Addressing Security Challenges, Opportunities in M&AsAsh Hunt, Global CISO of Apex Group Ltd., on Harmonization and Consolidation
Companies that grow quickly through mergers and acquisitions often face an array of unique security risk challenges - as well as opportunities - said Ash Hunt, global CISO of Apex Group Ltd., who is helping to shepherd his organization through such a transformation.
"I've got a very global team and get to work with people all over the world," and that can bring diverse approaches and value to information security work, he said. "But at the same time, it is also challenging as we bring on new businesses and try to get ahead of the game and ensure what we're purchasing is secure."
In this video interview with Information Security Media Group at RSA Conference 2023, Hunt also discusses:
- Other security challenges and opportunities involving mergers and acquisitions;
- Harmonizing people, processes and technology post-M&A;
- His role as global CISO at Apex Group Ltd.
Hunt has worked extensively across U.K. government departments, FTSE/FORBES organizations and critical national infrastructure, in addition to authoring the U.K.'s first quantitative framework and actuarial model for information risk.
Tom Field: Hi there. I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group. My pleasure to welcome to ISMG Studios, Ash Hunt. He is the global CISO with Apex Group. Ash, after all the virtual discussions we've had, it's a pleasure to meet you in person.
Ash Hunt: Likewise!
Field: Tell me a little bit about your organization, your experience first.
Hunt: So I'm global CISO of Apex Group. So we're a financial services organization, company and fund administration. But we have lots of interesting parts of the business. We have the European depository bank, for example, as well as blockchain companies. So it's a pretty diversified business in that sense. We've got about 12,000 users. So my scope is global. And I look after a number of areas, right through from identity privilege, access management, the internal global operation center, tech rescue, all these other bits. But it's great because some of my scope and purview expands way beyond traditional information security to cover many aspects of the technology environment, particularly when it comes to assurance. So it's definitely an interesting role. I was CISO of an FTSE 250 asset management company that was bought by Apex. So it's been interesting to kind of go through that acquisition process. Apex itself also does quite a lot of merger and acquisition. And this is probably a backdrop to a lot of the strategic initiatives that I've got moving forward. But one of the key things that we've been focusing on in particular is really bringing the whole organization together. So over time, Apex has grown pretty dramatically in quite a short space of time. And so it's really incumbent upon me and other technology leaders in the business to execute a kind of very much concerted focus on culturally bringing the organization together, as well as just from a technical and a process standpoint. So that's definitely the forefront of my strategy at the moment.
Field: What brings you to RSA Conference, and what have been your impressions of the event so far?
Hunt: So it's my first time. I would say my impression is, Europe has nothing on this scale. It's a roadshow like I've never seen before. So it's pretty eye-opening. But as they say, most of the key meetings take place on the periphery. So it's been really valuable to me to kind of catch up with a lot of my sort of U.S. colleagues in the profession, in the industry, but also, to get some face-to-face time with vendors. So you know, particularly some of my stack that are headquartered out here, I don't tend to get to meet the sort of senior leadership very often. So it's a great opportunity to kind of talk shop and run over some of the work that I'm delivering at the moment in Apex.
Field: Excellent. As you say, Apex is going through a significant transformation, being in so much merger and acquisition activity alone, you're sort of in the petri dish of cybersecurity issues, how has all this transformation impacted your security landscape?
Hunt: So I think the security landscape, and our risk landscape really has probably began to evolve now and is changing at the moment, which is different from I think it's historic profile for the business. So Apex has gone through quite a dramatic increase in its size in a relatively short space of time. And the byproduct of that is you don't necessarily have the development of understanding, you know, protection and things like this. That kind of organically grow in lockstep with that organizational growth. So you're kind of playing catch up, which is really tricky, particularly when, in the M&A space as well. You've got people from potentially different geographies, different corporate cultures all being sort of brought together very quickly. So when I came into Apex, about six months ago, one of the key drivers for my strategy was creating an organizational design for information security that did bring everyone together. So things like having a global internal SOC is really valuable. Because if we acquire a business, and I pick up an analyst in maybe Australia, or South America, they can fold into that structure really easily and understand the kind of defined purpose in what that brief is driving for information security and for the business. So you know, in some senses is got a, you know, a lot of challenges. But on the flip side of it, it's also a lot of opportunity. I've got a very global team. I get to work with people all over the world, and which have, you know, it's very cognitively diverse, very different approaches. And that only adds kind of diversification of value to the work for information security. But at the same time, it is also challenging as we take on new businesses, and we will still continue to do that, to try and get ahead of the game and ensure that you know, what we're purchasing is secure that they can fold into a common operating model. So, again, six months in, it's not only just that people normalization that we're doing, but it's also the same with the tech stack as well. It's trying to get us consistent set of solutions that are harmonized, working well, working in an orchestrated manner, so that when we do acquire a business, they're set patterns and tools and people and processes that they can fold into.
