The route to Chief Information Security Officer is a winding, twisting path that many who take security or risk positions will set their sights on.
There are many routes to the top of the technical security mountain but these career stories from CISOs and Cyber Security Directors were brought together to help those with CISO aspirations plan their next steps.
So how do you become a CISO? Let’s ask those who are already there.
Andrew Rose is the SVP and CISO of Mastercard company Vocalink. With a long and distinguished career, Andrew also had the opportunity to work as a Security and Risk Analyst and study the roles of CISO’s around the world.
“I got into security when computing was popular and security wasn't.”
Andrew started out by getting a job in a User Admin team performing mainframe user admin, setting up accounts and administrator privileges in the IT department of a large insurance company.
“Within about 18 months of joining the team, the organization grew and consolidated. They gave me another user admin team to look after and I started working more closely working with the corporate information security team at that point. Before that, I've never really thought about security.”
While working with the security team, Andrew started to really enjoy the types of projects they were working on. Naturally, this pushed him closer and closer towards the CISO who was in charge at the time.
“I went to the CISO and asked: what do I need to do to work with you? And they were surprised. Back then they didn’t get many people saying they were interested in security. They were more than happy for me to come and join their team. So I went back to my boss and told him that, sort of by mistake, I've got another job. He wasn’t very happy.”
Andrew was made to wait a year before he could leave the user admin team and join the security team. As soon as he made the move, he started studying and getting an idea about the certifications he needed. He joined the security team and stayed there for the next couple of years. During that time, it became evident that their security practices were not always effective.
“There were individuals in that team who relished being that good old department of ‘no’, where they would refuse things and people would actually then just go around them and do it anyway. And it's was quite clear to me that security wasn't best served by that mode of delivery.”
From there, Andrew found his next role as a Security Analyst at a Law firm. This role came with a particularly inspiring CISO who played a big part in Andrew’s decision to move.
“He was inspiring and I thought I could learn a lot from him. But, on my first day, he quit. I was very disappointed!”
Regardless, Andrew continued to push security. Eventually, they split the security team in two and gave Andrew the Security Operations function to look after. Within a year, Andrew was looking after both teams and acting as a CISO.
“So actually, it was a relatively short time frame, if you look at it that way from just being a user admin person to being a CISO. But this was 15 years ago, so security was a much smaller entity in those days.”
Nonetheless, the opportunity to become a CISO at a global law firm was Andrew relished. He successfully took that firm to be the first major law firm with ISO27001 certification, and management looked to expand his role, into wider IT management. This wasn’t a path Andrew wanted, having become passionate about security, so when he was approached by another law firm eyeing a similar transformation project, Andrew moved on. He delivered a similar security transformation and certification project before looking for a change of pace after 10 years in the Legal sector.
“I just finished the largest law firm in the world. And I was thinking, where is there to go now?”
Forrester Research came along, offering Andrew the chance to reflect on his CISO experiences and work with many different industries as an Analyst. Andrew spent 4 years in this role that, to many, would seem like a step backwards on paper.
“That was quite an interesting step back from the crazy world of being a CISO. As a CISO, you have little time to think. You're always busy, busy, busy. So as an Analyst I did get that ability to go and speak to multiple CISOs around the world and say, how would you do this? How would you put a strategy together? How would you do a security awareness campaign, and to distil all that knowledge and experience into workable models and then write papers about it? It was a real privilege to be able to do that, and that helped me get my own thoughts clear on how various aspects of the CISO role should be done.”
From here an opportunity came up to join the UK’s air traffic controllers as their CISO & Head of Cyber Security. The role involved a massive transformation project, something Andrew found incredibly interesting.
“They were going to completely redesign and rebuild their traffic control system from the ground up. I couldn’t say no.”
Four years later, with that design phase done (and ISO27001 delivered again), Andrew moved to the financial services sector – something he’d always been keen on but never had the chance to get in.
“It was difficult to get into financial services without having worked in financial services already. So the opportunity to join a financial services firm as the CSO was too good to turn down. It also opened up new opportunities, such as managing physical security for the first time.”
