The youthful CISO

15th March 2019

Sarah Rees

Paul Heffernan

Best to start with the obvious: Paul Heffernan, Group CISO for fintech unicorn Revolut – and formerly for Unipart – is incredibly young considering his job title. “I usually get asked if I’m a student,” admits Paul. “When I get invited to speak on panels I always wonder if I’m just the token youth.”

Yes, his thirtieth birthday may still be some way off, but it wasn’t Paul’s tender age that earned him the job of setting up the security function for one of the most talked about digital banking companies, nor was it the reason he was made Unipart CISO just six years out of university. He possesses the prodigious and powerful mix which is fast proving necessary for the modern CISO: technical understanding, innovative thinking, communication skills and agility.

His technical skills were honed via a degree at Coventry University in ethical hacking and computer security (one of the first of its kind). The area of change management was explored during Unipart’s “rigorous management training scheme” that he joined as a graduate, plunging him into a vast and complicated enterprise in which he was very much the young upstart.

“I found myself in a factory in the West Midlands doing a performance analysis of the making of exhaust parts,” recalls Paul of his early days at Unipart. “I was standing with a stopwatch next to a worker who had been in the role for about 25 years – and he wasn’t too happy about me being there.” It was a sharp learning curve, but invaluable in allowing Paul to recognise the value of holistic culture change over attempting forced behaviour change. And the importance of diplomacy.

He eventually moved into the cyber security team where, under the inspired tutelage of a man he still describes as a mentor – Harry Winstanley, the firm’s CIO – Paul’s entrepreneurial instincts could flourish. He created a cyber security product and division that was sold externally, to organisations such as the NHS, and Harry swiftly promoted him to CISO.

“I was lucky that he and the wider board decided to take a risk on me, and I owe them a huge amount of gratitude for that,” says Paul. “I was really chucked in at the deep end though – suddenly I was in front of the board, and it was incredibly overwhelming.” Thankfully, the validation of a respected senior early on helped Paul keep the imposter syndrome at bay – that and his tenacity, which proved valuable in securing his current role.

“I always had an interest in the financial sector, as it’s seen as the pinnacle in terms of cyber security,” Paul explains, “but when I told a recruiter that, they just laughed off my perceived inexperience. So I thought, ‘fine, I’ll show you’.” He bided his time, eventually finding his place with a financial business like no other. In September 2018, he swapped a weighty enterprise for the dynamic, relentless environment of a lean, rapidly evolving unicorn, led by two ambitious thirty-somethings.

“It’s really fast paced but good fun,” he says of working at the digital banking disruptor Revolut. “I’m developing innovative security features that we can plug straight into the banking app. And it’s agile DevOps here – we push into production 50 times a day. Speed matters.”

Such dynamism is exciting, but challenging with regard to security, especially as the number of customers using Revolut’s app tops 4 million. “You can’t check every product update manually, but we lay down security principles and automate so that defects are removed before production. We can also design things so that it’s impossible to make errors in the first place.”

He is also grappling with other unique challenges of Revolut’s approach, such as how to scale security in an organisation that operates solely on the cloud, while trying to keep pace with “truly organised” cyber crime that has surprised even him. “On the dark web, people are selling credit card details for as little as $2, and they even have a refund policy for stolen data that doesn’t work! It’s unbelievable.”

Considering the high-risk stakes, it’s something of a relief that Paul doesn’t face the common CISO difficulty of trying to change the internal perceptions of security. “I was ready for the challenge of trying to change the culture of the business if I had to, but it’s a receding problem at Revolut. Security culture is well built into the organisation, so I don’t ever feel I am playing catch-up to the product.”

That said, communication skills remain the top weapon in his arsenal, more crucial than technical understanding to the modern CISO, Paul believes. “You can’t be adversarial; you must be an influencer and an advocator,” he says. He also avoids holding his cards too close to his chest, sensing that the cyber security community will only develop through collaboration, breaking down the problem together to build new and innovative solutions.

“I think I’ve always been fascinated with the way things work,” he says. “I was the child who stripped things down – and I developed a bit of an obsession with picking locks.” He was labelled disruptive at school, a teacher phoning home when he took apart a mouse and a keyboard in his IT lesson. “But my parents were great,” he says. “They embraced it, making sure I had access to a computer so I could learn. After that, it didn’t take me long to get into ethical hacking.”

He relishes his role as CISO, especially now he works in an environment that supports his entrepreneurial interests and embraces his innovative solutions, even if the demands can be high. His work days are long, but his ebullience and enthusiasm are plain to see – he loves it, he asserts. “I’m living in this moment for now,” he says. “I’m just hoovering it up, learning lots – and it hasn’t been as stressful as I thought it would be. If I’m honest, it doesn’t feel like work.”

Read our report into ‘Life inside the Perimeter: Understanding the Modern CISO’ or find out more about Nominet’s cyber security services. Meet another modern CISO, Lachlan George, Group CISO for Nandos, on our blog.