“I sometimes feel like the one of the Old Guard,” says Shan Lee, CISO of TransferWise. “I have been working with computers since back in the day when most people didn’t have them. I was lucky, to be honest, that my all-consuming hobby has turned into a job I love.”
Yet it wasn’t his first choice. Despite a boyhood enthusiasm for computing and technology, Shan had only one option in his mind: “All I ever wanted to do was join the Royal Air Force,” he says. Consequently, when he was medically discharged, he struggled to find an alternative vocation.
If only he’d paid more attention to his hobbies. It wasn’t until Shan was into his twenties and working as a salesman that a friend pointed out he was acting as unpaid tech support for everyone he knew – and enjoying it more than his day job. “’Why don’t you just make it your career?’ he asked me,” says Shan. “It was the best thing I ever did.”
His 24-year career progression from tech support to CISO has been alongside the very concept and discipline of cyber security itself. This has given him a unique perspective on such a fast-changing landscape: “The whole industry moves so rapidly. The biggest surprise for me has been the speed of growth, the rate of change and the massive complexity,” he says. “But then the constant change is what keeps you interested. No two days are ever the same and I still learn something new every single day.”
One thing he has learnt more recently is the importance of self-care in a role that has an alarmingly high incidence of burnout due to stress. “People are finally starting to talk about it, and people I really respect have spoken out about their own issues – one was my friend Thom Langford. That really came as a wake-up call for me. I’m think I’m probably just lucky to have never had any problems myself. I’ve worked so long in this industry that high-stress has almost become normal.”
He recounts a time in his career when he stayed at work for three days straight to respond to an incident. “It sounds crazy, but at the time you are just riding on the adrenaline,” he explains. “I think security people love the rush that comes from an incident response.” Today, he is far more mindful of his own wellbeing; he actively encourages his team to take breaks and recently went on holiday without taking his laptop “for the first time ever. I felt like I’d had my leg cut off, but when I got back to work I realised how much I had needed that break.”
He is quick to credit his team for managing in his absence and admits “working with a team is the best bit of the job. And that’s what I worry most about: losing my staff. They worry about the serious threats and I worry about losing them. Today, I think the challenge for those of us in security is building a good team and keeping them, especially as this industry offers some lucrative opportunities.”
Creating strong security teams is something he is well-versed in, having been the first security guy on the ground in Europe for Sabre and at JustEat as they grew from a startup to a public company. He relishes the pioneering challenge and has learnt a lot about identifying priorities, and the importance of creating a culture supportive of robust security.
“You train hard then fight easy,” he says, “and rule number one is always, ‘don’t panic’. That means no rash decisions. Preparation and planning are key. We run regular exercises so we know how to react when things happen, and even then it is with urgency and not panic. We respond in a measured and deliberate way.”
He is also a firm believer in the power of culture and the importance of people when it comes to security. “If people aren’t educated properly they can become a point of vulnerability, but if you train them carefully and promote awareness, people can be your best defence. I really strive to promote this at the organisation – we have an amazing security team and all the technical controls we need, but at the end of the day, people doing the right thing is what matters.”
This extends right up to the top of the business. “You have to have a completely integrated cyber security program,” says Shan. “It needs to be part of everything you do as a business, all the way through the lifecycle, or else you will always be playing catch-up. You’re never going to win.”
He recognises that there was a period when CISOs were “being thrown under the bus” and Boards would close ranks against the security team, “but I think those days are past. The industry is waking up to the inevitability of cyber attacks and recognising the benefit in having a CISO with experience of managing them. There is more understanding today.”
For a life-long computing aficionado, Shan embraces the changes that technology is bringing to the world. “We can’t sit still, but every advance has its own peculiar problems, so there will always be more to do. It keeps people like me in a job.”
And when he finally comes to hang up his boots, “many years from now”, Shan has a list of non-security related hobbies that he wants time to explore. “I’m a Land Rover fanatic,” he admits. “I have three different ones and I love overlanding in them when I have the time.” That said, even the thought of retirement makes him a little uncomfortable. “It’ll be hard to leave security completely,” he admits. “I might have to work part time as a consultant. I just love what I do too much.”