slightly, but I, I'm sort of, I'm still on the positive.
I can still see, I can still see the, the application of this being positive for, for humanity.
Simon Brownhill: So, yeah. And I think we are, hopefully. There's enough, there are enough indicators out there for us not to create a whopper or, you know, create one of these machines that is going to try and take over the world.
So, as long as we keep the safeguards in place, and I think, you know, whilst, whilst I was in the military, it was more valve technology and bubble jet memory. I think, yeah, people are sensible and they understand, you know, the, the, the need for four eyes or, you know, two keys or whatever it is so that people can, there are safeguards in place.
Andy Ash: So, Simon, obviously, you started in the military, which service were you in?
Simon Brownhill: I was in the Navy for nine years.
Andy Ash: Cool. And was that, sea based, or were you…?
Simon Brownhill: It was a bit of both. If any of my friends would, would be on the call, they would tell you I spent more time playing rugby or sport than I did actually doing any engineering.
However, I saw my fair share of the world. So, Arctic, Antarctic, went over to West Indies, met quite a lot and up to Norway and down to the Falklands. So not during the war, I'm not that old.
Andy Ash: But yeah. Oh, amazing. Amazing. Do you want to take us through? So, you, you, you completed your time in the forces and then you moved out and eventually became the CISO at LV, which is obviously a significant, significant role and a significant journey.
Do you just want to talk us through that a little bit so we can get a picture of how we got there?
Simon Brownhill: Sure. I mean, I, I spent quite a lot of time, and I would say probably 15 years since leaving the military to ending up working for myself as a contractor. So I had a myriad of jobs. Like I said, at the beginning, I was working for a number of companies.
And I think that's where I learned my trade was, you know, you know, dipping into different things. So, I did some pen testing, I did some consultancy. I had a good mentor when I was first into cyber, a guy called Peter, who was a, an older guy who came from DWB.com or Arthur Andersen or something like that.
But he was a good guy, and he taught me, you know, carry a notebook, make sure that you write down stuff, ask questions and, you know, the proverbial things around two ears, one mouth, use them in that ratio. And they were all good things for me to understand. And as I, you know, put more strings to my bow, I had a better idea of what I wanted to do, because like everyone you sort of flounder around, and before the internet was Google and, you know, AI based, finding these things was difficult. So, I kind of looked for the things I was good at, and I think consultancy is one of those things where I've, I've enjoyed.
So with LV, I was headhunted to go and help them to set up that, one of their third party consultancy divisions. Cause they had a third party process for reviewing who was coming in. What were they doing? What was their security posture? And I went in, had a look and it was very manual. So, it was more around questionnaires and people answering those questionnaires and then for the consultant to ring up and talk to them and interview them, and there were a couple of site visits and those sort of things, but it was very laborious and also the questions were very generic.
It was more around, what did LV want to hear from me as the supplier or the third party, so there wasn't necessarily any litmus test to see if what they were saying was true, and I think that's interesting. That's how I developed that part of the team was to ask more probing questions, to ask for demonstrable evidence rather than sending your policies, you know, talking to people who were delivering the service, which again, allowed us to streamline that process and to become more efficient.
And also, to roll it out to the project teams as well within LV. So it became an internal looking thing as well. So what are we designing? And before privacy, and security by design were, you know, buzzwords. It was one of the first steps we made into making sure that what we were doing, you know, almost that concept of eating your own dog food and saying, you know, are we doing the right thing before we go out and tell everybody else?
So that was the first couple of months. So I was there for initially three months and it got extended out to six to nine months, and then a guy joined who said, as the CTO, I want to set up a design team and I don't have any experience. Now, as I've said, I've, I've, I've experience with most things and architecture was one of the things I got my teeth into.
So I helped him and he was like, right, you can be the chief architect and I need somebody who's going to do all the security and those sort of things as well. So again, we spoke to the CIO and from there, it was just like, look, we haven't got anybody who can do this stuff. Could you run the teams, run the designs? And from there it was just a question of educating up and down and pulling both of those teams together, really.
