The panel will also explore the role of the CISO as a mentor the Importance of diversity and the cross-functional role of the CISO.
Transcript
The transcript has been edited for grammatical reasons
The UK Cyber Security Council - Perspectives on the role of the CISO
Andrew Menniss: [00:00:00] Good morning, good afternoon or good evening wherever you’re joining us from. My name is Andrew Menniss, I work with GRC World Forums and it gives me great pleasure to invite you to have another really fascinating panel on PrivSec Global. We’ve been live already today, on day two, for almost two and a half hours.
[00:01:37] There’s so many exciting things going on. We hope you can join us for a lot of the day. Thank you very much to our headline sponsors, Microsoft and One trust. So, as I’ve mentioned before, visit the GRC World Forums page, by that left-hand menu, register your interest for a number of the really exciting new initiatives that we have for this year which includes the women in governance risk and compliance series, which is a series of awards and forums, which will honor female leaders and companies demonstrating excellent across GRC and a number of the really exciting future events that we have for this year.
[00:02:12] So now in this panel, which is the UK Cybersecurity Council perspectives on the role of the CISO, it gives me enormous pleasure to introduce you to Vicky Guilloit from Privacy Culture over to you, Vicky.
[00:02:25] Victoria Guilloit: Thank you so much, Andrew. And welcome everyone. I’m really looking forward to this panel. Before I give an overview, let me bring the panelists in.
[00:02:34] So I’d like to introduce Budgie Dhanda to start with, Budgie is co-chair at UK Cybersecurity Council formation project. Hi, budgie. Welcome.
[00:02:44] Budgie Dhanda: Morning.
[00:02:45] Victoria Guilloit: Next. I’d like to introduce Amanda Finch. Amanda is Chief Executive Officer at CIISec, Good Morning Amanda.
[00:02:54] Amanda Finch: Good morning Victoria.
[00:02:56] Victoria Guilloit: [00:02:56] And lastly, I’d like to introduce Chris Green.
[00:03:04] Hello there.
[00:03:05] Hello there Chris.
[00:03:06] Victoria Guilloit: Chris is Head of PR and Communications, EMEA at ISC Squared. Now, before we start to get into the questions, just a bit of background on this topic in recent times, I’m sure we’re more than aware that the importance of cyber and information security has been under the spotlight more than ever before.
[00:03:26] We’ve had the introduction of the GDPR and copycat laws, similar global privacy laws around the world that have demanded a regulatory focus on data security, and there’ve been ever increasing advancements in technology, such as AI and machine learning, coupled with a wide range of ever sophisticated cyber attacks.
[00:03:48] Then we had an overnight shift as well to remote working, which has put tremendous pressure overall on the role of the CISO. So Budgie, I’m going to start with you. Can you start by telling us what you think a CISOs professional background should look like?
[00:04:08] Budgie Dhanda: Ah, that’s a good, difficult question to start with.
[00:04:12] Historically, I think what we’ve seen is that the CISOs tend to start off with a very technical background and yeah, they come through, whether it’s from architecture or auditing or pen testing, whatever they normally start off with one of those sort of typical roles and then drug take upwards.
[00:04:28] But interestingly, as you get higher and higher up the rungs, particularly as you reach CISO, the role changes completely. It’s less about technology. It’s more about management that business understanding about risk and actually the stakeholder engagement piece. I think that’s starting to be recognized now in that you’re stuck, there’s a bit of a segmentation going on in the CISO role itself.
[00:04:49] And people are now talking about VSOs and CISOs and Kikos, I mean, that’s where we now going to where I think historically, I said they started off technical. I think we’re now going to start seeing people who are coming in, who are not technical. They need to understand cyber security, but they need to understand the business context.
[00:05:04] So I think that will create some challenges for the constructions. We’ve got the qualifications and the certifications that we got and the career pathways as well.
[00:05:13] Victoria Guilloit: Absolutely thought you, yes, you need to be all things now don’t you to be a CISO. Amanda, just same sort of question to you then, what kind of skills do you think that, that, that you knew improve CISO?
[00:05:24] If you like, what do they actually require nowadays?
[00:05:28] Amanda Finch: Well, as glad you says, it’s, it’s moving away from the technical side of things. And I think that’s the problem, a thesis that come in. Is that that actually has to draw on natural skillsets that probably not in their particular skillset profile. So what they need to do is that they need to, to, to build that skill set up, or they need to help all that’s been set up within their team.
[00:05:52] As, as said, it’s the communication cause a lot of being a CISO is really about influencing people, getting people to understand where you’re going, what you’re trying to achieve, all of those good things. And therefore, it’s really concentrating on those soft skills, understanding the business, trying to speak to business in the business’s language so that they get what you’re saying to them.
[00:06:15] And there are lots of courses and things that are out there to help and that are, you really just need to understand yourself. You need to understand what your skills are, where you don’t have particularly strong skillsets. And learn whether you can actually build those up yourself or whether you need to build things up in a team around you.
[00:06:36] Victoria Guilloit: [00:06:36] Thanks, Amanda. So, Chris just on that then, do you think we’ll see people moving here from other areas you think we’ll see some transparence potentially from the DPO or the CDO side or the risks slide more into security or even finance?
[00:06:56] Chris Green: [00:06:56] Well, I think, yes, we do. And more important. I think we kind of have to, I mean, as, as, as both budget and Amanda have alluded to part of the challenge that we face is that the further you go up the the, the corporate ladder the less technical this role gets.
[00:07:10] So we need to start bringing in a much more blended skillset, I think for the modern CISO to actually be effective in their role. And this has really, I think, been particularly born out in the last year where CISOs suddenly found themselves not only dealing with a broad range of, of technical issues, but they’re suddenly facing newfound budgetary considerations and much wider business and regulatory considerations that they’ve had to take into account whilst we’ve been trying to re-engineer the business for the last 12 months.
