SI in conversation with Matthew Bryant
July 11, 2023
SI in conversation with... Matthew Bryant, CIO at 118 118 Money
For the next interview in our series, we really enjoyed catching up with Matthew Bryant who shared his thoughts on how the role of the CISO has changed over the last 20 years, top tips for managing budgetary pressures, and advice for those currently on their journey to security leadership.

“The CISO now needs to understand business problems, to be able to talk to the board and investors, be PR savvy and understand how to market security and the team.”

Matt, we've been discussing some of the main trends that we think security teams should be considering right now. Are there specific areas you’re focusing on?

I think budgets are top of the list for everyone at the moment. For many in security their budgets are under pressure for the first time, although this doesn’t necessarily mean that they are being reduced. What it does mean for CISOs is that there is more scrutiny now, and an expectation to justify security spending to the board. For example, you might need to justify to your CFO how many pentests you’re doing a year and how that relates to the overall business strategy. Historically, this wouldn’t have been something that was challenged. In my experience, mature companies have separate security and IT budgets, and recognise that security isn’t an area where you should be making cuts.

We haven’t seen security subject to the same headcount pressures as the rest of technology. Instead, we’re fighting for talent, and for CISOs, keeping your team happy and retaining talent is an ongoing issue. I saw a recent statistic that said there are over 3 million open roles in security worldwide, so finding and retaining talent will be a top priority for 2023 and beyond.

I saw that James mentioned AI and new technologies in one of your top trends videos earlier this year, and I think that’s an interesting one. We’re currently outsourcing things like SOC, SIEM and Incident Response services, but I think AI will revolutionise this over the next 5 years and allow us to be more proactive in identifying problems and addressing them ourselves quickly in-house, without the need for a significantly larger team.

You've mentioned that budgets are under pressure for many in the industry - do you have any advice on how teams can manage these pressures internally?

Yes, so I’ll start by saying, at the heart of cyber security is risk management, and ultimately what you are selling to your stakeholders is insurance. The board want to know: 1) How secure is the business? 2) How do we know?

When it comes to your security budget, you need to be able to answer those questions, and define risk clearly in terms of your organisation and its goals. Every penny that you spend needs to be traceable to an applicable security risk, whether that be how it will reduce the likelihood of a breach or impact a specific risk.

As a security leader you want your business to perform well and succeed overall, so you don’t want to either over or under invest. There is a sweet spot that you need to find when securing the business that needs to be proportionate, and you must be able to justify each decision, especially at times of budgetary pressure. That could mean investing in certain areas, but equally I’ve taken the decision to turn certain security tools off in the past, and of course then had to relate that back to our exposure as a business.

I’ve always found the NIST SP 800-30 framework, which is a guide for conducting risk assessments, a really valuable tool in translating and visualising cyber risk in a way that can be understood by the board. It can take you on a journey from threat type to business impact, and financial impact, so I’d really recommend including this framework in future conversations with stakeholders.

Importantly, you need to be able to communicate in language that financial teams understand. This is true all of the time, but especially at times when there is pressure on everyone to meet budget requirements and targets. You need to be able to explain to your CFO exactly how you’ve spent your budget, how it’s influenced the business and ultimately the return-on-investment.

You've had a varied journey in security, from BT and Ofcom, to Monese and now 118 118 Money. Do you think the role of security leader varies from global corporations to start-ups, and industry to industry?

Yes, throughout my journey I’ve seen quite a few fundamental differences that affect the role of a security leader and the overall experience in each type of organisation.

Firstly, there are 2 types of business, 1) where security is an enabler and 2) where security is a hygiene factor. A small accountancy or law firm, for example, needs to have secured IT systems, but security isn’t really a core enabler of their services. However, a technology or software business absolutely has security at the heart of its operations, and without security they would not be able to run. For example, no customer would use an online banking app if they weren’t sure that their data was secure. This will of course influence your role as security leader, and the importance placed on your function.

