In our last article covering the first half of this recent panel discussion at Insecurity Europe 2016 we gained insights from industry security leaders on what skills the modern-day CISO requires to be successful and how new skills can be acquired.
In the second half we learn what impact the CISO can have on the culture within a brand and discover what it takes to cultivate the next generation of CISOs to ensure the security industry continues to thrive.
“Where does culture fit into the role of the CISO?” asked panel host Adrian Davis, regional managing director at (ISC)2. “As leaders are we the people who define culture, is that one of our key roles going forward?”
“Culture is at the top of everything I do, setting that good culture” answered Trainline’s security director Mieke Kooj. “So they chose someone that could do that and saw that skill in me. I know I’ve influenced the way they do what they’re doing.”
“There is a part of culture that we definitely do control, and that’s the culture within our own security team,” added Cory Scott, CISO at LinkedIn. “How you select the people that are on your team. First, you want to look for people who can dream big; second is that you need to know how to have fun, because particularly in our line of work having a sense of humor and how you engage with people is incredibly important; and third is to get stuff done.”
Interestingly Lee Barney, head of information security at Marks & Spencer disagreed, arguing it’s not the role of the CISO to set the culture of an organization but instead it’s their responsibility to understand the company’s culture from the perspective of the colleague, find out what’s relative to them and try to sell security back to them.
“When I’ve done that, I have been more successful than when I have tried to change the security culture of the organization,” he said.
Moving the conversation onto the challenge of cultivating the next generation of security leaders in the industry, Davis asked the panel for their thoughts on how best to go about this.
An essential factor in developing the next batch of CISOs is looking for talented individuals within your existing team, said Barney.
“Look at your own people and work out who is best going to replace you, and then develop them and give them the opportunities. Sometimes it’s best to take a step back and let them lead,” he added.
“When you work with your team members you want to figure out what their next play is going to be,” explained Scott. “People typically last between three to five years in a particular role and then move onto the next play, and our role as managers is to help prepare our staff for that next play; ideally it’s a good tradeoff between career development for that individual and benefit to the existing organization.”
“So looking towards the future, the skills we have today, are they still going to be relevant in five to 10 years’ time?” asked Davis. “How do we as current CISOs evolve ourselves for those challenges?”
The CISO of the past was skill-based, answered Barney, with a full understanding of technology and the network. The CISO of the future, especially over the next five years, needs to understand the business from the perspective of the business and not just focus on technology.
“The CISO’s role is going to be more about leadership; more about delivering rather than just a person flicking switches,” he added.
Mark Hughes, president of BT Security, explained that to continue to evolve as a CISO you have to have a firm grasp on relevance.
“There are ways of doing things, lots of new technology, new controls that need to be put in place to match the threats, but they have to be reflective of what is relevant to the organization to allow it to move forward.”
To conclude the discussion, Davis asked the panel to sum up the piece of advice they would give to prospective CISOs looking to forge a career in the cybersecurity industry.
“Know the business,” said Kooj.
“Get stuff done”, added Hughes.
“Start by telling everyone you’re going to be a CISO,” and then do it, Barney said.
“Determine what type of leader you want to be and work on developing that,” Scott added.