Ian Todd: Hello and welcome to the fifth episode of the New Realities of Cyber Security podcast. My name is Ian Todd; I’m a data privacy and cyber security consultant here at PwC.
Today I’m joined by Christian Arndt, cyber security director, to discuss CISOs of the future. The chief information security officer is responsible for multiple areas of an organisation’s security strategy, resilience and vision. Over the last 5 to 10 years, the role has become increasingly complex, with more responsibilities and demands placed on an individual and their team.
OK. Christian, thank you for joining us on the podcast. I think today’s podcast is really relevant to our industry at the moment, looking at chief information security officers, CISOs, what this means historically and, importantly, what this means in the future as well. So it would be nice to maybe get an introduction from yourself: a little bit about what you’ve done, your experience and where you are today.
Christian Arndt: Cool, thank you very much. I’m a Director in PwC’s cyber security team. I specialise in financial services, which means I work with some of our largest banking, insurance and asset management clients around the world. I’ve been doing information security now for about 18 years, so from my very first job at university. Before PwC, I used to work for Barclays Bank as head of security assurance; before that I worked for PwC, so I’ve come back twice; and before that, some of the largest telco companies in the world. I started off doing penetration testing at the very beginning of my career, so very deep and technical, and now I help clients with their target operating models and their strategies and work directly with most CISOs for our clients.
Ian: Perfect. I think that’s interesting, because the role of the CISO has gone in so many ways, and we can look at this. People understand it from a technical point of view: can you do a pen test, can you do this kind of stuff? Or is this about communicating an organisation’s issues to the board or to the execs? So, I guess, what do you see as a typical CISO, what do you see as our role?
Christian: Now that’s an interesting question, because I don’t think there’s a typical CISO. It really depends on the organisation, right, and I think the role of the CISO depends on what level that person is in the organisation, whether the organisation is global or local, more complicated or more simple, right, and that calls on different skills, whether it’s just looking after simple IT security controls or actually managing 1,000 people across a very large cyber security team. So just to blanket everybody with a CISO title is quite difficult and quite complicated, right, but at the most basic level it’s effectively the person the buck stops with if they lose data or they lose information in an organisation. It’s their role to protect that organisation and defend them and be able to respond to an attack.
Ian: Yeah, and I guess that role is constantly evolving. You talked about different businesses, different organisations, different focuses, but I assume the role itself is constantly evolving, I imagine. That’s something we can talk about, the future vision of the CISO, but historically where has the CISO role come from? Is this something that has appeared over the last 24 months or is this something that we’ve seen for 15 or 20 years? Historically, what’s the feel around that?
Christian: I would say I think the CISO role has slowly come around over maybe the last 6 or 7 years. I think if you look back there were people with that title, but very rare. In the marketplace now, I think for every client we work with this is a recommendation: if you don’t have a CISO, get one. Kind of a bit like my career really, that role has grown out of the technical, right. So if you thought back, you know, 20 years ago when you were probably building an IT network, you would have somebody helping you alongside technical teams to make sure things were secure if you’re a bank, and that person was an architect, they were a designer, maybe they did security testing, and that’s where the role started. So it was like an IT technical security manager, right, a technical person, but as we’ve driven ourselves into more digitisation, as companies have put technology into everything, that role has now evolved because we’ve realised it’s no longer a technical IT risk, it’s now a business risk.
Christian: So at the same time that team has more focus, it’s got more people, it’s got more budget, so now what has to happen is the person running that team has to be more senior. They have to be able to work higher up the organisation; they’re managing, you know, maybe 1,000 people in very large investment banks for example, and that means they have to have different skills, and they can’t just be that technical person. So the challenge is, the role has changed and the person has to either go on a journey to move up that role or it’s a different type of person coming into that role.
Ian: Right, and I know you said that we go into organisations and we can advise them that they should have a CISO. Are we seeing an appetite for this from the organisation, do we see more and more organisations saying ‘yeah, we need somebody there, we need this leader, this figurehead’, are we seeing this now, or is there still apprehension about hiring somebody in this kind of role?
