Being a CISO in a company full of security experts: Deryck Mitchelson's job at Check Point is no ordinary IT role. He tells ITdaily how he does it: “We don’t need to bring in expertise from outside.”
In an average organization, the CISO is the go-to security expert. However, things are different at a company like Check Point, where nearly every employee has above-average knowledge of digital security. In 2022, Deryck Mitchelson took on the challenge of becoming a Field CISO and C-Suite Advisor at Check Point.
Mitchelson brought a wealth of experience as both CIO and CISO, particularly in the healthcare sector. We meet him at Check Point’s annual CPX conference in Vienna. With passion and a warm Scottish accent, Mitchelson talks about how he approaches his role and his view of today’s security landscape.
ITdaily: What does the IT environment you are responsible for look like?
Mitchelson: “Just to be clear: I’m not directly responsible for the IT environment. That is largely the responsibility of our CIO (Alex Spokoiny, editor’s note), who has also designed our internal security policy. However, we work very closely together. He is always open to hearing my opinion.”
“My focus is more on external engagement: talking to customers about what they are working on and what their biggest challenges are. I was a CIO myself for many years, and I try to bring that experience into my role at Check Point when speaking with customers. That continuous interaction with external parties is extremely valuable. The IT and security challenges that companies face are about 90 percent the same across different sectors.”
What are the key priorities at the moment?
Mitchelson: “Protecting our assets: identifying potential blind spots and ensuring we have the right data to address them. Our challenges in this regard are not very different from those of other organizations.”
“A second priority is making sure that, first and foremost, we use the right technologies—but also that we use technology in the right way. At Check Point, we are convinced that we have the best technology, but that doesn’t mean we stop looking for ways to improve. The way we interact with technology today is completely different from a few years ago. For example, I haven’t opened my laptop once during this conference today. We can do so much more with our smartphones now.”
Does everyone within the business sufficiently understand the IT challenges?
Mitchelson: “The challenges today are similar across different sectors. We want to provide good security, but also a good user experience around that security. The conversation starts from a different perspective, but at its core, it is about the digital transformation of upstream and downstream activities.
“The big difference at Check Point is that a lot of knowledge and expertise is already within the organization. As a CISO, you don’t need to bring in expertise from outside because there is already plenty of it.”
Do you have access to enough people and resources?
Mitchelson: “Everyone talks about a shortage of resources these days. For me, it’s not about quantity but quality. You can hire people, but bringing in the right skills is often harder. The best talent has the choice of where they want to work. I have always looked at how I can develop talent within my team—who could excel in a different role? By focusing on developing talent instead of just hiring it, you build a strong culture in your organization.
Digital security, in my opinion, is the best industry to work in—let’s make it exciting again.
“At the same time, we shouldn’t overlook ‘raw’ talent. As an industry, we should invest more in training and internships to attract young talent to security careers. Politicians constantly talk about digital transformation. This should be reflected in education. Every company is becoming digital, so security is a priority for everyone.”
Does the future of IT environments lie in the cloud, on-premises, or in a hybrid approach?
Mitchelson: “A combination. We evolve in waves. The early adopters who fully migrated to the cloud have discovered that the cloud is very complex. There’s a lot to consider in public cloud—how you manage it, how you build capacity and skills. If your processes are not sufficiently automated and efficient, you won’t reap the benefits of the cloud, and it will end up being much more expensive than expected. That’s why many companies have paused their cloud migrations to determine what should actually go to the cloud.”
“During a roundtable for the banking industry earlier today, I got a question about this. I recommend moving digital services to the cloud but keeping the core of your IT environment on-premises. That way, there’s less risk for your customers. If a digital portal goes down, it’s inconvenient, but if your core systems fail, the impact is far greater. That applies across all sectors, including ours. It makes sense to split these functions.”
What impact do regulations like NIS2 have on security policies?
Mitchelson: “Regulation impacts every CISO. To some extent, we are all regulated regarding what we must do in case of data breaches, etc. I see a gap in maturity between highly regulated sectors like finance and less regulated ones. Regulation is a good thing because it drives conversations and improves maturity in detecting and preventing vulnerabilities.”
How does Check Point deal with the AI hype?
Mitchelson: “Our policy is actually simple: we eat our own food. We use our own technologies. It would be strange if we didn’t. The internal capabilities exist within the organization, so it’s only logical that we use them ourselves. We believe that if it works for us, it will work for our customers too.”
“I’m still amazed at how fast AI is evolving. This changes how we offer and integrate AI into our own security products. AI has great potential to bridge the skills gap in security. We encourage customers to use AI safely to improve security efficiency and effectiveness. Our AI technology is secured by design.”
“What worries me is to what extent this is true in other sectors. Many industries lack processes to assess AI risks within their organizations. If AI is not implemented securely, it can lead to vulnerabilities, fines, and reputational damage. Check Point wants to help companies navigate AI transformation safely. It’s complex, and not everyone has the expertise in-house. We solved it for ourselves—now let’s try to do that for everyone else.”
What are the key trends you are following for the next three years?
Mitchelson: “The evolving role of CIOs and CISOs personally intrigues me. Due to regulations and new technologies, the nature of these roles is changing rapidly. It’s interesting to see how we adapt to these changes. CIOs are becoming transformation leaders.”
“Everyone in the security industry will continue to talk about AI—about the new threats it creates and how AI can help solve them. Attackers are innovating too. While we aim to act ethically, attackers are becoming less and less ethical in their rush to exploit new technologies. It’s a worrying yet fascinating development.”
“I sincerely hope that organizations that haven’t yet introduced AI capabilities will do so soon. If attackers have more AI capabilities than you do, you’re an easy target. Every security leader will have to become an AI expert. You are the first point of contact for questions from the board.”