James Smith, our Head of Consulting, is familiar with the challenges faced by security leadership and knows first-hand the impact good leadership can make, whether this is working as a permanent Chief Information Security Officer (CISO) or as an on-demand virtual CISO (vCISO).
At Savanti, James is responsible for directing consulting services, as well as advising clients and overseeing the provision of an outsourced security leader as a cost-effective solution.
Before joining Savanti, James gained a wealth of security experience working as a Senior Manager in Risk Assurance at PwC and as a CISO for a leading UK higher education (HE) organisation.
We recently caught up with James to find out what an organisation might expect from their security leadership and to get his views on what makes a good CISO.
Can you explain the role of a CISO?
“CISOs will provide organisations with the expertise, structure and leadership to manage and mitigate their security risks. They will clarify security requirements, set direction, identify gaps, and manage activities and resources”.
In his role as CISO, James also needed to build his security function, bring together disparate resources and define the team’s remit and priorities.
James added, “CISOs must build momentum quickly and tackle top priorities to build confidence and demonstrate value”.
How will a CISO prioritise activities?
As Savanti's Head of Consulting, James benefits from his practical, hands-on experience and advocates a pragmatic approach to governance, risk and compliance to guide prioritisation.
“It’s important to quickly assess and baseline organisational compliance to identify the lowest areas of maturity and prioritise them in relation to the most common causes of incidents. I’m in favour of this approach, over a protracted, asset-based risk assessment, because you can identify and progress quick wins, make improvements, and quickly reduce risk whilst you plan for more strategic initiatives.”
What helps a CISO to be successful?
James highlights the importance of stakeholder engagement.
Reflecting on his time as a CISO, James said, “Building relationships with stakeholders was essential, especially with the previous critics. Security activities frequently involved cross-functional collaboration, but, more often than not, the required resources and technologies are not owned by the CISO”.
He added, “CISOs, whether permanent or operating as a vCISO, must gain buy-in and the resources to manage security. Risk, cost, and return on investment need to be clear to top management, whilst responsibilities and the right behaviours need to be clear to all user groups”.
How can a CISO measure success?
“Demonstrating value relies on governance structures to track and report progress and compliance. CISOs must be able to present management information to inform investment decisions and show that security requirements are being met”.
James also reflected on another, less tangible, marker of success: the commitment and competence of the security team.
“In addition to bringing much-needed expertise into the organisation, CISOs should help to develop, coach and upskill their team and improve the overall security capability”.
James stressed the importance of CISOs providing the support, education and cover their team needs, and shielding them from distraction, so that they can deliver their work.
Can you sum up what makes a good CISO?
When asked to conclude what makes good security leadership, James highlighted the challenges of the role.
“With the relative immaturity of the industry, the constantly evolving cyber landscape and the post-Covid priorities pushing the CISO role to evolve further, it’s difficult to fix a list of role requirements”.
However, from his experience and in relation to good security leadership, James concluded:
“Be the leader. Don’t shy away from the difficult stuff, improve relationships, secure support and funding, be consistent, and support your team”.
Security leadership for your organisation
Savanti has a team of experienced security experts. If you have budgetary constraints or limited security resources, a permanent CISO may not be the answer for you, but a dedicated, virtual Chief Information Security Officer (vCISO) could work very effectively.
This expert will still support your information security activities as a CISO would, but in a proportionate way, offering a tailored service specialising in the wide variety of threats that you face, all managed by Savanti.