Today we chat to Ed Tucker, CIO of DP Governance. He explains why AI is overrated, why a customer centric back to basics approach is important and reveals who in cybersecurity he admires the most. He also told us that in a film of his life he would need to have someone tall and with a big nose to play him.  

Why did you become a CIO?

The natural next challenge I suppose. My interests have always been beyond security. I think to be effective in security you have to have a broader spectrum of knowledge than just purist security. Of course, security, and the CIO roles are not just technology either. Humans, processes, inter-relationships and dependencies, business outcomes and a little bit of technology on the way. In every role I’ve done I’ve wanted to see the fruits of my labours, good, bad and indifferent. I’m not the type to set direction and then scarper before the reality of it hits home. You have to see things through and recognise the impact you’ve had and how effective it was. If you don’t then how do you ever learn? I’m not one for chasing buzzwords either, so I might be a bit of an odd CIO in those two respects.

When did your interest in cyber security begin?

Crikey! Years and years ago. I’ve always been interested in how things work and also how it is possible to make them work to your advantage, both good and bad. How to bend things in your favour. The natural synergies into how adversaries work just interested me even more. It is a really interesting area if you’re a bit of a nosey parker, which I am. From there I just studied, read and asked bucket loads of questions of people I found along the way. I still do to be fair. You soon begin to realise that there aren’t that many people in security who really know what they’re doing or how to be effective in doing it.

Within your organisation, what is the most significant digital achievement of the past 12 months?

In the new one probably actually getting off the ground and getting base software and functionality embedded with our core methodology. Prior to that in the old role I’d say reducing phishing emails by half a billion through the implementation of DMARC. That was quite good if you ask me. Though the other side of the same piece of work was improving email delivery rates from 18% to 98%. Ooh security as an enabler! Who would have thought it! Mind I would say that as I did it.

What will be the most significant development in cybersecurity over the next 12 months?

Hopefully a focus on a customer centric back to basics approach. Sadly, that won’t happen and the industry will continue to spend money chasing buzzwords and marketing blurbs whilst failing in perpetuity. Sound positive, don’t I? You cannot buy security, it doesn’t work like that. And if you’re not in with your customers you’ll never realise how effective, or not, you are in your job and how what you do can be a negative and positive impact.

What’s the largest barrier to becoming a more effective CIO?

Knowledge, both in the role and in the teams. There’s, much like security, too much chasing of buzzwords coupled with too much focus on technology first, business problem second. We need to do big data, the answer is Hadoop, now what’s the business problem? Data is a classic. Much better to hypothesise, build conceptual data models, ontologies, analytical constructs and then technology. Most people won’t get that and so they will buy technology, probably mixed is the misnomer that is AI and categorically fail.

What’s the largest barrier most companies currently face in meeting GDPR compliance?

Having a clue. In terms of what is required, how to go about it, where they are today and how to build a pathway that improves that position with actually effective remediations, be it policy, process, contracts, risk management, technology, countermeasures, controls etc. Add to that the raft of expertise available to them who will help them achieve the square root of not a lot because they’re not actually experts. No one person has the full body of knowledge. Don’t hire a case law expert and expect them to do all of GDPR. They will not have a clue about effective controls, or technical measures that work in business practice. Likewise, don’t get an encryption specialist to look at case law. Choose experts that actually have demonstrable experience in the particular problem that you are solving. And that problem should not be as wide as GDPR compliance in its entirety in one go as that’s just dollar signs for any consultant / SI / technology. Break it down into smaller problems and solve them. And look for people with real world experience, not theorists.

Ed chose Liam Neeson or Danny DeVito to play him in a film of his life.

If you have one piece of advice for other CIOs or IT Managers, what would it be?

Start with a business problem. A succinct business problem, not a novel! That comes from understanding your customers (internal and external), your business operations, its lifeblood and vision. Don’t chase technology. Don’t do something just because the analysts at Gartner, Forrester, whoever say so. Don’t do something because the media says it is the future. Chase solutions that actually solve the succinct business problems that you identify. You don’t always have to buy them either. If you don’t know then get people in who can actually help you. Check their actual credibility. Have they ever done it, or simply consulted on the theory? Choose the woman or man who has the battle scars from getting it both right and wrong.

Who in cybersecurity do you admire the most and why?

There’s three. I’m very fortunate to know Ian Levy and Paul Chichester, from the NCSC, and to call them friends. They are just awesome guys! Really top level. Knowledge is right up there and then some, but they are also really down to earth guys who like a good laugh and joke, and maybe the odd pint, with the best of them. The other one is Shawn Riley. The man blows my mind with how smart he is and how far ahead of everyone else in the game he is. He’s just a genius!

If you were given £30 million to spend on digital transformation within your company, where would that money go?

Depends how long I’ve got to spend it. If it is a normal budget cycle then I’ll buy loads of magic beans and achieve very little. I like to focus spend where it is necessary and where it will have the greatest impact. Key areas, fix your foundations and mop up after projects inevitably deliver the future without decommissioning the past. Lots of logging and the right analytics to make IT ‘run’ easier and more effective. Though I think the best digital spend is in bringing people together and getting them to understand they have the same goal and need to work hand in hand to achieve it. That often makes them uncomfortable as they are oft pitched against each other. I could do that with a decent bar bill.

What is the most over-hyped digital innovation in cyber?

Right now it’d have to be AI. There is just so much utter nonsense talked about AI. There is some great stuff out there, like DarkLight’s expert system, which has transparent and explainable deductive inferences, scientific knowledge management and reasoning. All into the semantic interoperability space. However most of what is actually badged as AI is really just discovery algorithms. It’s deductive reasoning vs inductive reasoning. Most of the AI you hear about only gets as far as tentative hypothesis. It’s not going to do what you think it is going to do. It is a bottom up approach, when what you need is top down. Start with hypothesis and work down to confirmation. I’d do the same with big data.

What is the most under-rated digital innovation in cyber?

Being customer centric. Seriously. Everything is about the customer and yet security often still sits in the ivory tower, writing policies that nobody reads and are wholly ineffective anyway, getting awareness wrong, not understanding the disjoin between what they say and what actually happens within business operation. Equally with controls and technology. Everything works fine until you put it into business use, firewalls being an awesome example. Just keep adding rules until your firewall does nothing but heat your datacentre. Security has to get in bed with the business and its customers. Those who do are by far the most innovative and effective.

And a few non-digital questions for fun…

What’s the worst job you’ve ever had and why?

My first job, which was a temp job at Dillons the Bookstore’s head office. I literally filed paperwork all day every day. It drove me nuts, but it was a wage.

If you could travel back in time to meet one person, who would it be and what would you say to them?

JFK and I’d tell him to duck!

What’s the last song you listened to (be honest!)?

It was Chateau by Angus and Julia Stone, from their new album Snow. They’re playing the Royal Albert Hall in June 2018 and I’m already giddy with excitement!

What’s your favourite piece of technology at home and why?

Sadly my phone as I spend too much time on it, but I start getting the shakes when I’m without it for more than ten seconds.

If you could have any other job, what would it be?

Beer taster, or professional rugby pundit, rather than amateur armchair pundit.

In a film of your life, who would play you?

It’d have to be someone tall and with a big nose, so Liam Neeson. Either that or Danny DeVito.