We recently had the chance to chat with Ian Thornton-Trump, CISO of Inversion6, to dig into what’s going on inside today’s SOCs and boardrooms.
In this article, Ian draws on decades of experience in military intelligence, policing, and executive leadership, exploring how MSPs found themselves on the frontlines, the shift towards intelligence-led, proactive defense, the growing battle for identity, and what makes the difference between a good reactive CISO and an effective one: resources and threat intelligence.
How Did You Begin Your Journey into Cybersecurity?
My journey into cybersecurity didn’t start in a SOC. It started on tour buses.
Right off the bat, when I was in high school, I was a roadie. I was touring across Canada, playing rock and roll shows. The Canadian Forces paid for my university education, and I joined with aspirations of a career in military intelligence. At the time (1987 to 1991), there wasn't really cybersecurity as we know it today. But the fundamental ideas were already there: compartmentalization of information, signals intelligence, protecting sensitive assets, and predicting adversaries.
Those principles defined everything that came after.
A major shift came when I moved from military intelligence to military policing, spending a year with the Royal Canadian Mounted Police as a criminal intelligence analyst. This helped me really understand the crime side of things.
One of the most transformative chapters, though, was becoming a public affairs officer. It equipped me with communication skills, which are pretty vital in the CISO role. Because if you can’t explain risk in a way that people understand, instead of leading, you’re just talking.
When Did Cybersecurity Become the Front Line?
In 2015, I moved to the UK to join a managed services provider right as ransomware was beginning to take off.
I was one of the few people who recognized that MSPs, whether they liked it or not, were going to find themselves on the front line of cybersecurity. This was before ransomware became a billion-dollar industry, but the trajectory was obvious.
I was researching, presenting, advocating for solutions, and conducting incident response. My policing and RCMP experience pushed me hard toward cyber threat intelligence. I’ve always asked: what can we do proactively, instead of constantly being on the receiving end?
That intelligence-led, forward-leaning mindset is still how I view the CISO function today.
What Skills Does a Modern CISO Need?
Every CISO should be able to stand up in front of a board (or 200 people at RSAC) and speak with authority, particularly in enterprises, where you’re never going to have enough resources to fully discharge your fiduciary responsibility to protect the company. Security operates in a hearts-and-minds environment. In the military, rank gives you authority. In business, influence has to be earned.
If you’re not well-liked or trusted within the organization, when a crisis hits, you’re vulnerable. Your ability to translate complex cyber risk into business language is how you win as a CISO.
But communication alone isn’t enough. You need to be technical, at least enough to understand danger.
You need enough technological depth to know what is genuinely risky. I talk about the “bell curve of legacy.”
On one end, you have systems that are so old they’re almost unattackable. In the middle, you have widely used legacy systems with vulnerabilities that have been thoroughly weaponized. And then you have cutting-edge systems, where new technologies are being developed, and adversaries are racing to exploit them.
If you put a security lens on digital transformation, your security posture can improve dramatically, often by spending somebody else’s money.
Where Should a CISO Start When Building or Rejuvenating a Security Program?
If I were stepping into a new CISO role tomorrow, I’d start with the external attack surface. What’s exposed? What’s sitting in public DNS? What does a third party see when they look at us? Then I’d look for value. How can security add value and save money?
I’ve seen organizations save hundreds of thousands by auditing unused domains, dormant SaaS accounts, and legacy licenses that quietly renew. Tightening up the leavers and joiners processes alone can drive significant savings.
The CISO’s job is not to remove malware from endpoints. It’s to look into the future. That means reading threat intelligence, tracking regulator guidance, and constantly updating your threat model. Because every organization’s attack surface is unique. A multi-billion-dollar hedge fund with 50 people is a financial services entity, and so is Santander. But they have completely different threat models.
Why Has Identity Become the Biggest Battleground?
Identity is now the battleground. Interoperability brings efficiency, but the compromise of a central identity system can cascade across backups, RMM tools, and critical infrastructure. Threat actors like Scattered Spider and Shiny Hunters have shown us this time and time again.
That single pane of glass gets smashed by user ID and password, especially if it doesn't support or require MFA. I keep my backup far away from my remote monitoring and management tool. You don't want the bad guys to have the ability to breach a single tool, which can then tear down all the infrastructure and backups in one convenient place.
There has always been a balance between security and efficiency, but the emergence of identity-centric attacks makes this more pertinent than ever.
What Can a CISO Do Proactively, and What Resources Should They Be Using?
If you're not reading the ENISA report, or the Verizon Data Breach Report, or paying attention to what's coming out of CISA, and looking at the NCSC and using all the wonderful tools that Ollie Whitehouse has made available to us, you can do a great job.
The starting point, practically, is simple. Get the organization onto a risk ratings platform, understand what it thinks based on all of the available data points, write that score down, and make improving it the mission. Then go into NCSC Early Warning, put in all your assets, and let it find the legacy issues you need to clean up on that external attack surface.
Do You Have Any Last Advice to Share?
The most dangerous thing to a CISO is naivety. Naivety from vendors who label products “secure” without scrutiny. Naivety in believing a single pane of glass solves everything. Naivety in assuming no one would target you.
Also, there’s no such thing as unprecedented. It’s a word that should be outlawed in cybersecurity.
I know that’s a bold statement in an industry that thrives on superlatives. But if you’ve been around long enough, you start to see patterns. Repetition. Lessons unlearned. Beneath the headlines and the hot takes, most of what we call “new” is just an evolution of something we’ve already seen.
My resistance to the word comes from history.
From Stuxnet to WannaCry and EternalBlue, digital weapons have defined eras. OT attacks didn’t begin last year. Nation-state DDoS campaigns didn’t start with the latest geopolitical headline.
Everything I encounter might have a new twist, but at its core, we’ve seen it before, and we’ll see it again. We need less hysteria and more professionalism. Raise the quality of the debate.