Dr David Scholefield talks his role as CISO at Flexys
David, can you tell us about your background and career so far?
When I was 16 I went to work for a company called Aidcom International, based in Coventry who made a very popular handheld computer called The Husky. I wrote the operating system code for them and loved working there. People would bring in these Husky computers that they had dropped into the canal or run over on a building site and we’d salvage the data from them. Everything we did was innovation in those days, for example, we wrote barcode scanners from scratch. It was great fun but I realised if I wanted to get anywhere in computing I’d have to get a degree.
I went to Hatfield Polytechnic for an interview and even though I didn’t have the required entry qualifications they offered me a place on a Computing degree course. As part of the course, I worked for NCR developing the point of sale network for House of Fraser. I achieved a first-class degree and Hatfield offered me a lecturing post in Computer science and mathematics.
After a year of lecturing, I was offered a research position at The University of York where I could combine a research associate role with a PhD in computational mathematics. After my PhD, York University offered me a lectureship and I met my future business partner who was doing a degree in artificial intelligence not far away in Leeds. The internet was starting to get interesting and being adopted by companies so we decided to start a small business linking back-end computer systems with the internet. Apple, Toshiba and Lotus cars were some of our early clients.
After a time, we realised that there was a sizeable gap in the security of these systems, which I became really interested in. I’d always been a bit of a geek! I started to work in security consultancy, including at IRM and CSC. I gained CISSP and OPST certification and worked in this field for about a decade. We also designed, implemented and managed a business critical software-as-a-service system for a major distribution company to automate its retailer ordering system.
I now work with a lot of clients to achieve their ISO27001 and PCI-DSS compliance and I do penetration testing, hacking into their websites to test security. That’s my story!
What are the main challenges software development companies face today?
They face the task of maintaining security in an environment that is rapidly changing. Companies are adopting a fast-moving agile development cycle to get innovations out to customers while ensuring security is central to their practice. At the end of the day, security is about protecting your reputation by protecting the value of yours and your customers’ data. Externally, you also have lots of different competing compliance requirements that have to be worked through.
There is also the challenge across all market sectors and sizes of business, of ensuring staff have exposure to security knowledge and experience. In this sense, fintech startup companies are a good place to be as there is no place for dead wood, you get a team that are motivated, competent and very quick learners and the response to security issues is very positive. This contrasts with a tick-box approach adopted by organisations who don’t have the internal expertise or a pragmatic view of security. At Flexys, we have really switched on people, they care, they’re not just ticking boxes.
What does your role as Chief Information Security Officer at Flexys entail?
Flexys has developed a very technical online product that handles sensitive data and its reputation is one of its most important assets. As the company grows, security will continue to be woven throughout the company culture and practices of the business. The role of a CISO is to ensure that all the processes of the company, technical and non-technical, maintain a level of security that is concomitant with the value of the data they are processing. I make recommendations to the board as to where company resources are best spent to ensure a level of security appropriate to its operations. The CISO makes recommendations on where and how to minimise risk and provides guidance on the use of technology as well as genuinely enhancing the security knowledge of everyone within the team. The bottom line is that every pound spent on security should be guided by the maximum return on the reduction of risk.
What are the top three security habits a software development company should adopt and practise?
I would say to think about security risks as early on as they possibly can. There’s an adage that if you consider security early in a project it is orders of magnitude less expensive than if you consider it at the end. Secondly, be prepared that there may be a commercial impact on making the right security decisions. Finally, realise that the biggest security risk is people, not technology. The thing you can do about this is building defence in depth by creating an environment where issues are not amplified and there are values and stops and checks in place. What makes a good security professional is being able to explain to people the importance of what you are doing in a way that makes people want to work with you and not see you as a blocker or hindrance.
Finally, what do you do in your spare time, how do you like to relax?
I never relax! I make a lot of music, I play classical guitar and bass and until recently I played drums in a band. I do a lot of mountain biking, this area of the Cotswolds is perfect mountain biking territory and that helps me switch off. I also do quite a lot of rock-climbing and motorcycling. That’s how I relax generally apart from going to the pub with friends for a few beers.