[00:07:35] So I think pulling people in from, particularly from things like risk. I think maybe sort of rebuilding that traditional umbilical that we once had between it and financial services and the finance team. I think that makes a lot of sense when it comes to trying to find candidates for future seats or roles, but ultimately whoever goes into that role it has to be a blended skillset.
[00:07:53] They can’t just come from the non-technical business side and similarly, they can’t just be a technical professional. That’s worked their way up the, you need an effective CISO needs to be able to grab a screwdriver and fix an issue. But at the same time also needs to be able to sit down with the C-suite and have a financial argument as well for why they should be investing, and you need and everything in between.
[00:08:13] And a good CISO is someone that can actually, how okay. Competent across all of those disciplines. And that’s really where the role is actually starting to move towards.
[00:08:23] Victoria Guilloit: Yes, indeed. Crikey. Yeah, very wide ranging. Of course, they’ll need to understand what capabilities they need as well.
[00:08:30] So it needs to be really connected people too. So, Budgie with all of that in mind and there’s a lot to take on here. How can the council support CISOs in their roles potentially recruiting this level of talent that we were saying needs to be there?
[00:08:48] Budgie Dhanda: Well, I think the council has actually got a whole range of challenges that it’s trying to address, part of this is about the skills piece. So, in particularly the mapping of the qualifications and certifications that are out there and understanding what those mean that you can do and what you can’t do. So, we’ve taken the approach, there’s a framework that’s been developed mapping the qualifications and certifications on onto CIBOK the book of the body of knowledge, which sets out what skills you should, what knowledge you should have to do particular roles.
[00:09:16] And also mapping that over on to career pathways as well. Well, I think there’s a wider challenge that we’ve got is actually that there’s a huge skills gap in not only the UK, but globally. How do we get more people involved actually coming into the profession in the first place? And that’s not something we’re gonna address in one year, five years.
[00:09:34] It we’re developing a 10-year strategy, which goes all the way upstream into schools. Also looking at career changes, people from technical backgrounds and nontechnical backgrounds, and actually demystifying the whole cybersecurity landscape and what the profession looks like.
[00:09:47] And then I think we’ve already spoken about the fact that you need don’t necessarily need to be as technical when you get to a CISO role but actually there’s so many roles in cybersecurity that don’t require you to be hugely technical. And I think we’ve got to get that message out to a lot of people. And I’ll keep talking about some really good professionals I know in senior positions who come from backgrounds like performing arts or linguistics or teaching. And I think that’s the sort of thing that we’ve got to start addressing as well as the classical piece about actually, how do you actually get to become a CISO?
[00:10:21] What’s the career pathway? What knowledge do you need to develop along the way? So it’s, it’s not gonna be quick, but it we’re working on that strategy at the moment and that’s something which a council, when it finally comes on line in week’s time, we’ll start picking up over the next few years.
[00:10:36] Victoria Guilloit: Excellent. It sounds fascinating. We look forward to seeing all of that unfold. I think in, in the meantime, if somebody was actually considering looking at this was quite interested, I can imagine so many people have been fascinated more by cyber security during the pandemic than ever, because we’ve seen so many scams it’s a lot of awareness has been raised out there in public.
[00:10:57] And I’ve seen a lot of people saying, how do I switch? I’ve had people ask me how do I switch? How do I make the move? For example, finance so what could we actually say to them now? Amanda, what are your thoughts on that in terms of in the short term, getting yourself prepared I think you mentioned before about those soft skills.
[00:11:15] But, but the broader skills may be that they could bring to the table. What do you think they could do sort of right now?
[00:11:22] Amanda Finch: Well, I think there’s a lot of understanding what your skills, the skills that you actually have is that a lot of people underestimate the skills they have and they just think, Oh, that’s me, I’m normal.
[00:11:32] I just do this stuff. But actually when you look at the skills that you have in yourself they, they aren’t necessarily that ubiquitous. So we’ve talked a lot about the softer skills and that’s particularly one area that we are lacking within the profession. So really it’s looking at opportunities that will let you use those skills.
[00:11:55] So if you look at training and education that there’s a lot of work that people can do in terms of describing security risks to other people understanding risks, those aren’t technical skills. But you can teach people quite easily how to measure risk, how to explain that to people. And so those are the sort of things for somebody that’s, non-technical so matron on your positives.
[00:12:19] Similarly, there’s a big shortage of technical skills. So what, instead of being in IT, you can say, right, okay, let’s move over towards security. Can we see what this product shouldn’t do rather than what it should do? So it’s really harnessing the skills that you’ve got there to start with.
[00:12:40] In terms of turning that into jobs, I think that a lot of employers are now being a lot more flexible instead of going for the unicorn job vacancies that we’ve been seeing up until now where they’re expecting everybody to walk on water, commune with the angels and all of that sort of thing. People are being more realistic that they actually need to train people.
[00:13:00] So you need to get over the net that you’ve got 60% of that job. But you have the potential to fulfill the a hundred percent. And in our annual survey, it comes out tops every time. But what keeps people enrolled is the opportunity to learn and develop. And it’s why they move jobs as well.
[00:13:20] It’s the opportunity to learn and develop. So, it’s a two-sided thing it’s employees, potential employees need to learn, we’ll dig deep and see what we can bring to the party. But employers also need to think more laterally about how we can develop people, because if you do that, it’s actually cheaper in the long term. Because you spend out a lot less on recruitment costs, you’ve got a happy workforce that stays with you. And what’s not to like.
[00:13:48] Victoria Guilloit: Excellent. Thanks, Amanda. Yeah, I think again, it’s sort of back to the, the risk piece, isn’t it understanding risks so crucial in this role. Chris, have you got any thoughts on that as well? , in terms of the, the professional development path for CISOs and other cybersecurity professionals?
[00:14:04] Chris Green: Well, yes. I mean, it’s, there’s no question. The last year has seen that the role of the CISO and the role of most senior IT and cybersecurity professionals put into the spotlight. But what we have seen is an increasing need and more importantly, increasing shift of skills within organizations.
