EP 3: The evolving role of a CISO

Tim Cook (00:05): Welcome to our podcast series, The Global Realities of Cybersecurity. I'm your host, Tim Cook, a partner at Headhunters Kafué Consultants. I work closely with PwC to develop partner talent and progress a chief information security officer development agenda. These are also known as CISOs or CISOs. Each episode of this series, we'll be inviting along PwC experts to discuss what they do at PwC, and what they're focusing on at the moment in the ever-changing world of cybersecurity. Today's conversation is centred around CISOs of the future, and I'm joined by Annie Hardiman, a MIA and APAC CISO for PwC and, Lisa Gallagher, managing director, Cybersecurity.

Tim Cook (00:50): Hi, guys. Welcome. Annie.

Annie Hardiman (00:52): Hi, Tim.

Tim Cook (00:53): Annie, give us a quick introduction about your role.

Annie Hardiman (00:55): So, as you mentioned, I am the MIA and APAC CISO for PwC. So, in those roles, I oversee about 400 different people that looks at 75% of the world. What is so important about these roles is that we also make sure that we incorporate everything we do with the business. So we're looking at how are we business enablers, how can we really look at that global, regional, and local view, and how can we continue to meet with our clients and make security differentiator.

Tim Cook (01:28): That sounds really interesting.

Tim Cook (01:29): Lisa, tell us a little bit about- about you and your role.

Lisa Gallagher (01:32): Yes. So, I'm a managing director in the US Advisory Cyber Security and Privacy practise. And my role is- is 100% client facing, so I'm responsible for business development, client relations and overall project delivery, um, with clients across multiple sectors. Um, also, in my role at PwC, I have twice served as an interim CISO for an organisation who, um, needed that kind of help. Um, and so having, you know, been on the other side of the table, as we say, um, gives me a little bit of understanding on, um, the challenges that the organisations face. And that's really why we've started as a… as a consulting practise to actually look at this role and how it's evolving.

Tim Cook (02:21): That's- that's really interesting, because you can see both sides of the equation here, as you say. Why don't we start here, Lisa, with, uh, with your view of, um, how you've seen the role of the CISO evolve, I mean, both from the client's side a- and also, uh, from consulting into the clients?

Lisa Gallagher (02:37): Right. So, um, having consulted into the clients but also having been in that interim role, you know, in that role, I was brought in when, um, when there was a need. So a CISO was exited or a CISO left, and there were some challenges in place. And so we have, as I said, started looking at not only what is the current role, but how is it evolving, what is the need, um, that organisations have, and how does that affect the role.

Lisa Gallagher (03:05): So first, you know, I think it's important to talk about what's going on in the organisations themselves. So, what as organisations start to look at in a mature… the way they approach cyber security, um, we see them looking at it more strategically. So they're seeking to build organisational resilience. They want to implement a shared security risk model across the business, and they… and they also want to measure the value provided by the security function itself. So then when you look at it that way, it's really the fact that those kinds of challenges re- require the role to have a more strategic focus than it has in the past. So you need more of a strategist than someone who's, you know, very technical managing down or tactician. Um, so, again, the- the move is more towards someone who's strategic and- and connecting with the business.

Lisa Gallagher (04:01): There are a couple of areas where, um, I think they're definitely required to become involved a little bit more. Um, so the focus is obviously changing from not only deploying technology but also to manage outcomes and business impact. So to have an impact on the business in- in the value provided by the security function is often, um, trying to be measured.

Lisa Gallagher (04:26): Um, there are always new regulatory requirements, privacy is an example, um, drives how businesses focus on data, et cetera. They have cross-functional leadership responsibilities, so they have to be involved at the executive level and driving organisational change and change management, put in place formal risk governance, manage third party risk, those kinds of things. And also, as the businesses are evolving, um, their strategies and evolving how they do business, um, the CISO needs to be at the table as well. So, for example, digital transformation efforts, um, managing "In- Internet of Things risk," um, and they need to provide leadership and vision and innovation as the organisation makes those sorts of- of business transitions. And they're… so they're very much more and more communicating with executives and the board of directors and they really need to have strategic focus.

Tim Cook (05:25): Yeah. Now that- that's- that's good because, uh, what you're indicating is, um, how more strategic and influential this role is rapidly becoming. Annie, in your job here, how has it evolved in terms of where you focus now compared to where you focused when you started?

