This is part of our Humans of Cyber initiative, a series of in-depth interviews with key figures and leaders of the Canadian cybersecurity ecosystem.
This month, we are honoured to welcome Phil Armstrong. Phil is an internationally-recognized leader in financial services, capital markets, emerging technologies, insurance, cybersecurity, IT governance and risk management. His most recent experiences were as the Executive Vice President and global CIO for Great West Lifeco and the Chief Digital Technology Officer for Sunlife Financial. In 2020, he was inducted into the CIO Hall of Fame as its first – and only – Canadian-based CIO and InsurTech Magazine described him as the world’s third-most influential insurance tech leader.
1) Elevate the cybersecurity discussion to the highest level within the company by establishing an executive cybersecurity committee.
2) With the board and the executive cybersecurity committee, create a “target state” – a multi-year plan that is used to socialize and educate people on the cybersecurity maturity journey and secure funding. This helps to break down the IT and non-IT silos and get executive buy-in into the recommendations your security team is making.
3) Leverage the taxonomies and standards created by C-suite councils that consist of peers in technical C-suite roles. These frameworks can help you show a measure value in your technology operations and your technology investments.
ISA: Oh, it’s great to have you. Your career track record proves that even long-established companies with extensive legacy systems can undergo successful digital transformation. What advice would you have for legacy CIOs on embarking on similar journeys?
PA: Yeah, similar journeys! Yeah, for sure. I’ve worked for a couple of companies that are well over 100 years old. And so they had sizable legacy debt; investments that have stretched back 50-60 years in technology. And I think my advice would be – to sum it up in one sort of snappy little phrase – strive for progress, but not perfection. My advice would also encompass things like, you know, you really have to learn the business operations of these type of large, complex companies; you have to understand how they work in detail. And you have to understand probably about three important factors. How does your company make money? What are your customers’ expectations? And what are your company’s aspirations and try and align your actions and your team’s actions with those important factors. I think it’s important for CIOs these days to try to create a technical environment that’s responsive to customer needs, and supportive of existing and new revenue and growth opportunities. And you have to look at your portfolio holistically, with an eye to continuous improvement, and specifically seek out those automation opportunities. We’re all striving to create a scalable, flexible, cost-efficient, and safe ecosystem that matches your company’s risk tolerances.
ISA: Right, I do hear stories are where people will jump in and want to start boiling the ocean, right from the beginning. But it is important to really, truly understand the business and then start making iterative changes and improvements as you go.
In the financial sector, cybersecurity is a regulatory matter, as well as smart business. What strategies did you use to keep security front and centre in your initiatives?
PA: Well, I tried a few that didn’t work [laughs]. And over all my years of experience, I think I’ve homed in on the formula now that certainly does work. And the first thing that I like to do when I come to a new company, is to establish a cybersecurity executive committee. Elevate the cybersecurity discussion to the highest level within the company. I managed to do this at the last two or three companies that I’ve worked at. And the last one was co-sponsored, actually by myself and the CEO, with all of the executives, the management committee in attendance, and we briefed them on a couple of things: what’s happening in the industry, trends and patterns and breaches and companies that are in the news. And also what’s happening, what we were seeing within our own company – how we were being attacked on a daily basis and who was attacking us, ranging from sort of amateur hackers right through to state-nations. And so it was quite a wide variety of attackers. And unrelentless! – the volumes we educated them on, how they were trying to get in and what weaknesses they were trying to exploit.