And that was, that was the sort of shortest version of what happened, and I was there for nearly four years. And yeah, it was a very enjoyable time. I enjoyed it immensely. And, you know, I know that the CISO now, a guy called Dan, is, you know, he, he came across from their networking team to be, to learn about it, and I know he's gone on to do bigger and better things.
And, you know, he's, he's having this, you know, very successful time because, because he's gone back and, become the CISO there. So, yeah.
Andy Ash: It's really interesting that that person's come from networking. So, I mean, obviously, is it Man v. Food? And the intro to that is the guy says, I've done every job in the restaurant industry.
That's right, yeah. And I sometimes feel like, I mean, I've worked in infrastructure, architecture, service, security, you know, and I do feel like that could be a tagline I have myself. And it sounds like you have that background as well. You've got lots of different experiences.
Simon Brownhill: So my military career, I was made part of the defense cutbacks redundancy.
So I took the redundancy and I ended up investing that money into Novell CNE courses. So I became a CNE because I thought that's the wise money. So being an engineer, being logical, I looked at CNE and do you know what? This is far superior to the Microsoft offering. And, you know, if you look at them now, you know, Novell, where's that?
I have my own sort of view on that, that every time you turned your computer on, what was the first thing it said? Microsoft. And then it said, your system's protected by Novell and your network and that sort of stuff. So I think people just saw Microsoft first. And then, well, if you see it first, therefore it is first, therefore, you know, why would I buy this other system that isn't very, you know, it doesn't really say anything. They do one of these. So I think that was the problem with Novell. It was far superior, far, far more secure. And I'm, I'm sure people will comment on that.
Andy Ash: I worked with Novell ZEN. So probably later iterations of application deployment.
Simon Brownhill: Yeah, I'm very old. It was 3.11 and 3.12 and then I certified in 4.1.
Andy Ash: Wow. Yeah, that's good. That's awesome. So what do you think that amalgamation of experience across different disciplines of IT brings to a security role?
Simon Brownhill: With your experience, I think whatever it is, so, you know, if I roll right back, I was, before I joined the Navy, I started off as a flower salesman in Covent Garden Market. Wholesale flowers. So that's been a butt of a few jokes. You know, my daughter's suitors thought that I was Robert De Niro. Yes, of course, you know all about flowers. You worked in the military and you do weird stuff that we don't understand.
Have you got a lie detector in the basement? I think from all of this stuff, though, if you look at experience, whatever it is, life experience, whether it's, if you get your fingers burnt, and I say this about my teams as well. So let them make mistakes, let them grow. There was a lovely analogy I heard many years ago, and I don't know who I can attribute it to, but it's about teaching people to grow.
And it's like, you've got a toddler and they want to pour a cup of juice. You let them do it, and they'll grab the juice bottle, they'll tip it over, and pour it in, and some of it will go on the table, some of it will go in the cup, but they'll end up with a full cup of juice, and they'll wander off, happy that they've got this full cup of juice, and you're stood there with the rag behind your back, and as soon as they've finished, you mop up, wipe up, and clean it up, and over time, there's less mopping up to do, there's less of your input that's needed, but they have the experiences. And, and I think that's key to anybody is, you need to get your fingers burnt and have a few scars so that you can bring those to bear on new things and also watch out for those risks.
Andy Ash: There is definitely some muscle memory involved in risk management, things you've seen before.
My, my instinct is that most problems in IT kind of come from the same place. Most incidents come from the same type of behaviors or the same type of technology deployments or whatever it might be. That, you know, there's inherent risk in the way that some companies operate.
Right. and if you've seen it before, it makes it much easier to, to identify and mitigate.
Simon Brownhill: I'm, I'm really glad you said that because I'm a firm believer that, you know, same badge. Oh, sorry. Different badge, you know, same day. All companies are the same. Most of the risks are the same. There are new developments and new, you know, you have APTs, you have all of that sort of stuff.
Then you have WannaCry, which is Stuxnet, is it, you know, these things are very similar. They're doing the same sort of thing. I think they're the same things. You just have to be mindful about what it is and identifying that pattern. So it's not heuristic, but it is a, what is this thing doing to my network?
