Life as a Chief Information Security Officer


This is the third and final one of these series (1st one is HERE, 2nd one is HERE), where I get the views of various IT professionals across the UK, to understand their roles, their challenges, adapting to the changing technology landscape and the difficult challenges with the ongoing pandemic. This time it's a chat with Howard Pritchard, Co-Founder of AVORD and a man with 10+ years of being a CISO.

Round 1: About you

Name: Howard Pritchard

Role: Co-Founder and Cyber Security Consultant

Business: AVORD, Security as A Service

Hidden Talent: I’m still looking

Favourite thing to do outside work: Enjoying motorcycle riding

Guilty pleasure: Steak Pudding and Chips with a slab of peas 

Round 2: Your job

Plenty of people are keen to get into Information Security, and you’ve spent a good percentage of your career in various roles within the InfoSec arena. Can you share some of your experiences of your various roles and pass some advice on to people eager to further their careers in security?

My first involvement with anything related to electronics was watching a television programme showcasing a device that, with movement, provided an ‘X-Y’ position indicator for a screen; the ‘X-Y’ was later known as a mouse for some unknown reason of the day, but it caught on. I was then introduced to a friend’s ‘brown box’ (many of my generation will know this as the Magnavox Odyssey), one of the first games consoles to hit the market, and this blew me away.

Magnavox Odyssey, released in the UK in 1973

To think, one week before it was about who could make the fastest bogie using sourced Silver Cross wheels, wood and a piece of string to steer it around the streets; the next it was the ‘brown box’, electronics and the future.

Sometime later, as a present, I was introduced to my first games console, this being the Binatone MK1 console playing the first generation of ‘Pong’ on a black and white television (paddles and a ball going across the screen). I was brainwashed by monochrome gaming and Information Technology.

Binatone MK1 console

My career started in the early 1980s, when business computers such as the IBM XT and Unisys (Sperry) were all the rage. Networking was based on a pair of wires connecting a local LAN using a daisy-chain method to a Unisys (Sperry) server with a massive memory of 512KB and hard disks with eye-watering storage of 16MB. This is where I was introduced to security of the physical wiring of a LAN, the introduction of physical computer security and DIL switches. Physical security of machines was the buzzword of the day; securing data had not been widely publicised in business or media circles. That was the start of my ‘security career’. I have been lucky to work in most countries around the world, my favourite being the Middle East.

For those looking to get into Cyber/Information Security in today’s climate, there are so many fields to enter and Cyber/Information Security is a very broad field, so choose the area and focus on it – there is no silver bullet.

Which was / is your favourite role, and which one would you loathe to do again?

Throughout my career I have been employed in various Information and Cyber Security roles; that is why I am passionate about the subject and paranoid at the same time. Every role has been exciting, challenging, frustrating and rewarding, so no one role sticks out more than another.

Nowadays your focus is on AVORD, the world's first completely online testing platform. Why did you decide to move from the customer to the vendor side of security, and has it been challenging?

My roles have allowed me to work both sides of the coin, supported by clients and vendors. A change of circumstances gave me the energy to challenge the traditional way security testing was performed. This was generated out of sheer frustration at the years in which suppliers had not changed the way penetration tests and IT security health checks were performed, while at the same time maintaining an inflated pricing structure, not to mention the bullish attitude. AVORD was already in the thought process when I was asked to join and co-found this exciting and revolutionary project.

The journey has been exciting, not to mention the challenge of keeping the design and development under wraps. 2019 was the year that AVORD went live. What a ride, and it's only just begun!

What is your favourite part of your job nowadays?

Seeing the astonished looks of clients when we take them through our online demonstrations, understanding how AVORD can provide a truly agnostic management platform and at the same time save up to 40% of their current security testing budget, amongst other benefits. This gives me a great feeling, a buzz to be able to give back to the client. I still provide Cyber Security/CISO support, sometimes pro bono, as I believe the many years of experience I have accumulated should be shared for the good.

Is there anything you miss about the day-to-day of being a CISO?

A bit of trivia: the role of CISO first dates from 1994, after Citigroup suffered a series of Russian hacks. The bank decided to hire Steve Katz under the title of Cybersecurity Executive Office.

Who was the Russian hacker? Vladimir Levin, for all those fellow security nerds.

Being a Chief Information Security Officer (CISO) was, 15 years ago, a privileged position, one that senior stakeholders and colleagues would look to for advice: the go-to person, the person responsible for establishing and preserving the corporate vision and strategy, including the estate programme, to ensure that ‘information’ assets and technologies were securely protected through the likes of compliance and regulatory requirements, and owning specific Cyber and Information Security budgets directly under the CEO. Over the years this has become a role of conflict, especially where the CISO reports into a CIO or CTO who owns the overall security budget, including the CISO's; the function becomes like a tethered goat situation. As one eloquently put it:

“The CISO runs the risk of becoming the guardian of an empty shell because most of the assets are being moved elsewhere and the guardian of a variety of uneven relationships with suppliers, with little control over the way information is protected.”

