Challenge Accepted is a podcast from Arctic Wolf that offers listeners information and insights around the real-world challenges organizations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In this episode, our two hosts are joined by Mark Hazleton, Chief Security Officer of Oracle Red Bull Racing. In their conversation, Mark shares his path to working in cybersecurity and what it’s like to oversee securing a world champion Formula 1 race team.
Ian McShane 0:25
Hi, everyone. Welcome to the latest episode of the Challenge Accepted podcast here from us at Arctic Wolf. My name is Ian McShane, I’m VP of Product here.
Adam Marrè 0:35
And I’m Adam Marrè. I’m the CISO of Arctic Wolf.
Ian McShane 0:38
Adam, do you like F1?
Adam Marrè 0:41
You know, it’s funny. I did not really like F1. This was years ago. And then I like so many other people that Netflix show and just absolutely got sucked in had to learn all the rules. And then I started following and it’s just been amazing. And then you add to that a few years ago when I joined Arctic Wolf. And then we made the announcement of sponsoring the Oracle Red Bull team. It just made me even more of a fan so yeah, that’s my story. What about you?
Ian McShane 1:17
Yeah, almost exactly the same during the ’90s. Showing my age as usual. Everyone was pretty big in the UK. We have folks like Nigel Mansell, you had Michael Schumacher, some pretty famous racers, but for some reason, it kind of tailed off. And then like you, I think, during COVID, when the Drive to Survive show was on Netflix, I ran out of things to watch, just like everyone else, and was like, ‘Alright, okay, I’ll get into this.’ And I was just blown away by how interesting it was how the characters were in almost like the soap opera, like the real soap opera approach to the storytelling was great. And then like you I started to get really interested in the technology side of things. And then of course, when we became a sponsor of Red Bull Racing, I kind of dived into it even more.
Adam Marrè 2:01
Yeah so I know, for me, my favorite sports are those where each competition, there’s a lot riding on it, right. So in the US, I really liked the NFL, because, you’ve got 16 – 18 games. And that’s it. It’s not like baseball here. And I don’t know, maybe cricket is the same way. But there’s like 1000 games, and each one means so little, until you get to the playoffs, even the NBA is getting like that with basketball.
But what I love is around 20 races. And not only that, but you only have each team, there’s 10 teams, each team has two drivers, you only got to know 20 people who are out there, and maybe a few others that can be swapped out. But when you can really grok the entire field of play that way and understand how each event is meaningful. That’s when you know, I really, really enjoy sport. So downhill mountain biking is the same way, there’s a few events each year, I just really like that. So that’s one of the things that sucked me into it. And then, obviously, today, this opportunity to talk to how they’re securing everything that they do to make those races happen and to do all the research and development that they do. I mean, it’s just, I can’t imagine what that’s like.
Ian McShane 3:18
Yeah, there’s so many parallels with cybersecurity in general and not least of which every second counts, or every minute counts, right, the faster you’re around the track, the more successful you’re going to be. And I think there’s some interesting parallels to be had there with cybersecurity. So I’m delighted today that we’re able to have a nice conversation with the CEO of Oracle Red Bull Racing, Mr. Mark Hazleton.
Mark Hazleton 3:42
Hi, Ian. Adam, thanks for the invitation.
Ian McShane 3:43
No worries. So you are the CISO for Red Bull Racing. But before we get into what that really means, one of the things that we like to talk about on this podcast is how folks end up in cybersecurity. So maybe you could give us a quick summary of your journey to being the CISO of Oracle Red Bull Racing.
Mark Hazleton 4:01
Yeah, sure. I pretty much fell into working with computers, straight on leaving school with a Unilever. Back in the days when we were putting reel to reel tapes on tape decks and taking 12 inch listing paper off printers. And I was there primarily to run around with the tapes and run around with the listing paper. Quickly moved into operations with that batch scheduling jobs and so on. Running a shift pattern running the big old HP MP machines.
