Interviewing CISO’s On Potential Pitfalls And How To Get Buy-in From The Board

The Chief Information Security Officer (CISO) is the most senior cyber security role in any organisation. With more customer data gathered and stored than ever before, the risk of implementing a sub-par security strategy affects every level of the organisation.

In situations where customer information is compromised by malicious actors, the reputational damage to the business can prove fatal to the CISO’s position.

With significant risk comes significant responsibility. With this in mind, Acumin Consulting, a premium cyber security recruitment provider to FTSE 250 organisations, caught up with Howard Pinto and Bryan Littlefair about their previous CISO stewardships in organisations such as QBE, Vodafone and Aviva to find out what really kept them awake at night in this high-pressure role.

If we consider the CISO as the most dangerous job in security, what motivates those who take it on, and what is required to be truly successful in a senior management role in security?

“You’re a custodian, responsible for protecting the face of your business and the trust of its customers as they engage with your organisation. It’s a tough job being a CISO if you compare it to other roles in the business. You still have processes and programme delivery to manage whilst you are trying to stop people trying to hack you. Every day something different happens; it’s the variety of that type of role that is rewarding.” – Bryan Littlefair

Being agile in response to threats whilst keeping to security programme deadlines is near impossible without significant resources, which come with sign-off from the board. Aligning security strategy to wider business strategy is undoubtedly complex, but necessary to have real impact:

“With buy-in from the board you are able to do two things:

  1. Be a trusted partner to other executive decision makers in the business.

  2. Be a team ambassador, providing value for the business agenda. Without being able to foster a good relationship with the board the security team suffers: it can be limited by the allocated resource and budget, and feel like an undervalued silo not aligned to business strategy. This is where the reward for this job lies. Having the buy-in from the Board because you are trusted will add value to the business, and motivate the security team. This is what makes it worthwhile.” – Howard Pinto

Influences on the CISO’s design of security strategy come from organisational and market factors, as with any executive role. We are living in an increasingly challenging world for security professionals: threats are evolving, and the rate of digital transformation within organisations is only increasing the attack surface. Regulatory changes such as GDPR have also more recently had a large effect on organisational approaches to customer data protection.

As organisations move toward a more mature model of managing risk, many remain acutely aware of the increasingly sharp teeth of the regulators, especially for businesses within banking, financial services and insurance. As regulators look for more integrated strategies, the disciplines the CISO needs to manage extend to more and more areas of the organisation.

“Boards are now accountable for their actions personally, so managing security effectively has their interest piqued. This comes with a balance: as budgets for security increase, this invariably means another function of the business has less. With additional funding you have to deliver value, else it will not be awarded again.” – Howard Pinto

Ensuring the sustained interest of the board is likely the key challenge most CISOs recognise as impacting the effectiveness of their team, especially in organisations split across multiple locations or countries.

“The challenge was going against the status quo when I joined Vodafone. The business had been around for numerous years and was of significant scale. Delivering a security process of that size and scale doesn’t come cheaply. We went from a team of 8-10 to a global team of around 700 security staff.

“Part of the challenge with board relationship management arrives when you are asking them to invest in security. It’s like asking them to take out insurance. If you’ve invested in that insurance policy before something happens, it will protect you. As Vodafone placed a lot of value in providing a great customer service, we had everything we needed to integrate a global cyber security strategy. This provides a different challenge in managing the board. We couldn’t go in and blame a lack of budget or limited resource for any ineffectiveness. You had to be sure of the strategy, and that you were approaching each stage of the process at the right time.” – Bryan Littlefair

CISOs face a potential pitfall as organisations wake up to the need for a significant cyber strategy: how that strategy works not only with the board, but with the wider executive team.

It is important not to be seen as the team that only becomes useful in times of crisis, and it is a trap many CISOs and security teams can fall into.

Every business needs to be able to take risks, otherwise it does not advance. For many CISOs, making sure security is not a barrier to progress is a personal challenge.

