Wagestream Team Spotlight: Clair Phelps, Chief Information Security Officer

With nearly 20 years behind her in the information security game, Wagestream’s CISO, Clair Phelps, is a pioneer of the field, with a career spanning back nearly to the origin of the industry as we now know it. In this piece we look at the information security industry as a whole over that period, to see what’s changed and what you need to consider if you’re thinking of heading into that space.

Tell me your major career highlights?

“Working at a big four firm for 14 years was a very eye-opening experience that gave me the footing into information security. All those years ago ‘information security’ was not two words that people said. It was about ‘IT’; the security element became a buzzword after quite a few high-profile data breaches, and from there the specialism was born.

I’ve been very lucky to be a part of the first ever internal information security team for one of the big four firms, as well as being able to help with external engagements too. Looking back, this was a particularly challenging time, coming back from maternity leave, as it was a little unclear what my future looked like; this was a new space and really helped define my future career.

My first learning curve was becoming an expert in ISO 27001, and the same will go for anyone looking to specialise in this area. ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization and the International Electrotechnical Commission in 2005, revised in 2013, and again most recently last year.

Back in the day, the problem was that most companies had implemented ISO 27001 with a limited scope (e.g. just the IT department). I played a major role in the project to extend ISO 27001 across the whole UK firm. This was an extremely varied role, from running round offices making sure everything confidential was secure and locked away, literally locking screens, to talking to people to make sure they were ready to speak to an auditor. It was all really good face-to-face awareness with 22 offices in scope; but as you can imagine, it was an enormous challenge.

When the ISO standard moved from 2005 to 2013 I led the project to transition to the new standard, rewriting the information security management system from scratch. That’s where I found my feet: starting from scratch, having managed it for a few years, I already knew what needed changing from things like the risk register, and that greenfield exposure was invaluable.

My time in information security has flown, and I still absolutely love it. It’s one of those things: when you think you’ve got everything under control, something out of nowhere crops up.”

What are your key considerations for someone looking to step into Information Security?

“The journey from Assistant Manager at a big firm to a CISO has been a hard journey, so dedication is a must, but I think I owe a lot of what I’ve achieved to the fact I really enjoy it, and if you have a genuine passion for what you do, the rest will follow. It’s cliché, but I’ve learnt more because I want to know more, and I’ve got involved in as many new areas as possible because I love learning; that’s key for this career pathway and many others alike when it’s a forever evolving field. If you enjoy it, the motivation follows; you will struggle if the genuine interest isn’t there.

Another essential is being broad; I don’t specialise in one area. I cover the whole breadth of skills from technology and governance to policy and awareness. You need that exposure to be full-bodied in this role, and that can only come with experience, so put yourself out there into new areas.

Security is an interesting field because you can come into it from a lot of different directions. I started in risk management, ethics and compliance, but all sorts of pathways work well, such as software development.”

Any tips to offer aspiring female leaders operating in male-dominated disciplines?

“I open myself up to my team’s interests and I find they do the same, especially at Wagestream. A claim to fame of mine is that I won the fantasy football league cup a few years ago. You need to build rapport and find common interests in all your working relationships, so put yourself out there and show a genuine interest in your team’s passions; that will bring about closeness in all your working relationships.

I love all sports: I have run the London marathon and I love my golf, but I’m also a mother to four children and I’m building a house from scratch, so I like to think I can chat about an array of different interests, and that’s important in a team culture. Differences aren’t a problem; putting in the time to learn about people is an opportunity.

I’m passionate about supporting the next generation of CISOs. I’m an active mentor to other information security professionals, helping them sight their next steps of development, not just qualifications but situational exposure. Continual learning is crucial; I got my CISSP qualification last year alongside my day-to-day work. If you lose your sharpness with technology you can’t write up-to-date policies.

I’m professional when I need to be, but I also like a joke, earning myself several nicknames over the years. To name a few: ‘Magic’ from my Legal & General days, when I was sent onto a call in a difficult situation where it was unlikely we were going to close the situation, but I managed to solve the issue before the other members of the team even joined. Another, more formidable title I earned while at KPMG was ‘The Rottweiler’: “soft and cuddly in audits, but then I would bite with the difficult questions”.”

