Intelligent CISO Issue 31 | Page 53

I’ve always been of the view that the biggest challenges we face are the more mundane issues.

In practice, the result is more of a focus on those areas which will drive the most security and business value. One such example is automation, whether that’s building security into the SDLC, our infrastructure deployments, or automated compliance testing, the ultimate goal is driving towards a state of ‘Security as Code’.
How do you ensure a strong cybersecurity culture?
I don’t think I’m going to shatter anyone’s world view by saying annual or seasonal approaches to addressing cybersecurity cultural change don’t work. Cultural change is difficult, irrespective of whether it’s to promote health and safety, security, or just ways of working; and changing an organisation’s culture doesn’t happen overnight. It requires a lot of time and energy, both in terms of driving more tangible components of a change programme such as the communications aspects (i.e. security awareness and training) as well as in building and maintaining relationships with key parts of the business which is necessary to instantiate cultural change at as many functional, geographical and organisational intersections in the business as possible.
The thing I try and keep in mind more than anything else is a saying I came across a few years back which has stuck with me: ‘Change is disturbing when it is done to us, exhilarating when it is done by us’. (Kanter, R. M. (1983) The Change Masters, New York, Simon and Schuster).
What are your priorities when it comes to taking a pragmatic approach to cybersecurity?
Obviously understanding what’s pragmatic and practical for the business you’re working within is key, but typically prioritising complexity reduction, process reduction and automation are a great starting point. I think good relationships are key to building better security and reducing friction wherever possible is a great way to help with that, which these priorities all address in some form or another.
This approach really stems from my belief that we should think of security as a product or service and as such, we should organise, market and productise to create and meet demand of our customers, and anyone who works in a product environment will know that NPS is king.
What can vendors be doing to provide support to their customers during these challenging times?
I think I’d give the same advice today as I would have last year – talk to your customers on how to get the most out of what they already have. If you can help me drive the maximum value out of what I’m already spending with you, I’m much more likely to come back to you for something else later.
What advice would you offer to aspiring CISOs?
I won’t offer any advice on security itself or the path to CISO, but instead focus on approach once you’re in the hot seat.
Play the long game – easy to achieve low hanging fruit and point fixes are good to showcase ‘positive direction of travel’, but focusing too much on this is why we still struggle to get to grips on the basics as an industry. Think about the fundamentals you would like to have in place when you join a business and make sure they’re in place for whoever comes next.
It’s more effective and sustainable to lead through influence than authority. There is a limited number of times you can hit the nuclear button and force an escalation before it starts to lose its effectiveness.
Remember that your peers are your team too and you are all operating in a zero-sum environment. Every additional headcount or pound/dollar you consume has to be diverted away from some other activity to make its way to you, so use them wisely and appreciate security is a team sport.