The tug of war between ensuring that relevant risks have been identified and the right approach has been taken in managing or mitigating them, while balancing this against business needs, is challenging. A CISO who is perceived as prohibitively risk-averse can see that perception derail relationships with executives.

Whilst every business area will submit a risk appetite statement, these have to be aligned with the board’s priorities. Quantifying the value of cyber security risks is an important consideration for CISOs who want their needs met.

“What should keep a CISO awake at night? Is there an effective risk management programme? Yes or no. The CEO and Board should know what the top 5 risks are in the organisation at any given time.” – Howard Pinto

Determining who should be responsible for security risks in the organisation needs a Swiss army knife approach. For many security teams, there is an appreciation that security is not just the responsibility of the CISO. As all businesses operate in a dynamic landscape, unless you have effective education at every level of the organisation you can’t beat the myriad threats out there. Every organisation is at risk of being taken advantage of by a hacker; whether the hacker succeeds depends on how staff react, not just on the security team.

Awareness programmes and staff education play a large part in this, as does limiting, through access rights, the harm that can follow when a member of staff falls victim to an attack. Getting buy-in from executives and senior managers can be difficult if the evidence for such an extensive risk mitigation strategy has not yet been proven necessary by an incident.

“The perception of the CISO can be that they represent something of a roadblock and hinder progress. I had an experience where the relationship with the CEO was difficult at the start owing to that perception of the former security team. This changed when the CEO needed help with a particular situation, and then understood the solution, so he could see the value that an effective cyber security programme brings.” – Howard Pinto

Cyber security management has a much larger role in the organisation than being a foghorn for threat announcements, and the way in which CISOs interact with other execs is significant.

“The relationship with the executive team is a real challenge for any CISO, and one that can be overlooked. It’s a lot harder to get time with the executive team compared to the board. Without having the execs on your side, your strategy will fail you. You need to allow the CEO, CMO, CFO and other execs to challenge your strategy; they need to be able to understand the importance of your role in the business, so you can actualise change.

“Being upfront about budget and metrics is key to that. A CISO that rises above the stigma and challenges of the role is one that can be upfront. You need to be visible, be transparent and be effective with the wider leadership team in your company.” – Bryan Littlefair

One relationship that can hinder a CISO’s security strategy is that with the business’s CIO. In most businesses, the CISO reports into the CIO, or the two interoperate to a significant extent. In many organisations, budgets and priorities between these two executive positions are not aligned, so the ability of a CISO to collaborate is vital.

This plays out in simple processes such as patching, where delays can leave security issues open, yet the CIO is directly incentivised to limit downtime and ensure the delivery of products to the business and its customers.

“Reaching a practical and pragmatic balance with the CIO is important, to ensure both programmes are run collaboratively.” – Howard Pinto

It’s clear the CISO has a great many strategies to consider, not least in managing internal relationships. Finding the right executive culture, one that recognises security strategy as integral to business growth, is increasingly important given an industry landscape of increasing regulation and diversity of threats.

Understanding what skills are necessary to drive strategy through every level of the organisation is a difficult challenge for those looking to hire their next CISO. The role is no doubt in part a communications role. The value of the CISO is in their ability to translate risk into something that resonates with the receiver.

This is particularly relevant considering the number of CISOs in post with a non-technical background. In the case of the two CISOs interviewed here, their technical experience is the backbone of their career tenure. The extent to which these skills are strictly necessary is debatable. What is clear is that influence drives results in the boardroom and with fellow executives.

Acumin works with organisations to hire the best cyber security talent in the market, with a particular emphasis on global executive search. To learn more about our approach to recruitment in security, visit us here.

About Acumin

Established in 1998, Acumin has grown with the cyber security industry. Over two decades, we have become the first-choice cyber security recruitment consultancy for some of the world’s leading brands. We provide the expertise to protect your most valuable assets.

Our highly trained consultants are subject matter experts, who provide an advisory service tailored to your requirements.

To learn more about our Global Executive Search services, visit our website.

www.acumin.co.uk

0203 119 3333

marketing@acumin.co.uk
