Discussions with a CISO – Derek Cheng, CISO at Deliveroo

Derek Cheng, CISO at Deliveroo, was born and raised in San Francisco. With his passion for video games, his dream job when he was younger was to become a video game developer. Based on this goal, he chose to study computer science at university but eventually realised that coding was not for him. When Derek finished his bachelor's degree, he decided to go for a graduate programme at Ernst and Young, which was looking for computer science graduates to train into ethical hackers.

From this entrance into cyber security, Derek developed his skills at a variety of different companies – both start-ups and more established companies – including a role which combined both of his passions at the gaming company EA. His journey has led him to Deliveroo, where he leads their cyber security team as CISO.

“Last year Deliveroo reached out to me, and there’s only one thing more I love than video games – it’s food. I took the opportunity because I really wanted to stand behind what the company does, and be proud of it. I just love the idea of food mixed with tech.” 

Addressing the Security Skills Gap 

Finding good talent is a challenge across the board currently, and this is no different in the security space. Where previously some specialisms – such as GRC – were easier to find, Derek is noticing gaps in all role types, including DevSecOps, Security Architects and more. However, one of the biggest challenges at the moment is acquiring supplier security talent. 

“There’s been a rise in third party supplier data breaches, because attackers are realising that the biggest bang for their buck is to focus on large suppliers with access to a lot of customer information. Security teams are reacting to that and making sure that they have good supplier security programmes in place, which is why it’s difficult to get a supplier security person now.”

Plugging these skills gaps is vitally important for the cyber security industry. Without encouraging people into the roles, companies will struggle with the security challenges ahead. For Derek, two of the best ways of addressing the skills issue are for companies to sign up to apprenticeship and graduate programmes. As with many technical roles, people can be put off if they don’t have a highly related background, but Derek is keen to share the fact that, within cyber security, people come from very diverse backgrounds, and different skillsets can suit the wide range of roles that are available.

“Another one that we as an industry struggle with is women in cyber. There’s a big push for that and there’s still a lot of work that needs to be done. We are excited that we already have several women in our security team. Now we’re making sure that we encourage them to promote and advocate women in cyber. We make sure that if there are female candidates in an interview, we include our women in cyber as part of the interview loop, so that our candidates can see that we have a diverse workplace.”

Becoming a CISO 

Reaching C-level is the goal for many in the security industry, and the route to achieving that is rarely set in stone. For Derek, key to his success was his consulting background, which gave him a variety of skills beneficial for the CISO role.

“I feel like there’s a certain discipline and training that you get from working in consultancy. There’s a certain way you present this, a certain way you document this, a certain way you run meetings and manage stakeholders. You’re dealing with people, sometimes stakeholders, who are unhappy or difficult. You learn all that on the job in consulting.” 

Aside from this – and more specific to security – are the lessons that come from having a governance, risk and compliance (GRC) background. Often overlooked, these skills can be vital for CISO roles, and Derek encourages taking up some GRC work where possible to gain this experience.

“I was promoted because risk management is so important as you go up the chain, especially when you go to board meetings, executive level meetings, etc. If you’re not able to have those discussions around risk and compliance, then I don’t think you’re going to be as successful.”

The Evolution of the CISO 

The tech industry moves very quickly, and as a result roles such as CISO can change swiftly too, with the responsibilities varying greatly from company to company. Maturity models are a good way of defining roles, from a one – where the CISO is transactionally led, hands-on and technically focused – to a five – where the CISO reports into the CEO and is viewed as a strategist.

“It’s hard for people to understand that it’s sometimes less about the individual person, it’s more where the company views a CISO role. That’s why I feel like this model for CISOs is very important, because a recruiter can ask exactly what type of CISO you want.” 

Exactly where a CISO should sit in the company structure depends on the individual company and its maturity. In a start-up or a fintech, a CISO is far more likely to be a level one, whereas in a more mature company the CISO may well report to the CEO.

“Personally, for me, regardless of who I’m reporting into, I always ask what is my reporting structure to the board or audit committee? If I have that opportunity, where there’s an expectation that the CISO will have the dotted line into the board, then that’s great. Because that’s essentially your outlet to have an independent say about what is going on from a security perspective. That’s really important and not every CISO has that opportunity.” 

Advice for New and Aspiring CISOs 

For any C-level professional, but particularly those in the security field, active listening is vitally important to the role. Despite this, when you have a point you wish to raise, listening can become secondary to talking. In any meeting, there are four roles that people hold and move between. These are initiator, opposer, follower and bystander. The initiator should be able to get their full point across, but the opposer will often move in with their retort before they are finished. The follower – the person who should allow the initiator to explain their point and ask further questions – and bystander – an onlooker who facilitates understanding – are often overlooked roles that can really improve the quality of a meeting, and are regularly well suited to those in security roles. 

“The bystander role is someone who typically isn’t fully involved in this particular process, which is why it really spoke to me, because that’s quite a security thing at times. We’re invited to meetings, and sometimes it doesn’t apply to us. As a bystander, your role is to replay what you’ve heard. Sometimes, hearing the exact same thing said differently by someone who’s not really involved in that means you realise that’s not what you meant. For me, it was really important because it gives you something vital to do in the meeting.” 

For a CISO to be truly successful within an organisation, Derek believes that it is important to take the time to ensure that communication with the rest of the business is clear and correct. 

“I like promoting the idea of being bilingual. Being bilingual to me is taking the time to really understand the business, and then the specific business unit that you are dealing with right down to the acronyms they use, the processes they have, their key stakeholders, and having that conversation first. That way you’re speaking their language, and you can take some time to start articulating how you feel that security can help support them, enabling their business to operate more securely.” 

It’s imperative for a CISO to gain a deep understanding of the business, follow its direction and react to its plans. One of the most effective ways to do this is by following the money: in other words, understanding how the company generates revenue.

“When I started at Deliveroo, it was really important for me to take the time – and I’m still doing it – to really understand the business and understand how the company makes money. Because if you follow the money, then that’s going to help prioritise where you should put your security and controls.”