And I really quickly realized that there was a world of opportunity for automating things and I taught myself COBOL and we started doing a lot of automation of systems and taking out the mundane tasks where we could and that enabled me fairly quickly to move from IT operations into development. And I ended up at tender age of 21 looking after the financial ledger systems for pretty significant Unilever company, which often surprised folks that I was talking to at the time.
And from there, I moved into a couple of different development roles primarily with COBOL ended up in little software house developing code for all sorts of distribution companies and interesting outfits. And as part of that exercise we turned into a bit of a one stop shop. So we were replacing old legacy systems with Solaris based Unix systems. So we go in, we deliver the kit, we install all of the systems necessary. We deliver the software and the training and so on. And we go and bring these companies up to date.
And as a side effect, sort of moving across from software development into Unix systems administration, so I had to go out and get a bunch of accreditations in order to be able to provide the services that we were provisioning. And that enabled me to jump after a number of years across into working for my first jump into motorsport really was with a Indy car manufacturer, Reinhardt, I guess, Adams going to be pretty familiar with Reinhardt going around the big ovals and so on in the US.
So I was there for four years and went from Unix systems admin and CAD systems admin and ended up my time there as IT manager. And then that all went wonky, after the sort of the financial markets disintegrated a little bit for Indy car manufacturer, et cetera, after 9/11. And I did some contracting with the likes of pro drive and a few other organizations, British American Racing, and Honda etc, that were on the site we shared with Reinhardt. And from that, I got a job working for Jaguar Formula One, looking after various systems and things there. And that was it.
I joined Jaguar on a three month contract to do some review of their IT department and I’ve been there ever since when Red Bull took over some 20 years ago. I’ve been working my way through various positions with a company since then. Initially looking after an implementing new CAD and ERP systems, then through managing the service desk and race team, outfits, but a managing software development team has a stand in for a year or two. And then finally, 10 years ago, we recognized the world was changing. And we needed to do more from a cyber perspective. So we started really ramping up what we’re doing from a cyber perspective. And it’s just, it’s been nonstop since then, I think the world’s become more and more complicated. I’ve gone from just me, purely focusing on security to a small team of three, that manage the governance risk and compliance side of things with the rest of the company helping me in most cases.
Ian McShane 8:24
I got so many questions. Number one, like how much of your original COBOL stuff do you think is still in production?
Mark Hazleton 8:33
Surprisingly, I think there’s a fair bit of it, it’s still, I think, with one of the little software houses, certainly we modernized what we were doing with COBOL and changed all of the sort of user interfaces and stuff like that. So it was really rapid for each day what we’re doing, we could have one of these small spin offs, pizza boxes running a company of three or 400 people with almost instantaneous stock control and invoicing etc. I imagine some of that still on the go.
Adam Marrè 9:06
Yeah, we’ve had problems in the States obviously, with COBOL out there, and no one knows how to fix it. So we still need those folks. I got a question for you Mark about your career. I’m just curious that you know, it seems like you started out in computers, and you just kind of took every opportunity that came and jumped around. And many of us I know who are of the more mature variety, have similar stories. My question is, what do you think is different about when you came up through your career to folks that are looking at it today? I think a lot of our listeners to this podcast are a little earlier in their career. And then I’m wondering if what you see today, you can apply, how’s it different and how is it the same from sort of how you came up through your career to get where you are today?
Mark Hazleton 9:55
Yeah, sure. I think when I joined I was taught to read punched cards when I was eight or nine years old, I think. So I had some familiarity with these newfangled computers coming along.
When I started working with the mainframes, etc, it was really early days, and what we were seeing was we could go and spend a couple of weeks writing code and replace a whole tranche of manual process, etc. So it was the dawn of a lot of these organizations becoming computerized and that I think, in some ways, made things very, very easy.
And if you look at the kit, and the technology that was available, I think, coming up through operations, and then into development and having a particular interest, when we were taking the machine out of of use, I’d come in at the weekend, and I’d sit there writing code and try and break the thing, etcetera, trying to work out exactly how this thing worked, how could I make it stand on its head. And I sort of think, I probably knew a vast amount about that all of the functions that hardware and software combined could do for us.