Why is this thing happening? Identifying it and then having the recall to say, have I seen this before? Because that's pretty much what life's about. You know, you go to Spain, you use the same risk methodologies crossing the road as you do here, you're going to have a problem. But once you realize that cars are coming from a different direction, it's the same pattern.
Andy Ash: Yeah, exactly, exactly. So you've talked about living the kind of security experience and getting burnt and, you know, having experience. And what, what advice, other than kind of practice security? I think that's basically what you were saying. What advice would you have for anyone aspiring to progress their career to a senior position, on top of that, do the job, be that person?
Simon Brownhill: When I first started out, and I'm, as you can see by the right-hand side of me, I'm a proponent of reading, and learning, and studying, and I think there's nothing better than to learn, and I think the reason why I took to consultancy so late was because I enjoyed the technical camaraderie, because I think that is one of the things that you can't get enough of.
So whether someone wants to mentor you or not isn't really their choice if you're inquisitive. So you will be mentored by people around you even if they don't think they're mentoring you. So, you know, I had a gang of people when I first started at a company called Peapod, and we all took the top of our computers off and looked at the inside, so we understood how it worked and ensured that we understood what component, talked to what component, and went over to each other's desks when we had a spare five minutes, ten minutes.
We'd have a coffee and talk about how does this file system work? So, you know, looking at SunOS and things like that. So, you know, really back in the day. But having a technical conversation, talking about things that were completely out of my depth. So, could you go and fault find a problem up in Newcastle and then end up on the phone with my colleagues back in London saying, right, okay, I've looked at this, I've looked at this, I've got a sniffer on the network and, you know, getting it down to the fact that the company were using their own proprietary version of IP at the time.
So an IP version, it was called Chameleon. And somebody had set the MTU values at, and, and I'm really geeking out here now, but there was a problem. So the, the, they couldn't be compiled back properly and so they were losing packets on the network. And you know, like I say, it's, it's interesting, and I'd never have got to that point if it wasn't for the people around me.
And again, that's, it's a learning curve. And now I know, you know, about CRCs and all of those sorts of things. And sorry if I'm losing people, but that was at the time I didn't have a clue. And that was the only way you were going to learn. And that's another thing that I'm a really, really big proponent of is get yourself into the level of water where your feet aren't quite touching the ground and struggle because struggle makes you grow and that's, that's what you want to do if you want to progress.
Andy Ash: Absolutely. Couldn't agree more. Could not agree more. How do you think, so there's, I mean, not wanting to highlight that, but if you mentioned SunOS, that was probably quite a while ago.
Things have changed significantly, not just in security culture, but in working culture. So, you know, the rise of, we're both at home. We haven't come into a studio to record this. You know, the kind of online resources that you might want to learn from today. How has kind of the cultural shift in working practice affected that way that you're talking about learning?
Is that, is that something that you've adapted to as a consultant or?
Simon Brownhill: Yeah, I do quite a lot of work from home. Again, you know, I mean, when COVID hit, I was the head of security, or I'd kind of say CISO, at London Ambulance. So, I was doing a contract there. And we saw it coming as the cyber team and, and actually used our own resilience and threw ourselves away.
However, funnily enough, being a cyber security consultant, I've been working from home for a long time, you know, even dial-up working from home. So working from home wasn't new to me. I think the problem now for most people is that face time, that, that actual being with other people and hearing that sigh of, oh no, what's that?
And you can turn around and, and, and be with that person to say, are you okay? What's going on? And, and, and, and you can develop that team. It's only with things like Teams where you can say, I've got a problem, or Slack, whatever you're using, you know, if, if you can talk to each other, there is that, but there is no real-time sort of connection and togetherness.
I think it is about a team. Whilst, for some of us who don't really want to be around people, you know, all the time, and I know there's a few geeky people in my life who really wouldn't want to see another person if they, you know, ever again, but it's important for people to be around people so that you can bump those ideas off people so you aren't, as I call it, technically lonely.
You know, you are part of a team and you're growing as a set of individuals. Because you all pull each other along, and like we said earlier on, it's about life experience.
