How CBA’s CISO transformed a disparate cybersecurity team

Managing people and workplace culture have become key responsibilities for Keith Howard since he took on the role of CISO at Australia’s largest bank. He believes they’re crucial to retention and helping the wider company understand the importance of cybersecurity.


When Keith Howard was appointed the Commonwealth Bank of Australia (CBA) CISO, he inherited what he described recently at the Gartner Security Summit as five different teams within cybersecurity.

It had taken CBA more than a year to find a permanent replacement for its CISO, following the sudden departure of its external recruit Yuval Illuz at the end of 2018. The search ended with the appointment of Howard, who had already been with CBA for four years, and at the time was the bank’s CIO for product and marketing and general manager of its customer engagement platform.

Howard explained that the lack of “final authority” for the substantial amount meant that roles and responsibilities within cybersecurity teams became blurred. “I think when there isn’t precision on that, it can cause teams to occasionally step on each other’s toes, things can fall between gaps, and we’ve got to remember in cybersecurity there are not many black and whites, but lots of greys,” he tells CSO Australia.

In a bid to bring cohesion back to the disparate teams, Howard took a three-fold approach: setting a mission statement that clearly outlined roles and responsibilities inside and outside of cybersecurity; reorganising the teams; and defining their purpose and strategy. “Culture ultimately is made up of four things: people, tech, process, and policies. The easier you can make it for people through the processes, through the policies, through the technology, it is easier for them to get the job done,” Howard says.

He acknowledges that the role of a CISO is no longer concerned with just technology, but people and culture too.
