Trustpilot’s Stu Hirst is an experienced information security professional whose motivation lies in using a range of tools and techniques to keep his online business safe and secure from external predators.
“The internet is such a wild, wild place that trust is an imperative for traversing your way through it,” says the chief information security officer (CISO). “Cyber security continues to play a massive part in protecting not just data, but the experiences people have and their trust of the products they use.”
Having previously worked in security for Trainline, in the cyber leadership team at Capital One UK, and as an acting interim information security director at Just Eat, Hirst joined consumer review website Trustpilot in March 2021. He says providing the security platform for a fast-growing business was an appealing proposition.
“It was the mission – creating the trust layer of the internet and focusing on how security fits into that,” he says. “I joined just before the IPO, so the company was moving from a private to a public company, with all the requirements that entails, including from a security point of view. It was a chance to come in and really drive things forward.”
Taking the reins
Trustpilot was founded in Denmark in 2007 and, after floating at the beginning of 2021, is listed on the London Stock Exchange. Hirst, who spoke to Computer Weekly from the ScotSoft annual tech conference run by trade body ScotlandIS, explains how he has a range of roles and responsibilities as Trustpilot CISO.
“I am accountable to the board and, every quarter, I present the current state of play for security,” he says. “On a day-to-day level, I’ve been focused on building and scaling out the team. I’m also part of the product and tech leadership in this company, so I often find myself getting involved in other aspects of the business.”
“The internet is such a wild, wild place that trust is an imperative for traversing your way through it. Cyber security continues to play a massive part in protecting not just data, but the experiences people have and their trust of the products they use”
Stu Hirst, Trustpilot
Hirst’s security team covers four main areas: security operations, which includes threat hunting and incident response requirements; cloud security across the firm’s Amazon and Google environments; product security, which includes coding, testing and finding vulnerabilities; and risk, compliance and auditing, which he says has become a bigger priority in the past 18 months.
As a further addition to his role, Hirst took on responsibility for site reliability engineering recently. He says Trustpilot has now combined the security and site reliability teams because of the “day-to-day synergies” between their work.
After working his way to the top of the security profession, Hirst says becoming a CISO is his dream job. “I love taking companies on a cultural and technical journey. I also love the leadership aspect of security and trying to build and motivate teams,” he says.
“I like solving problems that haven’t been solved before, whether they’re industry-specific or to do with the wider internet economy. I feel like security is still quite new across a lot of the IT industry in general, even though we’ve been around the block a bit. I feel like we’re solving some pretty niche issues in cyber security.”
Developing strong capability
After 18 months in the CISO role at Trustpilot, Hirst says his major achievement so far is building and scaling the internal security team.
“One of the main reasons I joined was that I was given the ability to tell the board what I thought we needed from a manpower point of view, a technical capability point of view, and how all that focus on security should be embedded into the organisation. We’ve made some great progress but we’re still on that journey,” he says.
“I love taking companies on a cultural and technical journey. I also love the leadership aspect of security and trying to build and motivate teams. I like solving problems” Stu Hirst, Trustpilot
Hirst has managed to snare the in-demand capability his business needs through a variety of means. As well as tapping into industry contacts, he plays a big role in the Scottish cyber security community. Hirst says this strong network means he receives good applicants for new opportunities on the team.
Right now, the security team at Trustpilot is focused on two key areas. First, security incident and event management, which involves putting in place the right tooling to identify threats that might be happening across the company’s infrastructure and applications. Hirst says his team uses some “market-leading products”.
The second key area of work centres on product security, which involves scanning code for vulnerabilities and bugs before anything gets pushed to a production environment. Once again, the team uses a market-leading tool, but Hirst says the work is reliant on embedding the technology into the general coding practices of the business.
“That’s a bit of a journey,” he says. “It doesn’t happen overnight. You’ve got to upskill engineers, so they understand what some of those coding practices mean, and you need the security team to work alongside them to help navigate through the noise.”
