“It’s exciting, frustrating and challenging – it’s like having lots of puzzles to figure out, and sometimes the pieces don’t fit,” muses Richard Starnes, an experienced cyber security specialist currently working as Chief Security Strategist for Capgemini, when asked about his profession.
“And yes, it’s stressful at times, but that’s because a significant liability comes with being responsible for a business’ cyber security. It’s easy to forget that a big company is supporting a lot of people – a lot of families – so when they suffer a breach, everyone is impacted. One of the things I like about the role of CISO is that I bear responsibility for all those people and I work for them every single day.”
As his industry hand-wrings over the mental and physical toll of being a CISO, Richard’s acceptance of the magnitude of the task is unusual but not unwelcome. This is a man driven to make a difference in the world around him and who derives pleasure in working hard to make others’ lives better.
Growing up as the son of educators in Eastern Kentucky, Richard studied political science and sought a career in law enforcement, despite having a serious interest in computing – and a talent to match. “I was fascinated by technology and the possibilities of what could be done with it from a young age,” he says. “Those were the early days when you really had to figure things out for yourself. My friends and I used to order computer parts and build systems to sell to college kids. It was a nice little business, but never more than a serious hobby.”
It was his grandmother who inadvertently set him on his path into the tech industry. The matriarch of an education-focused family (“everyone has at least a Masters” he says of his kin), she was the first woman to study physics at her university and worked as a social studies coordinator for the county. “Her work took her all over the world and her stories of all these exotic places used to fascinate me. I knew I wanted a job that would do that for me.”
She had also studied at Royal Holloway, University of London and compelled him to look up her old institution when he visited the city. “I did what I was told,” he says, “and then I spotted that they did a Masters in Cybersecurity that was just what I was looking for, more operational than theory.” He secured a place, moved to the UK and set his life on a new path.
“It was the turning point in my career,” he says, “and marked the shift into IT and cyber security.” He returned to law enforcement for a time – as Cyber and Financial Crimes Investigator for the Franklin County Sheriff’s Office – before moving into the roles that were precursors to the CISO job, such as Director of Incident & Response for Cable & Wireless.
“Those were heady times,” he says of his experiences during the early 2000s. “Cyber crime was a fairly new phenomena and lots of companies didn’t have any sort of process for dealing with it. We were trying to develop ways of reacting.” Despite the vast progress in the two decades since, Richard believes “the maturing process is still taking place and we still have further to go.”
One of the developments that he is keen to see is the establishment of a regulatory body for cyber security professionals. “We have them for doctors, for lawyers, for the engineers. We regulate those professions because not doing so would harm society; isn’t the same now true for cyber security professionals?”
He sees the shortage of skills as another area of concern. “The number of cyber security people we need is growing but the pipeline is not,” he says. “There is the added complication that people are coming up having done a course but without real experience. It could be one of the reasons why there is such a high CISO burn out rate. The experienced people we have in these roles are being pushed harder because of a lack of resource.”
The myriad issues faced by the profession will only evolve as the industry continues engaging in what Richard sees as “the Cold War for our generation.” The analogy suggests that it’s a battle with a potential end point, an optimism that Richard admits to. “If I could figure out a way to secure systems 100% forever, of course I would do it. It’s like the police would love to retire if there were no more criminals. It’s what we are working towards, ultimately, even if it might not happen. You have to aim for that.”
It’s a drive that keeps him at a job that “is never boring,” he says. “There are new challenges and new things to learn every single day.” He is also involved in mentoring young people, an aspect of his life that he greatly enjoys. “I think when you get to a certain stage in your career it’s important to give back and I love helping people at that early stage of their professional lives.”
Any remaining time is spent with his partner and her three children, going clay pigeon shooting or indulging further in his lifelong love: technology. “I am a total tech geek,” he admits, “I love it all. I’m the guy with 16 devices plugged in at my desk. I love all the good things technology brings us and all the possibilities it opens up. Yes, we have to take the bad with the good, but it’s worth it.”