And then I worked with the board and the executive committee to create a “target state” environment; we had a multi-year plan that was used to socialize and educate people on that journey and secure funding. And then also a loopback process – a feedback process – that we could track progress towards our goals and show how we were strengthening the organization’s cyber resilience. We took an interesting approach at my last company: we were highly decentralized. And so I pushed cybersecurity into each of the business units, making them all responsible for their own cybersecurity agenda, investment, roadmaps, progress, status, and their own sort of capabilities. And I think if you’re operating in a global model in multiple countries, with multiple maturities in those businesses, that really is the only way to go, and then centrally govern that. We had regular meetings and briefings with regulators globally in Europe and the U.S. and Canada and OSFI was very, very hands-on here in Canada, in terms of being interested in what we were doing from a cybersecurity perspective. And I plugged into the cybersecurity communities of vendors and like-minded people in different companies in different countries. And it’s interesting: we were competitors, but when it came to cyber, there was a lot of cooperation, especially in financial services. So: worked hard to establish trusted partnerships with vendors and companies, and worked with companies like ISA to complement and augment my already, large and sophisticated cyber team. And I think having a fallback of trusted partnerships was a really credible ingredient in some of the success that I’ve had.
ISA: It really does need to be a team effort for sure. Now, you were quoted recently as saying, “It’s becoming difficult nowadays to tell if you’re a business person, or an IT person”. Can you expand on this, and tell us a little bit about the benefits of breaking down the IT and non-IT silos?
PA: Yeah, for sure. I mean, it’s a bit ironic, because for decades, I think IT professionals have been trying to align with the business, and trying to educate the business on the power and the opportunities of technology. And as technologies become more pervasive in our society – we all carry little computers around with us – with the advent of the cloud, and 5G and software-as-a-service, and mobility, and even things like agile development, open APIs, and now moving into things like low-code and no-code solutions. It’s a lot easier for business executives and business colleagues to participate and lead the solutioning process. But as that pendulum swings, it can swing too far. And it can get to a point sometimes where it’s a bit dangerous, where you’ve got business folks making technology decisions, or leading technology development opportunities. And you end up having these breakaway teams developing solutions in isolation. And what I mean by isolation is that it’s highly aligned with what the business wants, but perhaps it’s not as integrated into the common architecture patterns or security designs that you have to have in your company. And that provides gaps and weaknesses for cyber criminals to exploit. Generally, I’m of the opinion that having more tech-savvy business leaders and engagement is a really positive step forward. And I’ve been advocating for this for decades. But I think having that healthy balance between educated and savvy business leaders, but involvement from technology professionals who do this for a living and know the larger picture and what the larger security patterns and designs are – having that sort of tight cooperation between those two groups is essential. So that’s what I’m seeing.
ISA: Right. Having the governance piece is still very important, no matter how easy it is to do these kinds of quick deployments. In addition to your experience with the global enterprises, you’ve recently been speaking more and more about cybersecurity for SMBs. How can they decide how to set priorities and get the best value for their next cyber dollar when every dollar may be so scarce?
PA: Yeah, it’s a real tough problem right now. A lot of small to medium-sized businesses rationalize their security posture with their size. You know: “The cyber criminals are not after me, I’m too small,” or “I don’t have enough resources to have a fully comprehensive cyber plan – I’m not some big global enterprise”. So there’s a lot of rationalization going on in the conversations that I’m having with small to medium-sized businesses. But it’s a bit of a double-edged sword, because the facts actually suggest a different story. The cyber criminals are looking at small and medium-sized businesses as, quite honestly, easy pickings, due to their lack of sophistication in their defenses. And so the cyber criminals are organizing on the dark web. And they have these, what I call “pre-stamped models”. They’re formulas, using technologies and processes that they can repeat across industries and across countries. And they’re very, very successful. And they find ways to penetrate through email, onto corporate networks, loosely-defended corporate networks, do lateral transitions, and then implant ransomware – sometimes taking months to do this – and then coordinating an attack and then ask for ransom. And for them, it’s a scale game. They can do this so many times. The ransom doesn’t even have to be that high. But the numbers that are involved are quite large, because of the scale and the amount of times that they do this. And again, because the ransom isn’t so large, a lot of the small and medium-sized businesses are paying the ransoms and not reporting the crimes, because it’s not that large to them. And they go unnoticed. I mean, I think the effort involved in going after a big fish, you know, a Fortune 100 company is enormous for these cyber criminals. The payoff is big. But a lot of times if the payoff is big, then the FBI or CSIS or other agencies are involved in tracing who did this. And so they’re going for the least risk, and the easy pickings, where the ransom is low. And it’s a tough, tough problem for these small companies and medium-sized companies to handle. But it’s one that they have to do. And they have to perform a risk assessment. They have to create a plan with a set of defenses that are appropriately sized and maintained for their business model and their risk appetite, and quite frankly, their budget. And if warranted, they have to even look at cyber insurance.