[00:14:21] I mean, there’s no question. We all know that there is a significant skill shortage in the industry. And one of the big things in the industry is. Trying to do and has been for several years now to try and address that shortfall is about trying to either repurpose or multi-skill staff within organizations.
[00:14:37] So we are increasingly seeing people, either career changing within organizations or career changing from outside the organization and switching across into CISO and similar roles. And in particular, we are seeing people come across and things like risk and compliance as well as coming in from completely sort of non IT normal hierarchy roles in that, that route into the CISO role in order to try and bring new skill sets, new soft skills into the organization whether it’s problem solving or reasoning and things like that.
[00:15:06], if we’re ever going to address the shortage of professionals in the space, and I think the last year is only likely to amplify that shortage we have to be mindful of the fact that we cannot purely recruit from within we’re going to have to bring people in from outside the organization.
[00:15:21] We’re going to have to be more receptive to the notion that a good CISO does not have to come from an IT background. It does not have to come from a traditional business background. But they do need to be able to demonstrate, I think some certain core competencies and particularly that’s around business reasoning, it is around problem solving financial acumen things like that.
[00:15:35] And we’ll find those skill sets in a variety of other industries and variety of other careers. But also more importantly, I think from our perspective, probably one of the key roles that our good CISO should be able to display is the ability to bring people along for the journey, whether that is through education or through communication.
[00:15:52] So hence why one of the areas where we see a number of people transferring into the sector from his edge is from the education sector. We have seen several, a growing number of teachers, for example, in academics, moving into cybersecurity, and that potentially brings a wealth of new skills into the sector and potentially helps create if not the current, certainly a future generation of CISOs that we’re going to bring a very broad and, and very learned set of skills to the bird, to the fall.
[00:16:19] Victoria Guilloit: Excellent. Yeah, it sounds exciting. A whole new landscape of chief information security officers and, and Budgie just those words themselves. Just remind me that in recent times we describe security as cybersecurity. So often now I know some companies split the two cyber security and information security.
[00:16:37] And those of us that have been in the industry for a long time, spent a long time trying to hold back that cyber security tide to say, no, it seems mentioned security. And it’s the chief information security officer, so that makes sense at that level.
[00:16:51] But do you think that as part of this overall recruitment strategy for the new kind of CISO that you all describing this sort of blended person that could come from any kind of background, we’ll need to start looking at that language again, the way that we describe it, because immediately when you say cyber security, it doesn’t sound like anything other than something that’s technical, I think to people that are outside of the industry, what are your thoughts on that?
[00:17:20] Budgie Dhanda: Yeah, absolutely. I mean, language is really important. And when we were setting up the council there was an awful lot of discussion about the actually what the definition of cybersecurity is. And personally, I take a very broad definition of cyber security is not just about the information security and it’s not just about the IT aspects of it, because yeah, if you look at where the threats come from, they can come from any part of the business.
[00:17:44] So you’ve got to bring all the disciplines inside the business, along with you. So that includes, the project management community, the IT function, the commercial function. Yeah. How much risk are you bringing in through your supply chain? So you can make contracts, right? HR a part of this as well.
[00:18:00] The classic one is if you have, if you’re a company and you roll out a phishing training, for example, how to spot phishing attacks, you’ve done the training. You click on a link something comes through and you click on a link. Okay. That might be the fact that you didn’t engage with the training property.
[00:18:14] You click on it again. Maybe the training’s not right. You take on a third or fourth time. What point is it? Does this become a disciplinary issue? So it is multifaceted. So I think the language is important. I think we need to frame it in that way as well. Cybersecurity is a whole business issue.
[00:18:27] It’s not just, even when we were talking about information security, it was very much about actually, so who’s responsibility information. Are we going to put it in story and contain it in a nice team area over here and control who access has access to it? I don’t think that’s right either. So yeah, it’s a cultural thing. I think that we’re going to try and fixing.
[00:18:46] Victoria Guilloit: Yes, absolutely. And Amanda what about those roles where people are double hatting. How do we, how are we going to manage that? Because I think a lot of businesses, especially potentially the smaller businesses have tried to concentrate, the CISO, CEO, CPO slash DPO role all into one. So what kind of person does that need to be? Is that another set of skills as well?
[00:19:13] Amanda Finch: It’s always difficult for a small organization. I mean, you take something like the chartered Institute of information security. My background is that I’ve done information security since the nineties.
[00:19:23] But at the moment I’m CEO DPO every seat number in the C-suite and you have to be multi-hatted and take on a lot of rules and it is difficult in a small organization, but I think the thing is that you need to reach out to people when, you come to the limit of your capabilities.
[00:19:43] And I think that’s the big thing, because in a small organization you can be dealing with an incident in the morning trying to write the policy in the afternoon, get some money for a project later in the day. And it’s pulling on lots and lots of skills. And it’s, it’s challenging and it’s enjoyable.
[00:19:59] But the main thing is, is really looking at the risk profile. If you’re in a small organization, understanding what is important, what it is that you can actually do as a person, what your capabilities are, and then when you are struggling, reach out.
[00:20:16] There’s a lot of initiatives for part-time CISOs where organizations are offering. Consultancy to look, to come in and help organizations address particular issues. And I think that if you’re working in a small organization, that’s where you need to think, what is it that I can concentrate on? What is it that we potentially need to outsource as a service bearing in mind?
[00:20:38] You still need to manage the risk. Where is it that I need to get some knowledge and guidance from other areas and going to places that you trust as well. So it’s making sure that you go to the right people.
[00:20:52] Victoria Guilloit: Excellent. Thanks, Amanda. And Chris, I suppose in these situations where people are having to wear more than one hat, it’s difficult to, to retain a level of independence, isn’t it?
[00:21:03] So imagine if you’re having to play the Data Protection Officer role and you’re having to be there on behalf of the business as the Chief Information Security Officer, that must be a quite a difficult position often to be in.
