How CBA’s CISO transformed a disparate cybersecurity team

When Keith Howard was appointed the Commonwealth Bank of Australia (CBA) CISO, he inherited what he described recently at the Gartner Security Summit as five different teams within cybersecurity.

It had taken CBA more than a year to find a permanent replacement for their CISO, following the sudden departure of their external recruit Yuval Illuz at the end of 2018. The search ended with appointment of Howard, who had already been with CBA for four years, and at the time was the bank’s CIO for product and marketing and general manager of its customer engagement platform.

Howard explained that due to the lack of “final authority” for the substantial amount, it meant roles and responsibilities within cybersecurity teams became blurred. “I think when there isn’t precision on that, it can cause teams to occasionally step on each other’s toes, things can fall between gaps, and we’ve got to remember in cybersecurity there are not many black and whites, but lots of greys,” he tells CSO Australia.

In a bid to bring cohesion back to the disparate teams, Howard took a three-fold approach: setting a mission statement that clearly outlined roles and responsibilities inside and outside of cybersecurity; reorganising the teams; and defining their purpose and strategy. “Culture ultimately is made up of four things: people, tech, process, and policies. The easier you can make it for people through the processes, through the policies, through the technology, it is easier for them to get the job done,” Howard says.

He acknowledges that the role of a CISO is no longer concerned with just technology, but people and culture too.

The days of having a CISO being just about security technology are passed, says Howard. To him, it’s now just as much about communication, problem-solving skills and how to lead, in particular, in an area where there’s so much competition for great talent.

“Ultimately, technology is the playing field, but all the actors are human beings, so culture is going to be fundamentally important. The reason why people are compromised is either the threat actors, or it could be somebody has not configured the system appropriately, or they’ve clicked on a phishing email, or they didn’t patch that vulnerability, therefore culture is a very important in ensuring the basics are done because it’s about the people.”

How CBA’s CISO demystified cybersecurity across the bank

One of the other key responsibilities that has landed with Howard since he took on the CISO role is the need to “demystify” cybersecurity and educate the wider organisation about cybersecurity.

“[It’s] a top to bottom and left to right kind of job because you really want an understanding to propagate amongst everybody that you can’t just look to a cybersecurity team…it needs everybody to be involved in that,” he says.

Communicating the ‘why’ and the ‘why now’ is fundamentally important, according to Howard. “I like to use an example like phishing campaigns — if you don’t engage and help the organisation understand why they’re being phished, it can sometimes feel like a bit of a negative experience because you’re trying to ‘catch me out or something’, so you’ve got to make sure that you’re communicating ahead of time what these things are,” he says.

He believes creating this narrative around the need to respect cybersecurity professionals and their roles is a fundamental aspect of ensuring a high retention level, which is a common challenge currently faced by many organisations globally. “It’s the respect for the capability, the respect for the profession of cybersecurity,” he says. Howard explained that this comes down to listening to someone’s findings and then take action on what has been found. He believes that this respect across the organisation for the cybersecurity team influences on retention rates as well.

He believes this level of respect that has developed internally within CBA for the cybersecurity team has started to really show. “You can definitely see the interest and knowledge about the threats have increased immeasurably. I’m pretty chuffed when I walk around the group and the number of people that stop me that are not in cybersecurity, but just to have a chat in general about, ‘I saw this. What does that mean for us?’,” Howard says.

He added it’s also important in any role, however, to stay curious and make time to reflect. “The life of a cybersecurity professional can be pretty serious…[but] it’s very important that you maintain a sense of perspective. You might do that by keeping a close-knit circle of friends that just do very different jobs from you that you can catch up with and have a chat with them; they might be dealing with something far more [serious] ­­— they might be a surgeon. So, maintaining that sense of perspective — in terms of zooming out — is I think something that’s just good for you to do,” Howard says.