Annie Hardiman (05:42): Yeah, so if we look at the role within PwC, and I take a step back, PwC is a network of firms, which means that there are 150 different member firms that fall under the PwC brand. We have taken that global approach and said we can't just be focused on the technical skills on- on compliance, which was the key focus, if you look at five to seven years ago, and it's what our clients were mandating. We need to be leaders. We need to make sure that we are in front of our clients in being able to protect their data. And that means that, for us, it's really proactively working with the business. We have to look at it from a risk-based decision making. It's no longer what is… what do we need from a compliance perspective or what do we need to do just to meet a legislation. It's what are those key risks, how do we address them, and what are those risks coming… that we see coming in the future.

Annie Hardiman (06:42): The biggest thing is that it means that you have to constantly be leading a transformation. So if you look at that five to seven years ago, security was changing, but not at the pace that you see today.

Tim Cook (06:53): Yeah.

Annie Hardiman (06:53): So it means that you have to constantly manage that rate of change throughout the business, but also may sure that we're staying and really incorporating ourselves with the business to be part of the solutions of the future.

Tim Cook (07:07): Hmm, very good. And d- does that, um, change the way you're measured as a CISO? How's that evolved over time? Lisa, I'd be interested in your view on this too, um, once, uh, once Annie's given us a sense.

Annie Hardiman (07:20): Um, absolutely. So, I think let's take a step back and say, who's measuring us today?

Tim Cook (07:24): Yeah, yeah.

Annie Hardiman (07:25): So if you looked at it before, we were really measured about the same things as IT because we were within an IT organisation, which means it's usually how much money you're spending and are… how many incidents are there. You look at it now, and we're measured by our board. We're measured by the leadership of… from a global perspective and each member firm to say, "Are we able to stay ahead of the different client requirements? How are we meeting the regulations, and how are we mitigating that risk?" So it's really from the risk perspective that they're looking at how are we able to effectively spend money and maintain our security level.

Tim Cook (08:07): Uh, Lisa, are you seeing a similar thing with your clients?

Lisa Gallagher (08:10): Most definitely. Um, as Annie said, it used to be, you know, how much money are we spending on technology, how much money are we spending on staff, how many, um, you know, vulnerabilities did we patch, those kinds of things. And really now, it's about overall impact on business risk. It's the value that the function is providing. It's, um, being at the table during any sort of transformational activities and coming to the table with solutions that are innovative being a leader and having an impact.

Lisa Gallagher (08:46): Also, in working with boards and executive management, you know, we work with our CISOs on- on being able to communicate to them in a language that they understand. And the reason why that's important is because we need to enable those boards and those executives to more effectively manage business risk. So we have to have a language that we can both understand and we… and the goal is to allow them to do their jobs in managing corporate business risk.

Tim Cook (09:15): Got it. Very interesting. I- I- I wanna test something on- on you both because, um, in my, uh, years of assessing and recruiting, um, CISOs, one of the things has become apparent is there is a maturity level for different CISOs. And so if you take a maturity model that has five levels on it with level one being bottom and level five being top, uh, and the difference in a level one and a level five is level one is buried in IT and, uh, doesn't ever appear in front of the audit committee, uh, and is quite technical in- in outlook, whereas the level five as an… uh, is intimate with the chairman and the chief executive, is involved in all key decision making in the company before other people know about it, big hirings, big firings, new IP, new products and services, and could act as a non-exec director, uh, in other companies, for example, in the supply chain.

Tim Cook (10:05): So if you look at the, um, range of- of CISOs out there from level one, basic, to level five, very sophisticated… and by the way, we… I think the only level fives that there are in the market are probably in the US, um, what would you both… h- how would you both view, um, that as a, uh, as- as a way of, uh, enabling you to understand, if you like, the evolution of the CISOs that, uh, that you've been working with, uh, and are? Annie?

Annie Hardiman (10:30): So I think to start with, it's the level one, level two is what you really saw the five to seven years ago.

Tim Cook (10:36): Yeah.

Annie Hardiman (10:36): And in some immature markets, you still see that today where they're still trying to catch up. What you have global businesses and many of our clients now demand is that level four on to the level five. So if you're at the level four plus today, it's how you're going to get to a level five-

Tim Cook (10:54): Yeah.

Annie Hardiman (10:54): … because they have to look at their third party and fourth party risk today, and that's what they're measured against as well. So I think we still have ways to go in getting most of the CISOs to that level five. As you said, right now, they're mainly in the US, and there's probably only a handful of them. But when you see the role continue to evolve, that's where you're going to see the majority of those CISOs especially when they're in these global position.

