Amid the increasing evidence and warnings of CISO burnout, Joseph Da Silva of Electrocomponents is rather unique. Alongside his demanding full-time work as CISO and his commute, he finds time for 15 hours of studying each week for a PhD – and is hugely contented. “The studying never feels like a chore – I enjoy it so much,” he says, “plus it is incredibly relevant to my job, and I think it will be useful both to me professionally and the industry in which I work.”
Relevancy can’t be overstated: Joseph’s doctorate will be on the purpose and structure of cyber security functions within organisations, an area in which there is “very little research but lots of opinion” he says. “And it’s vastly complicated – every time I pull on one thread, so much more unravels. It’s fascinating and touches so many different disciplines.”
While there is one non-negotiable – that “cyber security is fundamentally about risk and about people,” – the function of the cyber security department often varies from company to company, depending on the industry, the internal cultures and corporate structure, staff expertise, the size of the company and the growth stage of the business. “There are so many different answers about what this function should be, and not all companies know what they need from the CISO,” he says. “I’m impatient to get into my field work and start finding out more.”
His PhD will take around six years to complete part-time and is a task “well supported by the management” at Electrocomponents, Joseph confirms. Likely the company will have recognised the implicit gains for them as their CISO undertakes this intensive period of professional development and research, not to mention adding to the discussions and debates across the industry. For Joseph, the satisfaction will come from burrowing beneath the surface of a role and topic he is passionate about.
A need to ‘look under the bonnet’ stemmed from childhood. “As a child I was introverted, very scientific and questioning,” he explains. “I would pick locks and take things apart so that I could understand how they worked.” Notably, he recalls being drawn to finding flaws and vulnerabilities simply for the “intellectual interest of it”, describing himself as “an active participant in life. I don’t trust things implicitly. I need to verify; then I trust.”
Little surprise, then, that his insatiable curiosity led him towards the sciences at school, albeit without any idea of what career he was aiming for. He applied to study Biochemistry at University due to a fascination with genetics and because “it was the combination of my A Levels in Maths, Biology and Chemistry”. However, upon graduation he was keener to start earning money than to pursue a life as a technician “in a windowless lab for little money.” He adds: “the area was conceptually interesting, but the day-to-day job would be dull. It wasn’t for me.”
His route to cyber security was a circuitous one. He moved from finance to telecoms, gradually nudging into IT. He spent a memorable four years with IBM – “the best two things I did career-wise were joining and leaving IBM” he says – and took opportunities as they arose, moving from business analysis into architecture and becoming involved with security along the way, particularly with regard to infrastructure. This piqued his interest in cyber security as a profession and so he armed himself with qualifications and eventually got the CISO job at British Gas.
“It suddenly seemed right,” he says of that first leadership role in security. “Being a CISO really seems to be a perfect fit for me, but I don’t think I would feel that if I hadn’t taken the professional journey I have. I wouldn’t be as capable, and I think all my experience in business has given me a useful viewpoint to inform my work now. You need breadth over depth as a CISO; you can’t possibly be an expert in everything.”
He is eighteen months into his role at Electrocomponents and still finds the job “exciting”. He recognises the potential for burnout in the CISO role, especially if the demands are unrealistic, but suggests that some of it “depends on how you deal with the pressures.”
He continues: “Yes, I have a huge amount to do, and not all the resources I want to do everything I would like to do, but I work with what I’ve got, plus I have strong support from the leadership team. One person’s stress can be another person’s excitement, and I do think that if you are feeling very stressed, you need to change something, whether that is the environment, the job, or yourself.”
His own method, employed at the organisations that he didn’t find supportive, was to alter his mindset to enable him to withstand discomfort for a finite period. “I would set myself a time limit on working there – say two years – and commit to learning and gaining as much as I could from the place before I left.” Such strategies have equipped him with a wealth of skills and nurtured an ongoing capacity for learning, the latest instalment of which could help reduce some of his contemporaries’ stress by helping businesses better understand the role.
“Some of the CISO stress comes from employers being mismatched to employees, and companies not knowing what kind of cyber security function they actually want and need,” says Joseph. He hopes his thesis will become part of a growing body of academic literature analysing the challenges and developing blueprints for solutions.