It’s possible to love a Bank is the slogan of BOQ. I’m just wondering, is it possible to love a CISO? Actually, in all seriousness, I’m aware that this is a tough job and usually more difficult than easy. What’s your view on the role?
The Bank’s marketing position stems from our deep understanding of our customers and that friendly Queenslander disposition. I see that more and more companies across so many sectors are embracing (although perhaps not loving) the CISO role as a critical decision-maker and influencer.
It is a role that requires collaboration across multiple business areas including IT, Operational Risk, Projects, Fraud, customer-facing business units, Legal etc. It also requires an executive presence, Board-level influence and regulator knowledge.
My take is that it can be a challenge to balance the demands of all those stakeholders while still holding customers’ best interests at the heart of everything we do. But it is a challenge I love.
Banks are evolving into Digital Banks piece by piece. As CISO, how do you see your role transforming in 5-7 years’ time, when these technologies are starting to be in the market?
The evolution is well underway – the pace of change is ever increasing and the continued focus on cyber security from Boards and management is ever present.
I see the CISO role (and those of supporting team members) moving to be less techy and more like professional risk managers. There will also be a growing need to have a truly regional or global team and increased use of external partners.
I think that big data analytics will be a significant focus to assist us in predictive behavior analysis and to provide decision support material. I’m optimistic that the tools and technologies we use at a detailed level will improve at the same pace as customer-facing tools. I’d like to see greater cyber security tool interoperability, ease of implementation and less customisation.
One big long-term challenge is employee acquisition and retention. We need to find ways to increase the number of skilled people in the industry to keep up with demand.
On a scale of 1-5, would you expect that your investment in Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
No question that investment will be up. However, I see that large-scale security improvement projects are no longer de rigueur. Instead, progressive business units and CIOs are ensuring that cyber security is a mandatory requirement for all projects and investments.
The two reasons why I believe the investment will continue: risks are increasing as more is pushed to the cloud or outsourced; and executive level awareness is now high.
How do you and your team stay across digital developments and new emerging technologies? How much time do you personally invest in thinking about the future in a normal week?
We stay connected to our industry peers, to our strategic partners and our research partners. We all make the time to attend industry briefings and product sessions. At least 50% of my week goes into thinking about the future, our strategies and how to lead my team to greater outcomes.
When you are looking for the skills and capabilities that your team needs to manage the future, are there any specific ones that you are looking to build or hire?
As I mentioned, we are heading towards a critical cyber security skills shortage within the industry. We rely heavily on regional staff from our strategic partners so it is vital that we assist our partners to build the right skills too.
We’re building skills including technology risk management skills for cyber security personnel. This is about moving technical staff to think about threats and vulnerabilities in terms of risk to the organisation. We also have a continuous focus on “soft” skills such as documentation and communications skills.
We all have a roadmap of change. How much stretch do you put into the plan, and what makes you comfortable with that position?
Yes, our 3 year strategic plans have stretch built in – doing more with less. I am comfortable with that. We’ve built an incredible team here at BOQ and with our strategic partners, in particular HP and Dimension Data. I’m comfortable that we have the right brains trust and outcomes focus to give our customers even more reason to trust in us.
How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
Operational imperatives always take precedence. The key for me is to determine potential impacts quickly and then ensure a responsible and accountable member of my team takes the lead.
When you think more broadly about using 3rd parties across BOQ, and not just in the security arena, how comfortable are you that these partnerships have sufficient vetting?
My team and I perform reviews across all our partners. While we are improving the process, my team and I spend a lot of effort to assist our partners to have, and report on, appropriate controls. We insist all our new partners reach a high level of risk management before we will do business with them.
Thinking about Cyber Security in BOQ – people, process and technology. If you could magically change one thing, what would that be?
If I had one wish, it would be to have more wishes! But just one – it would have to be that our technology footprint was less complex.
What’s the one best piece of career advice that helped you become CISO at BOQ?
Leadership. Regardless of technical background, experience or personal disposition: leadership capabilities are the key to success in this or any other senior position.