As part of the Talking Tech series, I conducted an interview with Joel Van Dyk, ex-Deputy CISO of the London Stock Exchange, about what the CISO position entails.
What is the role of a CISO, in your own terms?
The job of the Chief Information Security Officer is to assess risk and protect the firm against that risk. The threat generally comes from hackers outside the firm, and the firm’s assets (monetary, physical, intellectual property) are vulnerable to attack. The CISO can’t protect the firm solely on their own, but they can suggest actions and steer their peers in the right direction.
Having been in the industry for over 20 years, has the role of a CISO changed over this time?
Yes, things have progressed enormously since I started my career - we used to just grant and deny people access to the internet; the firm was relatively closed. Now, the firm is often wide open as part of the way we do business, and security has to be thoroughly built in at every endpoint, process and application from the start.
You’ve served as a CISO for leading banks and trading firms in the US and Europe; is security viewed differently in both regions? And what are some of the differences/similarities in these regions?
There is not really much difference between New York and London. Paris, however, is much more bureaucratic and has to respond to the regulators much more. Italy is somewhere in between the two.
New York and London are both very business oriented and driven by practicality. This sometimes leads to a risk/reward trade-off on the side of more risk. As previously mentioned, Paris is driven by a stronger regulatory and government presence, so the trade-off often comes out very risk averse, with a lot of time spent going back and forth with the regulators. In Italy, the risk-reward equation is more likely to be influenced by external factors such as the political or economic environment.
How can CISOs practice Security without affecting a company's ability to innovate? How does one get developers to understand that Security is not meant to stifle innovation?
Good Security is all about enabling business processes and preventing errors before they occur, rather than halting progress altogether. Security is about getting in there early in the design and working with the developers to build a safe piece of software.
Security is about making innovation safe. If it’s not safe, it’s not innovation for the real world. Your app won’t survive in the real world of the internet and will wind up costing the business significant amounts of money. It is like constructing a building - if you don’t design it properly in the first place, it may look great, but it will still fall down in the real world.
You’re an internationally recognised speaker and member of various Security councils - why is speaking with Security executives so important for the community?
The main reason for communication is collaboration; we need everyone to share their knowledge.
Hackers talk all the time and collaborate, so it is necessary for Security professionals to do that too, and even more efficiently. The ISACs (Information Sharing and Analysis Centers) in the US are a good example of this. The more we share our knowledge, the better the solutions and the more robust the defenses we can come up with.
What advice would you give to Security leaders about how to build a Security team?
Don’t hire just on security expertise as the requirements change all the time. Hire smart people, people who can think for themselves, people who are willing to keep learning and who are willing to take on new challenges. The next step is to constantly train those people all the time, so they can learn and improve their skills.
A really important thing to remember is to make sure individuals within your team realise that they can’t work all the time. A well rested person works at the top of their game. Working around the clock is unsustainable and only beneficial for the very short term.
How can we encourage more diversity in Security?
You have to work at it and seek out the diverse candidates: Keep asking HR and recruitment partners to provide female job seekers and more diverse candidates. Otherwise, it's all too easy to be presented with the same type of candidate time and time again.
Once you have done that, it is crucial that you encourage them, mentor them and give them the same chances as everyone else.
Historically, Security has sat under the wider Technology umbrella - what are your thoughts on the reporting line for a CISO?
This is a question that has been debated endlessly. The right answer differs for each and every organisation. The position where a CISO sits is not as important as an organisation correctly funding and having a firm-wide, 360-degree commitment to a culture of Information Security. However, many organisations have taken to separating the CISO from Technology, as it is hard for any organisation to be self-policing. Often the CISO will report to the Chief Operations Officer and/or the Chief Risk Officer. Now, given the firm-wide scope and the importance of Cybersecurity, many have suggested that the CISO should instead report directly to the CEO.