As part of the Talking Tech series, I conducted an interview with Joel Van Dyk, ex-Deputy CISO of the London Stock Exchange, about what the CISO position entails.
The job of the Chief Information Security Officer is to assess risk and protect the firm against that risk. The threat generally comes from hackers outside the firm, and the firm’s assets (monetary, physical, intellectual property) are vulnerable to attack. The CISO can’t protect the firm solely on their own, but they can suggest actions and steer their peers in the right direction.
Yes, things have progressed enormously since I started my career - we used to just grant and deny people access to the internet; the firm was relatively closed. Now, the firm is often wide open as part of the way we do business, and security has to be thoroughly built in at every endpoint, process and application from the start.
There is not really much difference between New York and London. Paris, however, is much more bureaucratic and has to respond to the regulators much more. Italy is somewhere in between the two.
New York and London are both very business oriented and driven by practicality. This sometimes leads to a risk/reward trade-off on the side of more risk. As previously mentioned, Paris is driven by a stronger regulatory and government presence, so the trade-off often comes out very risk averse, with a lot of time spent going back and forth with the regulators. In Italy, the risk-reward equation is more likely to be influenced by external factors such as the political or economic environment.
Good security is all about enabling business processes and preventing errors before they occur, rather than halting progress altogether. Security is about getting in there early in the design and working with the developers to build a safe piece of software.
Security is about making innovation safe. If it’s not safe, it’s not innovation for the real world. Your app won’t survive in the real world of the internet and will wind up costing the business significant amounts of money. It is like constructing a building - if you don’t design it properly in the first place, it may look great, but it will still fall down in the real world.
The main reason for communication is collaboration; we need everyone to share their knowledge.
Hackers talk all the time and collaborate, so it is necessary for Security professionals to do that too, and even more efficiently. The ISACs (Information Sharing and Analysis Centers) in the US are a good example of this. The more we share our knowledge, the better the solutions and the more robust the defenses we can come up with.
Don’t hire just on security expertise as the requirements change all the time. Hire smart people, people who can think for themselves, people who are willing to keep learning and who are willing to take on new challenges. The next step is to constantly train those people all the time, so they can learn and improve their skills.
A really important thing to remember is to make sure individuals within your team realise that they can’t work all the time. A well rested person works at the top of their game. Working around the clock is unsustainable and only beneficial for the very short term.
You have to work at it and seek out the diverse candidates: keep asking HR and recruitment partners to provide female job seekers and more diverse candidates. Otherwise, it's all too easy to be presented with the same type of candidate time and time again.
Once you have done that, it is crucial that you encourage them, mentor them and give them the same chances as everyone else.
This is a question that has been debated endlessly. The right answer differs for each and every organisation. The position where a CISO sits is not as important as an organisation correctly funding and having a firm-wide, 360-degree commitment to a culture of Information Security. However, many organisations have taken to separating the CISO from Technology, as it is hard for any organisation to be self-policing. Often the CISO will report to the Chief Operations Officer and/or the Chief Risk Officer. Now, given the firm-wide scope and the importance of cybersecurity, many have suggested that the CISO should instead report directly to the CEO.