


CSO Spotlight: David Smith, Nuix

Jul 06, 2018 | 6 mins
Careers, IT Leadership

Winning the war against cybercrime is getting closer to reality as law enforcement dedicates more resources to cybersecurity investigations and improves cyber-related laws.


David Smith is chief information security officer (CISO) at Nuix, an Australian technology company that produces a software platform for indexing, searching, analyzing and extracting knowledge from unstructured data. His goal is to improve and maintain all facets of security from InfoSec to physical and personnel security. He focuses on educating and encouraging the active pursuit of security best practices. Before joining Nuix, David specialized in computer forensics and electronic crimes investigations for the FBI. Here he shares his views on the current cybersecurity trends, the battle against cybercriminals and how he keeps up with the ever-changing cybersecurity landscape.

What was your first job? My first full-time job was working as a computer operator and analyst for the FBI.

How did you get involved in cybersecurity? I was involved early in computer forensics and electronic crimes investigations, so when cybersecurity began as a dedicated field it was a natural fit for me.

Tell us about your career path. After spending a few years as a computer analyst at the FBI, I started my career as a Special Agent for the U.S. Secret Service. During my time there I worked in computer forensics and electronic crimes investigations. From there I transitioned into the early days of cybersecurity management and information governance. I spent seven years designing and teaching cybercrime investigations and forensics training courses for law enforcement. Then I moved back into cybersecurity management and information governance.

Was there anyone who has inspired or mentored you? I have been very fortunate to have had plenty of great mentors and leaders, both within the forensics/cyber world but also in other areas of leadership. Chris Pogue has taught me a lot and has been a good influence. There are too many other people to mention by name, but all of them have definitely helped shape my career.

What do you feel is the most important aspect of your job? The most important aspect of my job is to improve and maintain all facets of security for my company, not only information security, but also physical and personnel security. Part of that includes leading and encouraging everyone to be active in following security best practices.

What metrics or KPIs do you use to measure security effectiveness? I use a variety of metrics depending on what particular security category is in question. Some aspects of security are easier to measure than others, of course. For many security categories, I borrow some of the ideas behind the U.S. Government’s Federal Information Security Management Act (FISMA) and the associated Risk Management Framework (RMF).

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? I am fortunate that my organization takes security very seriously, at all levels of the company. Speaking in general terms of global cybersecurity, not just for my company, the greatest skill shortage tends to be in the newest areas of technology, such as cloud computing security. There is often a gap from when many organizations adopt a major new technology to when colleges and major training organizations are able to develop specific training to discuss the security of those new technologies.

Cybersecurity is constantly changing – how do you keep learning? I attend traditional training courses and conferences, I read a lot of newsletters and blogs, but most importantly I talk about cybersecurity issues with as many people as I can. 

What is the best current trend in cybersecurity? The worst? The best trend is the rapid catch-up of law enforcement and judicial systems around the world. More and more police and law enforcement agencies are dedicating resources to cybercrime investigations, and more nations are trying to improve their cyber-related laws and judicial processes to keep up with the rapidly changing world of cybercrime. We have a long way to go, but the progress in the past year or so is very encouraging. The worst trend is the tendency of some people and companies to spread “cyber hysteria” rather than meaningful information. 

What’s the best career advice you ever received? Wow, I have received so much good advice in my professional career from so many great people. If I had to pick one, it would be from a friend of mine who is an executive leader in the U.S. Secret Service. He said, “The minute you think you are smarter than the next guy, you have lost.”

What advice would you give to aspiring security leaders? Organization and focus are critically important to being a successful security leader. It is so easy to spend every minute running around putting out security fires, real or imagined, and before you know it you are not really making progress on your information security goals. Devise a plan and specific processes to execute that plan and stick to those processes with everything you have.

What has been your greatest career achievement? I am most proud of the fact that I provided cybersecurity training to thousands of law enforcement personnel from over 80 countries. There is no better feeling than having a detective who attended one of my classes from a distant country email me to say that my training led to the arrest of a major criminal.

Looking back with 20:20 hindsight, what would you have done differently? Honestly, I would not change anything.

This interview is part of CSO’s regular Spotlight series, which focuses on the career paths of security leaders. If you know someone (or are someone) with a story worth telling, please contact