[00:21:18] Chris Green: I agree. It’s an interesting challenge because yes, you are required to maintain the sort of a degree of independence in each one of those roles.
[00:21:25] But at the same time, they are definitely overlapping ones. So, in this day and age of multi-skilling and wearing multiple hats it’s notable that the things like GDPR legislation was opened to the whole notion of, for example, a CISO and a DPO being the same person.
[00:21:41] So even that recognized early on that even amid the, the requirement for independent sometimes potentially even contradictory thinking and decision-making that the, those roles could sit within the one person. And we’ve seen that through the industry, it is quite possible for people to hold these multiple roles and to actually bring their combined knowledge to the fall to actually carry out those multiple functions quite well.
[00:22:01] It’s a necessary evil at the moment. It’d be lovely if we had a situation where you could actually separate all those roles out into individual people, but most organizations and another thing, Amanda actually touched on quite rightly, especially things like SMEs really can’t even begin to do that, they just don’t have the people that don’t have the resources.
[00:22:17] In many cases, they don’t even have in-house staff doing this. Remember a large number of SMEs are still often reliant on external contractors to hold these roles for them. I could quite easily to point to a large number of have quite, sizeable SMEs who were still using external contractors and agencies to be their virtual CISO as well as actually to do their GDPR compliance roles.
[00:22:37] So, we were going to have to accept that, there will be multi-skilling, there will be overlapping and, and cybersecurity is no different to a variety of other roles. I mean, prior to the role that I’m sitting in today, I was a journalist working in the technology sector. And before that international newspapers, and we grew increasingly saw multi-skilling creeping into areas such as the media where it’s now commonplace.
[00:22:56] A journalist can be their own camera man, their own sound man as well. They traditionally would be separate roles with separate thoughts or functions now very much combining into one. So we see this move towards, combined roles of both integrating conflicting tasks is quite commonplace across a variety of, of senior business roles.
[00:23:15] So we have to embrace it, but, again, this comes back to the point, I was making a bit earlier about the need for bringing in a variety of soft skills from outside of the industry and to embrace the career changer path, to bring those skills in. If we’re going to have competencies, so you can juggle all these different roles effectively and execute all of them to to a high standard, we’re going to need to look at where we were bringing in talent from, whether we all bring in career changers from other sectors to lean on those skills, whether it’s happening into arguably underutilized sectors, like for example military personnel who’ve left the service and bring in them and the large variety of skills and leadership attributes that they have and bringing those into the fall.
[00:23:59] So, yeah, we have to take into account that multi-skilling is not going away wearing these different hats is not going away, but it will absolutely need to shape both our recruitment strategy, but also, it’s going to have to shape the job descriptions. I think for a lot of these roles we need to be calling for, or looking for a very broad set of skills, a broad set of competencies to effectively juggle those roles. Whether that means, looking at unusual and I suppose, nontraditional paths into the CISO suite.
[00:24:33] Victoria Guilloit: Excellent. Thanks Chris and Budgie, as much as it feels like from what all of you are saying, and just picking up on some points that Chris made there about the opportunity to really widen the net and look for skills and, and look at different sectors to bring people in. Most of us here, I think I’ve been around long enough to remember when the CISO was fighting for a seat at the C-suite level for a long, long time and had various different security-hatted roles.
[00:25:01] Is there a danger, do you think with all of this multi-skilling not just to be the SME level, but with all of these data related roles floating to the top now, as I mentioned, I think chief data officer, chief privacy officer slash data protection officer, chief information officer, chief information security officer, is there a danger that businesses will start to think, well, hold on a minute, do we actually really need the CISO role anymore, or is it just that there needs to be a data related role at the C level and then there’s security roles that sit beneath that. So, could we be in danger of going full circle again, do you think?
[00:25:42] Budgie Dhanda: Might be slightly contentious here and that I think, I would argue that, you don’t necessarily need to have somebody with moniker of CISO, even at the top table, it’s ultimately it’s about risk.
[00:25:53] And if the board understands risk and understand where their risk lies, where it’s coming from data protection, whether it’s coming from your IT assets, whether it’s coming from global pandemic, whatever it is, if the board understands the risks, they know who should be on the board and what expertise they need to have on the board, which functions need to be represented on the board.
[00:26:11] I think, yeah. One of the reasons that the CISO has been elevated up to that level and the DPO and various others been elevated up to that level because the risks have been becoming better understood. And particularly the consequences are becoming better understood by boards. And when you see big fines being divvied out to big multinationals, all of a sudden that raises your awareness of there might be something out there I need to take a bit more interesting.
[00:26:36] So therefore those roles automatically get elevated up, or at least there’s a route for them directly to get elevated into the board if that’s required. So yeah. Might be slightly contentious. Do you need all of those up there? Not necessarily, but I think you need somebody up there who understands what the risk is from the cyber part into your business.
[00:26:54] And then you need to have somebody who can have a sensible conversation about it.
[00:26:58] Victoria Guilloit: Yeah, absolutely. I completely agree. So perhaps Amanda, then we might not necessarily need to retain the label of CISO. It’s actually about, looking into the future, it’s just all about finding the right skills to make sure that that information is protected or as Budgie and all of you mentioned, we have the right people that understand and can face into the business risk.
[00:27:24] Amanda Finch: Again, the risk of being contentious. I think the CISO title is incredibly overused, and it can mean so many things to so many people. But in many ways it would be better if we didn’t have the main CISO and we had some different names, but then we’ll probably go into a whole load of other concerns about what people should be called suddenly, and we’ve had enough arguments about cyber over the last couple of years. So I’m not going to go down that route. I think the whole thing is about influencing and sometimes it’s not important to be the person at the top table, it’s about getting your voice heard.
