As a quiet, introverted child who resisted change, Ian Golledge was not expected to have the career he now enjoys: a cyber security leader managing dynamic risk for global companies. “If you’d asked my parents 15 years ago whether I’d be doing this, and loving the variety and diversity of my work, they’d say ‘no way’,” admits Ian. “They had to kick me just to go to university; I was totally change adverse.”
It’s a good thing they did. Ian is now Head of Cyber Security at Japanese video game developer and publisher Square Enix in Europe and North America and has a decade of diverse and intense consulting experience on his CV, working with the likes of BAE Systems and PwC. Cyber security is an industry he finds “exciting” and was a career path that appealed during a Masters in Security Technologies and Applications at the University of Surrey, following a degree in Computing and IT.
That said, it has still been a challenging journey. “When I first became a cyber security consultant, it was really ‘sink or swim’” says Ian. “But sinking was not an option for me, so you swim, you have to.” He can now talk effusively about his ten years in the consultancy environment, relishing in the variety and intensity of the experience:
“You’re learning, you’re getting exposure, you’ve got variety, you’re in and out of different clients and the breadth of that is very enriching,” he says. “And you get to travel; I spent a year in Norway! When you’re on that rollercoaster of consulting, it’s incredible.”
That said, when his contemporary from BAE Systems Lachlan George suggested he consider the in-house role at Square Enix, Ian started to question himself. What did he really want to achieve through his cyber security work? “I realised that what I really value is being able to make a difference and have an impact. That experience is quite limited when you’re in a consulting position,” he explains. “You just advise. You never quite see it through, and so you never get that validation.”
He was also intrigued by the gaming industry, which he had only experienced from the outside as a teenage gamer. “The complexity of games today is on another level. When you’ve got millions of people online, that is a huge risk, and there is a huge back-end element to it. There is much less risk around a disc like I used to play,” he explains. “It’s a great opportunity to learn.”
He is now three months into his new role and is discovering a range of other benefits of working in-house after so long operating in the fleeting world of consulting. “I value having a little bit more time to think,” Ian says, “which is really important when you’re in a leadership position.”
“In consulting, you’re supposed to have the right answer immediately, so it’s refreshing to now be more open about what I don’t know. That’s the beauty of having a team: these are capable people and I work hard to engage with them. I think that makes a good leader, although I am still getting used to this ‘head of’ role. I’m not a natural leader, I’m just taking the responsibility for it as best I can.”
Consulting set him up well for the communication demands of his role: “I’ve had exposure to both techies and high-level management. I’ve learnt how to read cues and tailor the message to best suit the person.”
This helps, believes Ian, to reduce the levels of stress for the CISO. “It’s my job to articulate the risk properly to influence what I think is the right outcome, considering what the business is trying to do. That’s all I can do. Other people then have to own that risk, so the responsibility for that decision doesn’t lie with me.”
He describes it as “unfair” when organisations scapegoat the head of cyber security over a cyber incident. “You will always have an incident, even if you are the best CISO in the world. I just ask myself, ‘have we done enough?’ And that comes from consulting; I was very aware that clients were paying for my time and I had to do the very best I could.”
An awareness of the inevitability of cyber incidents also helps Ian direct his energies more efficiently. One of his principles is to focus on the top five risks that would have the biggest impact on the business. “This resonates more with your stakeholders then too,” he explains, “and you do your preparation around these things, for example having press releases ready for certain breach scenarios.”
Being prepared is probably the main reason why Ian has been able to (almost) always leave work promptly to see his three-year-old daughter before she goes to sleep. “These early years are so precious; you can’t get them back, so it’s been my rule to always try and be there before she goes to sleep” he says. “This new job definitely gives me a better work-life balance, which I really value.”
You would be mistaken for thinking that Ian’s life is now settled, with no more demands on his hard-won ability to change. “My wife is from China, and her parents are in Shanghai,” he says towards the end of our chat. “First time I went there, it was a bit of a culture shock. And I was getting fed all these weird and wonderful things…duck tongue? It was hard to start with, but it’s all part of opening your mind, right? It’s brilliant.”
Read more CISO interviews on our blog, including Nandos’ Lachlan George, Revolut’s Paul Heffernan and consultant Phil Huggins. Download Nominet’s recent CISO report, Life Inside the Perimeter: Understanding the Modern CISO.