Christian: It’s interesting. There’s always been a little bit of a challenge about making room, effectively, for someone at the lower level, because traditionally there would have been somebody there if you don’t have that CISO role who’s doing that job, whether it’s your CIO or your COO, but someone’s representing information security, so it’s whether they feel comfortable in that role or whether they have enough knowledge to do that, right.
As we make directors in organisations more and more responsible for the activities of their company, I think we’ll see more CISO roles appearing. I think if you take a survey of, like, the FTSE 100, the last time we looked was about a year and a half ago, but effectively all of the FTSE 100, it’s only like 2 or 3 that don’t have a CISO with that title, so the role is very prevalent, right, especially in the large global organisations. When you go further down the FTSE 250 sometimes you get people with IT security manager and those kinds of titles, but I think any organisation that is global or large needs somebody with those skills.
Ian: Right, that makes sense. I’m thinking chief information security officer, and the officer in my mind would be a director or somebody who is at that level, but where are we seeing CISOs lie in a company? I’m imagining it depends on the organisation, but do they sit at the very top of the company, or are they sitting a little bit further down? Traditionally, where have you seen this?
Christian: This is a really topical question actually. We’ve been talking to clients for the last 2 or 3 years specifically about where the CISO should report in your organisation, and it’s a bit of a maturity curve. So the least mature organisations, I would say, would focus on technical controls, firefighting, putting in the most basic security controls, and their CISO, maybe not even called that, maybe they’re an IT security manager, would tend to report somewhere into IT, right.
The next phase of the journey is, as you become more mature and you focus more on risks, you become more about information risk, you’re doing more risk management, more focusing on controls, and that role then moves a little bit and shifts maybe to reporting to a CIO, right.
The most mature organisations have worked out that information security is actually a business issue, right, it’s not a technical issue, it’s a business issue, and they’re more aligned to the business. So what they then do with the CISO role is they make the CISO role report to the COO, so you’re removing the role from IT, you’re putting them almost alongside, so you lose this conflict of interest you get when you have the CISO in IT. You get this conflict of interest where you’ve got one arm going, I need to build something from a technology point of view, I need to put it in, you’ve got budget challenges, but then you’ve got a security person going, well, you can’t do that, you can’t do that because that’s too expensive or that’s not secure. So if you’re familiar with the three lines of defence type model …
Ian: Explain that a little bit
Christian: OK, so the three lines of defence model, for those who aren’t familiar, has the concept where you’ve got a first line who actually defines the type of controls protecting the organisation, the second line provides assurance that those are happening and working correctly, and the third line provides assurance over the whole thing, which is normally an internal audit type concept, right. So your security CISO traditionally would have sat very much in the first line: protect, defend, create controls, you know, run security operations, where that second line was quite empty. In the most mature organisations the CISO is moving more to that right-hand side, providing more assurance over what IT is doing in the security space. You end up with some very complex hybrid models, because it’s never that simple, with 1.5 and things like that, but generally that’s the trend: CISOs are moving up the organisation, they’re more business, they’re more risk focused and they’re providing more of an assurance role over IT. So if they do that they need to sit outside of IT, and hence why reporting to the COO is probably the most mature place for CISOs to be nowadays.
Ian: OK, interesting. I think you’ve touched upon it a little bit there, but what are the challenges you’re seeing for CISOs? Again, I guess this goes back to the maturity of the organisation, it depends on what the challenges are going to be, but what are the large challenges you’re seeing out there at the moment?
Christian: I think there’s a lot of challenges. The general trend, I think, first of all in information security generally, is a challenge around resources and people, right? There’s not enough skilled people in the marketplace, so whether it’s us trying to hire people to help clients, or whether it’s us advising clients that they need to get more people and to get a CISO, that’s easier said than done, right? We’ve under-trained or under-resourced information security for many years now, and as it becomes a hot topic we’ve realised there’s a shortage. So you can join an organisation as a CISO and get given quite a lot of money, you know, go and fix these problems, go and hire a bunch of people, and then the challenge comes of actually hiring those people to build your organisation. So that’s a really big challenge, I think, for CISOs.
