It's 2019 and the role of the CISO is vastly different to what it was ten, even five years ago. Whereas previously security was perhaps considered an 'add-on' to a company, we are now seeing the industry stepping in front of others and enabling business transformation. We spoke to three high-profile CISOs about their experiences, to hear their thoughts on how times have indeed changed for them and how to move forward.
Speaking at Infosec, Paul Watts, CISO of Domino's Pizza UK & Ireland, said he has witnessed a huge change in the role of CISO in the last five years: "Security teams used to be a bolt-on to the organisation trying to put fires out. What is now starting to happen, because of the cadence and velocity in how technology is building, shaping and changing an organisation, is a lot of your time is spent in a business partnering role and to some extent a marketing role when you're trying to sell security to the business. But it's not just about having to up-sell, it's about providing a business context to what your security operation is."
"It's also having a degree of agility," continued Paul. "So rather than just have someone [on your team] who just does GRC, give them the opportunity to cross-pollinate, cross-skill and support each other, so you become less concerned about going on holiday for a couple of weeks. It's really important that people feel that they have that front-line policy and they can make decisions on your behalf as a team for the business's benefit."
Emma Smith, Global Cyber Security Director at Vodafone, is more realistic, perhaps: "We had a new CIO and with that comes a new way of working. He said on a video to my whole team, 'I want you to become the spear of the business, don't think of yourselves as a service functional support function.' And I think while we might have always tried to be an enabler and tried to do that, actually in practice it is really challenging and does require quite a culture change inside the security teams when we are seen as the one who provides solutions, not risk assessments or logs or other traditional tasks."
Kevin Fielder, CISO of Just Eat, said that security hasn't changed in terms of the core security pillars, but where your data is and where people access it from is very different.
"Since the 90s we've talked about security being more integrated in the business and I think that's always been critical," said Kevin. "We are getting better at it, and being seen as an enabling function - helping the business to run fast and securely - is a key part of the messaging. Be agile - I think you can run security as an agile delivery team regardless of how your business works, because you'll get more done."
So how can you keep up in an ever-changing, highly demanding role with increased responsibilities?
"I try to learn new things," said Kevin. "It's why I'm in security in the first place, there's always something new to learn. Communication is key - so much of our world is communicating with each other or to other departments in the business about why security is important and why they should be fixing x, y, or z. There is always that challenge between, 'fix x or get a new feature out,' so you have to be really good at communicating that what you are doing is important, not just saying, 'hey, zero-day vulnerability, hacking hacking hacking, etc.' and using business language instead."
Lee Blarney, former Head of Information Security at Marks & Spencer, said: "Business acumen and communicating are the two single most important things people can bring to a team. Plus, change is always going to happen and it is often forced on you, whether it's an incident or a wider change to your team, so you need to be resilient."
Paul Watts added: "It's about adaptability. The infrastructure of today is not the infrastructure of tomorrow."