Pushing change quickly
Hirst says the effective use of DevSecOps, which involves introducing security earlier in the software development lifecycle, is a crucial tactic in his team’s work. “It’s about eliminating things as early in the process as you can because then it tends to not come back and bite you further down the line,” he says.
DevSecOps tends to be a popular practice at fast-moving companies like his own, given that these agile-led organisations push code anything from 10 to 100 times a day.
“You find those environments are changing almost constantly compared to the way it probably was 20 years ago,” says Hirst. “And you’ve got to try to find a way to embed security into an environment that is changing every minute and every hour. DevSecOps is around embedding as much of the security elements as we can into the development of the product or code.”
Gartner also recognises DevSecOps as a growing trend, with new techniques continuing to emerge. The analyst firm says more than 70% of enterprise DevSecOps initiatives will incorporate automated security vulnerability and configuration scanning for open source components and commercial packages by 2023, which is a big increase from fewer than 30% in 2019.
“It’s very code-specific, generally,” says Hirst, referring to his company’s DevSecOps efforts. “So, lots of automation, such as code scanning and trying to iron out bugs. And some of the work is more about the cultural aspect – doing things at pace, embedding DevSecOps into agile environments, and maybe not doing some of the more traditional things that a non-cloud environment company might do.”
The company is a heavy user of Amazon Web Service (AWS) and Google Cloud Compute, so security across cloud environments is also crucial. Hirst’s team avoids convoluted processes and tries to push change into its IT environments as quickly as possible: “We’ve got to find ways to either see what’s happening or deal with it at the time.”
Dealing with challenges
Hirst recognises that all CISOs face a never-ending battle when it comes to information security. “The evolving threat landscape is what keeps me up at night because I don’t know what I don’t know yet,” he says.
“The evolving threat landscape is what keeps me up at night because I don’t know what I don’t know yet. Sometimes you’re just trying to react to things as they happen. Things you thought about a year ago are either now not top of the list or something else has happened that changes your priorities” Stu Hirst, Trustpilot
“Sometimes you’re just trying to react to things as they happen, rather than having the foresight of what might be coming. Things that you thought about a year ago are either now not top of the list or something else has happened that changes your priorities. That’s the main concern.”
Hirst says another key challenge is being able to understand what the new threat is and what it might mean for the business: “Sometimes, until somebody else suffers an incident, you’re not quite sure who’s coming after you or why.”
More generally, all CISOs face an increasingly complex security environment right now, especially given wider macroeconomic conditions and geopolitical and security concerns related to Russia’s invasion of Ukraine. Add in the continued demand for talent and Hirst says all CISOs have a packed to-do list.
“There is a level of attrition going on in the tech industry and people are moving around a lot. There have been some upsides to these things, such as remote work and the ability to have talented people from all over the place now, compared to where they would have been located historically,” he says.
“But the global climate continues to make things tricky. We also talk about a skills shortage at times, and there are some more niche areas of security that are quite hard to fill. That can be difficult. And we still have a diversity problem that is going to take a long time to solve.”
Embedding security practices
Hirst’s role is to help his colleagues at Trustpilot meet these challenges head-on and to overcome whatever obstacles stand in their way. His aim over the next couple of years is to ensure that information security is at the core of organisational activities.
“Security is not just a technical aspect – it’s culturally important across the business” Stu Hirst, Trustpilot
“I want to get to the point where security is truly embedded in everything we do,” he says. “And that’s not just the products we build, but that every employee is truly thinking about security as part of their day-to-day job. I want it to be part of the planning cycles across different teams.”
Hirst recognises he’s fortunate to work with a board that supports his vision. Even before he joined Trustpilot in 2021, the company recognised the critical role of security. Hirst’s aim is to ensure that his team provides the right processes and policies to reduce potential risks.
“I aim to give them the right information at the right time about what the challenges are and what we’re doing about them. They like to see a plan. They want to know that you’re dealing with whatever’s emerging and that there’s a plan in place to do something about it,” he says.
“Security is not just a technical aspect – it’s culturally important across the business. I want us to be able to position ourselves to deal with whatever the next 24 months will throw at us as a business and to navigate those challenges successfully.”
