Serendipity and sacrifice – a CISO’s path

15th February 2019

Sarah Rees headshot

Sarah Rees

Lachlan George, Group CISO for Nando’s, never planned to work in information security. He never even planned to study technology at university, setting his sights on a law degree to satisfy an interest in social sciences and business. But then he landed a technology scholarship and “within six months I was completely fascinated,” he recalls.

Another serendipitous piece of the puzzle was his choice of institution; Queensland University of Technology, which ran what was then one of the world’s first information security programmes. He emerged from higher education with cyber security experience at a time when the discipline was only just becoming important, his CV arriving at Deloitte Australia just as they established a new cyber security consulting function.

“I think they were surprised I had cyber security experience,” he admits, “it just didn’t really exist back then. When people ask me how to prepare for a career as a cyber security professional I don’t know what to say. I liked technology, but I never wanted to be stuck in a back office as the IT guy. Luckily, the roles in cyber security have become exactly what I was looking for – high level strategic stuff, governance and risk management. It’s all just fallen into place.”

He undersells himself. While timing has served Lachlan well – his was, for example, working with BAE Systems as part of the team sent into TalkTalk in the aftermath of the breach, and tasked with re-building the cyber security function from the ground up – but he has also worked incredibly hard in a series of demanding consultancy roles. “I pretty much did nothing but work through my twenties, and in my evenings and weekends I was reading up on cyber security,” he says. “I sacrificed a lot.”

It turned out to be ideal training for the Group CISO position he took up in late 2018 with Nando’s. “It’s a different role, but a lot of the projects that I ran as a consultant I am now running internally instead,” he explains. “It’s good to finally have the authority to make decisions, rather than trying to persuade others to do so.” Yet he is also grateful for those years of honing stakeholder management strategies as a consultant – these help him drive changes across the huge multinational corporation he now finds himself in.

“It’s hugely challenging,” he says. “My strategy is to start small, identify where the issue is most acute, then work with one team to explore a new approach. Pilot it, make it work really well for them, and then they can then serve as advocates for the other teams. This approach is far more successful than trying to make holistic changes across the whole business or simply being the authoritarian CISO – I’ve come across those, and it never works.”

He has also witnessed the failings of the CISOs with too much governance experience and not enough technological understanding. “This job is 75% stakeholder management, but you still need technical understanding. You need to know enough to ask the right questions, to earn the respect of your tech team and to be able to spot the b******t.”

A foundation in tech also helps the CISO to make informed decisions about cyber risk rather than behaving reactively, as Lachlan believes many are doing. “Too many companies are just paying lip service to security. They’re anxious, but they often don’t know what to do about it. And the cyber security market is a minefield – companies are just spending money on products without first identifying the problem that needs solving. We forget that technology is only there to solve problems.”

Lachlan believes that many of the internal issues that leave companies unprotected stem from the common misunderstandings about what a CISO should do; even the name is “odd” he says. “You aren’t truly part of the C-suite, you shouldn’t be really. Cyber security is just a subset of risk management and should in most cases report into the Chief Risk Officer or similar.”

The person responsible for information security also needs to be agile and adaptable in approach, seeking to remain in tune with the wider business objectives while still pushing for secure systems and approaches. “I like it when everyone is happy,” Lachlan says. “If I can link business objectives to the technical aspects of security, delivering a technical solution that mitigates risk and enables the business – such as improving the user journey or give the business confidence to launch a new product – that’s ideal.”

Lachlan’s strong ideas on the role of a CISO guide his work but don’t send him to the conference circuits to preach. “I do wonder how those CISOs who seem to appear at every major conference have time to speak at all those events if I’m honest – I’ve got too much to do,” he says. In fact, he is trying to strike a better work-life balance in his new role than previously.

“Now is the time for consolidation, and if I can manage it, a bit of a rest!” he says. “I’ve just finished an MBA which I did part time while working in my previous role, I’ve just changed jobs and we’re exchanging contracts on a house that will need renovating,” he lists. He is also engaged, so a wedding will likely be on the cards in the coming years, plus he always needs to find time to keep in touch with his parents, who follow his career keenly from Australia.

“They are interested in what I do, and surprised I think,” he says. “They say, ‘but you were never really into technology’! But they’re happy that I’m happy. Yes, I never had any clear plan, but I have always been ambitious and pursued the opportunities as they became available. This is the end product of that – and I love what I do.”

Read Nominet’s report ‘Life Inside the Perimeter: Understanding the Modern CISO’ and find out more about the life of a CISO in our interview with Vicki Gavin, best known for her role as CISO for The Economist and now at Artemis Fund Managers.