“Most organisations don’t understand what the role of a CISO should be,” laments Vicki Gavin, an information security specialist perhaps best known in the industry for her nine-year spell as CISO for The Economist. “I’d say 75% of CISOs are actually senior technologists, but we should be leaders. I’m a leader.”
Vicki, soon to be starting as CISO for Artemis Fund Managers, admits she actively avoids working for a company that doesn’t respect the way in which she needs to operate to keep them safe. “When I go for interviews these days, it’s a two-way thing,” she say
“Fundamentally, the security team is managing dynamic operational risk and needs to be able to work across the whole business,” she explains. “I think the CISO will eventually disappear into an operational role, likely becoming part of the role of chief operations officer.”
In some ways, the idea of a CISO could last just one lifetime – approximately the length of Vicki’s. “This job didn’t exist when I was studying,” she says. “I grew and evolved with this industry, and this job. That shows there is no point trying to train young people for the jobs of tomorrow when we can’t possibly know what those will be.”
So how, then, do we ensure the next generation has the cyber security skills and interest required to meet the growing demand? Vicki is uneasy about the current zeal for technical skills like coding at the sacrifice of subjects such as arts and humanities. She advocates a more general and broad approach to education to forge the adults the industry will need.
“All the greatest scientists were creative people – you need imagination alongside the science skills,” she says. “And we forget the basic skills: writing, reading and arithmetic are crucial for everything. We need to focus on basic skills and create adults that are adaptable.”
Importantly, she says, “There needs to be a realisation that information security doesn’t require some special skill set.” Being able to solve problems and adapt to changing environments is more crucial than any specific technical knowledge for those who will handle information security tomorrow.
Vicki is an example of this working in practice. She pursued her prodigious skills in science and maths at school to a degree in physics at university in her native Canada. Her involvement with technology came by “pure chance”; an ambitious professor purchased a computer out of curiosity and employed her for a summer to “figure out how it worked”.
“It was the best job,” remembers Vicki with a laugh. “I read the manual, and then taught it to play blackjack.” The professor persuaded her to write her thesis on a word processor – the first student at the university to do so – but she had no sense of having found the instrument that would shape her future career. “To be honest, I was telling everyone ‘I never want to work with computers’,” she says. “They seemed boring once you knew how to use them.”
Indeed, technology itself has never been the most compelling part of being an information security specialist. “I live my life by the credo that you should do what you love and love what you do. I’m a puzzle person. I like having a puzzle in front of me that no one can solve and figuring out how to put the pieces together.”
She is also a people person; another attribute she sees as crucial to the success of a CISO. “In a company, we’re all on the front line together,” she says. “I work to get that message across and empower people to participate in the defence. I inspire trust and put my trust in them in return.”
She speaks with extensive professional experience on her side, but credits her daughters for having taught her the key lessons. “People laugh when I say it, but it wasn’t until I became a mother that I discovered how to be a good leader. It’s the same skill set: never forcing but helping them to understand the world around them and be the best they can be.”
Ultimately, though, there are times when the CISO must step up alone, and Vicki has the confidence to bear that responsibility. “I can cope with the pressure of trying to make a decision when everyone is screaming at me”, she says wryly, and she has developed strategies for making rational decisions even while each second of delay causes damage and financial cost.
“I quite enjoy the challenge of it,” she says, “and I still like not knowing what each day will hold. I often think CISOs need to be like the traditional cowboys sometimes, like the guys who roamed the range. We’re able to be very independent, and enjoy the challenge of believing that it’s just us against the world.”