December 20, 2022
SI In Conversation with... Howard Cribbs, CIO at SANS
For our next interview in the series, we were so pleased to catch up with Howard Cribbs to discuss his journey to being a highly regarded and influential CIO at SANS, some of the lessons he’s learnt along the way, and what success means to him.

“A successful security strategy always starts with creating a culture that centres around your people.”

Howard, can you tell us more about your journey to where you are now, CIO at SANS?

Absolutely. So, after I left high school, I actually pursued music and anthropology at college, before joining the military. During my time in the U.S. Army, I really focused in on my interest in intelligence systems and was able to start developing my skills in that area. From there I moved into publicly traded companies, including telecoms, the energy sector and insurance, working my way up from an analyst through to the role I’m in now, as CIO.  

SANS is the first non-publicly traded company I’ve worked in, and I had to make my way through 17 interviews to get the role - it wasn’t an easy interview process! What really stood out to me during the interview process was the culture, the people and just how interesting the work would be. Throughout my career journey, I’ve really learned that there are three key things that are important to ask yourself when evaluating your current role: do you like the people you work with, are you well compensated and is the work interesting? If you can answer those questions, then you know you’re in a winning role, as I am now!

You’ve been CTO at EMC, CIO at NetApp and now CIO at SANS; how do you approach the CIO/CISO relationship for effective partnership?

I’ve seen changes and developments in security over the years, but one thing that remains constant is the need for security leaders to make strong relationships at board level and champion your team. IT previously ‘owned’ security and so traditionally businesses were kept secure using methods such as firewalls. The difference now is that the threat landscape we face today is completely different, and therefore the relationship security has with the business also must change to meet those new requirements.  

From my perspective as a CIO, you should be best friends with your CISO. CISOs are focused on eliminating risk for the business, and they do this by, among many things, building security awareness within the business and putting in place the correct systems. CIOs are focused on building business resilience and operational resilience, and therefore the two roles are intrinsically linked. Communication between the CIO and CISO in a business really must be completely aligned and clear to ensure you achieve your business goals and manage risk effectively. Within SANS we are developing this type of CISO, where these new skills and responsibilities are central to the role.

What advice do you have for technical leaders who want better relationships with executives at the board level?

My top tip is very simple - be interested! Be interested in what the business is driving at as a whole. It can be easy to just be concerned with your department, but that won’t allow you to have a true understanding of what the brand is driving and how each team is contributing to overall business success. This will make it much harder to communicate with the board and to demonstrate how security is making a difference.  

Be interested in everyone you work with! It's always important to me to build relationships with everyone I work with, particularly in the C-suite, to make sure to avoid any siloed relationships. If you feel like you might already have these silos within your organisation, go and meet people and suggest having a quick coffee! It really does make a difference when you get to know the people outside of your team as well.

How has 2022 been for your team so far? Have there been any specific security challenges that you’ve been focused on?

Over the past few years, we’ve been focusing on doing a deep dive into our current tech stack and a particular priority in 2022 has been web applications. After an initial application inventory check, we realised as a team we were engaging with over 1400 web applications! From a security perspective, and with my risk lens on, this became a priority for us to look into.    

This year we’ve been going through a period of business transformation, looking to streamline, automate, compare, and truly understand the risk profile of each application. If any readers have any great tips around app inventory, please do reach out!

What do you enjoy most about your role at SANS? What makes SANS special?  

In my role now at SANS, I’d have to say the culture and horizontal nature of the organisation. The ability to make an impact and the speed of change at SANS is phenomenal, in part due to such a flat working structure, and it’s amazing to see how well this works. We see an incredible efficiency in our projects, and I work with people who are motivated and passionate to get things done. At SANS we are always asking ourselves, how can we get better and go faster? The culture and people at SANS are truly remarkable, and that really is key to success in a business.

And finally, what are you most proud of in your career?

I’ve had the opportunity to work on great, huge projects, that have been really fun, but I’d have to say every major thing I've done in life that I’m most proud of centres around people. I love to mentor and guide people, to help them develop and take the next step in their career, and then watch them succeed. Other people's successes are the best successes in my eyes.  

The best impact we can make is on other people. The operations part of my role is interesting but helping other people to navigate and progress is definitely my proudest achievement.  

Thank you for your time today, Howard!