Having embarked on maternity leave at different stages in your career, what does someone looking to do the same need to consider?

“Having a flexible employer like Wagestream is key, but also managing expectations properly both at home and at work, ensuring you tick the boxes of what your requirements are. You can’t sugar-coat it: it is hard bringing up four children while growing a career, so you have to be up for that fight. I’m a council estate girl, coming from some very poor times as the eldest of three, so I know sacrifice.”

A CISO’s remit is quite broad and usually very different depending on the company. What does your role look like at Wagestream?

“As a CISO your role will vary, depending on whether it’s a start-up or enterprise environment. The biggest thing to implement very quickly is the governance, but how you do that is specific based on size. This will be a suite of policies designed to provide the minimum security levels appropriate for the company. If it’s a start-up environment these have to be manageable, usually with a smaller operating team. You’ve got to consider the cloud environment and controls around supply management, as well as day-to-day technical controls. In a big corporation you have the whole suite of them, but one of the biggest risks is internal threats on both sides. Governance is key, such as your acceptable use policy and information classification policy; from that you then put together a suite of policy statements.

Each control has a policy statement, and the tolerance level of the policy statement is governed by the company and their risk appetite; that’s the biggest change between a start-up policy and enterprise.

The remit is so broad: you’ve got a technical CISO, a 1st and 2nd line CISO, and then a triple threat that does all three and sits like a CTO or CRO.

I’m not super technical, but that suits my approach; I like to talk to people. If you are able to talk tech to the engineering teams on their level, asking questions around the development cycle, they’ll light up and tell you where the potential breaches could come from. It’s about being able to communicate effectively with different levels across the business; that’s where you develop the policies, off the back of those conversations.

The depth and breadth of knowledge is so wide, relating to a number of the ISO standards, SOC 2, Cyber Essentials Plus, GDPR, the SWIFT Customer Security Controls Framework and PCI DSS. If you specialise in one particular area, you have to rely on other team members. So a good level of self-awareness tied with collaboration is a major part of the role and key to our success at Wagestream.”

The position of the CISO is a candidate-short space. Why is that?

“You can’t learn it from a textbook; there isn’t a master’s degree to be a CISO. The technical knowledge is there, but what you need is the ground time. So with more and more start-ups popping up, the market is struggling to match the demand; that’s why you will see certain CISOs offering their expertise to more than one company at one time on a part-time basis. To offset this issue a lot of companies have great security operations centre teams to cover threat intelligence, responsible for identifying, applying, and testing patches for vulnerable enterprise systems and software.”

What do you need to be successful in a startup environment?

“You have to understand the culture and adapt your style accordingly. My style is very different compared to my corporate days. But that said, you need to be able to do both in the start-up world depending on the task, especially if it’s an externally facing situation. So my biggest advice would be to observe and learn to adapt your communication style.”

What major industry shifts have you witnessed in information security and what do you predict for the future?

“Security is now a priority for most companies, so the big change is budgets. When I started out you were given a minuscule amount to operate with, but now we’ve stepped into multi-million projects to cover higher-status threats and the advancements in technology that you now see.

More and more firms will tap into AI due to threats being much more prevalent, but with AI taking more of a role that brings new problems. That said, the economy has a big effect on practices to ensure processes are as cost-effective as possible.”

Serhii Pontus

Founder and CEO RevolSource, IT consultant, Ambassador of the Information Security Institute | Business tools to improve business efficiency and protect business.

1 year
Ferne Osborne

EA to Exec Partner EMEA, UK and US at HSF

2 years

Brilliant article on a brilliant lady!! Have had the pleasure of Clair’s company
Sophie Jammes

Global Head of People at Wagestream

2 years

Loved reading this Jake Wilson and Clair Phelps. You truly are MAGIC and we’re so lucky to have you as part of the Wagestream team
Alisa Hildreth

People Manager at Wagestream

2 years

You’ve taught me everything I know about ISO 27001 Clair Phelps, for that I thank you