Another factor is the amount of regulatory attention you attract and associated expectations from senior stakeholders in the business. From Seed to Series A you don’t tend to see a significant investment in compliance related activities. Companies tend to be focussed on survival, getting their product to market and growth. However, from around Series B onwards, investors and senior stakeholders' expectations move towards demonstrable compliance and having independent 2nd and 3rd line audit functions. This changes your experience as a CISO as governance and accountability related activities take up an increasing proportion of your day.

Looking more at start-ups and smaller businesses, you also need to consider the reason you’re being hired as a CISO, especially if you are the first security hire, as this can really impact the expectations of your role. A highly regulated business may have been told by investors that it is mandatory to bring in a CISO, but might not necessarily understand the purpose of the role. So it’s important for me to always work out why you’re being brought on board, and the expectations that stakeholders have of how close the CISO is to the coal face. The role of a CISO can often be elusive to those who are not familiar with the role – for some it may mean compliance, for others it’s an individual to configure firewalls and to others it’s a strategic leader. I think it’s important to have this conversation upfront to make sure everyone is on the same page.

That’s an interesting point you’ve raised Matt, about how the role of a CISO can still be misunderstood or have varying definitions to different stakeholders. Do you think the role of the CISO has changed in recent years?

Yes, I do, I think it’s evolved over the last 20 years. Security leadership in the early 2000s was often a part of the IT function. It was rare to meet CISOs, and they had the stereotype of being the department that said ‘no’ to everything.

The challenge this presents is that IT and security teams often have conflicting goals. IT teams tend to focus on short-term operational objectives - the need to keep things running, whereas a security programme is focused on risk management and values caution and process over expediency. So it made sense to separate the two functions. Once security became an independent function, it opened the door to less technical and more business-minded leaders moving into the CISO role.

The CISO now needs to understand business problems, to be able to talk to the board and investors, be PR savvy and understand how to market security and the team. It’s worth noting that there are only so many security controls you can apply 'to' a business. There comes a point when the business has to take steps to secure itself as well. For example, the software development team needs to build secure software, not the security team. Every day, employees from across the business make decisions on how they handle, process and share data. The security team can’t make those decisions for them. So, the role of the CISO and the security team is to equip colleagues with the knowledge and skills to make good secure decisions, and to make them care about it. You need to be able to sell security as a business enabler, not a department that says ‘no’.

I think CISOs understand that they are not the only show in town. Even though a lot of businesses wouldn’t exist without security enabling their products or services, there has to be a balance with the commercial side of the business. CISOs need to be good negotiators and learn how to speak the language of other departments.

So, if someone reading this is looking to become a CISO later in their career or has maybe just taken on the role, how can they develop those skills you’ve mentioned? Is there any advice you could share?

I think if you’re considering the role of a CISO, know that there doesn’t have to be a traditional journey to the role. I’ve seen individuals from more commercially focussed teams, such as quality assurance, move into security and their understanding of the business and industry has proven invaluable. Lots of companies promote the idea of security champions, so if you are interested in taking your career in this direction, this could be a good option.

One piece of advice I’d share is, as with all leadership roles, you have to be passionate about developing people. This is important not just for your security team - as a CISO you will be required to instil a security culture into the whole organisation and ensure people both understand and care about security.

Lastly, I’d say what keeps me interested is the constantly evolving and changing security landscape. I like that I need to keep up to date - it keeps me on my toes. I’d say if you are considering becoming a CISO, it should be because you are passionate about the sector and are prepared to commit to your ongoing personal development. If you stop for a week, you’ll get left behind!

Thank you for all of that great advice Matt! Finally, what are you proudest of in your career?

I think it would be the transformation projects I’ve led that I’ve both enjoyed the most and been most proud of. I’ve joined several businesses where I've inherited a security programme, which means you also inherit any legacy issues and security debt. I’ve loved going into businesses and fundamentally changing their approach to security in a journey that involves every single department. It’s a complete cultural transformation. I’ve done this several times and leaving those companies has always been a bit harder, as you are so invested in the business, but this also makes them the most fulfilling and therefore proudest experiences!

Thank you so much for your time today, Matt!
