When Keith Howard was appointed the Commonwealth Bank of Australia (CBA) CISO, he inherited what he described recently at the Gartner Security Summit as five different teams within cybersecurity.

It had taken CBA more than a year to find a permanent replacement for their CISO, following the sudden departure of their external recruit Yuval Illuz at the end of 2018. The search ended with the appointment of Howard, who had already been with CBA for four years, and at the time was the bank’s CIO for product and marketing and general manager of its customer engagement platform.

Howard explained that the lack of “final authority” for the substantial amount meant roles and responsibilities within cybersecurity teams became blurred. “I think when there isn’t precision on that, it can cause teams to occasionally step on each other’s toes, things can fall between gaps, and we’ve got to remember in cybersecurity there are not many black and whites, but lots of greys,” he tells CSO Australia.

In a bid to bring cohesion back to the disparate teams, Howard took a three-fold approach: setting a mission statement that clearly outlined roles and responsibilities inside and outside of cybersecurity; reorganising the teams; and defining their purpose and strategy. “Culture ultimately is made up of four things: people, tech, process, and policies. The easier you can make it for people through the processes, through the policies, through the technology, it is easier for them to get the job done,” Howard says.

He acknowledges that the role of a CISO is no longer concerned with just technology, but with people and culture too.

The days of having a CISO being just about security technology are past, says Howard.
To him, it’s now just as much about communication, problem-solving skills and how to lead, in particular, in an area where there’s so much competition for great talent.

“Ultimately, technology is the playing field, but all the actors are human beings, so culture is going to be fundamentally important. The reason why people are compromised is either the threat actors, or it could be somebody has not configured the system appropriately, or they’ve clicked on a phishing email, or they didn’t patch that vulnerability, therefore culture is very important in ensuring the basics are done because it’s about the people.”

How CBA’s CISO demystified cybersecurity across the bank

One of the other key responsibilities that has landed with Howard since he took on the CISO role is the need to “demystify” cybersecurity and educate the wider organisation about it.

“[It’s] a top to bottom and left to right kind of job because you really want an understanding to propagate amongst everybody that you can't just look to a cybersecurity team…it needs everybody to be involved in that,” he says.

Communicating the ‘why’ and the ‘why now’ is fundamentally important, according to Howard. “I like to use an example like phishing campaigns — if you don't engage and help the organisation understand why they're being phished, it can sometimes feel like a bit of a negative experience because you're trying to ‘catch me out or something’, so you've got to make sure that you're communicating ahead of time what these things are,” he says.

He believes creating this narrative around the need to respect cybersecurity professionals and their roles is a fundamental aspect of ensuring a high retention level, which is a common challenge currently faced by many organisations globally.
“It’s the respect for the capability, the respect for the profession of cybersecurity,” he says. Howard explained that this comes down to listening to someone’s findings and then taking action on what has been found. He believes that this respect across the organisation for the cybersecurity team influences retention rates as well.

He believes this level of respect that has developed internally within CBA for the cybersecurity team has started to really show. “You can definitely see the interest and knowledge about the threats have increased immeasurably. I'm pretty chuffed when I walk around the group and the number of people that stop me that are not in cybersecurity, but just to have a chat in general about, ‘I saw this. What does that mean for us?’,” Howard says.

He added it’s also important in any role, however, to stay curious and make time to reflect. “The life of a cybersecurity professional can be pretty serious…[but] it’s very important that you maintain a sense of perspective. You might do that by keeping a close-knit circle of friends that just do very different jobs from you that you can catch up with and have a chat with them; they might be dealing with something far more [serious] — they might be a surgeon. So, maintaining that sense of perspective — in terms of zooming out — is I think something that's just good for you to do,” Howard says.