My journey to CISO was initially more luck than judgement. I started out in the world of technology around 18 years ago within an IT position which ignited a professional enthusiasm for something which had always interested me when growing up: the inner workings of computers and the networks which support them. As experience grew and the professional certifications stacked up, I moved through the engineering, design, architecture and manager roles to where I am today.
I am fortunate enough to have seen first-hand how our personal and professional reliance on technology has dramatically changed. Ten years ago, we as the IT department controlled what a user had access to and how they connected; now the user demands access to applications of their choosing at a time they specify and on a device and platform they stipulate – oh how the tides have turned. How do we keep up? In most cases, it’s a challenge but not an insurmountable one.
The external perception of information security has also changed dramatically throughout my career.
Historically, as a function, we were seen as the expensive retrospective checkbox; now we’re a critically important business unit adding strategic value.
Our boards demand that we make their organisations ‘secure’ but don’t want esoteric technobabble in the way of business justification. The CISO these days must have a professional toolkit of astute business leader and technical guru, and possess a PhD in PowerPoint.
Consensus suggests that staying technical and having senior management responsibility are in some way mutually exclusive; I buck that trend. I believe the over-arching requirement of hands-on security leadership is to convey information security risks to board-level executives in terms which resonate with them and allow for balanced and considered risk management; a skill I have developed through engagement with a diverse range of stakeholders across market-leading organisations.