Security Expert Interview Series: Guillaume Ehny
The following is an interview with Guillaume Ehny, CISO at GoHenry, the prepaid debit card and financial education app for kids aged 6-18. His background and formal training are in project management, and he worked for large multinational corporations before switching to start-ups, security, and financial services. Guillaume focuses on working with organizations to communicate and reduce information security risks so that they can achieve their business objectives and vision.
1. Firstly, thank you for taking part in this campaign, Guillaume. How did you first get involved with information security? Could you share a project or inspiration with us that prompted your involvement?
Thank you for the opportunity. I got involved in security by accident, as was often the case 10 years ago. I joined a financial services startup as a project manager and my first assignment was to ensure the achievement of PCI DSS Level 1 compliance within 6 months. A lot of hard work and collaboration later, we managed to achieve this milestone and so my interest in information security was born. Following this, I had the opportunity to make the switch to information security manager and the rest is history.
2. We noticed that you are currently serving as Chief Information Security Officer (CISO) at a financial services company. Could you please tell us what are the major challenges that excite you in that position?
The major challenges are also surprisingly major opportunities. One of the characteristics of financial services companies is the pace of innovation, transformation, and delivery. Keeping up with them and managing periods of growth are forcing us to continuously question our choices to make sure we’re aligned with the business vision and are able to provide the best and adequate support with the resources available.
3. Based on your experience, what do you think are the most essential soft skills that a CISO should possess?
As a CISO, you are expected to be the subject matter expert, able to answer any technical query but also able to communicate it with a range of stakeholders, with different levels of understanding in the security or technical realm. An important skill the CISO needs to master is emotional intelligence and its core components, self-awareness, self-regulation, motivation, empathy, and social management. All these are critical to maneuver through the daily interactions with a range of individuals, from employees to board members, understanding their goals and expectations and adjusting your discourse accordingly.
4. As a matter of fact, insider threats are a massive problem for organisations across many industries, particularly now with new remote-working arrangements. How can financial services companies stop and prevent these threats?
In short, investing in people. Wellness and appreciation for our teams is the best way to deal with this phenomenon. If we manage to keep our teams motivated and engaged, they are less likely to turn on their companies and colleagues. The last few years have been difficult for all of us and the uncertainty of employment has increased the dissociation of the company with its employees. Creating a culture of mutual support is key to restoring this trust.
5. What advice would you share with other CISOs when it comes to communicating a ROI for security investments to other stakeholders?
Each Board has its own language. Both the Board and the CISO need to be fluent in it and, as for any spoken language, it requires regular practice and effort from both sides. Don’t be afraid to ask what they expect from their CISO and their security function, in general, to be able to adjust the communication. On the other side, as a CISO, you need to understand the business, its processes, missions, and how it makes money, otherwise, the objectives of both parties will be misaligned. This exercise is a continuous effort from all that will bring benefits and ROI in the long run.
6. What do future information security careers look like? Any strategies you would like to tell us about to future-proof a career in this industry?
Little by little we see CISOs reporting to COOs, CIOs, or even CEOs instead of the default CTO. It translates a shift of perception in what the CISO role is, allowing it to become a business leader and strategic asset. With the growth of ESG plans into organizations’ strategies and the role the security programs play in its three components, senior security professionals will be expected to bring in soft skills as much as technical skills and to be able to understand and communicate on threats based on the geopolitical landscape.
7. What significant changes do you see occurring within the information security market over the next 3 to 5 years?
Hopefully a better diversity in the sector. There are a lot of groups and individuals doing tremendous work out there, guiding, mentoring, and training young and less young students and workers curious about information security. Beyond reducing the current skill gap, it will foster a diverse community of thinkers much needed to solve the problems of today and tomorrow. All that is needed is curiosity and a desire to reach out, there will always be a hand offering to help and support because that’s what information security is, a supporting function.