It's really important that I be well informed on all areas of Trainline. I'm here to not only make sure we are not negatively impacting security and privacy but also protect the business and our customers. To do this, I need to work closely with all areas of the business. It's easy to get drawn into the day-to-day complexities of our technologies and processes, but I need to stay focused on the bigger picture.
My primary responsibility is to make sure that the board is aware of cyber and information risks. They need to be informed so they can make the right decisions, but it's also important that they're excited and driven by security and privacy.
What less mature emerging technologies are you most excited about that could have the biggest impact on security and threat prevention/detection - and which are you most worried about?
Mieke Kooij: I don't spend as much time as people might assume someone like me would thinking about technology. I'm far more concerned with how people interact with it.
I think Trainline is way ahead of the curve when it comes to new technologies. We adopt and adapt with a rare agility in the security space. When we made the move to AWS we used this as an opportunity to build a flexible, scalable security foundation. It also gave us the chance to better understand precisely what data and information we have, which is serving us well as we move towards GDPR.
What's your best advice for forming a strong relationship between the CISO and CIO role?
Mieke Kooij: Mutual respect and trust. In all honesty I wouldn't work for anyone I didn't have this with.
Recent CIO 100 research suggested security leaders were overwhelmingly reporting into the CIO function - what do you think are the advantages and disadvantages of this?
Mieke Kooij: Reporting lines and their appropriateness can be very organisation dependent. The key thing is to have sufficient independence and a line to the whole board, including the chairman, and not just a single member of the executive team.
I report to the CTO, but I also have a secondary reporting line to our General Counsel, and at Trainline, this makes perfect sense. In other organisations, this may not give people the independence needed to act as an impartial advisor, which can make it difficult to do the right thing for the company.
Security non-executive directors are one way I see of addressing the need for independence in the future - which also helps get around the shortage of skilled, experienced CISOs - but sometimes a simple re-organisation could make all the difference.