Andy Ash: Yeah, yeah. And the technical camaraderie is massively important, and it's something that we managed to foster at Netacea through the pandemic, and now we are remote first.
So it can be done, and it takes, it takes more effort, like you say, the kind of head hitting the keyboard sound that you hear if something's going wrong, and everyone's, you know, if you have that camaraderie, everybody immediately wants to know what it is, because that guy, or that person, has just discovered it, and it's like, oh, I want to know what this is.
And everybody gathers around and suddenly everyone's talking about the problem and it starts to get fixed. It's more difficult when people are remote, but it is possible. Alongside the learning piece, alongside the learning piece and mentoring. We need to move on though. So in, in kind of, in kind of your roles, you know, your most senior roles, the CISO relationship with the board is something that comes up quite a lot in terms of conversation and, and, and other, other podcasts and webinars.
Do you think boards see security and the role of the CISO as kind of intrinsically valuable, or a cost center, or only there to deliver bad news, right?
Simon Brownhill: Yeah, I think with that it's complex and I think it's down to the CISO to control that relationship. So, if you start off with the, you guys are the bad news bearers and, and you are bringing bad news to my door every single time I see you and everything's a problem, or you are an overhead, you are a cost, you know, you're not bringing in any value to my organization. That firmly sits with the CISO. The CISO is there to change that concept and it's a double-edged sword, I would say, as in the CISO needs to challenge the board back, as to say, what are your risks? What keeps you up at night?
What stops you from sleeping? If the lights went out today, what would you do? How would you cope? And again, I'm a proponent of Cyber 101. Let's go back to risk assessments. If it's driven by risk, and people understand what the risk is, and then what your appetite is, because that's a totally different thing, then you can move forward.
And without the fostering concepts of privacy by design, security by design, companies won't or can't have a view on it unless the CISO helps them to establish that view. So what can we do to mitigate these risks? And appetite is the big thing, you know, I've worked for a number of organizations and one of my first contracting jobs or working for myself, one of my first customers was a company that had a lot of spare cash, you know, they have money in the bank, they were produced, you know, selling plans and those sorts of things. And being able to… They had a good reserve of cash. So when I came up with some risks, they said, how much is that risk? And it was, they're about a quarter of a million pounds. That's fine. We've got that in the bank.
I said, you're kind of going to have to show that to an auditor when they come in and say, yeah, that's fine. But people will work to the worst-case scenario in their own head. So unless you talk to the board and say, what are you accepting? What are you, what can we just take on board, and what do we have to find controls for, that aren't accepting that risk? It's a lot easier, and it's a lot easier to communicate that issue or the reason to spend money on those to the board than it is to just come up with madcap ideas that you think, well, that, yeah, we'll just do that.
Andy Ash: And having that kind of risk assessment quantification of cost associated to the risk or potential loss associated to the risk genuinely helps. It is difficult because a lot of security risks or ransomware puts the entire value of the company at risk. And that's always going to be, that's either, it's always going to be a big number to the people that you're reading it to.
So that always will come up, come up to the top, but, yeah, in, in terms of your interactions with boards, obviously quite often CISOs, and I know I have done this, the perception is that you come in with a shopping list, and nobody really wants to sponsor a shopping list. So where have you had to try and convince a board about something critical related to a risk? And how did you go about it to make sure the right outcome was achieved?
Simon Brownhill: That's a good question because I'm going to say everywhere.
And I think it's more around my approach, which is, before you go with a shopping list, okay, you'll have your shopping list. It doesn't matter, you know, day, day two or three, you'll have a shopping list. But the thing is, furnishing the board with good metrics and showing them where the holes are. So risk assessment, metrics, success stories, those sorts of things will help the board, but also educating them as well.
So you can't expect to go in to somebody and say, you're going to have to spend thousands of pounds on an issue when you don't know how much the problem's going to cost them. So if they're informed and educated and they know a 10 problem takes a pound to fix, it's a lot different to saying, you've got a 10 problem, it's going to cost you 50 to fix that.
Andy Ash: Yeah.
