
This is software (AWS) generated transcription and it is not perfect.
Wow. It's been a long day, I think, to some extent, and particularly when I started in my IT security career 25 years ago, there really was... there wasn't a huge amount of education around IT. There certainly wasn't a huge education around information security in cyber security. And so I think to some extent it was a little bit of luck how I got to where I am today. I joined an apprenticeship program back in England, back in the mid to late nineties, sort of the mid nineties, purely because it was national news that there was an IT shortage in the country. And so you had a headline news: there weren't enough IT people. And so that was really a motivator for me. It's that, as a young individual wanting to find, you know, decide what the right career is for myself, thinking, this probably sounds like a good idea. We'll give it a go. It didn't, it didn't help that companies were offering some pretty good incentives like company cars and mobile phones. And you know, when you're young and you don't have any money, those sort of things are very appealing. But there was a really valuable opportunity for me, because not only do you get the education, but I got the experience, and so that got me into different IT functions, into support roles, and gave me a lot of exposure to different aspects of IT, and I was able to establish what I liked, what I didn't like, really, as my career progressed and I sort of joined different companies and got those different experiences. Then there are other elements that really went into how I progressed to where I'm up to today. A good portion of my career was at one company, and it's pretty difficult to progress from a relatively junior state to a very senior level in a single company over a period of time without a lot of tenacity and hard work. And so a lot of the advice I give to people is: understand where do you want to go next?
Understand what your long-term goals are, and work with mentors, work with your management, work with whoever supports you on how you get to those particular positions, because you're rarely in your career gonna have somebody present you with your next opportunity. You have to know what it is and go after it. And so I can think back over most of my 20-plus, 25-year career of the key moments in which I sort of had this obvious step of progression. If you do, you'll get used to a lot of, and you'll get into a position and you'll stay at that level. You may change roles a little bit. You're kind of at a level and you may do some lateral movements. But then something will happen that will progress you significantly to the next level, whether it's sort of more seniority into leadership positions or exposes you to a different area or discipline that you never had exposure to before. And I can think back in my career of those steps that I've taken that have broadened my appreciation of what I'm doing, broadened my experiences, have helped me grow, or I've had, you know, an opportunity to do something different that I really didn't understand, that was hard at the beginning, and I look back six months, a year later and I realize how much I've grown from it. Or I had a really strong manager or mentor that has smacked me around the side of the head and told me I did something terribly, and at the time I've not reacted well to that and only in retrospect realized that they were doing the right thing and really helping me grow. And I learned from that, and that helped build some of my experiences as well. But ultimately you put all those pieces together. You add a big sprinkling of luck, a big sprinkle of being in the right place at the right time, and owning what you want your career to be and driving that yourself, not expecting somebody else to do it for you. And that's kind of how I got to where I am today.
Okay, so as a chief information security officer for a company, there's typically only one of you in that company doing your job, and you have to look at it as: if anything related to security happens within your company, you are ultimately accountable for it. And so that's a pretty difficult and very broad scope of responsibility. And it's the broadness of that responsibility that makes it challenging, because security touches everything. You know, if you have products, if you write software, if you just have infrastructure, if it's externally facing, if you have customers, if you have clients, you have employees, all of those things. Everything has security implications to it, so you can't control all of that. So you have to think about what are the things that are most important within the company, and so you start to look at, you have certain responsibilities. But really what it comes down to is: do you understand what the big security risks are to your company? How are you managing those risks and how are you appropriately mitigating them? Sometimes what I like to think about is: do you understand what the risks are? Are you helping the organization consciously manage those risks? I think some great feedback I got early in my career when I became a chief information security officer was: we expect you to know where the risks are. We don't expect you to fix all of the risks. You succeed if you know where all the risks are, where all the security issues are, and you raise those up to the organization and we can talk about them as an executive leadership team and make conscious decisions on that. You fail if you miss the risks and we now get hit by one of those risks. When the risk is realized and we weren't aware of it, you have failed. It's not necessarily fixing everything; it's that awareness and bringing it to our attention so that we can make conscious decisions on what we do about them.
So when I opened Metron organization, I tried to look at what are the big risks? What are the things that we care about? Think about that concept of crown jewels or high-value assets. They're the things that really matter, because you could go chasing all these different things from a security perspective that don't mean a huge amount, and then you can go focus on two or three things that are really impactful. I like to use the analogy of a building, where, if you think about what I'm trying to protect, my company is a building. And within my building there are doors and there are windows. If I come in and I'm gonna look around at my brand new building I've been brought in to secure, and I walk around it, on the ground floor the back door's wide open and there's no surveillance cameras. And on the ground floor there's some windows that are pushed open with a wedge. And we haven't hired security guards to do anything more than at 2 a.m., for one hour, they do a walk around. Otherwise they go home. There's no fence around the perimeter of the building. Those are pretty obvious big risks. You also could look up and say, well, on the 37th floor there's a window open, there's a crack in the ventilation system on the 53rd floor, on the skylight. I've seen so many teams that were so focused on trying to build a ladder on the outside to get to the 37th floor. That's really, really hard, forgetting that, well, let's first worry about the open door in the back of the building and the fact that we haven't installed the video surveillance cameras. We haven't hired security guards. Let's start with the basics that are really, really obvious. Then, you know, if we ever get to that level of maturity, now we'll worry about the window on the 37th floor. It's understanding those things. Um, my biweekly hours vary massively. They can be for eight hours. Occasionally, they're more like 50 to 60 hours. They could be 80 hours.
It kind of varies a good amount, depending on sort of the situation, the time of the year, what we're working on, where I am in my particular organization. Um, there's really no set hours. The mindset I have is I'm always available. I'm always on. I never go far from, you know, at least this device, because I have to be contactable and available. And so on a good week it's not too bad; on a bad week it's pretty crazy.
I think the biggest pain points are, particularly in my job, specifically, managing the relationships with other business leaders. So if I am identifying issues or risks, I'm often not the person that then goes and fixes them. So, say, for example, a really good example is, you know, in a company where we build products and some of these products are very sensitive, and they go through extensive security code analysis and code review to make sure there's no vulnerabilities in that product before we ship it. Well, there are many situations I've been in in the past where we've found lots of issues with our products. But the business teams don't want to fix those issues, because now, you know, their deadline is they need to launch this product tomorrow because it's important for the company. But we're saying, well, there's a bunch of vulnerabilities in there. You need to address those. That could delay the product six months. Now we've got a highly contentious situation where the business is now about to miss a major deadline, which has a real revenue impact for the company. We're trying to slow that down so they can address some of the most severe security risks. That's a perfect example. Another challenging example is we identify vulnerabilities in infrastructure and we need those things to be remediated. They require downtime. And now if we're gonna take them, maybe we've got a big online presence. And again, you know, tight because you always think about how this ties back to the business and what impact this has on the business for us to go and to patch something. Yeah, that's a fairly easy fix. But if you've never got to coordinate several hours of downtime in an environment in which, for every minute you're not online, you're losing revenue, that's a very difficult thing to go negotiate. So those are probably a few of the obvious pain points that we go through.