I think the complexity of the topic is something that most people are really struggling to get their heads around, right. So even if I reference myself, when I started information security 18 years ago I could have been almost an expert on everything, right, because the topic was fairly narrow, there were only so many things. But now, when you look at the topic, you have to be an expert in data protection, you have to be an expert in identity and access management, down to very technical controls or application building, how to manage very complex risks, how to report to the board, how to create MI, you know, so the role has just really exploded, right. So it isn’t so much about being a CISO that knows everything; you’ve now got to build a team underneath you that has the expertise that helps you be successful …
Christian: … right, and if you take your traditional CISO who has grown up out of IT, they might not necessarily have those skills, right, to build a team, run a large organisation, you know, report to the board, so there is a bit of a skill challenge there. They have to train up, they have to learn new things to make themselves more business savvy and technical savvy, so that is why there is a bit of a change in the whole space around CISOs.
Ian: And it seems like an individual who performs this role could quite quickly get engulfed by just the mass of everything out there. How do you balance it as a CISO? How do you understand the data protection regulations and PCI regulations and your security controls and internal audit, while trying to work with the business to articulate the risks that you have out there? I mean, this must be a very difficult balancing act, I imagine?
Christian: Yeah, very difficult, but I think it’s about having the right team and the right specialists to help you in your organisation. It’s about making sure that when you hire people you fill in the gaps in knowledge that you don’t have, admitting where you have a gap.
Christian: It’s also about having a good framework of strategy you can hang everything off, right. I think one of the bigger challenges is, if you are thrown a bunch of money and you have got a big challenge ahead of you to fix a bunch of cyber security problems, you could just fire-fight left, right and centre, right. It’s about being a little bit more strategic, about working out, right, these are the most important things, these are the things I am going to deal with first, these topics I’m not an expert in so I will get help on that, and being clear on a roadmap. And then once you have got something solid in place, whether it’s a vision, a strategy, a roadmap, it’s then being able to communicate that up …
Christian: … to your stakeholders to say, do I need funding for this? This is where I’m getting to, this is what I’m fixing. And then you have got to be able to communicate that down to your team to make sure that they are running in the same direction as you.
Christian: So the role has got a lot of leadership as part of it, when I would say it didn’t traditionally have that.
Ian: It sounds incredibly challenging. I mean, like you say, you have to have all this incredible security understanding whilst being a great leader, whilst being a fantastic communicator. And to find those individuals, I imagine, is a very difficult task for organisations.
Christian: And to layer on top of that one of the other challenges, I mean, if you read the newspaper on a daily basis, right, there is always a new cyber-attack or a new issue, right. You could be the best CISO in the world, have a very strong programme, but if someone is determined to attack you or get into you, you might be the next one standing on the news, right, defending yourself or defending your organisation, right. So you have got a highly stressful job, right, it’s quite complicated, but at the same time you have got a growing threat environment that you are trying to protect an organisation from. So it definitely isn’t an easy job, and what I always say is quite a lot of people wouldn’t be willing to sign up to it.
Ian: Yeah, and so this flows quite nicely into the next question, I guess, which is, how does the future look? What do we expect to see from the future of the CISO? I know you have talked a bit about maybe having a team under them to help support them; we need somebody who is a great communicator, we need somebody who has got some technical background, some security. So how does the future look, do you think, maybe in five, ten years’ time from now, when we are going to see more regulations, we are going to see more use of digital out there, everyone is going to be connected in some way? So how does that challenge continue, and what do we expect to see in five years’ time or ten years’ time?
Christian: Yeah, I think the CISO is going to have to adapt, along the lines I was talking about: becoming more business savvy and more aware of the organisation, building a team and being quite clear about their vision, right. I think if you are in a situation at an organisation where you get attacked or you lose some data, or something bad happens, and you have a clear strategy in place, you will be able to respond to it, you will survive, shall we say, right, no one is going to lambast you, right. If you are in a situation where you haven’t got a clear plan and a clear strategy and that happens, you are going to be one of the first ones out the door, right. So it’s being clear about that, so that’s how CISOs are going to have to adapt. I think one of the things most recently, you know, I think the biggest challenge is going to be about GDPR.
Christian: Right so …
Ian: So the General Data Protection Act.
Christian: … the General Data Protection Act.