And if you look at what we’ve got now, I think I know, so little about the overall capabilities of cyber and computers and so on. At one time, I could have done everything with one particular type of hardware or operating system. And these days, it’s a bit like Microsoft Word, it’s got 1000 functions, we only ever use five buttons.
So I think things have changed an awful lot over that time. I think the thing that remains a constant in IT is get stuck in really, find your niche, my transition from operations through into programming, and then sort of systems admin and stuff like that. You can sort of naturally find your own way, there’s so many different opportunities, even in one department get your foot under the door, work hard. And those opportunities are likely to present themselves. I think there’s more diverse opportunity now than ever before.
Ian McShane 12:28
Yeah, I agree. I think one of the constants that I’ve seen, is, has really been around curiosity. And I think we talked about this one on a previous podcast, Adam a lot of folks I work with they their career path has been, has really been because they’ve been curious about how things work. How other areas of the business work, how things function, and just really try to not stick within their comfort zone and sit around doing the same thing over and over again, and really trying to figure out how things work or how things can be broken, especially in this industry.
Adam Marrè 12:56
Yeah, that’s what really strikes me as so many people have that story of going in on the weekend and trying to break something or it did break. And now I have to earn everything that I didn’t know about whatever it is that where it was. So it seems like a lot of your education was on the job Mark, but did you have any? I know you said you jumped into it straight from school. Did you have any formal education? I know like free and and I there was fewer formal education opportunities back then. But I’m just curious. There’s any education since maybe?
Mark Hazleton 13:29
Indeed. Yeah. At school and me didn’t generally get on and I often came out with an A level in art and that was about it really. But I was ever eager.
So I think from a young age, I’ve been working if it’s not, not at the local farm, it would be in a carriage nearby and I was doing MOTs on cars and things like that from the age of 14 and, and forever. For, as you say curious about things and doing work. So didn’t really come out the school with anything in the way of a great cause.
Did I even touch a computer at school? I’m not so sure that I even touched a computer at school to be honest. When I came out and started working, it was another world I remember very early on in my time with the Unilever company. Going off on a training course the very first professional training course I’d done, which was all around administering these financial ledgers. And that was a real eye opener to me and it was easy. The computer stuff seems to come really easily.
So yeah, from early on, I was lucky enough to partake in quite a few training courses and big group courses. So we had a big migration from one manufacturing system to another and that required all of the developers in the team and a couple of related businesses to get together and go and learn to use the same language. Not the same programming language, but the same language around how we’re going to do the migration, how we’re going to develop, et cetera. And that was a real eye opener for me. So I’ve done all sorts of things.
In the meantime, I’ve done some business analysis and various things on different operating systems in the early 2000s. I did all the Solaris certifications for Sun, Sun 2000, et cetera, bunch of Microsoft stuff, etc, project management things, all those usual things. But in more recent years, I’ve gone on and done the CISM and the CISSP, certifications, etc. And I think that’s pretty much where I’ve come to a bit of a dull stop in terms of training, not quite sure where I go from that point on, but I need to do training just to get the CPE credits if nothing else these days.
Ian McShane 16:09
Yeah, I hear that. It’s one of the interesting things for me, if I think about F1 in general, and you know, what you see on TV is these hulking great trucks full of IT equipment. And so in a world where most organizations are planning to have a distributed organization or moving things to the cloud, or trying to keep things off premises as possible. It feels like F1 has the best of both worlds, or the worst of both worlds, in that you’ve got to ship a lot of stuff around, which is almost on premise, but it’s also got to be tied into the cloud somehow. So maybe you could give us a good example, or a bit of an explanation of what it takes to shift or the IT infrastructure around the world and how you manage to secure that on a traveling circus kind of scale.
