Intelligent CISO Issue 17 | Page 53

COVER STORY

understand each other’s perspectives and build relationships with each other. It’s about long-term partnerships, it’s not about transactional things and, through that understanding and relationship building, then the whole buy-sell becomes a lot easier.”

On selecting vendors

There are many vendors offering a multitude of products and solutions. For Boda and his team, the selection process is driven predominantly by the organisation’s three-year information security strategy. If approached by a vendor, Boda says he is open and transparent about their offering not being part of the organisation’s roadmap at that time, but the solutions are given due consideration in a thorough testing phase when the time is right.

“If we’re doing a security thing, it means we’re not spending on a commercial thing or something else, so it’s really important that, when we pass that business case across the table, we can look the CFO, CIO and other stakeholders in the eye and say we genuinely believe that it’s in the best interest of Camelot to be doing that.”

The skills shortage

Boda believes the private sector has a role to play in helping to combat the ongoing cyberskills shortage, alongside government initiatives.

“I think you recruit a team, you don’t recruit individuals, so you have to have a balance of people that do have experience, but you should also be taking people and training them up,” he said.

Camelot has an internal red team which is used for running simulated attacks against the organisation itself.

“If the only time you see bad stuff happening is when bad stuff is actually happening, then you’re probably not going to react to it very well but if you’re constantly practicing that then your judgement calls are going to be better, so we use that red team capability as a core part of our learning and development as a team,” he said.
The importance of ongoing training

A key part of Camelot’s overall strategy is around building a strong security culture. It’s not just about ‘putting posters up in the canteen’ – it’s about understanding how to create a behavioural change. One recent example involved inviting a comedian to speak during a lunch session. His sketch is based around his experience of having his identity stolen when he was younger.

“It’s not ramming security down people’s throats, but for that hour they’re thinking about security and, at the end of it, I talked about how his experience related practically and what it means for Camelot,” Boda said. “If, hypothetically speaking, The National Lottery contact centre wasn’t carrying out data protection checks properly or if we were socially engineered into giving out information, that means personal information could be compromised. We really landed those key messages in a much more effective and memorable way.”

On what makes a good CISO

“Someone who has got a good broad range of skillsets, from the commercial business side of things to being able to talk credibly, technically,” Boda states. “It doesn’t mean they need to have a comprehensive understanding of every detail but they need to be able to ask the right, probing questions, draw out the issues and be able to communicate those effectively.

“Some CISOs are much better at being able to communicate with the board and bounce ideas around how they’ve done that, or being really good at presenting metrics. Some are great at challenging their team or vendors and really asking the probing questions.

“We’ve all got our strengths and weaknesses, and being able to help each other out is really valuable.”