Simon Brownhill: Well, nobody's going to do that because, but if they're educated, they'll definitely know that, you know, because you're, you're telling them, right. And, and if you use metrics, you can demonstrate these things, and metrics are good and they're good for board reports and, and to give the board the information that they can go back to. And as long as it's, again, I caveat this heavily, it can't have too much human interaction with those numbers, because as soon as they do, there's bias.
And if there's bias, there's doubt. And if there's doubt, you're not going to get your pennies. So that, that would be my... That would, that would be my guidance, is that whatever you produce, make sure that it is solid, because if it's solid, it can't be argued, because as soon as there's an argument and you can't go back to actuals, so somebody might be doing you a favor and, and just upping those figures so that you're having more probes against your network.
You're having, the statistics are higher, you've shot yourself in the foot. So it's got to be open and honest and without bias.
Andy Ash: Cool. So kind of the last topic for the podcast today, Simon, this is kind of your leadership style and leadership versus management. I'll kind of roll a couple of questions into one.
And I think that, you know, how involved with your team do you like to get? And what is your approach to nurturing skills within those, within those teams?
Simon Brownhill: Yeah, I'd go back to my orange juice analogy. Anyone who's ever worked for me, under my leadership, will know that I stop people from that "computer says no" sort of mentality, cyber, no, no, you can't do that.
I want people to come over to us and talk to us and I'm talking about that office environment again. But I want people to come to you and say, I want to do this. And rather than saying no, say, “Okay. Yeah, okay, what is it you're trying to achieve? Because if I understand what you're trying to achieve, you're not bringing me a solution to your problem, you're bringing me the problem. If I understand the problem, I can see if it fits with what we've already got on our, in our portfolio, I can see if it's something that we can just sideline into another program of work. I can build it into the budgets. And when I say I, I'm talking we. We can, as the security and cyber team, develop a solution for you, because if you understand the problem, you can come up with a simple solution.”
And I'm a big proponent of KISS, because I think, you know, keeping it stupid, or keeping it simple, stupid, even, keeping it simple is, is the key here, so that everybody understands what you're doing. And that's what I kind of push into my teams. Don't go in with a negative mindset. Just look at the art of the possible.
If you can't do it, then say, I can't do it and escalate it. And that's the point of being in a team is it doesn't matter who you are, you know, even if you're the CISO, you'll have your own network of people that you can ask without, you know, without dropping yourself in it. And I think that's the key here is to grow your network, grow your experience and grow your learning, but also to mentor and teach your customers, whether they're internal clients or external clients. Everyone needs to grow and everyone needs to understand what you're doing because if you do the same stuff every single time, it's boring. If you teach somebody else to do it, then they do it and they come and ask you a really good question.
And I say this to most of my customers and most of my prospects, my job here is to teach you how to do this stuff yourself, so that the next time we engage, I may have to get one of these books off the shelf and to research something, because I want to be stretched as well. I don't want to be doing this, that boring stuff, because everyone wants to do something new and learn something new and to grow themselves.
So that's pretty much my ethos with people is, why would I want, you know, you want to grow? Let me let you grow. Let me let you, you know, let me help you to help yourself. Go make mistakes, because as long as you, you know, we don't kill anybody or we don't, you know, lose lives or, you know, millions of pounds that go down the drain.
It's not really a big problem. Go design something, bring it back to me. If it's good, we'll let it fly. If it's rubbish, we'll start again. So that's pretty much my view.
Andy Ash: Giving people their heads sounds like the synopsis of that, and it's something I agree with wholeheartedly.
Simon Brownhill: I think you can't be dictatorial or dogmatic with this stuff because, again, that person may have the idea that actually becomes something brilliant for your organization, actually changes everything that you do.
And they may be a junior person, but if you didn't let them try, you'd never have known that, and you'll carry on doing the same stuff every single day.
Andy Ash: Simon, thanks so much for joining me today. It's been brilliant. If you have any questions for us, or there's a topic you want us to cover in a future episode, either leave a comment if you're listening via Spotify or YouTube, or you can email podcast@netacea.com. Please make sure you do subscribe wherever you get your podcasts. And finally, thank you for listening. We'll see you next time for more Cybersecurity Sessions.