Mark Hazleton 16:57
A number of years ago, when I was managing the race team side of things, I think we did some calculations that said, we, the race racks, of which I think they were about five at the time needed to run the car. I think they traveled something like 270,000 miles a year. So in terms of challenges for that sort of hardware, they’re in a box that saw shock mounted, et cetera. But they’re in a truck, going to the airport, they’ve been pushed across a concrete runway, and all the vibration associated with that, and they’re at one particular temperature, depending where they are, into the holder of an aircraft, do the journey, and the same at the other end temperature changes, and all of that would go with it, and then they’re going into a pretty what can on occasions be a pretty hostile environment in the garage. It’s hot, it’s dusty, high frequency noise from the car starting up and every type of electrical challenge you can imagine from overvoltage, undervoltage, brownouts power cuts, etc.
It was a learning curve for us, as the technology for a long time seemed to be getting more capable, more memory, more CPU and all that sort of thing. But at times, it seemed also to be getting a bit more delicate, it didn’t like that sort of movement. So in many ways, the physical transport etcetera was a challenge. These days, we don’t do so much testing now. So we’re quite lucky in that we typically only have one set of equipment flying around the world, and that’ll be the race team environment. Whereas a few years ago, we would have had both race and test kits, and they would be leapfrogging each other from event to event. And of course, what you get then is a huge challenge around where you’re mastering your data. So in the early days, we’d have had ISDN lines and so on, and we’d be trying to squeeze the crucial data back to the factory. And you’d have all of these weird synchronization things going on. But with modern comms, it’s not such an issue. So that’s a much easier thing now.
So the kit we’ve managed to find ways to make it pretty stable, your choice of technology for UPS and things like that can make a huge difference. And how you’re supplying the power at circuits and things like that, but we’ve come to a point where we can make it quite reliable. In terms of how we secure it, the environment that it goes into is very, very secure. So we can be quite confident that racks of kits in a garage are well protected. We’re very unlikely to experience unexpected visits from people with ill intent, shall we say, moving all of the staff around with all of their laptops etc.
Of course, everything’s encrypted and what have you. And they’re all very careful with our equipment, all of our staff are great and don’t leave things lying around. So it’s not such a huge challenge to get the kit around these days, but you’re spinning up a data center that any small to medium sized business would be proud of virtually every week, you build it up over four days, it’s got to be 100% reliable for the duration of the event. And then you tear it down and chuck it in the back of the van. And onto the next one. So it does have its moments.
Ian McShane 20:47
You describe it like a roadie, like putting on stage and then chuck it in the back of the van. And moving on to the next.
Mark Hazleton 20:55
It’s surprisingly similar in places.
Adam Marrè 20:56
You answered my question, which was all I think of as trying to secure this is, I just increased my attack surface, or I extended my footprint into each one of these different locations physically, so I’ve got ports sitting out there, I got devices sitting out there who’s gonna come and try to do something, but it’s nice to hear that the security, at least in the inner circle is tight enough.
Mark Hazleton 21:22
We’ve also tried to keep it really simple. So most of the services will just come directly back to the factory. We don’t expose ourselves directly to the internet in many cases. So most of the traffic’s bounced straight back to the factory, and then it proxies out from the factory, using existing systems for other technologies. There are some connections at the circuit for marshaling information and those sorts of things. But generally, we try and keep these things as straightforward as we can.
Adam Marrè 21:57
Yeah, so touching on that, given that you have that kind of connection, and everything can be back at home base, as it were, what is the threat landscape like for an F1 team? I’m just, I gotta be thinking, in addition to all of the attacks that everyone worries about, there’s got to be some interesting peculiarities to being an F1 team.
Ian McShane 22:24
I want to hear about corporate espionage as well, right?
Adam Marrè 22:27
Economic Espionage is of course at the top of my list, but I’m just curious what you think, what you were seeing out there, Mark?
Mark Hazleton 22:33
I think for the espionage part, that’s a conversation to be had over beers rather than publicly. Threat landscape is actually really, really simple. I like to think I’ve got two main threats. And that’s everybody inside the building and everybody outside the building. We’ve seen it change dramatically over the years.
Ten years ago, it was all about insider risk. And of course, over the last six, seven years, we’ve seen that whole world shift with monetization of we used to get spam, emails and stuff like that, but and when people trying to do DDoS, for fun, and that sort of thing, and hackers doing things for fun, but as the malicious activities become monetized, obviously, you’re at risk from ransomware, and so on.
