CISO Interview Series: Stéphane Rosa
What makes a good CISO? Having launched our CISO interview series, we wanted to look at the factors that set successful CISOs apart. This interview with Stéphane Rosa (CISO at ELCA) was conducted in September 2020, and sheds some light on what working as a CISO looks like, the critical success factors a CISO must have, and ways to attract more people into this dynamic field.
1. We would like to get some background information about yourself. What’s your background?
I have a very mixed background. My first diploma was as a Software Developer in the early ‘90s. I then moved into Network Architecture, then back to Software Project Management, then again to Network & Security, to finally focus exclusively on Information Security since roughly 2010. In parallel, and over many years, I slowly pursued a Bachelor of Science in Information Systems Security and graduated in 2016.
2. How did you come into cybersecurity as a profession?
I’ve always been a techno-geek and hacker since the age of 14, when I discovered modems and BBSs. Learning programming on one side, and network technologies on the other, prepared me for the Internet and the web. Trying to access hidden things on BBSs naturally evolved into doing the same in the early days of the Internet. Doing it professionally was just a matter of opportunity, which surfaced when I was hired by Silicon Graphics, one of the early Silicon Valley companies with a hacking (in the good sense) spirit.
3. What is something you wish you had known when you first went into this career?
Today, the world of knowledge is at hand. A simple natural question, correctly formulated to Google, provides an immediate valid answer on absolutely any subject. When I started it was not so easy to learn things, especially on subjects like systems and network vulnerabilities. I wish I had had so many resources available to learn from when I had the time to do so.
4. Could you explain your role as CISO at ELCA, and what you do at this company?
ELCA is one of the biggest independent Swiss full-service providers for business and technology solutions, and a leader in the fields of IT Business Consulting, Software Development and Maintenance, and IT Systems Integration.
We have a very broad community of talented engineers and provide dedicated and cloud-based hosting for projects as well. We have offshore and nearshore subsidiaries in Vietnam, Mauritius and Spain, as well as several products sold internationally such as SecuTix ticketing systems.
My role is at group level and reports to the CFO. From a CISO point of view, I lead the Information Security strategy of the globally certified ISO 27001 scope. I interface with the Executive Board and all departments (Engineering, IT, Legal, HR, etc.) on a variety of risk mitigation discussions, and I’m also in charge of Enterprise Risk Management (ERM). I am also the Data Privacy Officer (DPO), as required by GDPR and other data privacy regulations. In this regard, I work on customer and supplier contracts for privacy provisions, give advice to solution design teams, conduct Privacy Impact Assessments and Privacy Audits, respond to customer privacy inquiries, etc.
5. It’s a fact that the role of the CISO is highly dynamic. Given that, what is (are) the most critical success factor(s) that a CISO must show to succeed?
There are 3 key success factors, in my opinion.
1. Broad (but not specifically deep) IT technical and operational knowledge. Even though the role of CISO is often strategic and managerial, closer to the Board than to engineers, the CISO must understand all concepts of systems architecture, network architecture, software development, security technologies, vulnerabilities, etc. Without it, it’s very difficult to correctly apprehend threats and risks or take appropriate risk mitigation decisions.
2. Ability to deal with Senior Management. The CISO role should ideally be positioned no lower than 2 levels below the CEO to be effective. This essentially means reporting to an Executive Board member, and by all means it should be a member other than the CIO, to avoid conflicts of interest. It means that the CISO must be able to talk corporate finance (budget, P&L, TCO, ROI, etc.), legal & compliance (security provisions in contracts, DPA, NDA, etc.), human resources (employee awareness, contracts, sanctions, etc.), operations (BCP), facilities (physical security) and any other managerial subject.
3. Capacity to provide solutions, as opposed to becoming the “no-no” guy that everybody wants to avoid. The role of the CISO is to enable the business to grow within the limits of the company’s risk appetite. The personal point of view of a CISO on whether or not something represents a security risk isn’t necessarily the right answer. What is important is to match the company’s risk appetite.
6. What are some of the biggest challenges for a CISO such as yourself at a company like ELCA?
The biggest part of our employee population is made up of engineers. They’re all very creative and agile, so sometimes enthusiasm goes a bit faster than security and privacy processes can cope with. We have also been growing very fast, so there is a lot to catch up on in bringing newcomers to the right level of security and privacy awareness. Finally, we have a very diverse business, so the security and privacy program must cover all software development projects for customers, cloud hosting and managed services.
7. Do you have advice for someone looking to start a career in cybersecurity?
Although it’s possible to become a CISO with an MBA and no technical background, I strongly think that learning the technology is very important. Young people should go deep enough into computer systems and architecture, network technologies and programming. Then spend a lot of time on CTF (catch-the-flag) games online to start practicing hacking and developing logic while having a lot of fun. Later, certifications like CISSP or CEH are a must to acknowledge a skills baseline.
8. How do you think we can attract more young people to this field?
I’m really a fan of war-games, catch-the-flag and other hacking trivia. I think developing some form of Swiss championship for technical schools could bring a lot of young people to the field if the right incentives are present (gamification, ranking system, medals, etc.).
9. Is the cyber security workforce shortage a reality for you? How can this be solved?
I believe it’s always possible to find the right people at the moment, but clearly from an education standpoint there is, in my opinion, still a knowledge gap to fill for younger kids well before they have the opportunity to reach out for HEIG/HES cybersecurity diplomas.
10. Is there any specific advice you can offer leaders in cyber security on how to build a resourceful security team?
Don’t trust the experience and diplomas on resumes too much. When hiring, drive candidates through scenarios and technical and non-technical questions, including very complex questions for which they have internet access. The important thing is to understand how they think, how creative and logical they are, and what their capacity is to quickly find the answer to anything. We’re not hiring computer security books, we’re hiring natural intelligence!