ISA: Now you mentioned cyber insurance. Is that a strategy that you’re seeing a lot of companies pursuing in order to prepare for the worst?
PA: I wouldn’t say a lot, but it’s certainly gaining in popularity. I would encourage companies to have meaningful discussions around certain scenarios, and get on the same page around what they want to do. But cyber insurance I think is becoming more popular and becoming more comprehensive in the way that it can be applied. There was some ambiguity in the way that it would qualify and be applied. And the contracts are getting better, the firms are getting more sophisticated as they understand the risk that’s involved in the insurance policy, and for certain firms it makes a lot of sense. It depends on your business model and your exposure. But for certain firms, yes, I am seeing quite a lot of interest and the rise in companies taking out cyber insurance.
ISA: Just changing gears a little bit: in 2020, you were inducted into IDG’s CIO Hall of Fame, becoming the first and only Canadian-based member out of 162 honorees. Could you tell us a little bit about how that all came about?
PA: Yeah, well, quite by accident, to be honest. But first of all, what an honour! I mean, it was a surprise. It was probably one of the most intense processes that I’ve been through, surprisingly. Lots of interviews. I think there was a 400-page, detailed dossier from those interviews on my career which was a trip down memory lane for me when I read it. But such an honour. The criteria to get into the CIO Hall of Fame are exceptionally tough. Candidates are measured across multiple facets. I was nominated by one of my vendors, and the phone call came in to me, and a person that I’ve known for decades, and we’ve worked with for decades said: “By the way, Phil, I’ve just nominated you for the CIO Hall of Fame. Good luck!” And that was about the first I’d heard of it [laughs].
When the interviews started, I was surprised at the rigour of the process. There were some entrance criteria that were steep. They required decades of experience, at the CIO level, managing very large IT teams. There was a minimum headcount number that they were looking for. They looked at your portfolio, and the annual dollar spend – there was a minimum dollar spend that was quite high, over a number of sustained years. They required that you’d worked in so many countries; that you had global responsibilities; and that they assessed the impact that you had had – not only advancing the CIO profession; they wanted to see examples of that. But they wanted to see if you had any patents or inventions; what innovations that you’d spawned within your industry; and the industry impact that that had had over a number of years, and they were quantifying that. They wanted to see if you were involved in any charity work and community involvement. Also mentoring IT professionals and advancing the IT community. So it was quite broad, and extensive, and quite demanding and thorough. I became a CIO at 29 years old, and I’ve been in the industry… this is my 43rd year in the industry. And I think you mentioned I’d worked in 49 countries. So I was delighted to be the first Canadian-based CIO to be inducted into the CIO Hall of Fame representing in Canada. There’s one other Canadian in the Hall of Fame, but he was the CIO of Coca-Cola in Atlanta at the time when he was inducted. So I became the first Canadian-based CIO to be inducted into the Hall of Fame. Very proud.
ISA: Well, and you should be – it’s a tremendous honor, and fascinating to hear about the level of detail they go into, so thanks for that. So could you tell us a little bit about your latest venture, Macanthium Ventures?