There are a vast array of different opportunities within security. But it wasn’t always that way. As Andrew's background suggests, it used to be a case of being an analyst or security manager or CISO.
“But now there's so many nuances, so many varied opportunities”
This is great when it comes to finding a career in security but more roles also mean more required skills. We asked Andrew what he believed were the most important skills for aspiring CISOs.
One of the key skills defined by Andrew was pragmatism. The idea that you can think your way through problems and come up with good, solid business solutions that are going to deal with the risk at hand but to do that in a way that's not going to disrupt the business, not going to cost too much, and going to be commensurate with the risk.
“As a CISO, you've got so many different areas you’re dealing with you to have to be pragmatic about battles to fight. What’s a sensible amount of risk that you can actually accommodate and how to sort of allocating your budget and your resources wisely to get the maximum bang for your buck?”
“We need to make sure the Board understands where they are in their security journey, what they need to do next, and to instil in them that passion, understanding and drive to help you achieve what you need. That comes from using great metrics, working on the way you speak to them, and by building trusted relationships – you need to have the trust of the Board as that makes everything run so much more smoothly.”
It's your job as a security leader to identify those issues, identify those gaps in your portfolio applications and functionality within your organization. And cover those in a, cover them with, with secure solutions.
“The answer is always “yes, now let’s work together to find out how”.”
Gaynor Rich is the Global Director Of Cyber Security Strategy & Transformation at FMCG giant Unilever.
With a security career spanning 22 years, Gaynor started in financial services working in investment banking, studied for her banking exams and soon secured herself a place on the leadership development program.
This enabled Gaynor to move around different business sectors of the bank, including insurance, investment, corporate and payment cards, combining her business consultancy skills with IT implementations to enable the business to streamline operations and deliver business efficiencies.
Gaynor first moved into the security whilst at Capita, where the combination of her experience with payment cards and the genesis of the payment card industry data security standards (PCI DSS) presented an opportunity for her to directly support the business taking the lead in establishing the internal programme; growing this into a wider cybersecurity programme and function covering 10 business divisions.
“I have always had a keen interest in joining the dots, whether people, process or technology to see things holistically to solve a problem or challenges, taking a collaborative approach across the business. Being able to manage and align all of the differing needs and requirements into a single security programme that had the support across the organisation was a massive challenge but also a massive opportunity to build that integration cybersecurity needs.”
Gaynor joined Unilever to help develop their cybersecurity function. Initially leading the development of the Risk & Governance frameworks around cybersecurity, a global programme for security education and culture change and building capability around the management of third party risk. She is now responsible for cybersecurity strategy and transformation.
“Cybersecurity is an exciting and dynamic space, it sometimes feels like no two days are the same especially working in one of the largest FMCG organisations in the world. Transparency, communication and strong stakeholder management are key”
After the Equifax Breach of 2017 eyebrows were raised over the CISO’s background. But it’s very clear from the responses in the infosec community that a truly great CISO doesn’t have to have a degree in cybersecurity. So what makes the ‘perfect’ CISO?
“More than just technical expertise – The modern CISO needs to be able to understand the technology but more importantly needs to be a business leader being able to translate technology risk and cybersecurity into a language that can be understood by key business leaders and decision-makers to enable them to understand how their decisions impact their desired business objectives”
A willingness to listen, understand and talk about the realities and limitations of how security works is necessary to tackle the challenges presented in a balanced way that can be understood and acted on by the executive to understand and develop the appropriate level of cybersecurity protection that balances the need to protect with the need to run the business.
Munawar Valiji is the (former) CISO at Sainsbury's. With a career spanning 26 years, Munawar has been in cybersecurity since before Y2K.
Starting his career as a systems engineer, Munawar studied environments, technology and tuning. Munawar joined JP Morgan in 1999 as a systems team leader for the UK Investment Bank. He was looking after all the backend servers 2 years in advance of the year 2000 and the systems needed tuning, some needed retiring. That’s where he started to get into security.
“I always had that technical background, strong networking skills and strong stakeholder management skills.”