[00:27:56] So if you influence the board, through the CFO, the CRO, directly with the CEO, that’s really where you need to focus your attention so that you can get the voice heard basically. And every, every organization is different and every culture is slightly different. So you need to make sure that you roll with the punches and you go with the right people and we’ve done quite a lot of talks about this with them influencing the board level and getting the voice heard because it’s, it’s been a perennial problem.
[00:28:32] And it’s really about understanding your particular culture and working around that. I think those of us that have been trying to influence boards over the years, they’ve probably fallen on our noses several times because we’ve learned by our mistakes, but it’s really about getting people onsite and using the right means that you need to that.
[00:28:52] And I don’t know if I’ve answered the question you asked me, I’ve gone off on a tangent. Was that? The answer that you wanted?
[00:28:59] It was great.
[00:29:00] Victoria Guilloit: Absolutely. So, so we were talking about, do we actually need the label of the CISO role or the label of the CISO so when you said, actually it is, it’s about being able to influence the right people at the right level to get what you need to get done,
[00:29:18] Amanda Finch: Then the let’s call it that, whatever it is, you need the me to do whatever.
[00:29:22] Victoria Guilloit: Yeah. But it is sort of no withstanding everything that you’ve said. Chris, it still feels like it’s a big role, isn’t it? Regardless of its label is still a big role. It’s always been the, if you are that person that is worrying about company information and what happens to it, let’s say it like that for argument’s sake, rather than saying information IT say and, and cybersecurity you’re at the forefront of everything.
[00:29:49] , that the people that are in this arena usually know. All of the projects that are going on in the organization, if they’re tapped into that, through their secure, by design process. So they know where the risks are, they’re seeing all of the external threats, they’ve got eyes over everything that’s happening internally.
[00:30:08] Then they need to find solutions to respond to those, whether they be a process related procedure and this education and awareness, as we know that needs to happen around that, whether they’re finding technical solutions and then they need to make sure that everybody knows that that that’s what’s happening.
[00:30:26] There’s a unification they’re connected with anybody that’s working with data, anybody that’s interested in risk. So it just feels like regardless of what we label it’s something that should command a reasonable salary. So I think where I’m kind of getting to I suppose, is that going to be difficult if you haven’t got chief in front of your name for example.
[00:30:50] So if you’re saying, okay, you need to be all of these things, but you might be sitting further in the background in an organization.
[00:30:59] Chris Green: That’s an interesting question. I personally, I don’t think that the title has too much of an impact on the earning potential and thus the incentivization to get people into the role.
[00:31:10] As Budgie said, you can ultimately call the role whatever you want it’s about form and function, but what we do know, and we’ve seen this from our own research, is that, incentives like remuneration are more affected by qualification than by title, particularly in this sector.
[00:31:26] And a CISO for want of a better term or whatever we want to call them that’s coming in with clear qualification, certification, validation of their capabilities in their skillset, will be able to command a significantly higher salary than one that’s purely just going on experience alone.
[00:31:42 ]And this circles back to one of the key points, really one of the keep points of the council, and that is about pushing this professionalization angle for our industry and key to professionalization is certification. So, it is critical that CISOs or whatever that their title may be, that they’re carrying a broad spectrum of certification.
[00:32:00]Really just to verify their capabilities across that broad range of skills that we’ve talked about already. Whether they carrying a high level ITO cybersecurity certification, or they’ve got an MBA, which will allow them to have those business level conversations with credibility at the table or any other, senior certification. We even have certifications now that are specifically tailored for the CISO role. A certified cybersecurity leader at the board level or close to it, is going to be more authoritative, they’re going to be more capable and more probably they will bring more people along for the journey.
[00:32:32] A qualified and verified leader is a more effective leader at the end of the day. And if boards are going to take the advice that they’re getting from the CISO truly, seriously for want of a better term, it’s got to come from someone that can absolutely validate their position.
[00:32:46] So certainly, I said it comes down to if you incentivize with money absolutely, but you justify that incentivization by looking at the validated skillset that the person who’s going to bring to the role, not the title of the person who’s actually going to fulfill. If they’ve got the certs, if they can demonstrate that they are a true leader in their field, then they’re going to be able to command the sort of salary that brings in the best talent and holds it as well.
[00:33:15] Victoria Guilloit: Great. Thanks, Chris. Budgie and Amanda, I’m going to ask if you’ve got any builds on that before we go to have a look at what questions we’ve got coming in.
[00:33:28] Budgie Dhanda: Yeah, I was going to say, I understand where Chris has come from. I’m not sure that’s always the case though. And certainly if you’re trying to get into a role, then the certifications help. And if you look at the job adverts are out there, they typically say, must have CIS, must have CISM that sort of thing. It’s a way of validating and one of the things which the Council is going to be doing is actually looking at competency, so there’s gonna be a route map to becoming a chartered cybersecurity professional much like a chartered engineer. So I think there’s a competency element to this as well.
[00:33:56] I think also, what you tend to find is, particularly at the senior levels, and I know an awful lot of people that are CISOs and their certifications have lapsed. Their view is actually once I’m in the role, I don’t need to keep that. And they then go on experience reputation when they move from one role to another.
[00:34:13] So I think there is a, there is a role here for certifications and qualifications and knowledge. But as you get more and more experienced and into more and more senior roles, I think that sometime drifts away a little bit.
[00:34:26] Victoria Guilloit: Yeah, I would agree. I think that’s right, I think I took CISM probably the early two thousands or like in the end of the nineties is around then.
[00:34:34]And I did the same because she had to go to a number of conferences and just build up accreditation didn’t you and I just remember just being so buried under work that I never got to go and do it. So I did a similar thing. Amanda, what are your thoughts on it?
[00:34:48] Amanda Finch: For me, theres a lot of store that needs to be put by competency is that you can have lots and lots of qualifications and you can sit and lots of exams, but one of the things the Charted Institute puts a lot of store by is being able to actually apply that in workplace. And all of our accreditations are basically on the ability to apply that skill in the workplace. So we test competency by peer review. So at the senior level which will probably be the level of chartered when it becomes available, an individual has to be interviewed by two of their peers. In fact, that can actually ask those tricky questions about how would you do this? What did you do in this particular situation? And I think that that’s one of the things that we should be looking more for within the community, is that the competency aspect of it.