Field: Sounds good. I know it's a great theory, but in practice doesn't always work. So M&A, it comes with its own unique issues. Security often isn't involved upfront with that. Security can be an afterthought in merger and acquisition activity. What have you found to be the role of security in what Apex does?
Hunt: So I think historically, as a general rule of thumb that is absolutely true. It's always, you know, shifted, right, and you want to shift it left as much as possible. And one of the core things that we focused on in Apex is setting up a persistent team to really look at integrations so that we can have the same set of skills and the right set of skills, engaging with that company as early on as possible, you know, even around the transition service agreements, so that as they become on-boarded, we know exactly the exploit of limitation as to how much they're going to be integrated - when, into what tools. We have some advantages, particularly in our pocket of financial services, in that there's there are a lot of mainstream standardized solutions, but that also breeds its own challenges where, you know, the companies might be on a different version, and you know, they're not going to be able to map across straightaway. And you'd be surprised how much that can extrapolate. And then your timelines are going to increase and increase. But from a security standpoint, our intent is to get as far left as possible in that process, to be involved and to kind of, I guess, act as a handrail to the organization that's coming on board, because it's a challenging time for them as well, you know, I've gone through the process multiple times in businesses before and it's, you know, being acquired is not an easy thing. And there's a lot of peripheral factors that we have to kind of account for. And one of the key benefits that we've noticed, particularly over the last few months, bringing information security earlier into that conversation has been that organizations with perhaps a lower security posture, and perhaps not the same level of investment, are now going to benefit from a wide global enterprise set of solutions, people processes and technology. And so I think that's a huge boon to them. Because if they didn't have a lot of security in place beforehand, they're going to get folded into that structure pretty quickly.
Field: So Ash, you say, you're six months into this role. How do you see the next six months shaping up? What are your biggest priorities as a security leader? And how are you going to measure your progress?
Hunt: So I think for me, all I care about is loss exposure, and being able to quantify that, in financial terms and stress test any of the investments that I'm making as a CISO, and actually not just as a CISO. I really want that to be true for all of the decisions that we take in technology. You know, every business in the world runs on technology now. So it's really just operational risk, you know, the kind of concept of cyber risk just doesn't exist. And so, for me, I probably spend as much of my time trying to track down where our most frequent loss exposure is coming from being generated from. And so each time that we're taking decisions, because no one's got an endless budget, I need to be able to kind of validate that when I am going to the board and I'm engaging with ExCo, and we're asking for additional funds or funds to be redirected in a certain area, that we can actually demonstrate the return on investment for the business, both in financial terms, but also in kind of security value add and how much it's going to improve our posture. So for me instilling that kind of, you know, metrics-based, and data-driven thinking in the organization is really pivotal. And I'm lucky I look after technology risks where I can kind of infuse that thinking across the organization. But really, for me, it's kind of completing that half journey that I've done so far, ensuring that the function is still growing, you know, we're on a definitely a significant growth journey as a function in the organization, ensuring the rest of the stack is kind of normalized, you know, bringing together multiple external providers and tool stacks, etc. So getting that cleaned up and orchestrated well, and then finally working on process improvement enhancement, but ensuring that every decision we take is going to be one that gives us benefit at the end of the day.
Field: Well-said. Ash, thanks so much for taking time to speak with me. Appreciate it.
Hunt: Pleasure; cheers, Tom!
Field: That was the conversation with Ash Hunt. He is the global CISO with Apex Group. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention to that.