Tim Cook (11:19): Yeah, I- I'm absolutely sure- sure you're right there. Lisa, what have you observed in- in your market in sectors?

Lisa Gallagher (11:25): So, um, keeping in mind that I'm often brought in or come into a client when there's a challenge at the CISO level, right, um, but I would say based on that, they're more in the two to three range. Um, and I think we also have to recognise that nationally in the US, the talent pool for CISOs is fairly shallow. So, right, we have a lot of people who have, um, performed as CISO as more and more organisations trying to hire CISOs. The good ones get hired and, you know, recruited away. And so we often find that there are gaps at that level. They're trying to promote people up from being very technical into a CISO role. So there are a lot of challenges there. And a lot of times, I come in and it's a… maybe a two to three level. Um, that… what I work with the, uh, clients on is, "Listen, you have to try to find the right person. So you have to understand the market and you have to sort of… either you're going to go find someone who's already at that skill level, that four or five level or when you bring in a person, you're going to have to invest in them. Um, so-

Tim Cook (12:36): Absolutely.

Lisa Gallagher (12:37): … provide, um, mentorship, provide coaching, training. Um, you know, we did a recent survey of executives and one- one of the things that came out is only 24% of the executives say they provide any sort of support at the CISO level, um, to help elevate them as an executive, right. So we know there's a… there's work that can be done there to- to help those CISOs mature. Um, but really, uh, it's a challenge at that level to find and- and keep the right person and with the right skillset.

Lisa Gallagher (13:13): Um, we have been taking a look at what the skillset should be, and I'm sure we're going to talk about that in a moment. But, um, it's really taking that technical person who wants to manage down into the security function and really having them take more of a… um, um, an executive presence and viewpoint and participate at the executive level in- in managing overall business risk.

Tim Cook (13:38): Right, thank you. And I'm going to ask a cheeky question here of, uh, Annie. So if only 24% of, um, companies support their CISOs to develop, what are PwC doing to support you developing in your role?

Annie Hardiman (13:51): So I would say that's where PwC is part of the other 76%, uh, where they are continually investing through mentorship. But then what PwC also does is it forces you to have that career conversation. So it's where do you want to be in the next three to five years, and how can we give you the tools to be able to get you there, but how can we also give you the exposure that is needed so that you can become that level four plus or five CISO?

Tim Cook (14:18): Yeah. And I know that you personally believe a lot in- in the whole training and development side. You've got a really big team. What do you do to try and bring on talent in your team here within PwC?

Annie Hardiman (14:27): So what I've really learned, especially when you're looking at the security market, and this is something that Lisa touched on, is that you're really only as good as your team. And you can have all of the tools that are there, but if you can't retain and grow your team, you're never going to be effective. So with us, it's really looking at how can we train them from the very beginning and continually give them opportunities to grow. When you're in the security market, you are constantly evolving and there are new challenges. So you're recruiting people that thrive for… or thrive when they're in that challenging environment-

Tim Cook (15:01): Yeah.

Annie Hardiman (15:01): … and really look to continue… to continually grow. What we also do is we provide the opportunity to go on secondment. So someone that is based in London can go to Australia for a couple years, and understand what is the difference from a security mandate and regulatory perspective there. So we're able to continually broaden their skills and grow them-

Tim Cook (15:21): Yeah.

Annie Hardiman (15:22): … as well as growing our team as well.

Tim Cook (15:23): That's really good. Lisa, you've- you've got a- a point, um, around developing the skillsets, if you like, for the next generation of CISOs. What- what- what's coming out to you now in the marketplace? What are the key skills do you think we need in this new generation of evolving CISOs?

Lisa Gallagher (15:41): Well, you know, we have taken a look at that. And- and one point of information that drives us is that, out of our survey, um, we found that there's a perception, um, 50% of our executive respondents did not view the CISO to be part of the C suite. And so we've got a role that has traditionally been, I think, as Annie mentioned, in the IT group, implementing technology, implementing tools, um, and being very technical. And because also maybe they work for the CIO, um, they're sort of one level down, and they're not considered by everyone as part of the C suite that is evolving. So, um, boards and executives more often want to hear directly from the CISO, and it's pulling and elevating the role up.