Christian: Yeah, so, as you’re aware, if you lose data underneath that, right, there’s a potential 5% of global revenues, right. So if you’re responsible for security controls over some data, the company could lose 5% of global revenues, and that could bring some organisations down, right. So all of a sudden you’ve got a role that maybe wasn’t super important and now is very important: strategic, global risks to organisations, so a lot of focus on that role, so individuals will have to change, become more business savvy, right. I can see people who maybe have been technical before doing MBAs, that kind of stuff, getting more risk knowledge, moving up an organisation, right.
Ian: As a younger or a more junior person who’s starting their career, you know, in the junior areas of their career right now within cyber, what would you, I guess, recommend to them, how would you see their journey progressing? Do you think we should be looking at people focusing on something completely outside of cyber now, do you go into maybe doing some kind of business analytics for a little while, or do you do some kind of communications for a little while and then come back to cyber? How would you advise that journey for younger people?
Christian: Oh that’s a difficult question actually. I think it’s down to an individual …
Ian: … right ….
Christian: … really to focus on their strengths, the things that they will be able to bring to the role. As I said, the whole thing is about a team, right, so any leader, you know, needs to know what their strengths are and what they are able to bring to the role, right. If they’re a very strong technical person then lean on that; if you’re not so risk aware, bring in risk people to support you and have that right balance in your team. But that’s about being a good leader and realising what your strengths are and what aren’t your strengths, right. I would say that if someone was starting today in cyber security they need to, one, work out what they’re interested in and follow that passion, but in doing that they also need to get as much exposure or breadth across information security to be able to work out what that is, yeah. So in our graduate programme, which I look after, I focus very much on trying to make sure that we rotate people who are starting in our graduate programme round to get that exposure to as many topics as possible …
Ian: … right ….
Christian: … to see as much of information security as possible, so they can work out what really they are interested in, what they are really good at, what’s the topic they want to excel at …
Ian: … yes …
Christian: … and I think that’s all about how you set someone up on a long career journey.
Ian: Perfect, and I guess finally, I know we talked a little about what we’re doing internally at PwC, but what are we doing externally, what are we doing for our clients, what are we doing for organisations out there who need support and help with the CISO’s role?
Christian: So there’s quite a few things we do with clients. I mean, just broadly, in the advisory role we play in all the projects we work on with clients, we work with CISOs in their role. We spend a lot of time, whether it’s designing organisational structures, or maybe coaching them in board presentations, or maybe helping them with their MI and having those discussions, so helping them on that journey, right, helping them with the gaps or the skills they don’t have, which is generally what we do as an advisory business. I think what’s maybe more relevant or interesting is we actually second quite a few people to our clients to fill that CISO role. So where, when I mentioned the skills gap that exists and people can’t find CISOs, they come to us and say ‘hey, would you be able to fill that gap for a couple of months’ …
Ian: … right …
Christian: … so that’s something we’ve done for quite a few clients over the last couple of years to fill that immediate gap. And then it’s maybe plug the gap, fight the fires, come up with my strategy, help me recruit someone permanent, right. What does the roadmap mean for the year, so when they land we’ve got the funding ready for them to go, right. Maybe do a bit of an overlap to bring them up to speed and then maybe do the programme for them, or something like that. So that’s something we’ve been doing with clients quite successfully over the last couple of years.
Ian: And I might add that is massively helpful, because not only are we giving them some expertise in the short term but, like I say, we are paving the way for them long term as well in supporting them, and then when their full-time CISO comes in can we still be there to help them and provide support there as well?
Christian: Yeah, I think that’s always the idea: we set up a programme, bring a CISO in who’s going to run it or be involved in it, right, and then maybe we can provide support to them on an ongoing basis. I’ve actually done a role where I was coaching a new CISO in their role, who had come in, wanted to know everything that was happening in the organisation, didn’t have the time to do it and needed some more knowledge about the broader background of information security, and I spent about 9 months doing that kind of coaching role, you know, regular meetings and stuff like that. So that’s something we can also do.
Ian: Right. Perfect. Christian, that was interesting. Thank you so much for joining us. I think you had some really great information there, so we appreciate it.
Ian: Thank you for joining us.
Next week we’ll be joined by Louise Taggart who’ll look at the threats companies face from individuals, groups and even States who are sponsoring and funding cyber-attacks.
Please remember to subscribe and review the podcast series.