Managing people and workplace culture have become key responsibilities for Keith Howard since he took on the role of CISO at Australia’s largest bank. He believes they’re crucial to retention and to helping the wider company understand the importance of cybersecurity.

Credit: Commonwealth Bank of Australia

When Keith Howard was appointed the Commonwealth Bank of Australia (CBA) CISO, he inherited what he described recently at the Gartner Security Summit as five different teams within cybersecurity.

It had taken CBA more than a year to find a permanent replacement for its CISO, following the sudden departure of external recruit Yuval Illuz at the end of 2018. The search ended with the appointment of Howard, who had already been with CBA for four years and at the time was the bank’s CIO for product and marketing and general manager of its customer engagement platform.

Howard explained that the lack of a “final authority” for a substantial period meant that roles and responsibilities within the cybersecurity teams became blurred. “I think when there isn’t precision on that, it can cause teams to occasionally step on each other’s toes, things can fall between gaps, and we’ve got to remember in cybersecurity there are not many black and whites, but lots of greys,” he tells CSO Australia.

In a bid to bring cohesion back to the disparate teams, Howard took a three-fold approach: setting a mission statement that clearly outlined roles and responsibilities inside and outside of cybersecurity; reorganising the teams; and defining their purpose and strategy.

“Culture ultimately is made up of four things: people, tech, process, and policies. The easier you can make it for people through the processes, through the policies, through the technology, it is easier for them to get the job done,” Howard says.
He acknowledges that the role of a CISO is no longer concerned with just technology, but with people and culture too. The days of a CISO being just about security technology are past, says Howard. To him, it’s now just as much about communication, problem-solving skills and how to lead, particularly in an area where there’s so much competition for great talent.

“Ultimately, technology is the playing field, but all the actors are human beings, so culture is going to be fundamentally important. The reason why people are compromised is either the threat actors, or it could be somebody has not configured the system appropriately, or they’ve clicked on a phishing email, or they didn’t patch that vulnerability, therefore culture is very important in ensuring the basics are done because it’s about the people.”

How CBA’s CISO demystified cybersecurity across the bank

One of the other key responsibilities that has landed with Howard since he took on the CISO role is the need to “demystify” cybersecurity and educate the wider organisation about it.

“[It’s] a top to bottom and left to right kind of job because you really want an understanding to propagate amongst everybody that you can’t just look to a cybersecurity team…it needs everybody to be involved in that,” he says.

Communicating the ‘why’ and the ‘why now’ is fundamentally important, according to Howard. “I like to use an example like phishing campaigns — if you don’t engage and help the organisation understand why they’re being phished, it can sometimes feel like a bit of a negative experience because you’re trying to ‘catch me out or something’, so you’ve got to make sure that you’re communicating ahead of time what these things are,” he says.

He believes creating this narrative around the need to respect cybersecurity professionals and their roles is a fundamental aspect of ensuring high retention, a common challenge currently faced by many organisations globally.
“It’s the respect for the capability, the respect for the profession of cybersecurity,” he says. Howard explained that this comes down to listening to someone’s findings and then taking action on what has been found. He believes that this respect across the organisation for the cybersecurity team influences retention rates as well.

He believes this level of respect that has developed internally within CBA for the cybersecurity team has started to really show. “You can definitely see the interest and knowledge about the threats have increased immeasurably. I’m pretty chuffed when I walk around the group and the number of people that stop me that are not in cybersecurity, but just to have a chat in general about, ‘I saw this. What does that mean for us?’,” Howard says.

He added that it’s also important in any role, however, to stay curious and make time to reflect. “The life of a cybersecurity professional can be pretty serious…[but] it’s very important that you maintain a sense of perspective. You might do that by keeping a close-knit circle of friends that just do very different jobs from you that you can catch up with and have a chat with them; they might be dealing with something far more [serious] — they might be a surgeon. So, maintaining that sense of perspective — in terms of zooming out — is I think something that’s just good for you to do,” Howard says.