[00:35:42] Victoria Guilloit: Yeah, I think that’s a great point. Definitely. So are we ready to go to questions? Should we see what’s coming? Perfect. So the first question, what are the main challenges a CISO will face in the workplace today? So, Budgie, I see you smiling. So I see you.
[00:36:03] Budgie Dhanda: Yeah. Where do you start? In many ways, I think that the challenges you face today and no difference do the challenges we faced 18 months ago.
[00:36:10] But I think from a year ago, I think what we’ve seen certainly years and yeah, Chris Greene’s organization IC Squared did a really good report, which I recommend reading on just how fast people have to adapt to new ways of working. So I think that pace has changed. I think there’s more of a recognition that the threat landscape has changed because we’re all homeworking that the sheer surface area has increased.
[00:36:36] But in many ways it’s a challenge that we’ve always had there, but it’s just the fact that we’re now having to respond to more quickly, I think well, any other chance, I’m not sure that there are, to be honest. I mean, the technology’s there. I think they’re more first have moved to cloud and online working.
[00:36:52] So there has been a shift in the technology, but the threats are the same. The challenges are the same. Will it be more money for this? Who knows, some organizations because of recognize the change, you’re actually putting more investment into this, but yeah, I can’t say that I’ve seen a huge shift in, or some people saying that the CISOs role is going to be completely different to what it was a year or 18 months ago.
[00:37:15] Victoria Guilloit: Thanks Budgie. And Chris or Amanda, did you have any thoughts or builds on that?
[00:37:21] Chris Green: Yeah, so there’s a couple of things. I’ll probably add that. I mean, budgie touched a bit on the research that we’d done on that. So just to put that into context, if you want an idea of how the world has changed for CISOs in the last year.
[00:37:33] Yeah. Case in point is the sudden digital transformation that’s been imposed on so many organizations that CISO has been front and center in delivering. Nearly a quarter of organizations had to pivot either all or the vast majority of their workforce to remote working in the last year in on a day’s notice.
[00:37:50] Nearly half had to do it in less than a week. Yeah. And the CISO was very much leading the charge to actually deliver on that. So, again, I think that’s just one very small, but critical aspect has shown how the role of the CISO has been put very much in the spotlight and how, I suppose, they in their team has really, once again been shown to be so business critical for the organizations that they operate in because, without the cybersecurity teams , those digital transformation efforts would not have been executed in the time that they did.
[00:38:17] And more importantly, it wouldn’t have been executed in a functional way. And that’s even before we get onto discussing the secondary issue, which is okay, you’ve now in the last year, you’ve, re-engineered your business to work remotely. Now the cybersecurity team is charged with a very, very significant secondary issue, which is how do we now extend the castle wall around this new distributed workforce.
[00:38:38] And this is probably one of the biggest things that’s keeping CISOs awake at night, is how they rearchitect cybersecurity strategies to work effectively with a highly distributed workforce, with a highly unpredictable technology and environmental sets I have to deal with everything from they no longer control the hardware, necessarily.
[00:38:54] They no longer control the internet connectivity. They no longer control the environmentals that they won’t see it. You no longer have the comfort of knowing that everybody is tucked in the castle behind the castle wall. Because now the castle is a distributed set of buildings all over the village.
[00:39:09] And when the attackers come, whatever form they might take, you now have a much more significant challenge to ensure that this distributed structure can actually not only repel, but also be proactive in delivering cybersecurity competency whether that is technical or regulatory or best practice.
[00:39:27] So you’ve got a lot of that to consider. There’s also the fact that just the threat landscape in the last year has changed significantly, and it has creating a new challenge. We’ve seen threats, depending on whose research you look at, the number is different.
[00:39:38] Our research suggests that, the threat landscape has gone up by almost 20% that is a direct result of the COVID-19 pandemic, and the changing work environment that we now face. So CISOs are now very much, on a defensive footing in a lot of organizations just dealing with that increased onslaught of challenges coming from outside the organization, over and above all the other challenges have been created by the changes of the last year.
[00:40:05] Victoria Guilloit: Thanks Chris. Yes. That certainly chimes with a lot of the conversations that I’ve had as well. Amanda, I think you were going to add something to that too.
[00:40:14] Amanda Finch: I was just going to say that the CISOs role has always changed, since time immemorial and he says we’ll just adapt to it. Things get better, things get worse.
[00:40:23] I think that there’s a whole thing that everyone else has said about the breadth of the landscape is much bigger. One of the things I’d like to bring in is about burnout. It was one of the things that got picked up in our survey on the profession that we did and that the high level of burnout that CISOs are seeing within their own community.
[00:40:41] And I think that’s something that we need to be very careful of over the next, well, forever really, is it’s so easy to just work and work and worker. And that we need to be more disciplined about how we manage our own time, but also how we manage the time of others. Because it’s just so easy to sit on zoom calls from dawn till midnight.
[00:41:04] Victoria Guilloit: Yes, absolutely. Absolutely. Especially as you say with the requirements for the skills bridge of CISOs just out all the time. Definitely, definitely. So I think, I know we started to talk about this, but perhaps we can dig into this one a little more. It’s how do we attract more people into cyber security, through non traditional routes? And perhaps Budgie would like to start the conversation on that one.
[00:41:29] Budgie Dhanda: This is incredibly important, but I think it’s a two way thing.
[00:41:33] I think firstly, there is an awful lot of interest and people out there that want to get into cybersecurity but find it really hard to getting that entry point is really difficult. And I think that’s partly because many organizations start off with a mindset of, this is what we need, this is the perfect person, unicorn thing, as Amanda mentioned, and they don’t exist, you’ve got to take them on as an entry level and you’ve got to develop them.
