In February 2020, Don Randall MBE, former Bank of England CISO, joined METCloud as a senior advisor to the board.
Information Age spoke to him to find out about his new role, his view as a former CISO on cloud security and what was expected of him during his time as the Bank of England’s CISO.
Why did you join METCloud?
I met the CEO, Ian Vickers, around 18 months ago. He talked about METCloud’s vision, concepts and philosophy, particularly relating to cloud security and all the demands that that creates.
The first reason I joined METCloud as an advisory board member was because I supported the above and I liked Ian’s attitude to cloud security. Speaking as a former CISO, cloud security is important.
Rightly or wrongly, the cloud and digitalisation is the future. But, security of the cloud has been a debatable subject for some time and there are many views about that.
The reality is the cloud is here and we need to provide security — in that regard I liked how Ian was pushing this initiative forward.
In the middle of last year, he approached me and asked whether I would like to be a senior advisor to the board and I agreed.
What does your role entail?
My role is similar to the one I had at the Bank of England, where I was the cyber ambassador or CISO.
It’s clear by virtue of being an advisor to the board that I’m an ambassador and endorser of what they’re doing. I’m not a salesperson. Instead, I give guidance to the executive members about where I think value could be added, introduce them to people who I think would find a benefit from their service and also provide structural advice when appropriate.
What skills and experience can you bring to METCloud?
I’ve been in the security industry for over 30 years, both in the public and private sector.
From that point there has been an evolution of criminality from bank robbery to fraud to cyber. I’ve experienced these three streams and how criminal activity has migrated from one state to another.
I’m not a technically skilled person, but my cyber awareness and the role and responsibilities I had at the Bank of England combine together well for this advisory role.
“Think like a criminal to beat them at their own game” — Frank Abagnale Jr
What’s your advice as a former CISO on cloud security?
Today, you can’t avoid the cloud and there are several initiatives out there that are committed to securing it.
For example, the relationship that METCloud has with IBM is phenomenal.
IBM has a massive platform. It’s difficult to monitor and secure. But, METCloud’s platform has soft capabilities that allow the security operations centre to know what’s happening.
The security operations centre is designed to provide daily abnormalities. As a CISO, I want to know what these abnormalities are — the security operations centre provides that awareness of what’s happening so the CISO can take action by identifying what is normal behaviour and what is not.
If you choose the right security operations centre you will be able to identify actual attacks and attempted attacks. Combining both with threat intelligence will allow you to identify the suspicion of attacks.
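The three categories described above (actual attacks, attempted attacks and suspicion of attack) can be illustrated with a small triage routine. The following is an added example and is not METCloud’s or IBM’s code; it assumes a constructed line format (`user=… src=… result=…`), constructed sample log lines in the documentation address ranges, and a constructed threat-intelligence indicator set. It builds a baseline of normal behaviour (which sources each user normally logs in from), then labels recent events: a successful login from a threat-intelligence-listed source as an actual attack, a burst of failed logins from one source against one account as an attempted attack, and a successful login from a source outside the user’s baseline as suspicious.

```python
import re
from collections import Counter, defaultdict

# Constructed sample authentication log lines (illustrative only, not captured data).
BASELINE_LINES = [
    "2020-03-01T09:00:00 user=alice src=10.0.0.5 result=success",
    "2020-03-01T09:05:00 user=alice src=10.0.0.5 result=success",
    "2020-03-01T09:10:00 user=bob src=10.0.0.7 result=success",
    "2020-03-01T17:30:00 user=bob src=10.0.0.7 result=success",
]
RECENT_LINES = [
    "2020-03-02T02:14:00 user=alice src=198.51.100.23 result=success",  # new source for alice
    "2020-03-02T02:15:00 user=bob src=203.0.113.9 result=failure",
    "2020-03-02T02:15:05 user=bob src=203.0.113.9 result=failure",
    "2020-03-02T02:15:10 user=bob src=203.0.113.9 result=failure",
    "2020-03-02T02:16:00 user=bob src=203.0.113.9 result=success",
    "2020-03-02T09:01:00 user=alice src=10.0.0.5 result=success",  # matches alice's baseline
]
# Constructed threat-intelligence indicators (assumed feed; documentation-range address).
THREAT_INTEL_IPS = {"203.0.113.9"}

# Assumed line format for this example.
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(success|failure)$")


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({"ts": ts, "user": user, "src": src, "result": result})
    return events


def build_baseline(events):
    """Normal behaviour: the set of source addresses each user has successfully logged in from."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(e["src"])
    return baseline


def triage(baseline, events, threat_intel, failure_threshold=3):
    """Label recent events as actual attacks, attempted attacks or suspicious activity."""
    findings = []

    # Attempted attacks: repeated failures from one source against one account.
    failures = Counter((e["user"], e["src"]) for e in events if e["result"] == "failure")
    for (user, src), n in failures.items():
        if n >= failure_threshold:
            findings.append({"category": "attempted_attack", "user": user, "src": src,
                             "reason": f"{n} failed logins from one source"})

    # Successful logins: threat intelligence decides between actual attack and mere suspicion.
    for e in events:
        if e["result"] != "success":
            continue
        known_source = e["src"] in baseline.get(e["user"], set())
        if e["src"] in threat_intel:
            findings.append({"category": "actual_attack", "user": e["user"], "src": e["src"],
                             "reason": "successful login from threat-intel-listed source"})
        elif not known_source:
            findings.append({"category": "suspicious", "user": e["user"], "src": e["src"],
                             "reason": "successful login from source outside user's baseline"})
        # A success from a baseline source is normal behaviour and produces no finding.
    return findings


def run_example():
    baseline = build_baseline(parse(BASELINE_LINES))
    return triage(baseline, parse(RECENT_LINES), THREAT_INTEL_IPS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['category']:17} user={f['user']:6} src={f['src']:15} {f['reason']}")
```

The baseline is deliberately the simplest possible model (source addresses seen per user); a production SOC would add time-of-day, geolocation and device signals, but the decision structure is the same: the anomaly detector supplies the candidates, and threat intelligence raises or lowers the confidence that a candidate is an attack.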
The key thing with security is to understand the motivation of the attack. Why is it being done? What’s caused it to happen?
Apart from the interface between the IBM and METCloud principal platforms, the inbuilt security operations centre capability is crucial for effective cloud security.
But… a lot of multi-million businesses lack this security operations capability, which is where I think the METCloud model stands out.
What was expected of you as CISO of the Bank of England?
At the Bank of England, traditionally, there wasn’t a chief information security officer or CISO. But, in the summer of 2013, Mark Carney arrived and did a number of things.
First, he appointed a COO, which the Bank of England historically never had. He made some changes to the CIO role and asked me to carve out the CISO role for the bank.
The bank’s executives were keen, and I support this philosophy, that the CISO should not report to the CIO, in very simple terms, to avoid ‘marking their own homework’.
A CIO identifies business needs, provides those business needs, solicits those business needs, implements those business needs, supervises those business needs and deals with the daily issues that come from the technology of the business needs.
Based on this, if you end up with a CISO, who is technically the police of the business’ technology, how can that person report into the CIO?
To get around this we created the Information Security Division, which had four elements:
1. Policy and standards.
2. Training and education.
3. Investigations, intelligence, forensics and everything to do with the effects of the attack vector.
4. CBest — threat-led penetration testing launched in 2014, which was a consequence of initiatives that were coming from the Cabinet Office and the Treasury and is now a global standard. The threat intelligence participants (the Bank of England and nine others) and the penetration testers had to meet these CBest-accredited standards.
Overall, my role was to create the Information Security Division that adhered to and practised those standards, while working in harmony with the IT department and CIO as a separate entity.
We both reported to the COO.