Most recently, Munawar’s role at Sainsbury's involved taking responsibility for shaping, defining and delivering the security strategy for all of Sainsbury's operating companies including stores, digital business including on-line and financial services.
“I’ve had to deal with digital transformation and change in a business that is 150 years old. There is an inherent risk with that, but it’s the second-largest retail business in the UK – there is a lot of opportunity and excitement that comes with that.”
When it comes to security everyone has a responsibility to do the right thing. For a CISO, at the very tip of the security spear, it’s about coupling technical knowledge with really good communication and stakeholder management skills.
“Being able to hold your own is so important because you’re effectively appealing to hearts and minds. It’s about landing cultural and organisational change in security. With that, there has to be a certain degree of technical credibility that you need to bring to the table.”
Good general computer control or networking background also helps and with many institutions building programs and organisational awareness around cybersecurity, you should be able to work on a discipline that will allow you to understand organisational change, networks and systems.
Listen Well – You need to be a great listener, someone who won’t be seen to take a prescriptive approach.
Translate Technical Complex Discussion – But also someone who can take technically complex discussions and translate those to an executive committee and do it in a way that is meaningful.
Avoid Scaremongering – Someone who is also really personable who can bring something to life. Make key stakeholders aware of what’s happening, rather than scaremongering.
Bence Horvath is Director, Technology Consulting – Security at multinational professional services firm Ernst & Young. With a long career in technology, Bence is at the cutting edge of technology security.
“My ‘superhero origin story’ started during University.”
While studying towards his MSc in Business Information Systems, Bence was working on a project as part of a summer job, when he realized the weaknesses of the platform:
“I realised they basically had no security on one of their components. You could do a very simple attack to get access to personal information within their system.”
When he approached the leadership of the company they dismissed his concerns at first.
“I just turned the screen towards them and showed them. I remember saying this poses a fundamental threat to the platform, which completely baffled the financial experts – they never thought to look out for such a massive technology risk!"
Bence’s general interest, from an IT management perspective, was always in Information Security, even before it had adopted the name ‘Cyber.’ After finishing university, he moved into consulting at the start of his career
His first major project was a transformational project at a big telco firm, where he got to spend some side on the ‘customer side’ before moving to the solution provider side.
“ I think one of those things that I look for in my career is having a balanced view of cybersecurity. Not just an internal view or just from a consultant’s perspective, but having sat on both sides of the table, so to speak.”
Over his career, Bence has been through a number of democratisation moments for technology. Crucially for information security, these moments of technology democratisation have led to increased understanding of cyber threats across the board. This has made part of the CISO’s role – the part where they get buy-in from organisations and people – a bit easier.
“ If I look back 15 years ago, our industry was something quite niche. Previously we were part of the Geek Squad somewhere down in the basement next to the machine room, just a couple of nerds trying to keep out of sight from the executives, whilst today we’re really on the forefront of possibility”
When it comes to Information Security is there a special sauce? A perfect route to walk? For Bence, it’s less of a perfect path and more a set of skills that complement each other.
“I don’t believe that there is such a thing as a perfect route. Having that understanding and being able to walk a mile in other people's shoes, being able to sync with other people’s heads that helps you to solve your day to day challenges. “
Another key skill for CISO is stepping up to become what Bence calls “the agent of change”.
“They need to get more out of their comfort zone, take a non-technical mindset when going out to the boards, diverse committees and business leadership, and say: Look guys, the changes you are trying to enact will open us up to new risks, so please consult us, include us, because in the end you’re accountable for keeping the company, it’s employees and it’s customers safe."
A new and emerging skill that is being eyed greedily by security hiring managers is the ability to step out of the narrowly defined technical role and become this agent of change.
Perhaps unfairly, those in Tech Security are often stereotyped as being restrictive and overly concerned with process. This, more often than not, leads to them being seen as obstacles or ‘naysayers.’ For Bence, it’s crucial for a CISO to kick that stereotype quickly.
“Move from being the person always saying ‘It's not allowed. Nope. There’s no way we can do that ’, to being the proactive one working with the rest of the business and with the rest of the stakeholders to come up with a solution.”