From that perspective, I don’t think we’re necessarily targeted that specifically. But whereas we’re much at risk as any high tech engineering company, anybody with a footprint on the internet, etc. It seems that our image on the internet doesn’t seem to do us that much harm in terms of driving malicious activity towards us, fingers crossed.
Over the years, we’ve had the odd, I’m going to describe them as hobbyists, that of course, there’s some little challenges but in general, the biggest risk to us remains falling as collateral damage to one of these other activities going on in Sweden. We see ramp up of malicious activity when sanctions are imposed against the country and those sorts of things when big geopolitical events potentially cause us to see a ramp up of traffic. But other than that, we’ve got the odd bit of activity going on. But in general, we don’t seem to be that targeted. In terms of industrial espionage, corporate espionage, we were good friends with most of the teams out there.
Everybody knows everybody that works for the other teams and now makes a bit of a closed loop and reduces risk. There’s a significant financial incentive and regulatory incentive not to copy, etc. And of course, we put our product on the telly every weekend. And it’s possible to work out what we’re doing with various things. And there’s a significant amount of staff movement between the different teams as well, which I think probably levels the playing field, a reasonable amount that but fundamentally, that isn’t a huge concern for us.
Ian McShane 25:27
Do you have across the different race teams have a shared intelligence kind of function? Do you communicate with the other CISOs regularly, the security teams keep in touch about what they’re seeing? And what might be bubbling up from an attack perspective?
Mark Hazleton 25:43
Typically not. If there’s something that does seem to be really focused on Formula One, if one of the teams has had a particular challenge, then that then does just filter through but from a day to day perspective? No, we’re not all in regular contact. Where we’ve seen a couple of direct competitors get compromised with phishing attacks and things like that, then we’re always immediately on the phone, of course. But there’s not that much interaction from a security or indeed an IT perspective, across Formula One teams, there’s a lot of interaction around logistics and things like that.
So all of the teams are generally working together around movement of parts the late and baggage movements, and all of those sorts of things, it’s probably a lot more well organized interaction between the teams than the motorsport friends out there, watching the races realize. It doesn’t tend to come up to a cyber perspective. Now there have been some discussions about putting something together with a well known agency in the UK, the NCSC. But part of the problem there is not all of the teams are in the UK. And I think it’s there for quite a challenge. We couldn’t do something with most of the teams, but not all. So I think that makes that sort of thing a little bit difficult.
Ian McShane 27:19
Is there actually a lot of it that’s mandated by the, acronyms escaping me, the FAA, they mandate a lot of what you have to do from a baseline of security?
Mark Hazleton 27:30
No, not at all. No, it’s weird. We have various sporting regulations. But from a security perspective, there’s nothing that drives what we have to do particularly beyond separation with different groups within our organization. So we describe ourselves these days as a Formula One team, sorry, as a high tech engineering company with a Formula One team effectively, and we’ve also got an advanced technology function, we’ve got power change functions, etc. And there’s some degree of separation required between them. So we don’t advantage ourselves. Other than that, we’re governed by GDPR. And so on. And that is pretty much about it. We voluntarily use some standards, we’ve looked at ISO 27k. And we’re generally focusing on the CIS standards, which happily, your organization sort of focuses on as well. So, other than that, no, it’s all self derived.
Adam Marrè 28:43
But what really strikes me as interesting about this Mark is, of course, for those of us who are Formula One fans, we think it’s going to be very different for Oracle, Red Bull or other organizations, and then to hear you say it, I’ve just heard this so many times, we think an industry is really different, but it’s really, we’re pretty much looking at after and trying to stop and prevent the same attacks that everyone else is dealing with. And then we might have a few peculiarities. The other thing I hear that you say, that’s really similar is there’s obviously intense competition between the different organizations, different teams, in F1, but the security folks have no problem sharing one with another. And that’s another thing, one of the things I love about the security community is our ability to kind of skirt those other prerogatives that people have, for our security prerogative to make sure that we’re sharing the information that we should, and as much as appropriate, across, different organizations, so, I’d love to enter those.
