“At least 50% of my week goes into thinking about the future”

CISO Interview Series: Georgina Crundell, Head of Enterprise Solutions Risk Management, Bank of Queensland

“It’s possible to love a Bank” is the slogan of BOQ. I’m just wondering, is it possible to love a CISO? Actually, in all seriousness, I’m aware that this is a tough job and usually more difficult rather than easy. What’s your view on the role?

The Bank’s marketing position stems from our deep understanding of our customers and that friendly Queenslander disposition. I see that more and more companies across so many sectors are embracing (although perhaps not loving) the CISO role as a critical decision-maker and influencer.

It is a role that requires collaboration across multiple business areas including IT, Operational Risk, Projects, Fraud, customer-facing business units, Legal etc. It also requires an executive presence, Board-level influence and regulator knowledge.

My take is that it can be a challenge to balance the demands of all those stakeholders while still holding customers’ best interests at the heart of everything we do. But it is a challenge I love.

Banks are evolving to become Digital Banks piece by piece. As CISO, how do you see your role transforming in 5-7 years’ time when these technologies are starting to be in the market?

The evolution is well underway – the pace of change is ever increasing and the continued focus on cyber security from Boards and management is ever present.

I see the CISO role (and those of supporting team members) moving to be less techy and more like professional risk managers. There will also be a growing need to have a truly regional or global team and increased use of external partners.

I think that big data analytics will be a significant focus to assist us in predictive behavior analysis and to provide decision support material. I’m optimistic that the tools and technologies we use at a detailed level will improve at the same pace as customer-facing tools. I’d like to see greater cyber security tool interoperability, ease of implementation and less customisation.

One big long-term challenge is employee acquisition and retention. We need to find ways to increase the number of skilled people in the industry to keep up with demand.

On a scale of 1-5, would you expect that your investment in Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?

No question that investment will be up. However, I see that large-scale security improvement projects are no longer de rigueur. Instead, progressive business units and CIOs are ensuring that cyber security is a mandatory requirement for all projects and investments.

The two reasons why I believe the investment will continue: risks are increasing as more is pushed to the cloud or outsourced; and executive level awareness is now high.

How do you and your team stay across digital developments and new emerging technologies? How much time do you personally invest in thinking about the future in a normal week?

We stay connected to our industry peers, to our strategic partners and our research partners. We all make the time to attend industry briefings and product sessions. At least 50% of my week goes into thinking about the future, our strategies and how to lead my team to greater outcomes.

When you are looking for skills and capabilities that are needed for your team to manage the future, are there any specific ones that you are looking to build or hire?

As I mentioned, we are heading towards a critical cyber security skills shortage within the industry. We rely heavily on regional staff from our strategic partners so it is vital that we assist our partners to build the right skills too.

We’re building skills including technology risk management skills for cyber security personnel. This is about moving technical staff to think about threats and vulnerabilities in terms of risk to the organisation. We also have a continuous focus on “soft” skills such as documentation and communications skills.

We all have a roadmap of change. How much stretch do you put into the plan, and what makes you comfortable with that position?

Yes, our 3-year strategic plans have stretch built in – doing more with less. I am comfortable with that. We’ve built an incredible team here at BOQ and with our strategic partners, in particular HP and Dimension Data. I’m comfortable that we have the right brains trust and outcomes focus to give our customers even more reason to trust in us.

How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?

Operational imperatives always take precedence. The key for me is to determine potential impacts quickly and then ensure a responsible and accountable member of my team takes the lead.

When you think more broadly about using 3rd parties to work with across BOQ, and not just in the security arena, how comfortable are you that these partnerships have sufficient vetting?

My team and I perform reviews across all our partners. While we are improving the process, my team and I spend a lot of effort to assist our partners to have, and report on, appropriate controls. We insist all our new partners reach a high level of risk management before we will do business with them.

Thinking about Cyber Security in BOQ – people, process and technology. If you could magically change one thing, what would that be?

If I had one wish, it would be to have more wishes! But just one – it would have to be that our technology footprint was less complex.

What’s the one best piece of career advice that helped you become CISO at BOQ?

Leadership. Regardless of technical background, experience or personal disposition: leadership capabilities are the key to success in this or any other senior position.