PA: Yeah, Macanthium Ventures, Inc. I decided to retire from corporate CIO life in March 2021 of this year, during the pandemic; after the pandemic, actually, for many of us in IT. I’d managed to get through that initial scramble and the movement of everyone working from home and implementing tons of technology to allow for the business to continue. And it was an exhausting process, you can imagine the amount of hours we were working to do that. So I wanted to ease up a bit. I’d been planning this for a while to be honest with you, but the pandemic gave it a little bit of a nudge. And I wanted to stay connected with the technology community and the technology industry, but work considerably less hours. So I created Macanthium Ventures Inc. as an advisory business where I could participate on boards, advise boards, and work with boards and executives and companies on digital transformation, information technology, leveraging information technology, and cybersecurity around the strategy level, and the integration with business plans. And then I also have spent some time facilitating industry forums, which I really enjoy, and then investing in select technology startups and opportunities. And so I started this company about two, three months ago. And the response has been overwhelming. I’m as busy as I want to be – I don’t want to be any busier than what I am right now. So I’m not looking to grow my company with staff, etc. I’ve managed lots of staff in the past – it’s going to be a mighty company of one. And I’m really enjoying it. And so I’m working with some really fantastic global companies and sharing my advice and adding value.
ISA: That’s sounds terrific! And I do have to ask, where does the name Macanthium come from?
PA: Yeah, there’s a bit of a story around this one. So, you know my surname Armstrong is a Scottish clan; although I’m English, it’s a Scottish clan and it sits right on the border of Scotland and England. And going back in history, the Scottish king at the time was demanding loyalty from all the clans and the Armstrongs – being fiercely independent – did not want to pledge loyalty to either the English king or the Scottish king: a problem when you’re sitting between two countries. And so there’s a place in Scotland called Mangerton, which is the home of the Armstrong clan. And there’s a tower there, which was the sort of stronghold of the Armstrong clan. When this disagreement happened with the Scottish king, he decided to try and eradicate the Armstrongs from Scotland – from the face of the earth actually – Game of Thrones style. They actually based that plot within the Game of Thrones from the Armstrongs, which is the King of Scotland invaded all the heads of the Armstrong clan to a banquet and then he closed the door and slaughtered them all, or tried to eradicate them – that famous scene from Game of Thrones. They drove the Armstrongs out of Scotland, and they trashed the tower, and so it’s just a bunch of ruins now. And the Armstrongs scattered all over the place: to Ireland, England, the U.S., Australia, and I jokingly say the Moon [laughs].
And near the tower was growing some Scottish thistle, and at the time I applied to create my new company called Mangerton. And when we did the word search, Mangerton had been taken – there was a company called Mangerton already, and it’s coincidentally owned by Armstrongs [laughs]. And so I was looking for a new name. And it’s very difficult these days to find a unique name for a company. And so the Scottish thistle that was growing near the tower, the ruins of the tower, the Latin word for Scottish thistle is acanthium. And so it was my wife actually, that came up with some creativity here: she took the “M” from Mangerton, and added it to the Latin name acanthium, and when we came up with Macanthium. So it is a concatenation – it’s a made-up name. When we did the name search, of course, you’re not going to find Macanthium referenced anywhere, so it was unique. And that’s what we did. When we created the logo for the company Macanthium Ventures, you’ll see that there’s a tower there, which is also a homage to the Mangerton Tower and my heritage as a member of the Armstrong clan.
ISA: That was very cool – I’m glad I asked him about that. That’s a great story.
PA: A little bit of history [laughs]. Yeah, sorry for the long history lesson there.
ISA: Oh, no worries. So, just some of the other ventures you’re working on: you’re also the chairman of the board of the Technology Business Management Council. Can you tell us a bit about the TBMC and their activities?
PA: Yeah, fantastic organization. I started as a board member, and recently at the start of this year, became the chairman of the board. We have 24 board members. We’ve just recently launched sub-boards in Europe, Asia and Japan, which kicked off a couple of weeks ago. 10,000 members of TBMC: some phenomenal organizations that are members like MasterCard, and Enbridge, Stanley Black & Decker, Wells Fargo, Intuit, State Farm, Verizon, just to name a few. And we create a taxonomy and a set of standards that you can use – free of charge – that you can use to run IT more professionally; to run IT like a business. And then to also create value, and show a measure value in your technology operations and your technology investments – something that boards and executives are clamouring for today, especially in times where they’re creating agile work teams, and so we’re moving from project-based to product-based, and where cloud has come in, and it’s changed from more like a utility computing model. How do you show your value, because a lot of people have bought into the cloud and are finding that it’s more expensive than when they were running it in their data centre. And so how do you harness the value of the cloud? And how do you show IT being a lever for business value, as opposed to a black hole where you’re pouring money in year after year. So this TBMC Council has formed globally, and we’re creating best practices and taxonomies that people can use, especially CTOs, CIOs, CISOs, to demonstrate the value of that investment. Fantastic organization, really proud to be the chairman of the board for that organization.
