I have spent almost all of my working life (22 years) as a civilian member of staff with the Police Service; first Grampian Police and latterly Police Scotland. Recently I made the move from public service to private and today I’m Chief Security Officer at Converged.
There’s a Twitter account called @AccidentalCISO; an appropriate handle given that their bio states “I accidentally became the CISO”. It struck a chord because you could probably say the same for me.
While I have amassed the skills and experience required of any modern-day Chief Security Officer, I’m certainly not your traditional CSO. In fact, some might say I’m about as far removed from what most would believe a CSO to be. But I’m certainly not alone in my unconventional route to the role. As technology continues to seep into all areas of business, the scope of many IT teams has grown exponentially, and the result is a need to inject transferrable skills and experience into the team.
Robbie Ross, CSO
My unconventional route to the role
My Police career began in the Criminal Investigation Division before moving to the Corporate Communications Department. In 2008 I joined the Energy & Protective Security Unit as a Counter Terrorism Security Advisor or CTSA. It was here that my passion for cyber security took hold. The role of a CTSA is to provide protective and counter terrorism security advice to all businesses, both public and private. I found myself engaging with a whole host of organisations from energy firms and laboratories to shopping centres and companies that provide vital functions to the running of the UK.
It became clear to me pretty quickly that although physical security was very important so was electronic security. And so, I started to dedicate more and more time to studying this lesser covered area of security and really building up a true understanding of how these particular set of risks were impacting the businesses that I worked with.
In 2018 I jumped at the opportunity to move to the Cybercrime Prevention Unit which is part of the Safer Communities Department. Here, as a Cybercrime Safety, Prevention and Resilience Liaison Officer (is that the longest job title in the cyber world?), I worked with businesses, public sector organisations, charities and schools delivering cybercrime security information. My key objective was to influence the behaviour of both the individual and the wider business to improve their resilience in tackling the threat of cybercrime.
Now, up to this point you’ll notice there are a few things missing from the typical career path of a CSO. There is no ethical hacking degree, cybersecurity or computer science degree or even a senior IT management position.
So, what is it that makes me qualified to be a Chief Security Officer?
The saying ‘The sum is greater than the parts’ fits well here. At Converged we have the most technically skilled engineers and technicians that you will find in any local, if not national, IT company and they have all the hands-on expertise required to keep your company safe. My job is to ensure that we make cyber security easy for you, analyse your existing security, develop a plan to attain compliance and also to maintain those standards.
Teamwork makes the dream work
As already mentioned, cyber security can benefit from various different skillsets. I was fortunate to hear Ciaran Martin, CEO of the National Cyber Security Centre, speak at the Scottish Police College and he stated that businesses need to stop seeing cyber security as “techie” and “geeky” and he is absolutely right. I am a proud geek. Yet I am not techie in the true sense, and I don’t need to be because those skills reside elsewhere in my team. Tiffany holds a degree in ethical hacking and John is our accredited cyber security assessor and GDPR expert. Quite frankly anything John doesn’t know about CyberEssentials & IASME governance isn’t worth knowing.
As for me, I know exactly how cyber criminals think, how to identify business risks and how to mitigate these. I’m very comfortable engaging with all levels of personnel, a necessity really when I’m out delivering staff awareness training and supporting cultural change on a regular basis. The bottom line is that I am experienced in keeping businesses safe and believe that is what companies want. Incidentally, it’s also the role of a CSO. As a team, our process and technical skills are a force to be reckoned with.
Cyber security is everyone’s responsibility
The world is changing and like my accidental CSO status, many others have found themselves in a similar situation, with cyber security, data protection or cyber training responsibilities being added to their job spec. And as cyber security is everyone’s responsibility this is no bad thing. The difference is I bring existing skills and experience to the table, and I will be using these to support anyone with security responsibilities, no matter whether they’re new to the role or a veteran.
To sum up, my name is Robbie and I’m proud to be an Accidental CSO. This Accidental CSO is looking forward to leading a team of cyber security experts on our quest to better protect our client’s business.