If Andy Jones was the sort of man to be intimidated by high stakes and risk, he wouldn’t have lasted past his first tech job. As a physics graduate with an interest in computing, he was hired as a programmer for British Airways and started working on the engineering systems that manage aircraft engines. “I was told that if a plane was to crash, they would reverse engineer the code and be able to check if I caused it,” he recalls. “That really focuses the mind.”
But he recounts the story with a chuckle, betraying himself as one who maintains a cool head under pressure. It’s surely a necessary skill for someone who has worked as CISO at two of the largest multinationals in the world, Unilever and Maersk.
“The CISO role is interesting, almost unique in some ways, as you have visibility over the whole business and really understand it strategically,” he says. “But no one is pleased to see you, and a good day is just one in which nothing bad has happened yet.”
He recognizes that the intensity of work as a CISO carries a high risk of burnout, although he never experienced it himself. However, there came a point when he knew he needed a change “for my own sanity,” he says. “You never switch off as a CISO really – holidays are just work in exotic locations.” This ‘change’ involved escaping the front line to work as a Distinguished Analyst at the Information Security Forum (ISF), a role he has recently returned to for a second stint.
“It was great to do some research with the ISF, and then head back into business to put the ideas into practice,” he explains. “Now, it has been good to come back to the research after having been in business, knowing how things work in the real world and what issues need to be explored further.”
The ISF, a member-owned company, employs around 40 staff to conduct international research into cyber security. As an analyst, Andy will spend months delving into a topic and meeting experts from all over the world, before distilling the findings to be read by an international audience. “The writing is a crucial part of it and getting each paragraph right can be a considerable effort. It’s hard work, but incredibly interesting. It’s still quite intense, but it’s the change I was seeking after Maersk.”
He refers to his experience working as Maersk CISO when the $50bn multinational company was “taken down in just 15 minutes” by the devastating NotPetya ransomware attack in 2017. “We were sat around a table with pen and paper thinking, ‘how do you restart a company with over 2,000 systems? Where do you start?’” he recalls. “I was a little nervous.”
The enormous task was managed, and he deflates some of the media drama by pointing to the fact that all companies have a level of risk that they deem acceptable; cyber is just another, with the CISO hired to ensure that this risk is properly identified, and that it is properly considered.
“The cost of the incident was estimated at $300m which, while a significant sum, needs to be considered in the context of a $50 billion business,” he says. “Cyber just gets a lot more scrutiny because it is a high visibility risk – breaches and attacks will always be in the papers. But there is no perfect solution. In cyber security, you are always on the back foot, always behind the curve. There are some scenarios in which you are never going to win.”
The Maersk experience reinforced his pragmatism about his discipline, while his immersion in cyber issues and digital innovations has shown him that often “there is nothing new under the sun, and that many of the things we think are innovative in the digital world have a long history. For example, passwords date back to at least Roman times, yet we still put a lot of faith in them.”
Andy also doesn’t believe in the infallibility of the tech surrounding him:
“It worries me that we are building this digital world on legacy systems created years ago, some probably coded by me in the 80s. It’s fragile, and we shouldn’t take it for granted – but we do. And what about the digitally disenfranchised? The people who can’t do things because they don’t have connectivity, or don’t have a smartphone? Life becomes very hard for them. My old colleagues used to call me an analogue man in a digital world.”
In some ways he is: Andy has a passion for music and plays the guitar (he owns six). He also loved English at school, but computing captured his interest and has provided him with a career that simply didn’t exist when he left university. “Cyber security has been such a big part of my career,” he says, “and it continues to change, presenting new challenges and demanding different skills of those working within it. What is irrefutable, however, is that there is still a lot to do. I guess that’s why I love it.”