“Business has to be at the heart of what we do. If there is no business, we can be neither secure nor compliant. And without the customer there is no business. Our focus needs to be one of enablers. The key here is allowing the business to make informed risk decisions.”
Stuart Seymour is the Group CISO for Virgin Media O2 in the United Kingdom. Prior to joining Virgin Media, he worked at both BAT and Centrica. Check out his interview with Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, in which Samir discusses with Stuart how he sees the role of the CISO evolving to keep up with the threat landscape.
Many chief information security officers see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?
Business has to be at the heart of what we do. If there is no business, we can be neither secure nor compliant. And without the customer there is no business. Our focus needs to be one of enablers. The key here is risk and allowing the business to make informed risk decisions. Technology is an enabler; however, we cannot speak of technology without people or process, with people being at the top.
Common ways to assess the value of a senior executive to an organization’s business are to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?
There are multiple ways, but I like risk reduction, which is in turn directly correlated to pounds and pence.
The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?
It is critical. If not a seat on the board itself, to be regularly briefing the executive committees and be a regular agenda item in board committees such as risk or audit. It does matter who the CISO reports to. I am very blessed that I report into the General Counsel which gives me true independence from IT and allows more effective challenge and governance.
What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?
Again, it’s all about risk and understanding this. If you look at risk as being likelihood and impact, it is clear that likelihood is high. The key steps are for businesses to understand risk, their critical assets and limit the blast radius.
On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?
People. I hear many times that they are the weakest link. I like to think about them as our most vulnerable asset. Without people there is no nuance in analysis or judgement calls.
While most business leaders are more aware of their organization’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?
Yes – though we are our own worst enemy. I cannot count the number of times I have seen cyber security go to places like an investment committee and talk in three-letter acronyms. I also cannot count the number of times that we talk about a security control assuming that the person we are talking to is an SME.