Could you describe your average day as CISO at ME? Do you have a particular routine for the start and end of day??
First thing I do every day is check email and LinkedIn; normally on the train. I like to get this touch base out of the way before I get into the office so I can map out a plan for my day. Plus if there have been any issues overnight, the alerts from our monitoring tools are in there for me to review.
Every day is different. My team and I could be working on security operations, threat detection, or we could be acting as advisors to our project teams on how to innovate and develop securely. Days are often so full of meetings and collaborating that I don’t get a lot of time to ‘do’ things, so I tend to leave them until late in the day or once I get home.
I love working with our project streams on what they are doing to innovate. I thoroughly enjoy learning about the latest approaches to customer experience, how we roll out our bank products, and what we plan to do to become the ‘best bank in the digital era’! Also I really enjoy the time I spend with other CISO’s and security professionals when we get together and talk about what we are seeing and hearing across industries.
I’m a member of a few of our governance committees (sub boards) and contribute to the ME business dialogue with regards to cyber resilience and cyber security. This could be a lengthy discussion on risk appetite or updates on the threat landscape inside or outside of ME.
ME is a Digital Bank and hence is a critical strategic driver and clearly on the scorecard of your CEO. How does being a Digital Bank change your role compared to your prior positions?
This is my first CISO gig. However, in previous roles in IT delivery, infrastructure and IT risk solutions, I've been exposed to plenty of tools, techniques across DLP, security monitoring, security analytics and threat management. The premise of which doesn't change with being a largely digital bank. What does change is the threat surface. Our perimeter is not just the ME bricks and mortar. It is the ME customer, mobile technology, cloud services and internet banking. We need to ensure our customers know our brand, their data is protected and that they don’t fall victim to phishing.
At the end of the day, the work I do is more about managing the banks cyber-risk profile as part of our overall business risk appetite; as a largely digital bank we way up the business risk associated with progressive innovation and assure secure use of technology within our organisation. Our Board and our Executives are cyber-savvy and are fully informed on our cyber security strategy and how it’s linked to the ME business strategy.
It is particularly pleasing to interview a Woman CISO, as a role model for others. Are there any learning’s that you have gained that helped you attain this position that you can share with others?
I’ve not had a traditional career path to CISO. I’m not a technical security person ‘by trade’.
The skills I’ve developed over my career have come from roles I’ve chased based on interest and ones that I thought would develop my skill set. This means I’m an all-rounder when it comes to IT and business. I’ve always selected roles that put me in between the business and IT so I can bring a business lens to the IT thinking, or help attribute technology thinking to the business need. I’ve taken a few risks on roles based on interest and what I am confident I can do, whilst not necessarily having a specific domain specialty. This has worked well for me..
Over the years, having worked across different company business units and in different IT teams I’ve developed professional relationships with people from many different walks of life. Some I remain in touch with as mentors, sponsors and advisors. These people have influenced my career decisions, pointed out my weaknesses so I can find ways to address them, and been my advocate to others when there were suitable career opportunities available that may be good for me to pursue. I’ve had some wonderful female leaders and colleagues. I’m incredibly supportive of their career journeys and they have supported me as well. This level of support and collaboration is important for women in tech, there are so few of us at leadership levels.
I think it’s imperative that female leaders with the potential to develop successful careers have strong male sponsors to help them along the way.
I’ve had a career misstep and I took a lot of learnings from this. I jumped from a senior role in one organization, to another, and it was just not the right move for me. There was a gap for me culturally, I couldn’t find the path to success, and the work wasn’t inspiring. I was devastated, but once I had some time to reflect,the learnings were great. I haven’t been scared to share this either. Success for me is a mixture of moving upward, stepping sideways, and enduring a bump or two on the road. I never stop learning.
I’m vocal on forums about the need for more women in STEM roles. Obviously this encompasses security. I have memberships and have lent support to a number of not-for-profit groups who are developing initiatives for growth of the female IT agenda.
I am also leading the ME Women in Technology & Digital Committee. We have about 25% male members in our group, which is incredibly impressive. These guys are key to us coming up with a plan to balance our diversity and retain and attract female leaders to tech roles in ME. My Security team is 35% female and our GM’s of IT are 60% female.
I’ve come across an ideal of Secure by Design and the implications of this approach to Agile development. Is this an ideal that is practiced at ME?
ME does innovate through an Agile approach. We also have a robust development and test approach in IT. It is important that our applications, whether off the shelf, or being developed in-house, have secure code and are tested to ensure that they are meeting security benchmarks.