[00:41:55] And if you look at unemployment rates for just computer science graduates, they’re ridiculous high those people are the sort of people you would have thought you’d want to welcome in. At the level of apprenticeships and the level three level four entry level apprenticeships is remarkably low. We need to do more as an industry to actually bring these people in because there are people that want to get into this industry.
[00:42:17] Then there’s the piece about diversity, we tend to recruit in our own image, but there’s a huge amount of talent out there, which we’ve just not getting. We know people from a newer, diverse background once they’re in these roles, do remarkably well, but our processes for getting them in the first place are appalling.
[00:42:35] We haven’t got enough women coming through. We haven’t got enough ethnic minorities coming through. Social demographics, count a huge amount. If you come from an affluent area, your affluent parents, you’ve got more of a chance of getting in than somebody who might have just as much talent and capability, but they haven’t had the opportunity.
[00:42:51] So there are issues around that I think that we’ve really got to address, but there is an issue here and it’s not just cyber. This is a whole wide issue around people coming into STEM disciplines. So this is something that we’ve got to actually go all the way back into schools. I mean, there’s some good research showing that for boys, by the time they’re in about Year seven or eight, we’re talking about 12, 13, 14 ish.
[00:43:16] They’ve pretty well decided which career pathway they’re going to go. But for girls it’s much younger. You’re going to get them in junior school by about year six. So there’s a piece in there as well. And then there’s just that, I think Chris mentioned earlier, yeah, ex-military type people who are looking for roles.
[00:43:30] There are a whole bunch of people out there who would love to come into this area. They’ve seen the news headlines about shortage of people, but they can’t find that first part first step in. So yeah, it’s a passionate area of mine, but I don’t think it’s one that we can fix very, very quickly.
[00:43:45]The career pathways work, which the council’s going to do, will help educating people on the sort of certification, the qualifications that they might need will help. But we, as an industry, particularly those in recruitment roles, whether they’re in HR or whether they’re in a CISO role, when they’re putting out a vacancy need to think more broadly, more imaginatively about the sort of people that they’re trying to attract in the first place.
[00:44:05] And then think about how they’re going to develop them once they got them in.
[00:44:09] Victoria Guilloit: Absolutely. And I think so, so often we apologize for the industry we’re in don’t we. Oh, well, what do you do? Oh, well that means you won’t be interested it’s cyber security or data protection, but yeah, we need to flip that around and be proud of it because is so much about it that’s fascinating and it’s really interesting what you say about trying to get to girls in particular at junior school age.
[00:44:33] I didn’t realize that that was the optimum age to try and attract people to the suit to that career. So, yeah. A lot of work to do. Amanda or Chris, before we move on to the next question. Amanda, would you like to build on that?
[00:44:47] Amanda Finch: Yeah. I think that Budgie summed that up so well. And it’s really attracting people at all levels.
[00:44:54] Budgie and I both worked on an apprentice scheme T3, which is amazing because it’s such an entry point and it’s not just for kids. It’s for people that are job changers. And it’s this whole thing about diversity that I would like to talk about is that basically diverse teams are strong teams and whatever works for targeting women or particular sections actually works for the whole community.
[00:45:20] It’s good business sense to have diverse teams and that we really need to work on that and push that because it’s the way we’re going to be strong. And also, if you look at the apprentice schemes, there are so many government grants and things that are out there. So I’d really like to encourage employers to look at this, and we’re going to be personally involved in some book work, which we’d be happy to share with you when it becomes available about attracting people into apprentice schemes but diversity is key.
[00:45:51] Absolutely.
[00:45:53] Victoria Guilloit: Yeah, absolutely great points Amanda, I’m sure that people watching and watching later would be really interested to know about those schemes as well. So we’ve got a few questions left and I think let’s just see, where are we? I think we’ve got about five minutes left. So, I’m just looking at the questions that are here.
[00:46:12] Because I know that we kind of started to cover them.
[00:46:15] So I’m going to go from question five and then we might fill in a little more on question three and four. So I think we’ve covered those quite a bit. The question is, and Chris, I’m going to put it to you first, I think, is it true that being a CISO is a precarious role, like an ejector seat because it’s the first fuse that trips, if there’s a data breach or a hack.
[00:46:34] Chris Green: It’s a good question. And I would say just to be open, yes and no. Yeah, you are right. I mean, yeah. The CISO is absolutely the first fuse that trips in the event of an incident, but at the same time, they’re also the leader ultimately of the team of breach men that will come in and seal the hole.
[00:46:51] So, is it a thankless task? Yes, probably is to some degree, but the fact is, I’m pleased to say that, if you do look at the industry as a whole, very few CISOs suddenly depart after a major data breach. And that’s because more often than not, your CISO is going to be probably the best placed person to help deliver a solution rather than, being the one ultimately labeled with having created the problem.
[00:47:13]Y ou also have to bear in mind that if you take out the leader of your cybersecurity strategy or cyber security people , that causes in itself a significant amount of disruption. So, you have to make that decision very carefully and more often than not, it’s better to support your CISOs, to support their response rather than necessarily take what you can argue as the easy way out. And it’s like well, we’ve had a problem? Who do we blame? Playing the blame game rarely serves any organizations well. It’s ultimately, it’s about what we can learn from an incident, how we can react to it, how we can make things better for the second time.
[00:47:47] And often that is best done by keeping our key personnel in place so that they can learn from it so that they can implement the knowledge that’s been gained over a period of time to future incidents. So, yeah, it’s a precarious task. It’s a challenging role, but in most C-suite roles are challenging roles, but I would argue that the CISO is the one that is ultimately best placed to be able to deliver significant change and a meaningful response in the event of a cyber security challenge.
[00:48:14] Budgie, I think you want to come in on this. So yeah.
[00:48:16] Budgie Dhanda: Yeah. This goes back to something that we were saying earlier about the role of the CISO. Yes, the CISO has a duty and a role and responsibility to protect the business. That’s fine, but there’s other parts that stood back to the soft skills, but actually the role of the CISO as a communicator and an educator of the board. The board has to understand that nothing’s going to be 100% safe.
