"Exploring ways to build security into DevOps to ensure new digital services are ‘secure by design’"

CISO Interview Series: Jeff Jacobs, CISO, IAG

Could you describe your average day as CISO at IAG? Do you have a particular routine for the start and end of day?

It's hard to describe an average day at IAG. So far no two days have been alike. My days are a combination of setting strategy, making various choices, engaging with my team and colleagues and making things happen.

I like to start my day by getting up to speed on what I need to focus on for the day over breakfast and a coffee. I then usually finish the day with a list. I love lists. They keep me focused.

Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?

For many of the larger players like IAG there has always been a focus on cyber security in some form. However the growing sophistication of adversaries and the magnitude of the losses experienced by some high profile organisations has likely led to cyber security becoming more front of mind. Also, many of the global consulting and research firms have confirmed cyber security as one of the top priorities for the next few years.

Boards are acutely aware of the new and emerging risks in this space and this is certainly having an impact. Progressive companies are tending to invest more in this area and I expect this will be the norm for some time to come.

On a scale 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?

IAG takes the security of its information very seriously. As such, we would rate our plans to invest as a “5” on the scale. The evolving threat landscape and our own transformation to a digital enterprise are the key drivers for an increased focus in cyber security investment.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?

It’s just one of those things that you have to do as a senior leader. It’s not specific to Cyber Security. All leaders have to balance between longer term strategy and day to day issues. From my perspective, it’s what keeps my job interesting. As I said earlier, no two days are alike in IAG.

I’m really curious on how your job is measured, would you mind sharing your key performance objectives (just the headings not the details)?

As an IAG executive I am measured on the same KPIs as the other executives. Our scorecards cover the usual shared areas of customer, culture, financials and business outcomes. I also have a number of personal objectives around building the new cyber security function and uplifting our capability across the globe.

There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?

I am looking at a number of start-ups in the cyber security space. There are so many areas that are of interest ranging from new forms of encryption, innovative ways to think of passwords, identity and access management to name a few. There are also organisations that are looking at novel ways to protect the Internet of Things against new threats. All of these are catching my eye.

What do you regard as the crown jewels within IAG that has the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?

I am pretty sure that this is the one question that most CISOs would be too paranoid to respond to in too much depth.

Certainly we put a lot of emphasis on protecting our data and a key focus for us is on responding and recovering when required.

Only recently we ran a very successful exercise with our executive and broader teams in a mock cyber exercise. Although it went very well, we did learn a lot.

I’m aware that for IAG, Digital is a major strategic driver and clearly on the radar of your new CEO. How much attention have you paid to this online channel in your tenure so far?

This is one of the core drivers of our enhanced focus on cyber security and it’s not just about our online channels. For us Digital and digitisation permeate everything we do. There are a range of new challenges that enterprises face when ‘going digital’. One area of focus right now are ways to safely expose our information and services via APIs. We are also exploring ways to build security into DevOps to ensure new digital services are ‘secure by design’.

Personally I have been very close to this because in my previous life I was consulting in this space to IAG.

Within the IAG environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?

I don't make a distinction. We are focusing our efforts on detecting and responding to all threats.

Certainly internal technology vulnerabilities are an area that we do need to focus on. Also, addressing this reduces our exposure from both internal and external threats (both deliberate and accidental).

I've noted that you are in the process of recruiting new talent into your team. What key attributes do you look for when selecting a new staff member?

I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?

Yes, I am recruiting. I am trying to assemble one of the best cyber security teams in the country and I always expected that this would be a challenge. Having said that, anyone who has worked with me will know that I am persistent and confident. Finding new talent is part planning, part timing and part luck. I am confident I will find the expertise I need.

How do you keep up to date with developments in Digital innovation and Cyber Security, this is clearly a dynamic area and it must be challenging?

It certainly is a constantly changing area. Fortunately I am genuinely passionate about this topic and always have been. So for me, keeping up to date is not tiresome because I love the topic. I keep up to date through a combination of endless reading, listening to industry experts and vendors and collaborating with peers. One thing I have learned is that the more you share the more you get back.

Finally what keeps you awake at night?

Lately it’s been Cyber Security webinars scheduled at very unfriendly times!
