What does a CISO actually do?

8th November 2019


Cath Goulding

Cath Goulding
CISO

While it’s generally understood that the Chief information Security Officer (CISO) of an organization is responsible for the information security of the business, one of the questions I’m often asked is what being a CISO involves on a daily and weekly basis.

At Nominet – the registry for the .UK domain – we run IT infrastructure that is critical to internet operations in the UK. This means we have more oversight than most organizations, and yet many of my tasks will still be similar to CISOs in general. To demonstrate the breadth of work as Nominet’s CISO, here are some of the things on a typical to-do list:

Monitoring potential disruptors

Technology never stands still, and neither do the cyber criminals. Keeping up-to-date with threats, vulnerabilities and the changing environment are key parts of the role. My team will be analyzing the multitudes of information we collect via our monitoring systems, subscriptions to data feeds and contacts from various groups, and then make decisions on our response. Occasionally an issue may need to be highlighted to the business, which can involve ‘translating’ complex technical information into a form all can fully understand. A recent example was the Global DNS hijacking incident that has affected multiple organizations in our community and is an ongoing threat. We assessed the impact on Nominet and ensured our defenses were equipped to deal with the threat. We believe it is important to support the whole community, so we also provided and analysis and briefings to our partners, helping foster a broader understanding of the risk.

Strategic planning and risk analysis

I compile various security reports to provide oversight of our security posture. These could be for our Board, the Senior leadership team, part of UK Government or my colleagues. The breadth and depth of detail may vary but the messaging needs to be clear and any recommendations be considered and justified. I aim to highlight successes as well as concerns, as security should be seen as a strength to our business. If a change in direction is required, I will often present the recommendations to my colleagues, providing an opportunity for the wider business management and leadership team to ask questions and for us all to agree a strategy.

Culture of Security

Creating a workplace that keeps security front of mind is a priority. All our new starters receive a security induction session to ensure they understand what our policies are and how we expect them to behave to keep Nominet secure. These are largely relaxed and informational so that people to feel they can ask for help and flag up anything suspicious without fear of punishment.

We also run a ‘Security Competition’, with the whole company split into teams and points awarded or deducted for various security behaviors. A central security platform manages the competition and incorporates training materials, phishing simulations, risk assessment surveys and incidents. Everyone, from the reception team to the CEO, has a part to play in security and is considered our first line of defense.

Supporting the wider business

It’s important to support the activity of other business units, such as recently attending a CISO dinner in New York with our Cyber team. My attendance helped them to share best practice and raise awareness in the US of the work we do as CNI to keep the .UK domain namespace safe and secure. We also socialized our cyber security product, Nominet NTX, which operates at the Domain Name System (DNS) level to predict, detect and mitigate cyber threats. Another key talking point was our recent CISO research, Life Inside the Perimeter: Understanding the Modern CISO. Events like these are an excellent opportunity for relationship building and discussing external cyber threats and security risks with fellow CISOs for their point of view.

Service provider meeting

Like most businesses, Nominet outsources some services. Part of my role is to regularly meet up with the providers to maintain strong working relationships and keep track of their operations to ensure they are as secure as we need them to be. Information security is a serious business; we complete reviews and audits of providers’ work regularly and will replace them if required to ensure we maintain the integrity of our security systems.

Review everything ‘new’

Everything that is new at Nominet – products, services, or even our buildings – must be reviewed to ensure they meet our existing security standards and don’t create new vulnerabilities. This can be difficult, as it’s so easy nowadays to subscribe to a new online service, so educating staff on the importance of security is crucial. Staff need to know what questions to ask of a new supplier to make sure they can be trusted with managing our data. I also support Nominet when we are bidding for an external contract, such as seeking new business, as increasingly we need to share details of the security measures we have in place to provide assurance to the potential partner.

Advocacy

Opportunities to help educate the wider public on cyber security are often available. This might include providing comment to be sent to media following an incident, sharing insight for blogs to be posted externally or on our website, or being interviewed live on TV for the BBC. I know that being a woman in this role is rare, so it’s important to be visible and take part when time allows.

Inspire the next generation

I’m passionate about young people and the potential they have in our industry, so take part in events or activities that target them. Recently this has included giving talks at local schools, speaking at one of the National Cyber Security Centre’s CyberFirst courses, and writing blog posts that show younger readers why my job is so fun. A colleague’s daughter even took over my role for the day in Takeover Challenge! I’m fortunate that Nominet supports and encourages youth engagement and recognizes the importance of getting the next generation excited about cyber security and roles in technology.

Team management

Like most people, there are far too many things going on for me to do them all myself. I have a fantastic team of people to whom I delegate tasks such as analyzing data and researching, or monitoring campaigns and initiatives we are running. I couldn’t do my job without them. In my opinion, the key to success is having a supportive, reliable, capable, engaged and friendly team. With that in place, every day is something to look forward to as you all take a step in the same direction

In honesty, no two days are alike when you’re a CISO; I am always learning something new or being challenged in a new way. Cyber security is an endlessly evolving landscape and one in which being open-minded and agile are vital, not to mention being creative and always planning, keeping the business prepared for whatever might happen.

Does it sound like something you’d enjoy? We are always looking for enthusiastic people to join our cyber team and help us in our work to keep the country’s namespace secure. If you’re interested, visit our careers page to find out what openings we have and get in touch.