- How are you creating a better-integrated security ecosystem in your organisation?
My recipe to create an integrated ecosystem is to merge technology (operational and infrastructure) with business value (process) and culture (people). The internal ecosystem must be complemented with external partnerships, and we need to start working together to redefine our end goal and purpose as security professionals. These elements help the organisation relate the impact of their day-to-day jobs to what we drive as CISOs.
- What would your advice be to a new CISO when seeking to establish a foundational personal brand of credibility and leadership?
Start with understanding what drives the business objectives, both at a strategic and an operational level. This sets the foundation for defining an appropriate strategy to manage the security concerns that will help protect the business. The other is stakeholder engagement: CISOs and security professionals need to earn credibility and not take it for granted that their title/role automatically gives them a seat at the table.
- How can CISOs align their strategic priorities with C-Suite executives?
You must make security “real” to the other executives and align to what they can relate to. Never start the discussion with cost or budget requirements, and always have a discretionary and a non-discretionary cost in mind. Bring the conversation down a few levels; the language we speak must be non-technical. Our priorities as CISOs should not be defined in isolation from the business’s strategic objectives.
- What are your Top 5 strategic security priorities/investments for 2020?
(1) Optimising the investment made in current tools and technologies. A lot of investment has been made in point-in-time solutions, and we need to make the technologies work together.
(2) Cloud Security and defining the controls and decision tree around moving workloads to the cloud.
(3) Human security – awareness and communication. Cyber security goes beyond protecting ourselves in the workplace, as we live in an ever-expanding digital world. We need to link the impact of security at an organisational level with its impact at the personal level of the employees.
(4) Identity and Access Management – covering all angles from people, process and technology. However, the approach needs to be associated with the risk profile of the users and the organisation before one makes use of technology tools to solve this issue.
(5) Security Analytics – using AI to gain visibility of the unknown across the technology landscape and protection layers.
- How would you describe a strong organisational information security program?
If the program’s progress features on the Exco and Board agenda on a frequent basis, that is already an indication that you are on the right path to success. Creating a security strategy is the simple piece to put together; however, without a risk-based approach and scenario planning, the strategy will not be taken seriously. Make the security problem real to your business by defining the worst-case scenarios and what plans/controls are in place to manage them effectively.
In My View…
- What personal achievement are you most proud of?
I’ve spent 11 years out of the country, living in London and working for one of the largest financial institutions globally. It was a risk at the time, but one that worked out well when I was appointed VP: Technology Head for EMEA Private Banking within a 2-year period.
- What project that you have built are you most proud of?
I was involved in a global technology re-platform project in the UK and played a key role in how to prevent/minimise card payment fraud. I had to become hands-on and personally designed a solution which reduced fraud losses by 500,000 GBP per day.
- Why are internal threats oftentimes more successful than external threats?
Organisations have gone down the path of investing in a lot of tools and technologies to protect against the outside-in risk. However, very little effort has gone into awareness and monitoring of the people and human security risk.
- For industry peers who are considering a career move from IT general management to security, what skills do they need to move up the ladder?
(1) Stakeholder management is key to ensure we provide solutions that always meet a business need and that our stakeholders can relate to.
(2) Don’t spend all your time convincing the Board or Exco that they need to invest in security. If your time is being consumed by this activity, then maybe it’s time to move on and relook at your priorities.
(3) Self-awareness – sometimes CISOs and security professionals think they are “The Invincibles” and isolate themselves from the rest of the organisation. This will not get you very far, and you will soon become an operational individual.