Our CISO interview series explores each interviewee's answers to questions like: how did they get started in tech and eventually become a CISO? What do they wish they had known when they entered this field? What are the biggest challenges for CISOs? If you want the answers to these and other questions, keep reading and see what they say. Also, make sure to check out the first interview of the CISO interview series, with Stéphane Rosa, Chief Information Security Officer at ELCA.
1. We would like to get some background information about you. What is your background?
I have 23+ years' experience in cyber security and IT management. I have a business management master's degree, so not the typical development from a technology, engineering, or coding background. I have always worked at the interface between business and IT/security, ensuring I develop and deliver risk-based security capabilities matching the business objectives and risk appetite. For 15 of those years I worked as a strategic security advisor, leading security services and helping organisations identify and understand their security maturity and risks, establish strategies, and run transformation journeys. For the last 8 years I have worked inside global organisations, owning and driving the security functions from strategy to governance to security operations. I have also actively driven the security community of knowledge and experience sharing as the regional director for the Information Security Forum.
2. How did you come into cybersecurity as a profession?
During my studies for the Master of Business and Management, I found an interest in the IT Management specialization, and further in risk management connected to IT outsourcing, which was a new development at that time and is a central part of IT Management in any company today. Through my master's and dissertation, I became interested in risk management and its connection to information security. From there on I have built my key interest in understanding organisations' dependencies on information and how that needs to be protected from a people, process, and technology perspective, as well as how protection, detection and response capabilities shift to continuously respond to the threat landscape.
3. What is something you wish you had known when you first went into this career?
If I had known that I would take this path prior to my master's studies, I would probably have looked for a more blended management and technology programme. Even though it is key to work at the interface between business and IT, and to have a solid understanding of the business drivers and objectives in order to succeed, the security threat landscape is becoming more and more deeply technical, and the complexity of the technical countermeasures needed to ensure a good security posture is more and more important. A good security professional today will need a good balance of business stakeholder management as well as a technical understanding of the different layers of technology supporting the protection of the company's assets.
4. Could you explain your role as CISO?
As CISO I am ultimately responsible for setting the policies and standards and for driving the security capabilities of the company, whether expected behaviours, protect, detect and respond processes, or technical capabilities, towards a desired state and maturity to reach an acceptable level of risk. I own the strategy and the oversight that security is integrated into all the different aspects of the business, from customer interfaces protecting customer information, to business development and key processes, to the underlying IT infrastructure.
5. It is a fact that the role of the CISO is highly dynamic. Given that, what is (are) the most critical success factor(s) a CISO must show to succeed?
One of the key success factors for a CISO is to be able to understand the business, discuss security with business stakeholders in an understandable language, and provide assurance and collaboration that establish the CISO as a trusted business advisor. Similarly, the CISO needs to be able to collaborate with the right technical environments to understand the technical situation and what is needed to effectively protect the environment. The CISO needs to stay on top of changes in the threat landscape and digital developments to understand what is happening and what is needed to effectively protect the company and detect and respond to situations.
6. What are some of the biggest challenges for a CISO such as yourself at a global company?
One of the key challenges for a CISO is to have good visibility of the assets in the environment and the risks connected to each of them. Further, with more and more services being hosted in cloud environments or externally accessible on different devices, finding the balance between secure and effective ways of protecting the company's crown jewels and making security as low a barrier for the user as possible is a big challenge every CISO continuously tries to find solutions for. CISOs need to enable the business by securely providing the right people with the right access to the right information when they need it, while at the same time ensuring that the people who shouldn't have access to that information do not get to it.
7. Do you have advice for someone looking to start a career in cybersecurity?
The good thing about going for a career in cybersecurity is that there is currently a huge skills gap, and it is increasing. A career in cyber security will almost certainly provide job security for the foreseeable future. When looking to start a career in cybersecurity, there are many different paths to take: from deep technical operational specialist fields such as security analysts in security operations and incident response, to security engineers building and testing the security strengths of different components in the IT environment, to a focus on the human interface with training, communication, and awareness, or more towards governance, risk and oversight, as well as business development, strategic transformation journeys, and leadership. You cannot necessarily be a deep expert in all the different aspects of cyber security, but you could over time build a career with experience in most or all of the different topics and build a strong generalist managerial profile.
My advice would be, first and foremost, find your passion. Try to find out what gives you excitement within the cyber security world, what drives you, and what gives you energy. Is it trying to find the bad guys and the needle in the haystack, and celebrating when you have managed to stop things from happening? Is it really digging deep to figure out what happened and the root causes so that vulnerabilities can be fixed? Is it trying to break things and get through the barriers so that the barriers can be further strengthened? Or perhaps influencing people's behaviours or driving strategic change journeys? Whatever gives you passion and energy is probably the best career path for you. You need your passion and energy to further develop and excel in your career and, most importantly, to enjoy what you are doing.
8. How do you think we can attract more young people to this field?
By establishing and driving an open discussion and understanding among schools, universities, businesses, governments, and media about the importance of and dependency on cyber security, showcasing the vastness of the different opportunities there are within cyber security, ensuring cybersecurity is integral to everything we do from business development and customer contacts to technical areas, and making clear that a career in cyber security will provide job security as data and digitization grow, I hope more and more people open their eyes to this career path and join in.
9. Do you have concerns about the state of cyber security today? If so, what are those?
One of my key concerns with cyber security today is that, with the pace of digitization and connection, we also build and connect on top of a lot of old legacy infrastructure. We need to access anything from anywhere at any time. This exposes a lot of attack surface that is hard for us to protect.
The cyber criminals are getting more and more organized, and there is big business in cyber crime. Combining these two factors makes the current environment and risk in cyber security high today. We need to find new ways of securing the always-on, always-connected world to ensure business resiliency and protection of crown jewels. There are different developments that give positive direction, with a more people-centric security model placing the key protection closer to people, their devices, and data. However, at some point these individuals will need to access and manage information residing on old infrastructure, and transforming old legacy infrastructure into the modern secure digital world is costly and time-consuming.
10. Is the cyber security workforce shortage a reality for you? How can this be solved?
Yes, the security workforce shortage is a reality, but there are also different pockets of shortage, and it is more about having the right people at the right levels to effectively drive and manage than about necessarily getting enough people. Further, a shortage of key skills drives the development of more hybrid models, having certain key resources in house while connecting with partners who can work at scale for other services.