Our Agile projects are collaborative at inception, with inclusiveness of Enterprise or Solution Architects and Security Architects. OWASP is an important tool in establishing rigor and how we can design securely. We require Pen tests as well. We expect of our vendors to align to our security requirements to ensure we are confident that security is well managed across our supply chain.
Do you have any Digital Banks that you benchmark yourself one and learn from with regards to Cyber Security best practices?
We don’t specifically benchmark ourselves on other regional banks, but we do collaborate on all sorts of things, including security. Security is non-competitive and as a CISO I leverage the broader CISO network in Australia to bounce ideas around and request some advice. As cyber security best practice is concerned, we leverage common frameworks to set up the foundation of what we will focus on. We also look at our prudential requirements.
There are many new cyber security start-ups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
Yes there are quite a few. It’s a challenge to keep across what’s happening in the marketplace. With the Government set to sponsor more entrepreneurialism in this space, it could get even harder. But what I like is the speed and agility of those who disrupt in the security space. We need this. We want to get ahead of the threat landscape and some of those I’m watching at the moment embody that innovative and disruptive approach. We are using OKTA in ME, which has been born out of a 2009 start up. It’s still growing and maturing and I’m hopeful we’ll get more out of it as we apply to more use cases. I also have a keen interest in customer data protection, threat detection, and security analytics; so I’m watching start up’s like Kasada and Covata.
On a scale 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that??Read more: Enabling cyber strategy through data visualisation
Constant evolving threat and remaining ahead of the attackers will drive investment in cyber security. As we evolve as a digital bank and our threat surface changes this will also impact our tolerance for cyber risk and this too will drive investment.
We are focused on data driven approach to security. Our need for cyber resilience and to be fully aware of our data and how it is protected will continue to drive security investment. As we grow and our business plan drives us to digital we will find other initiatives we need to secure.
I’m really curious on how your job is measured, would you mind sharing your key performance objectives (just the headings not the details)?
Being a financial institution our focus is on protecting customer data, limiting risk exposure, and ensuring customer trust, brand and reputation. As such my key performance metrics are aligned to these important business needs.
Within the ME environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?
I guess if I could, I'd change the question. At the end of the day I am primarily concerned with protecting ME’s data. I’m not so much how it's used or what its business purpose is, this is our Data Officers concern, but how we govern and secure is incredibly important. Whether that's protection of the data from an external or an internal data breach becomes mute. It's about how we protect our data at rest, at transit, or even at vendor is what’s important to security at ME.
Access and identity governance for our supply chain from customer to third party is a very important process for us.
It's not just about 'rogue insiders' either. Commonly we see that a data breach is more likely to be from well-intentioned users trying to execute a business process, or even meet a customer request. All of which comes down to good old fashioned security awareness.
What key attributes that you look for when selecting a new staff member? How long does it take on average to find new talent or do you grow your own??
I’ve been building the Cyber Security team at ME, so we’ve done a bit of both. The preference is always to look within and support growth and development internally. For example, we’ve done this with our focus on Threat Management and Tools & Monitoring, moving the focus out of Security Operations, and to a senior capability in the Security team.
Our Security Operations team is growing and we are looking more at the market. It’s been challenging to find the candidates that have established cyber security skills and that could also be a cultural fit at ME. We lean more towards cultural fit; so our top picks have been those with some cyber security experience, a passion for what they do and a keenness to develop deeper skill sets.
We are excited that we have acquired more Security Architecture skills in the team through a recent external hire.
How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?
We've got a strong operational risk team - they help us to do these. We've had a few desktop tests and full experience incident tests. (These are great). You always find something new and improve on your ability to look objectively at the incident and respond in a better way each time. I think it's important to build on your cyber resilience, how we respond is key to any incident.
Finally what keeps you awake at night?
Like most CISO's it's more about technology hygiene factors and the ongoing cyber security risk. The introduction of cyber risk as a result of new innovations not meeting the minimum security standards for development is a concern, albeit a manageable one.
There is the off chance that we are targeted by cyber attackers, and that an unknown vulnerability is exploited, or that a zero day malware sneaks through the protection systems. There may be the day that a cyber-attack is successful, we do a lot to build multi-layers into our cyber resilience and do what we can to limit any impact. Our approach is aligned to best practice frameworks and we are very focused on our ability to respond.
We are not unlike many other organisations in that keeping on top of known vulnerabilities and managing patching is still a primary focus for security leaders. It’s the ongoing push or pull in the organisation to balance innovative development in technology with the hygiene and maintenance activities. This sounds quite rudimentary, but the importance can’t be discounted.