John Taylor on How to Achieve World-Class Cyber Security

Having worked in several industries over his career, including government sectors, insurance, and consulting, John emphasises the importance of diverse experiences in building knowledge and skills. 

A key challenge in cyber security has always been hiring good people. But more so today, finding talent with the necessary breadth of experience is hard. The issue? Frequent job hopping hinders learning from mistakes. Actual growth comes from facing and overcoming challenges, the “hard knocks” that build resilience and crucial skills.

Good leadership is crucial for allowing people to learn from their experiences. Leaders who create an environment where employees can learn from successes and failures empower them to reach their full potential. 

While nothing beats firsthand experience, the past few years have seen a positive shift in cyber security. Openness to sharing lessons learned has increased significantly, providing valuable insights that complement on-the-job experience.

Mental health is becoming a recurring theme in conversations with cyber security leaders.

Cyber security roles come with high stress and accountability, creating a significant mental health challenge, John explains. This high accountability is why some people avoid taking leadership positions altogether.

Organisations must prioritise mitigating these burdens, particularly on CISOs. While completely removing blame from security leaders might be unrealistic, a change is necessary.

Fostering a shared responsibility environment and promoting learning from mistakes can significantly reduce stress.

It’s also up to security leaders to learn to let go. Clearly explaining challenges to the board fosters collaboration and informed decision-making. However, effective leadership also involves learning to move on after those conversations.

John notes that technical skills are not as important for CISOs as they used to be. Relationship-building, communication, and influencing are crucial for navigating leadership roles today, including the complex dynamics of budget allocation.

In any organisation, the cyber security budget is both a tool of strategic influence and a responsibility of custodianship.

Competition for funding means security leaders must justify needs against other spending priorities and communicate value and ROI to secure appropriate budgets. However, with influence comes responsibility for budget execution and outcomes.

As the budget holder, the CISO must develop a security program and allocation that aligns with organisational priorities and risk appetite. Since you can’t do everything, the budget must focus on top risks, not “gold plating” security.

Governance, awareness, and incident response are the most important areas that CISOs can focus on, and they can lead to world-class security, John believes.

• Governance, often viewed as bureaucratic, is really about having conversations to get agreement on priorities. This builds budget alignment and accountability across the organisation.
• Awareness builds support for the program while enhancing defences. The best cyber security practitioners are often not the technical masters but the skilled communicators who can translate concepts for any audience.
• Rapid response and recovery from security events justify budgets while informing new risk priorities and control implementations. This delivers tangible value and outcomes.

Each pillar is interdependent and reinforces the others when executed effectively.

A persistent theme in cyber security is the prevalence of arrogance, affecting both suppliers and security leaders. While natural in competitive and complex fields like cyber security, arrogance can become a barrier if it reduces openness. 

Arrogance is less prevalent in organisations that promote openness, honesty, and empowerment, John observes. Admitting failures is difficult but important for continual learning and improvement.

When it comes to vendor relationships, despite big promises in the sales process, it often comes down to relationships. Is the vendor looking just to close a deal or to add real value to the business? 

Everyone is optimistic about success at the beginning of projects, but how many work perfectly? Few suppliers openly admit their failures for fear of reputation impacts. 

As custodians of security programs, CISOs must manage suppliers through robust processes. This includes considering all potential risks upfront and assigning dedicated vendor managers. When reporting upwards, they must discuss the full picture and ensure the board is comfortable with exposure levels.

Overall, both buyers and suppliers need to develop more maturity and be transparent about failures with each other. Suppliers also need frameworks for accountability in admitting shortcomings and achieving success.

At Chaleit, we couldn’t agree more that the success of cyber security initiatives depends on strong relationships. By prioritising collaboration, transparency, and accountability, we add genuine value to organisations and help CISOs effectively manage complex challenges.

We also encourage knowledge sharing through our conversations with top security leaders. Subscribe to get video updates, and let’s talk solutions.