Matt Lemon, the Chief Information Security Officer at China-based Huawei Mobile Services, comes from an extremely technical background. He has a master’s degree in computer science from MIT, and a doctorate in cyber/computer forensics and counterterrorism.
He also thinks it’s important for CISOs to have a broad range of experience so they can understand enough about the technicalities.
But what he’s always subscribed to is to hire smart people and let them do their jobs.
“I don’t get involved in their day to day duties. I let them go on with it because they were hired because they’re good at what they do,” Lemon said. “My role is more to set the strategy and to look after the personal and professional development of all those people that I’ve hired.”
Emerging from the pandemic, CISOs have had to learn a whole new set of skills. They have had to be a lot more empathic with the teams they manage, because people have been sick or had issues working from home.
“The ability to support your team at a personal level is something that I think is definitely a requirement for CISOs now,” Lemon said. “Another thing that we probably over the last few years have gotten to grips with is the fact that security isn’t a siloed operation. We need to be good at building relationships with different stakeholders, whether that’s finance, marketing, HR, whoever. They all have security concerns, and they don’t necessarily bring those to you unless there’s a trusted relationship there.”
Lemon’s been working in the industry for 25 years. Today, a CISO’s role is really more of a business one, to make things as secure as they need to be rather than as secure as possible, he said.
“Everybody wants things to be secure, but you can just keep throwing money and time at security endlessly, almost,” he said. “You need to be aware of what the business goals are and what their risk tolerance is so that you can define your security plan accordingly.”
At Huawei, where he’s been for three years, he’s built a team pretty much from scratch. On the sidelines, he’s studied Chinese and done a law degree.
“It’s useful having the degree, looking at contracts and data privacy and that kind of stuff,” he said. “It’s a big advantage for me in this role.”
Before Huawei, Lemon was chief information security officer at Ulster Bank, and CISO for SaaS cloud security and a partner in the cloud security practice at IBM. He served as chief information security officer for the government of Ireland in the late aughts, and afterward was one of the pioneers in providing managed security services.
“Security was really just in its infancy,” he said. “The smartphone had come out and things were just being connected. People were scrambling to try to find anybody that knew anything about security to hire them.”
Lemon commands a team of about 700 people. His biggest challenge now is recruitment.
“It’s almost impossible to get experienced people,” he said. “It’s easy to get people straight out of college, but they don’t have the experience and the knowledge to step straight into a role and contribute from the start. They need six months of handholding and mentoring before they become productive.”
Retention is another problem because of the talent shortage, he said. “I could offer somebody $100,000 to do a job, and then after six months’ time, somebody else is going to offer them $150,000 to work somewhere else.”
The lack of qualified staff is driving a big push toward automation, Lemon said.
“We’re trying to automate as much as we can,” he said. “We’re especially concerned with fraud prevention, both financial fraud and fraud using our customers’ accounts. So we are spending a lot of time and effort in getting up to speed with artificial intelligence and machine learning so that we can automate as much as possible the detection of fraud and any anomalous activity.”
After a number of years where budgets weren’t hard to come by, spending is now being cut or frozen industrywide.
“Because money is under more scrutiny, it forces people to become more innovative in the jobs that they’re doing and the tools that they’re trying to use,” Lemon said. “If we can’t get approval for a particular project or a tool, then it makes people think whether we can repurpose something that we already have to do something it wasn’t necessarily designed to do.”
His advice to younger CISOs: Try and get the broadest understanding of all the domains of IT so you can help your team with personal and professional development.
Ransomware is one of the external attack threats that his team spends the most time on. “We’re not so concerned as we used to be about the iconic kid in the basement, in the dark, hacking away,” Lemon said. “We’re more concerned with state-sponsored attacks and ransomware attacks than anything else.”
“I spend quite a bit of time having one-to-ones with not only my direct reports, but their direct reports as well. I probably spend 50% of my time in meetings like that.”
Lemon lives in the countryside outside Dublin. There are forests on his doorstep, so he likes to go walking. Because of the large amount of travel he used to do and the commuting, he’s gotten into audio books.
He also keeps two donkeys, Clinton and Cobham.
“When we moved into the house that we’re in now, there was about an acre and a half of field that was seven feet high, really tall grass and brambles. So we got two donkeys from a local rescue center.
“They’re great, real characters,” he said. “I can go in the field and chill there with the donkeys.”