Warwick Ashford, Computer Weekly, 2018

To sum this up, the following shows the differences as a good friend of mine described them many years ago.

  • IT Security
    • Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.
  • Information Security
    • The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
  • Information Compliance/Assurance
    • Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

So, to answer the question, I still enjoy providing Cyber Security/CISO support and strategy direction to organisations who have an appetite for security.

Round 3: Security

Howard, it's fair to say the security landscape has changed a hell of a lot over the past 10 years. There are far more businesses out there offering ‘security products’, and the media is full of reports of businesses falling victim to various hacks, malware and viruses.

Why are these breaches seemingly more frequent, or have they always happened, but the media are now more interested?

Since the start of the technology revolution, unscrupulous characters have looked to hack systems. I believe Konrad Zuse created the Z1 computer in the 1940s; however, some say that “Captain Crunch” John Draper was hacking computers back in the early 1970s. At what level it was deemed ‘hacking’ I will leave to those who love a debate.

Data breaches have always been, and will always be, with us. If we look back over the decades, data used to be in the form of written documents, such as patient data and financial records. A data breach was as simple as viewing an individual’s information without consent or authorisation, for use against that individual or organisation. This has steadily risen over the decades, and more so from the 1980s through to the present day. Organisations rely more and more on digital data, cloud computing and the ability to work remotely. Some common causes are related to weak credentials or even shared ones, application vulnerabilities (patching, including security and critical patching), malware, phishing campaigns, insider threats, and poorly trained employees causing insider errors. The list is endless. Where there is human interaction you inevitably have potential breaches.


Do you think the education and awareness of end users is paramount to ensuring businesses stay secure?

Absolutely. End users, including board level and external partners, need to be aware of the potential impacts and consequences of not securing their data; therefore continuous training must be maintained.

As a new business owner, you must come across some innovative security companies. Other than AVORD (of course), is there any product or service that sparked your interest?

AVORD is very innovative, thank you. There are so many innovative security companies out there competing for a slice of the pie, but none as unique as AVORD (was that my allowed two-second sales pitch?). I am a little biased towards UK companies, and I would not like to name one above the other, as it is like a game of football – a game of opinions.

OK, a few quick-fire ones now… Password manager or Post-it notes?

Being a paranoid security person – password manager, but I do like keeping a stack of Post-it notes.

Which is more secure: Google’s Android or Apple’s iPhone?

Okay, that is a techie question. Some like Android due to the ease of its functionality; others like the iPhone for simplicity. Apple has been a secure platform for many years, and now the Android platform is up there as well. It becomes a preference. I am an iPhone user; I think mobile phones make calls as well.

Biggest mistake made by most businesses when it comes to security?

My personal view and concern is that some senior executives will have cyber security, risk and compliance as headings with a time slot of between 20 and 30 minutes to discuss at the regular board meetings, but is this just a tick-box exercise to keep auditors and shareholders happy?

Lack of budget is the most common mistake, followed by not understanding the organisation's business and operational strategies, and therefore not agreeing goals and objectives.

Revenue comes first, before protecting the company’s assets, including ‘DATA’.

Another failing is to cut corners and not follow the ‘Security by design’ principles due to lack of resources or pressure to deploy the latest application or services.

What’s your mother’s maiden name? 😉

She’s too old for you

Round 4: Covid-19 Pandemic

Like everyone worldwide, I have no doubt you’ve had your own challenges, both personally and professionally, due to the social distancing / isolation measures put in place over the past month or so.

So, my first question around this is: what changes have you had to make within your business to ensure everything stays operational?

The good thing about the AVORD platform is that it is a cloud-based solution, which means no disruption to the services being offered to our clients. From a client perspective, meetings have ultimately changed from face-to-face to online conference calls; apart from the lack of handshaking and travelling to the client's site, all parties have embraced the technologies to protect lives in the current situation.

I’ve seen plenty of comments on Twitter and LinkedIn in recent weeks about Cyber Security teams being reduced in size due to the Covid-19 pandemic. What are your thoughts on businesses adopting this approach?

It’s a hard question to answer, the reason being that we don’t actually know their operational issues; these may have been there before this pandemic happened, and some organisations may use the cover of COVID-19 as the reason to reduce numbers. However, it must be noted that organisations would not be acting correctly if they reduced their cyber security teams in this current situation, as these resources have far-reaching operational experience above the normal IT operational resources to support and protect the organisation's business and operational requirements.

The downturn in business and the economy over the past couple of months has got to be challenging, particularly as a new business. How is your team keeping going during these particularly difficult times?

AVORD is a unique proposition, and I am delighted by the fact that clients are seeing the exciting benefits that the platform brings. To the clients it really does not matter if it is a face-to-face meeting or conducted as an online meeting. From a team perspective, they all work remotely, therefore maintaining operational exposure to all our clients.

That’s me all out of questions Howard, and I think I’ve plugged AVORD enough – hopefully enough to earn me a beer or two once lockdown is over. Have you got any final comments or shoutouts you’d like to make before I click the ‘Publish’ button?

As always, it is a pleasure chatting with you. Keep the energy going, it’s great.