Mark Hazleton 29:46
There’s no point in inventing the wheel twice and where we can, we’re very happy to share as long as it doesn’t risk competitive advantage.
Adam Marrè 29:55
Absolutely. Yeah, that’s always the line. We want to be friendly, but not overly friendly. Right. But so I am curious about how you and your organization tried to create. I mean, you talked about that insider threat, which is, of course, something that I think all CISOs worry about. How do you foster that security conscious culture, like what are the techniques that Red Bull use? Sounds like you got a really efficient team there. I’m just curious how you do that. And then, is there any kind of coordination of that type of culture? Does that culture permeate throughout the different teams at F1, where everyone has sort of a similar idea of the threat you face?
Mark Hazleton 30:36
Yeah. It’s an interesting thing is it’s a bit of a double edged sword that an awful lot of our user base are extremely IT literate, and they know what’s going on in the outside world, they’ve all got their fingers on the pulse. And you don’t have to go far to hear about cyber risk. Formula One, given its highly competitive nature, there’s an understanding of the need to secure things just ingrained from everybody from day one. So from a physical perspective, as well as a cyber perspective, and so on, and that has been pervasive. Throughout my time in motorsport, it was the same before it came to Formula One, in the Champ Car World, it was the same.
Ian McShane 31:31
Does that make it harder or easier, though, if you’ve got a lot of IT literate things and I’m thinking, you get chuckleheads, like me going to Adam, thinking that I know better ways of securing things than he does.
Mark Hazleton 31:41
What we do have is a lot of people that are really laser focused on what they’re doing. So if they can find something that’s going to give them an advantage, if they’re going to come up with a piece of software, 10 o’clock on a Friday night that they need to install, in order to do a little bit of analysis that they think is going to win us the race, they want to be able to do that.
So we have to provide a pretty decent level of flexibility, but then have that sort of the midnight break glass thing where we catch up with things after the event, and so on. So we have a pretty open culture where people are able to do things, but then they come and tell us about it afterwards. With that focus comes the intent of getting the job done at all costs, they just got to get the job done. And IT security can’t stand in the way so where it is a challenge is, we always used to have this sort of motto that we’d say in IT across the board, ‘anything we do is there to make the car go faster.’
And that was a bit of a challenge in IT, but you can get the principle with security, saying we’re only going to do stuff that makes the car go faster, that becomes even more difficult. But I think most of our user base sort of gets our approach. So we were not so restrictive that they can’t get on and do things. But what we do try and do is not the worst things. And wrap a little bit of process around some of the other bits where we catch up. Because ultimately, if we don’t give our engineers a bit of flexibility around what they’re doing, they’ll find a way to do it. And them finding a way to do it and then keeping it under wraps afterwards, et cetera can just make things worse. So it’s definitely a double edged sword. But in general, we have very, very IT literate staff with very good hygienic habits, cyber habits anyway.
Ian McShane 34:04
Sounds good. So that’s been a really interesting look at kind of the F1 side of things. From your perspective on what’s the thing you’re most passionate about in cybersecurity?
Mark Hazleton 34:18
This is where I become really dull. It’s doing the basics. Do the patching, do the vulnerability awareness, make sure you’ve got a recent modern OS in there make sure you think about what you’re doing, do a brief risk assessment, think about the implications, etc. So you know, we can all add sort of high end technology and so on but it’s all at the wrong end of the process for me so yeah. I’m a big fan of doing the basics and a big fan of doing the basics as well because a lot of sports perhaps don’t approve shape, the difficulty that goes with it the amount of time resource etc that can come along with patching couple of 1000 servers or 1000 clients, etc.
Ian McShane 35:14
It’s easy just patch it, don’t worry about it.
Mark Hazleton 35:16
Just hit that button, hit that button and have it done.
Yeah, for us, we were 24/7 operation and outage windows really difficult for us so. And we’ve come from a land where we were getting every possible CPU seconder other machine and utilizing various features undocumented features, we say in some of the client machines, etc, when we’re presenting telemetry and so on, such that any patching, 10-15 years ago, any patching would kill the machines and render everything unusable.