Lisa Gallagher (16:38): So given that and given some of the things that we talked about earlier, I think there's a set of experiences, skills and even personal attributes that are really becoming required, um, at the CISO role. Um, as I mentioned earlier, you really need to have a strategic focus, um, and allow your team and the leaders of the security function to be the more technical, um, people on… in the function and- and elevate up to a strategy level. So then strategic thinking, um, leadership skills, I think the ability to make data driven decisions and- and help the organisation take smart risks, right, because you're helping them manage overall business risks so, you know, we're constantly making risk based decisions and there are times when, um, you want to completely mitigate risk and there's times when you need to take smart risks, as I say.

Lisa Gallagher (17:40): And- and- and they need to be able to help the organisation do that. I mentioned earlier executive level communication skills, so being able to establish a language with the board and executives that works, um, building relationships across the business so, often, uh, the security function is a centralised function, um, but you have to have a relationship with the leaders of each of the businesses as your job is to enable them to be compliant with all the regulations and to follow all the policies, so building those cross business, um, relationships, um, the ability to build a team, um, and mentor and elevate talent, as Annie was talking about earlier.

Lisa Gallagher (18:29): Um, in our survey, the executives, 84% of them, said that the ability to educate and collaborate across the business is emerging as one of the foremost skills for the CISO. So, um, that point really corroborated our thinking in that area.

Tim Cook (18:49): Yeah, and- and I completely agree with you that, um, what becomes more and more important for, um, CISOs particular as you go through the maturity curve is an ability to influence. And when they're starting in the roles, it might be just at the IT level. But by the time you're getting to levels threes and fours, they're influencing successfully at exco and board level. And then sometimes with external, uh, boards as well. And developing good influencing and communication skills really quite difficult. I was talking to a CISO, uh, of a huge retailer, um, here in the UK today. Uh, and he was saying that he would rather hire for good communication skills than he would for good technical skills because you can always buy in technical skills if you need somebody. He'd rather have a team with great influencing and communication skills.

Tim Cook (19:36): Annie, what do… what's your take on that?

Annie Hardiman (19:38): Yeah. So I think the one other thing that I would ad and it's linked to communication is being able to have those hard conversations with stakeholders.

Tim Cook (19:46): Yes, good point, yeah.

Annie Hardiman (19:46): So, speaking truth to power, which can be very difficult with the board and with the C suite, especially when they traditionally, in 50% of the cases, haven't considered the CISO to be part of that C suite.

Tim Cook (19:57): Yeah.

Annie Hardiman (19:57): But you have to be able to have those difficult conversations, so that they aren't caught off guard if or when there is an actual incident. With that, it's also necessary to consistently demonstrate clear judgement and to know how to effectively escalate but also have enough flexibility so that when the situation changes, you know how to clearly explain that to the executives in language that they understand, as Lisa was mentioning.

Tim Cook (20:23): Right.

Annie Hardiman (20:23): So, the key to all of this is really clear and effective communication. Because you can teach technical skills, you can buy them or you can reach into your traditional IT organisation-

Tim Cook (20:35): Yes, that's true.

Annie Hardiman (20:35): … and give them the career opportunity to continue to grow and to help support you as you elevate this function.

Tim Cook (20:42): Yeah. What about reassurance? Lisa, you've done a couple of, um, CISO roles where, you know, you were brought in, um, to help fix problems and move the organisation forward. How important is reassurance do you think as a capability?

Annie Hardiman (20:56): Well, I- I think it's very, very important especially when there's a problem or a crisis. Um, and I think that communication skills, definitely help with that. But- but also, it's about being, uh, clear, as- as Annie said, speaking truth to power and being, what I call, a strong and convicted leader. So, um, you- you have to talk about reality and have data driven options in terms of what's next. Um, if you believe that the recommendations that you have are important, you have to stay behind them. Uh, don't abandon plans just because someone doesn't understand it or there isn't currently funding but really, um, focus on solving the problem in the… i- in terms of the best risk-based approach. Um, so reassurance is brought about by a number of things and including, um, the strength and conviction of your leadership, the… and- and credibility, and- and the trust that you build within the organisation.

Tim Cook (22:06): Got it. Okay. Let's, um, l- let's bring this, uh, session to a conclusion by looking ahead. Um, and particularly focusing on the future and, uh, how we all see the- the role of the CISO evolving further. Annie, what do you think? What's… how do you see your role evolving going forward?

