Lessons from a CISO

Last month we were lucky enough to welcome not one, but two awesome guest speakers to Leaders In Tech. The first was Cath Goulding, CISO at Nominet, and the second was Paul Tacey-Green, co-founder of Amito. Both had plenty of fascinating things to say about that evening’s topic, Decoding Cybersecurity. So, we’ve decided that each talk deserves its own article. First up: Cath Goulding.
If anyone knows the cybersecurity arena, it’s Cath Goulding. She has spent more than 20 years in the industry: 15 with GCHQ and 7 with the .uk domain registry, Nominet. Cath kindly agreed to share the valuable lessons she’s learned with our tech leader guests. Like them, we were all ears.

Connect with the Board
Cath began by looking at what can be the most frustrating element of a CISO’s job: explaining to a Board why investment in cybersecurity is essential. Her three cast-iron reasons came down to the following: (1) to avoid security incidents and disruption to the business, (2) to meet an ever-growing list of compliance and legislative requirements, and (3) to build trust in the business, earning a reputation as a safe, secure brand. “Some security professionals say that Boards just don’t understand,” says Cath. “But Boards understand risk. You just need to translate it for them. Explain the impact of an incident and how likely it is,” she advises. “It’s an opportunity and should be sold that way.”
Think differently about recruitment
For Cath, the biggest risk to security is the lack of qualified professionals: “Ever since I started in this field, we’ve been short of people.” Her solution is a practical one: hire a broad mix of talent, from techies to business-orientated professionals. “After all,” says Cath, “there’s no such thing as this unicorn, the security professional who knows everything.” She also advises tech leaders to think differently about recruitment by looking at people’s potential. For example, an auditor could have the skills to make a good CISO.
Do your best to measure
If the biggest risk to cybersecurity is people, the hardest part is measurement. Although Cath doesn’t have all the answers, she suggests a useful tool: a capability maturity model. This helps CEOs understand their organisation’s current security position. “They can use it to make informed decisions,” says Cath, “and then you’re likely to get more budget!”

Don’t believe the hype
Cath’s next tip? Beware of the cyber hype. Infosec is a huge marketplace, with many snake oil salesmen. If you have to venture into this arena, Cath recommends a sceptical mindset. “Ask what the product or service actually does and get proof of value.”
Be prepared
Cath’s next lesson came from the book of common sense: when it comes to cybersecurity, prevention is better than cure. She highly recommends two-factor authentication, on personal email accounts as well as business systems.
Think about culture
Finally, Cath stressed the importance of workplace culture in cybersecurity. She illustrated her point with a story about how she got her team to switch to more secure working practices through a competition. “If you have a positive culture and environment, it will make you as an organisation much more secure,” says Cath. “Training and the human aspect are massively overlooked.”
In summary…
To finish, Cath gave a list of questions that tech leaders should be asking CISOs:

Do we know what to do if there’s a major breach?
Is our most important data backed up?
Is our infrastructure fit for purpose and future proof?
How confident are we in the security of our products and services?
What are our top three risks and what are we doing about them?
How well do we trust our suppliers?
How are we measuring the effectiveness of our cybersecurity?

We hope you’ve found Cath’s lessons as useful and interesting as we did. We’re very grateful to our fantastic guest speaker for sharing her wealth of experience. Many thanks to Cath Goulding and to everyone who made it to December’s Leaders In Tech | Reading.
Look out for details of the next event on our social media channels.