Could you describe your average day as CISO at IAG? Do you have a particular routine for the start and end of day?
It's hard to describe an average day at IAG. So far no two days have been alike. My days are a combination of setting strategy, making various choices, engaging with my team and colleagues and making things happen.
I like to start my day by getting up to speed on what I need to focus on for the day over breakfast and a coffee. I then usually finish the day with a list. I love lists. They keep me focused.
Many of the big name organisations have recently boosted their security divisions by securing top ranking IT security heads like yourself, do you think the key cyber security threats and recent breaches have pushed companies to invest more in this area?
For many of the larger players like IAG there has always been a focus on cyber security in some form. However the growing sophistication of adversaries and the magnitude of the losses experienced by some high profile organisations has likely led to cyber security becoming more front of mind. Also, many of the global consulting and research firms have confirmed cyber security as one of the top priorities for the next few years.
Boards are acutely aware of the new and emerging risks in this space and this is certainly having an impact. Progressive companies are tending to invest more in this area and I expect this will be the norm for some time to come.
On a scale of 1-5 do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years? What’s going to drive that?
IAG takes the security of its information very seriously. As such, we would rate our plans to invest as a “5” on the scale. The evolving threat landscape and our own transformation to a digital enterprise are the key drivers for an increased focus in cyber security investment.
How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
It’s just one of those things that you have to do as a senior leader. It’s not specific to Cyber Security. All leaders have to balance between longer term strategy and day to day issues. From my perspective, it’s what keeps my job interesting. As I said earlier, no two days are alike in IAG.
I’m really curious on how your job is measured, would you mind sharing your key performance objectives (just the headings not the details)?
As an IAG executive I am measured on the same KPIs as the other executives. Our scorecards cover the usual shared areas of customer, culture, financials and business outcomes. I also have a number of personal objectives around building the new cyber security function and uplifting our capability across the globe.
There are many new cyber security startups that are appearing. Are there any that have caught your eye recently and you are tracking their progress?
I am looking at a number of start-ups in the cyber security space. There are so many areas that are of interest ranging from new forms of encryption, innovative ways to think of passwords, identity and access management to name a few. There are also organisations that are looking at novel ways to protect the Internet of Things against new threats. All of these are catching my eye.
What do you regard as the crown jewels within IAG that has the highest level of security? How well do you conduct ‘mock’ incidents so that the team is prepared for data breaches?
I am pretty sure that this is the one question that most CISOs would be too paranoid to respond to in too much depth.
Certainly we put a lot of emphasis on protecting our data and a key focus for us is on responding and recovering when required.
Only recently we ran a very successful exercise with our executive and broader teams in a mock cyber exercise. Although it went very well, we did learn a lot.
I’m aware that for IAG, Digital is a major strategic driver and clearly on the radar of your new CEO. How much attention have you paid to this online channel in your tenure so far?
This is one of the core drivers of our enhanced focus on cyber security and it’s not just about our online channels. For us Digital and digitisation permeate everything we do. There are a range of new challenges that enterprises face when ‘going digital’. One area of focus right now is ways to safely expose our information and services via APIs. We are also exploring ways to build security into DevOps to ensure new digital services are ‘secure by design’.
Personally I have been very close to this because in my previous life I was consulting in this space to IAG.
Within the IAG environment are you more concerned about the internal technology vulnerabilities or of rogue insiders?
I don't make a distinction. We are focusing our efforts on detecting and responding to all threats.
Certainly internal technology vulnerabilities are an area that we do need to focus on. Also, addressing this reduces our exposure from both internal and external threats (both deliberate and accidental).
I've noted that you are in the process of recruiting new talent into your team. What key attributes do you look for when selecting a new staff member?
I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?
Yes, I am recruiting. I am trying to assemble one of the best cyber security teams in the country and I always expected that this would be a challenge. Having said that, anyone who has worked with me will know that I am persistent and confident. Finding new talent is part planning, part timing and part luck. I am confident I will find the expertise I need.
How do you keep up to date with developments in Digital innovation and Cyber Security, this is clearly a dynamic area and it must be challenging?
It certainly is a constantly changing area. Fortunately I am genuinely passionate about this topic and always have been. So for me, keeping up to date is not tiresome because I love the topic. I keep up to date through a combination of endless reading, listening to industry experts and vendors and collaborating with peers. One thing I have learned is that the more you share the more you get back.
Finally what keeps you awake at night?
Lately it’s been Cyber Security webinars scheduled at very unfriendly times!