Annie Hardiman (22:26): Yeah, so right now, we really talked about security transformations and the change. As we look at it going forward, it's not just looking at security transformation, but it's really how do you lead all transformation and change throughout an organisation? Security is tied to everything that we do. So at PwC, if you think about security, it's a core part of an audit of any deal or M&A transaction. It's also in your traditional human capital security and technology engagements.

Tim Cook (22:55): Absolutely.

Annie Hardiman (22:55): But it's the backbone of our business. So it's security actually being incorporated in each of those decision making, instead of being siloed or purely seen from a risk perspective.

Tim Cook (23:06): Okay. Lisa.

Lisa Gallagher (23:08): So for me, in- in taking a look at going forward, and the skills and personal attributes of the future CISO, I've- I've sort of categorised it into four areas. Um, the… first of all, as I mentioned earlier, um, you- you need to be a strong and convicted leader. And- and- and that really means being an influencer across the organisation, building relationships, building trust and credibility, so that, um, when you're at the table, um, with transformational activities or innovation, um, you've got some influence on the process. Being an educator so, um, abi- the ability to develop, recruit and retain talent, um, team building and focus looking at future leadership, having a, um, succession plan in place, avoiding over focus on technology yourself and really, uh, focusing on that communication education across the business. I- I mentioned earlier having an analytical approach, so making data d- driven decisions and taking smart risks.

Lisa Gallagher (24:22): And finally, I think when you get to the four or five level, you need to be a visionary and a… and an innovator. So have a long view, innovate. So as the company's infrastructure evolves or they're taking on digital transformation projects, the threat landscape and attack surface is gonna change. So w- what are the, um, solutions that are innovative and that follow the evolution of the company's business strategy, and be at the table to provide, um, those innovative solutions going forward? And that's a tall order, right? It's a completely job than at the one or two level. Um, but I really think that that's how the security function and the CISO can most add value, uh, to the business.

Tim Cook (25:11): Yeah. I- I- I- I think you're absolutely right there. I think that, um, what we see is, um, CISOs maturing to become CSOs in some places or the chief security officer. Um, there's probably a growth path that's more towards risk. Um, so potentially, um, evolving into the, uh, risk function, uh, itself at some point. Um, and a- as you pointed out, I mean, the- the very best CISOs, um, have absolutely all the capabilities needed to become excellent nonexecutive directors in other organisations and strategic advisors, um, in their sectors. What advice would you give GRPs who are having cybersecurity discussions with their clients at the moment?

Annie Hardiman (25:52): Yeah. So if you look at security today, it touches every aspect of your client's business. If you're working with the financial services or healthcare clients, they're gonna have very specific questions and requirements for you whereas some of the other clients are still developing where they are from a security perspective. But all of our services really incorporate security in some way. So if you think about it from our traditional audit and tax services and the tax credit, uh, service that we can provide or some of the M&A services that we have or some of the more traditional and security services, have that conversation with them. If they wanna know about our security, that's where we have an internal team that can help work with you to educate the client on how we really are protecting their data and how we're able to meet their standards. So reach out to the network information security team to be able to have those conversations.

Lisa Gallagher (26:45): Right. I- I completely agree with Annie. I- I would say that bring it up, um, no matter who you're talking to. Bring it up and say, you know, "Do you have any needs? Do you have any questions? Can I connect with the CIO or the CISO and- and have a conversation to see, you know, how we might be able to help?" In most cases, these are clients that we've got a long and trusted relationship with, and there's value in that. So, you know, let them know that we have, um, these capabilities and- and bring it up. And then the second thing I would say is at least know within the sector that, um, the company is in if there's any, um, new pertinent regulations or other, you know, driving forces around cyber that can be leveraged for the conversation as well. Um, and you can do that just by reaching out into the cyber practise.

Lisa Gallagher (27:36): Um, in the cyber practise, we have, uh, folks who… we work across all sectors. But- but a lot of folks specialise in certain sectors, financial services, healthcare, that are highly regulated and we can give you talking points to bring up as well. Um, so- so know, you know, the company you're working with what sector they're in at least a couple of talking points on really what's driving, uh, cyber in- in the… in the industry. Um, and so it's a collaboration with us now. Um, and I think we're seeing a lot of that but bring it up with the client and then reach out, as Annie said, back into the practise and- and we can, um, help with the conversation.

Tim Cook (28:14): Thanks again for joining us today. It's been really great having you.

Tim Cook (28:18): Remember to subscribe to our podcast series so you don't miss out on our future episodes. If you have any questions about what PwC do within cybersecurity, please reach out to our guests.