3 Questions with Horizon Power CISO Jeff Campbell

Feedback on CISO Reporting, Journey, Prioritization

Seth Adler
08/18/2020

Jeff Campbell is the Chief Information Security Officer for Horizon Power in Perth, Australia. Zoom has you believing that he is a laid-back individual. That might be true when he's at the BBQ, but when he gets down to business answering key questions about the CISO purview, it's clear that his security posture is anything but laid-back.

We recently had the opportunity to ask him three questions about how he sees what he sees:

What are your thoughts on to whom the CISO should report?

Interesting question. And gosh, if you ask this question across CISOs, some would say they need to be running the organization! My opinion on this has always been that as long as you have buy-in from the executive and have the remit to provide those services, not autonomously but collaboratively, across the organization, then it doesn't really matter.

Now some would say that the CISO function is more of a risk and governance function than a technical one. So maybe the correct reporting line would be through to your audit and risk management committee or the board directly.

But I think we're starting to see that shift now where it's moving outside of technology, and we're starting to see reporting through to risk bodies or corporate governance bodies.

Follow-up: is there a conflict of interest in the CISO reporting to the CIO?

Yep, because if you look at the remit of the CIO, what is it? Is it to enable digital evolution quickly? And sometimes that's in direct conflict with the mandate of the security individual. Because yes, we can do things quickly and securely, but there may be some technological constraints that we have to concede, and that may not fit within the quick, evolutional, agile delivery of those products. So, yes.

What are your thoughts on the evolving CISO journey?

CISOs used to come from a computer science background, in my experience. That's radically changed. When you look at the university programs that are delivering computer or technology professionals, we're seeing CISOs come from counter-terrorism backgrounds, risk backgrounds.

We're also starting to see CISOs come from change backgrounds because of the rapid change in the security landscape, sometimes being divorced from having a deep technical understanding of any specific domain. Being a generalist can sometimes be a benefit, by looking at new approaches.

I think we're going to see more individuals that are rounded, from a business perspective, step into these roles, but don't get me wrong. You still need to have the technical depth, and whether that's surrounding yourself with people that can filter that through to you, or having that yourself, you still need to understand some of those technical concepts to actually know what security approach is best.

How is it possible for CISOs to prioritize? How do you prioritize? What do you suggest for others?

It's all got to be based on risk. Tapping into the corporate risk framework at your organization and understanding what they consider to be important as a strategic enabler, and then understanding that security, particularly now in this digital future, plays a very, very important part in enabling those strategic initiatives.

So how do you prioritize? You develop metrics consistent with what your board likes to see around cyber security, as well as how that ties into the delivery of those initiatives. Those metrics need to be framed in a way that is a common language, and the common language at the board and exec layer is risk. And that's how you prioritize.

Follow-up: What might be a quick tool to use to help the board conceive of the business case for a cyber security executive?

A good mechanism is phishing campaigns. When you look at some of the major breaches recently that have caused hundreds of millions of dollars in lost revenue or productivity, they all originated from a phishing email that was inadvertently clicked, followed by lateral movement within the organization.

So a good mechanism is to run what we call culture and awareness sessions. Now what works? Sometimes third party edification is the only thing that will get you across the line, right? They can hear it from you, but you're in the organization. But magically, when someone else starts to say the same thing, suddenly the board starts to, I guess, take notice.

So, I would highly recommend engaging a security awareness specialist to maybe do a board presentation. Frame it in the language that they understand and then translate that to an impact that's relevant to what they're doing.
