The modern CISO: A cyber risk leader who partners with the business and the board

“My journey in cyber security started with hands-on security 101. After obtaining my degree in telecom and network engineering, I took a job in a remote access support team. I had opportunity to gain experience in hands-on security engineering. I really enjoyed that time in my career and after a few years, I moved on to expand my know-how in project management, where I was managing cyber security for large global merger and acquisition projects. That was when my career really took off.

I started focusing on cyber security operations, incident response and vendor risk management and increasingly gaining leadership responsibilities with security and risk governance roles. I became accountable for running, controlling and strengthening information security protection, managing budgets for the global function as well as for global projects. I also gained valuable experience in working in a highly regulated environment and from managing a global and diverse team.

My hard work payed off and I became responsible for Novartis’ biggest division: Pharma. I was accountable for setting and executing the overall cyber strategy, leading a worldwide organisation and ensuring that the global Pharma business and overall commercial – “go to market” – IT products, projects and services were developed and delivered in a secure and compliant fashion. This role also came with increased managerial and budget responsibilities. Prior to my appointment, this role and organisation did not exist, so I designed and established it from scratch, hiring the people I needed along the way.

When I was asked to become Panalpina’s CISO, I had to say yes. I knew this was the opportunity for me to really shape the organisation’s cyber security vision and have a real impact on society. At Panalpina, I report directly to the CIO and the Board; I’m shaping the organisation’s security vision and strategy and focus on delivering value to Panalpina and its customers. I also sit on advisory boards of leading IT technology companies, cutting-edge start-ups and global security forums."

For Daria, taking a position as CISO meant more than just keeping her organisation secure on a day-to-day basis. Daria looked at the bigger picture:

“You need to think about what it is you want to achieve, what you want to focus on to add value to the business and your customers”.

Daria’s motivation is as clear today as it was when she first became a CISO:

“I want to make a positive impact on the company I work for as well as on society in general”.

At Novartis, her purpose was very clear: participate in giving back to those who are ill. Then, when she became a CISO, she made sure she joined a company whose culture and priorities lined up with her aspirations. As a cyber leader, she sees herself not as the head of the department of “no”, but as an advisor and manager of a great team and a steward of data, information systems, and resources. She understands that, as a CISO, she will influence major decisions that affect real people. At the same time, the world of transport and logistics is relatively new to the digital realm, making Daria’s role as CISO a green field. By bringing her experience and expertise, she is not only helping her company, but also her industry.

Daria’s aspiration to help others is fed by her understanding of what cyber security is:

“A few years ago, many equated CISOs with IT. The role was seen as that of securing a company’s systems; nothing more. There was no talk about security as a competitive advantage and business enabler, let alone ethics”.

Oh - how things have changed! In 2017 already, 87% of FTSE 100 companies identified cyber as a principal risk . With this increase in attention, boards are now paying close attention to the topic and increasingly include cyber security experts. This shift comes hand-in-hand with an increased scope for cyber security roles:

“Cyber security went from covering only IT to more broadly addressing risk. It’s also about resilience: preventing incidents while ensuring the company pulls through in the event of an incident”.

In addition, data protection laws and regulations such as the EU’s GDPR protect individuals’ privacy as a fundamental human right, reinforce the notion that this field has a direct impact on people’s lives, both at home and in the workplace and for all age groups.

The time when the line between the physical and digital worlds was clearly defined is long gone and, as a result, cyber security has become too important to be exempt from morals and values. What we can learn from Daria is that it is essential for cyber leaders today to understand the implications of their actions on people’s lives and to be able to stand behind their decisions whatever happens.