Mark O’Hare, CISO for Mimecast, has found a good way to offset the intensity of his job. “I think I self-medicate with exercise,” he says, “and I have way too many hobbies.” The list of his extra-curricular pleasures includes squash, hiking, triathlons, kitesurfing, mountain biking and running. Most recently, he took part in the joBerg2c, the ‘longest mountain biking stage race in South Africa’ that saw him cycle 950km over nine days. “I love anything that gets me out and about and breaking a sweat.”
Luckily, sweating is not something he does too much of in his role at Mimecast, where he has been working for nearly half of his 22-year IT career. He has built a capable team and fostered a good relationship with the executives and the board, as well as between departments as “the teams who are operationally-focused can sometimes see the security team as a blocker to their own activity”. Collaborating effectively and communicating clearly can ease some of the pressure that CISOs face, Mark believes.
“It’s definitely a stressful role, and more so than any others I’ve had in my time,” he says. “Often there is a large expectation on the security team from the business, but the support you receive doesn’t always match that. It’s vital that the security team is seen as collaborative, approachable and on the same team. We’re there to help the organisation, after all, and if you have a high level of trust between teams, it works well.”
Yet even with good relationships between business units – as Mark has nurtured after eleven years at Mimecast – the role itself will always involve uncertainty and an elevated level of stress. “CISOs live with the constant worry of, ‘is today the day we have a security incident?’ There are some days when I would quite like a predictable flow to my day to allow me to get through all the unread emails in my inbox to be honest!” he says.
Deep down, however, Mark has no regrets over his career. “I enjoy the dynamic nature of my job, and how it keeps me engaged and on my toes. It suits my personality. I love the fact that I’m still learning new and interesting things every day,” he says.
Self-improvement has been a constant throughout his life, even if the initial focus was not on technology but sport. “I was sports crazy and wanted to be a squash or cricket professional,” he says of his early years. “Even as a young kid I remember being extremely dedicated to practice as a way to improve my skills, and I think I have that same drive today. The principles of discipline, focus and hard work that I learnt through sports have been a great help in my career.”
He studied Sports Science at university in his native South Africa, but when he arrived in London as a graduate, he changed his mind. “It was 1997, the time of the Y2K bug, and it was driving a huge surge in IT-related jobs. I had kept my hand in computing during university and it felt like a good career path to take, so I did some courses like Microsoft’s MCSE as well as Cisco and Checkpoint firewall courses to make myself more relevant.”
It was through this that he discovered his area of interest within information technology: “I tended towards the networking and perimeter security side of things as I found I really enjoyed connecting and securing networks,” he says. “I think studying and implementing firewalls led me into the security world to a large extent.”
Over two decades in the IT sector followed, during which the industry and its risks have changed enormously, as have the challenges faced by the person responsible for security. “Back in the day, security was mostly an afterthought and even a tick-box exercise, while engineers were suspicious of the security team,” he recalls. “This has changed significantly now, especially at Mimecast.” If the internal relationships are managed well, the main challenges are the changing demands of fast-evolving technology.
“With many companies adopting different models, such as Agile or DevOps, there are challenges around inserting security at the right times in the development process to give the appropriate level of security oversight, considering the velocity of changes in the environment,” Mark says. “The proliferation of Shadow IT is also a big challenge for security teams – you can’t secure services you don’t even know exist in your organisation.”
Considering the complex demands on a CISO today, what does Mark feel are the key attributes for someone taking on the role? “Being approachable, a good listener and patient, with a good technical background and a solid understanding of risk,” he lists off. “It’s also about being collaborative and not a silo-builder – you need to help people understand the ‘why’ behind decisions. If you can get people to buy into the decisions, you will be more successful.”
Having a highly skilled team who understand the mission is important too, not least for the CISO’s own wellbeing. “I now have a very solid team under me and I feel confident leaving things in their capable hands,” says Mark, “although I don’t think I can ever completely switch off from work.”
His children help distract him, and it seems likely that a 950km cycle is a good way to leave work behind, albeit for a relatively short time. “A physical challenge like that is a great way to decompress,” he says. “There’s nothing like a healthy dose of pain and some beautiful scenery to clear out the cobwebs.”