And of course, you can’t have that when you’re trying to get the car out on the track. So everybody, all the engineers have grown up around this thing where updates and changes are bad. And we’ve currently with all of our clients we’re patching pretty much real time, but it’s really good what we’re doing now. But that transition from patching, maybe we’d sort of patch everything once a year, then we’d run it through our final integration test suite. We’d simulate everything as though it’s at the race track. And we test every single component to make sure it’s all stable. And going from that to pretty much patching everything. As soon as patches are available.
It’s been a bit of a culture change. We’re not quite there on the server side of things. But we’re getting there. And we’ve got good support from the organization and so on. But the patching process is getting much more reliable compared to where it was. And we’ve just got to try and keep that chain running.
Adam Marrè 37:03
Yeah, it’s funny, Mark, it took the words right out of our mouth. That’s what we say all the time, do the basics. And it’s not, it sounds like if you said do the basics, that sounds like it might be easy, but the details always get you, but that’s where the most value is, we think, so it’s interesting to hear the same thing. And I hear the same thing from so many different cybersecurity leaders. So, as I said earlier in the podcast, we do have a lot of people who are earlier in their career who listen to this podcast. I’m just curious, what advice would you have for someone like that looking to get into cybersecurity, whether it be straight out of school, earlier in their career, or someone looking to make a career change?
Mark Hazleton 37:48
I guess that comes in two parts, really. So if it is somebody really early in their career, I always tend to direct people towards the help desk, or service desk, because I believe they’re known these days. And get some experience, get some experience across the organization, understand what makes the business tick.
I really recommend people get away from the standard IT approach of they’re just there, there are computers, and you’re just a user that will use it and so on. It’s how do you provision that service for the user? And how do you go around not giving the user necessarily what they asked for, but give the user what they want or need, and so on, working out that difference. So it’s understanding the business, understanding what drives the business and so on.
Getting that breadth of experience, I think, is a critical thing to being able to go on to move into cybersecurity and make that transition sensible. I think, for somebody later on in their career, perhaps focus on a particular area in cybersecurity, of which there are many. Do you want to go into management? Do you want to go into threat hunting? Do you want to go into pentesting, or red teaming and so on?
It’s still a relatively new industry, I guess. And the roles are constantly evolving. So pick the thing that works for you, focus on that, rather than going for something too broad and perhaps not making it. Focus all of your time and effort on one area, get your foot in the door. See if you like that particular thing, and then maybe you can move laterally from there.
Adam Marrè 39:44
Yeah, that’s, that’s great. Totally agree.
Ian McShane 39:46
Yeah, I feel the same way about tech support as well, because that’s where I came from. And they exposed me not just to the technology, but the human side of things, and having way more empathy for not only the end user, but also for the folks that work in the 24/7 misery that can be tech support.
Mark Hazleton 40:05
Absolutely. Ultimately, it’s we’re there for the user. So all of the services got to be there for the whole point is for them. So I think that’s a really good place to start the focus. Although a number of my users might not agree that that’s how I focus things, but there’s always one or two outliers.
Ian McShane 40:28
What do they say about the CISO role, you can’t please anybody? You can’t please everybody? It’s one of the two, right? You can’t say something like, ‘yeah, brilliant.’ Well, Mark, it’s been really interesting hearing, you know, how you and your team secure a world champion F1 team. So thanks so much for the insight, and really appreciate you being here today.
Mark Hazleton 40:46
No problem. Thanks for the invite. Good to meet you, Adam.
Adam Marrè 40:49
Thank you, Mark. Great.
Ian McShane 40:53
Yeah, so everyone listening, be sure to like and share and subscribe on the podcast platform of your choice. Thanks again to Mark Hazleton. Any last words from you, Adam, today?
Adam Marrè 41:03
No, I’m good. That was fascinating. I just love, I love to hear that, even though we may be in very different organizations, we’re pretty much all fighting the same fight, the same kind of problems, and that really makes me feel like we can do it. We can make this better. So thanks, Mark. Thanks, Ian.