[00:48:41] And this is about making the business case to the board about this is what the threat profile is, what the risks are, what the impact is, the probabilities are. And this is why we think there’s a business case here to make investment in this particular area. Now that will reduce the risk, but it won’t get rid of it altogether.
[00:48:57] But if the board says, we’ve taken what you said on board, but we’ve decided not to do this. And that’s where the breach comes from. Well, it’s not the CISOs fault. But the CISO has a role to do that, the communication piece in the first place. And that’s why we’re saying actually it’s more of a business role now, it’s a business risk role than a technical role.
[00:49:16] Chris Green: Absolutely. Absolutely.
[00:49:19] Victoria Guilloit: Amanda, did you have any thoughts?
[00:49:21] Amanda Finch: I just have one thing to add to that. I think it’s going back to the old thing of, it’s not if, it’s when and it’s about how you deal with the breach. And it’s very much coming back to having a really good plan in place. Making sure that the board has bought into the plans that you have as Budgie says if they really blatantly ignored something and not giving you the backing.
[00:49:42] Well, that’s the problem, but a lot of it is about how you deal with breaches. For me is the important thing and having a really good exercise plan there so that you can say we knew it was going to happen at some point we’d limit the exposure by blah, blah, blah.
[00:49:59] Victoria Guilloit: Definitely. Yeah, absolutely.
[00:50:00] Some really good points raised there. And I think we kind of come round in a way full circle. Don’t worry because in the event of, or as Amanda says, if it’s not if it’s when the breach happens, that role needs to be in a really strong position of influence. And quite often, the only way to be in that position of influence is to be at the C level.
[00:50:23]And as we’ve said, maybe the, the title isn’t CISO, but it needs to be there or very close to that area. Right. I think. Okay. So I think we’ve actually really come up to the close of the session and it’s been an absolutely fascinating discussion. I’d like to offer the chance for Budgie, Chris and Amanda, just to give some closing remarks, what would you like to leave people watching with what’s your top tip if they’re looking for either career advancement or to make sure that their team are adequately skilled in this area? Budgie, can we go to you first?
[00:50:59] Budgie Dhanda: Yeah. So I’ll just go back to what we were all involved in, which is setting up the UK cybersecurity council. Now on day one, it won’t have all the answers, but it is producing those frameworks, which will allow people to actually manage their careers in terms of understanding certifications and qualifications and career pathways, and actually offering education for people that want to come into the profession as well.
[00:51:22] And as well as doing all the bits around outreach diversity and thought leadership. So just watch out for that, the big launch isn’t happening for another month or two yet but when it comes along, follow it and then just get involved in the council as well. And this will be the voice of the profession going forward.
[00:51:39] So this is your opportunity to influence how the profession will develop. So just watch out for that.
[00:51:44] Amanda Finch: Yeah, again, I would echo what you say that, so the council is very important that we will go to buy into this and make it a success in its way. The two takeaways I’d like to leave everybody with is really if you will CISO I’d like you to understand the teams that you’ve got there. One of the things we’ve been doing quite a lot of work with is working with organizations on capability development.
[00:52:08] And what we’ve tried to do is to get the CISOs to benchmark their teams so that they can understand that the skills that they’ve already got there and really where they need to be in terms of capability so that they can do a roadmap for themselves on where they need to take their team and the skills that they need to bring in and development in-house where possible.
[00:52:30] The other thing is your own career journey. Think about where you are at the moment where you’d like to be. And again, benchmark yourself. We have a skills framework that we use to do that, which looks at all the different skills, but the main thing is really about understanding yourself, what you want to do and where you want to be, because that’s where people are going to be successful.
[00:52:51] You’re doing something before fulfills you you’re going to be successful. So if it’s either for yourself or for your teams, that’s what I’d like to leave with everybody.
[00:53:00] Victoria Guilloit: Great advice. Thank you, Amanda. And finally, to you, Chris.
[00:53:06] Chris Green: Do remember, what’s been a year that’s been dominated by COVID-19, organizations must ensure they recognize, and they appreciate the value of not only the cybersecurity teams that they have, but the CISOs and the CISO facilities that they have in place.
[00:53:20]And they’ve got to realize that whilst these cyber security leaders and their teams have done incredible things, there’s still a lot more work to be done. And which is why investing in the CISO role, investing in the CISO resources for the longer term is, is critically important I think for businesses long-term safety and prosperity.
[00:53:37] With the cyber security council coming into operations imminently I think you’re going to see a number of resources I think coming into the marketplace that’s going to help organizations, and help CISOs themselves, to further their work, to find new and different problem-solving candidates to bring into their organizations. But most importantly, I think one of the biggest things the counselor’s going to do to help CISOs and their organizations in this new reality that we find ourselves in is being by mapping out the many qualifications of career pathways into the organization.
[00:54:11] So whilst the roots cyber security does start very early on in the educational life cycle, early on at STEM at school, the important thing is that when people are entering the workforce, I think the more that we can do to clarify how they can enter the cyber security world and progress through it, the better, and that can only ultimately help CISOs in finding great talent, cultivating that talent and bringing it forward for the longer term.
[00:54:33] Victoria Guilloit: Excellent. Thanks so much, Chris, and to all of our panelists to Budgie, to Amanda and to Chris, it was really great speaking to you this morning, and I’m sure the audience found it really helpful. To you, Andrew,
[00:54:47] Andrew Menniss: Thank you so much that was terrific. I really enjoyed that. Thank you, Budgie, Chris and Amanda, looking at that ever expanding role of the CISO.
[00:54:56] I was particularly interested in that sort of balance between certification, qualification, and knowledge as they expand their career. Join us on our next session, which is how to understand the culture of privacy within your organization, which will start imminently. Thanks so much.
No comments yet