What makes a 'CISO' great? What attributes do you really admire?
I've had the pleasure of working with or being involved with a number of good CISOs over my career whom I have learnt a lot from. The ones that have impressed me the most have been those who have a high level of business acumen underlined with a solid technical background, which does not have to be an IT one. A few spring to mind immediately, such as Rob Coles, the CISO at GSK (UK), Ray Archer, the CISO at Scotiabank (Canada), and Shamla Naidoo, the CISO at IBM (US).
They can visualise the outcomes needed, use the technical or domain requirements and paint a story that people can buy into. They are able to build momentum that will make a security capability relevant to the business. Each of these people has come from a different career path and is able to bring first-hand experience to the conversation. Their ability to be able to clearly articulate the problem is what impresses me.
When you are hiring new staff, are there any qualifications that you believe are important to look for?
The things I look for are people who are articulate, bright, understand the space and are willing to learn more. I'm not someone who focuses on industry-based qualifications, as I often place experience over those types of qualifications.
Education is paramount. Being qualified at degree or postgraduate level, on the other hand, is really important, so I do place a lot of emphasis in this area. This demonstrates that a person has a drive and a passion to continue learning, plus is able to problem solve.
Again the softer skills are really important - you can have the most qualified person who is really, really smart but if they cannot interact and communicate then they will struggle to make an impact.
What are your thoughts around the largest gaps in the market around new cyber technologies?
The area that I'd like to see more focus on is data. How to secure it, manage digital rights, handling/classification through applications and systems, that is something that can deliver a data centric security model.
This is not DLP, which has failed due to the overheads and the lack of ability to integrate across the estate. This is pie-in-the-sky stuff, but it is where I'd love to see the industry head.
I remember chatting to Jay Chaudhry, the founder of Zscaler, and he said that the reason he started the company was to pick up something that was not quite working in the market and start again. I think in a number of areas that is what is needed. A clean slate. It will frustrate some people and will require boldness to do it, but it has to be done.