This quasi-government organisation employs about 400 researchers and administrators and delivers research services, together with EU, US and other overseas government and educational establishments, to plot all activities in the North Atlantic that require analysis and monitoring. The organisation collects and analyses information on the spread of disease, wildlife stocks, environmental and human non-military activity and other activities, some of which are highly sensitive.
The CEO and the Senior Leadership Team (SLT) are required to manage an organisation delivering world-class analysis, interpretation and information to government sponsors and universities alike. The protection of that information and the underlying data is key to the success of the organisation. Hitherto the SLT had been concerned that the level of Information Security had been basic and not fit for purpose in an ever-changing world of cyber threats and increasing vulnerabilities. The whole reputation of the organisation was at stake.
Appointing an experienced IS Leader would add senior experience and support to the SLT to help define what they needed to do, execute difficult decisions regarding cyber security and data protection and prepare realistic CapEx and maintenance budgets, whilst continuing to steer the organisation in a direction commensurate with its vision, principles and values. At no point could the organisation risk its reputation nor its ability to deliver world-class insights to its important government and research institute stakeholders. There was clear and present danger of a cyber attack and its avoidance was mission critical.
The CISO is the senior-level executive within an organisation responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance (e.g. supervises the implementation to achieve ISO/IEC 27001 certification for an entity, or a part of it).
What the IS Leader / CISO Did
Provided leadership and took the organisation to a higher level of security and readiness
On starting the assignment, the CISO provided digital leadership skills, capable of empowering and leading the IT team to meet business and IT security goals. Through solid people management skills, providing direction, monitoring performance, motivating staff and building a positive working environment, the CISO was able to adapt to a fast-moving IT landscape and keep pace with the latest thinking and new security technologies. Because the CISO has a passion for technology and security safeguarding with a desire to deliver, thriving on change and with an impressive ability to help drive the IT security strategy forward, the SLT were confident the organisation was in safe hands.
The CISO has an analytical mind capable of managing numerous information sources and providing data analysis reports to senior management as required, managing several concurrent projects and prioritising demand. The CISO's creative thinking, looking at alternatives and considering new ways to solve problems, eased the forming of business partnerships that in turn helped drive the security strategy forward.
The CISO has a strong customer focus and was able to meet the demands of internal and external customers. With excellent verbal and written communication skills, addressing direct reports, senior management and other stakeholders alike, the CISO was at all times on top of multiple issues.
As well as keeping fresh the strategy for the deployment of information security technologies, updating IT security risk assessments and reporting to the SLT on the latest ways to minimise threats, the CISO constantly monitored security vulnerabilities and hacking threats in network and host systems and communicated with key stakeholders about IT security threats. By tracking the latest IT security innovations and keeping abreast of the latest cyber security technologies, the CISO ensured business continuity, and by implementing an effective process for the reporting of security incidents over and above existing Business as Usual arrangements, facilitated the timely investigation of reported security breaches. The CISO was responsible for developing future strategies to handle security incidents and trigger investigations, and by championing and educating the organisation about the latest security strategies and technologies, and monitoring quarterly progress, improvements were assured.
The CISO created an environment for confidence, safety, security and reassurance.
- As a quasi-government organisation, it was paramount that standards were met and maintained at an international level.
- Delivered IS services into every part of the organisation, both onsite and at sea.
- Successfully kept CapEx and Maintenance budgets within the 5-year plan agreed upon by the SLT prior to the start of the CISO engagement, despite spiralling costs and an exponentially increasing threat environment.
- Successfully renewed security supplier contracts for another 5 years without increased cost but with increased threat monitoring capability, onsite and at sea.
- Maintained compliance with ISO and NIST information security standards.
- Kept Cyber Insurance renewal premiums to a minimum working closely with underwriters to ensure mutual understanding of perceived risks and threats.
- Maintained full Thycotic Mapping compliance across the whole organisation and threat landscape.
- Maintained customer satisfaction and confidence throughout.