ISA: And when we post this interview online, we’ll make sure to include a link to the TBMC for those who are interested in learning more.
PA: Yeah, that’d be great. Thank you.
ISA: So looking ahead: what cybersecurity trends do you see emerging in 2022? Will it be another record-breaking year or have the massive breaches that we’ve all read about in the headlines over the last 12 months finally grabbed enough people’s attention to effect real change?
PA: I’m sad to say it will be another record-breaking year. It’s going to be more of the same, with increased sophistication from the cyber criminals. I see email as the beachhead into most organizations. The model of just use email; embed malware into attachments or links/redirects; an increase in ransomware; an attack on vulnerable VPNs, especially with people working from home and using VPNs more frequently; identity theft; get onto the corporate network: lateral movement, infect as many devices as you can, and then hit them with a ransom, maybe even some social engineering. But the way that they do that, it’s a well-known attack chain. There’s lots of defenses that you can break up that the attack chain, but those defenses are under attack for circumvention. And I think the way that they’re doing that is using artificial intelligence in the malware itself. And so we’ve seen things where malware has been activated and the first thing it does is it checks its surroundings, to see whether it’s in an artificial environment, which tools use to inspect. And if it’s in an artificial environment – a virtualized environment – it just goes back to sleep until it’s actually hid its payload. So it’s becoming more and more sophisticated in avoiding detection. And so with this going on, this fight that’s taking your established tools and prevention tools to a point where they’re not really operable anymore, they’re not effective anymore.
That’s why companies are really shifting. And I think you’ll see across the industry, a massive architectural shift, where business architectures and cyber architectures and technology architectures start to align more towards a zero trust model. We’re seeing adoption of zero trust, just widespread. And it’s interesting how Gartner and Forrester are dreaming up these new acronyms every single day to confuse the marketplace. But we’ve gone from zero trust which is, in my opinion, an architecture with a zero trust engine at the centre of it to now a SASE (which is Secure Access Services Edge), which is a sort of an all-encompassing acronym that Gartner is throwing around: the SASE/Gartner combo. And that really is more of an ecosystem. And so people are getting confused between: Is SASE an architecture? Is zero trust an ecosystem? But SASE and zero trust are here to stay.
You’re starting to see more collaboration with the cyber criminals on the dark web. There’s cooperation, they’re creating toolkits that you can buy for $50 that has this sort of pre-conditioned set of tools that you can, again, attack these small and medium-sized companies. And we’re seeing that the targeting of utilities as well, and companies that have sort of low latency, low response times like hospitals and pipelines and fuel supply; and if they do get breached, they have to react very, very quickly, which leans more towards paying the ransom. And that emotional content, like hospitals and long-term care homes that are getting their technologies crippled, and so they have to pay the ransom very quickly otherwise it’s putting human lives at stake. So that’s what we’re seeing. It’s not getting any better. And I think we’re gonna see a lot more of it, because it’s quite profitable for the cyber criminals, and they can hide behind the dark web and anonymity and escape prosecution. So that’s what we’re seeing.
ISA: In the wake of the pandemic, do you see other changes in the cybersecurity world coming in the next year?
PA: Yeah, I mean, most CISOs and CTOs and CIOs are struggling with after the pandemic, or as the pandemic continues, we’re now starting to see the shift that was trying to get everybody working from home, and now it’s “I have to create an ecosystem where I have a network, where people can work from home, work in the office or work at both”. They have to be able to do that safely, and they have to do that in a way where the user experience is good. And so from working from home, a lot of people have started using cloud applications. And the cloud application experience is far different than the data centre/legacy application experience where you’re signing on to the VPN, and then you’re signing onto the network, and then you’re signing on to the application. There’s three different sign-on experiences, and it’s very flaky and cumbersome. So we’re trying to raise the bar on the user experience, make it more like a cloud experience. And that’s why I think people are going to the zero trust model, having a zero trust engine and getting rid of expensive MPLS clouds, they’re getting rid of the VPN technologies and multiple sign-ons. And they’re really leveraging off the ecosystem, the SASE ecosystem, which brings in identity management, safely connecting users with the resources, the applications, and the tools that they need, that only they need. So detaching users from the corporate network which does not allow lateral movement is a priority for cyber professionals right now. And that combination in a cost-effective way that supports business growth and business usage patterns -that’s really challenging. And so I think most people are gravitating towards zero trust as being the architecture that’s emerging as the leading architecture, that’s going to tick a lot of those boxes that I just mentioned.
ISA: For sure. Cybersecurity isn’t the only battle between good and evil in your life. Could you tell us a little bit about your career as an author of “The Dream Cane” and “Tamworthia” fantasy series?
PA: Sure. This started well over a decade ago. My wife is an avid reader. And with me working in technology, I’ve been very fortunate that it allowed me to travel to many, many different countries, and experience different cultures, and go see some amazing places all around the world. And so, for a birthday present, I decided to write a novel, a fantasy novel, and it was called “2 Promises”. And it sort of incorporated fictional characters, and a fictional plot, that was grounded in real places. And these places were interesting places that I traveled to and I’d visited. Someone had read a couple of my books and said it’s a bit like Dan Brown, where you’re sort of mixing together fantasy and real world. And so I created this novel and gave it to my wife as a birthday present. I thoroughly enjoyed the process of creating the novel and doing the writing. At that time, I was doing a lot of traveling, I was on airplanes, sometimes 16-hour journeys on an airplane going to Asia. And so I would use the travel time to write, and it was a way for a relaxation and distraction for me.
My novel was quite successful, and I approached a couple of publishing companies, and they wanted me to go on book tours and do book signings and dedicate a lot of time to supporting their investment in publishing the novel. And I just didn’t have that; as a busy executive, I just didn’t have that time or the inclination. So I started and founded my own digital publishing company, and self-published my works myself. Since then I’ve written 11 books. I’m working on my 12th right now, as a way to relax and share. And the “2 Promises” book was really the tenet of my publishing company 2Promises. The first promise is that I’ll write entertaining novels, and the second promise is that I won’t charge for them, so they’re free of charge. So you should never pay for one of my books, they’re always free. I’ve managed to distribute my books on book distribution outlets, like Smashwords, or Apple Books, Indigo, some of the leading companies around the world, and they’re all at a zero price. So you can download my books for zero price, I make no profit from this. But it was the start of a hobby that I really enjoyed. And the good versus evil is a little bit ironic, too, because I’ve spent a career working in technology, and you could say that technology can be used for good or evil as well. I’ve seen technology being used in some really innovative ways to advance humanity. And then you could make an argument that some of the technology uses that we’ve made have really eroded morality and some of the social aspects of being human, and has not really helped us. So I’ve taken that good and evil, a subject which is classic and never goes out of style, and incorporated that theme into almost all of my novels.
ISA: Thank you for that. Well, Phil, it’s been a fascinating discussion. Thanks so much for your time today. For those people who are interested in keeping touch, is LinkedIn the best vehicle to follow your activities.
PA: Yep, for sure.
ISA: All right, so when we post this, in addition to some of the other resources, we’ll make sure to put a link to your LinkedIn page as well.
PA: Absolutely. Yeah, I post regularly. Those people that are connected with me know that I’m a fairly frequent contributor to LinkedIn. That’s the social media platform of my choice. I’m not on the other social media platforms, so stay “linked in” with me and follow my progress. Yeah – be happy to post updates on what I’m up to.
ISA: Okay, terrific. Well, thanks again, Phil. And that’s a wrap for today. We’ll see you next time on Humans of Cyber!