CISO Conversations: Interview with Kevin Fielder
By Sistla Vaishnavi. Sistla is an Associate Director at Zeren, based in London and leading the IT Infrastructure and Security function.
Kevin Fielder is a senior executive with 20+ years of experience in the Cyber Security space. Kevin has been the first CISO for many global businesses and is an expert in building and delivering security strategy across complex FTSE100 companies. In his most recent role, he was the Global CISO for FNZ.
Tell us a bit about yourself and your career journey
It’s been a long journey! I have spent most of my adult life heavily involved in two main areas:
- Health and fitness / Training
- Cyber Security / Technology / Team building
I am someone who constantly likes to learn and grow (although seemingly not in height!). I naturally gravitated towards Information Security from early on in my career as I found it to be constantly evolving, focused on problem-solving, continuous learning, and (trying) to stay ahead of the “bad guys”.
As my career has progressed, I have become extremely passionate about helping people and building exceptional, high-performing teams. The teams I have built are probably my proudest career achievements and whilst they seem completely different – I am increasingly observing how human nature leads to many of the same issues across health & fitness and Information Security. Especially around people wanting quick fixes and the sale of ‘snake oil’ products.
You have been the first CISO for a couple of firms as well as worked with more established businesses – can you talk about your experience in these environments?
Both of my CISO roles have been the ‘first CISO’; however, prior to these, I have been in more established teams. Personally, I love to build and deliver real change, and therefore I enjoy roles that are transformational in nature and have the appetite to deliver change. Some people are much better at keeping established things gradually evolving, and some prefer slightly more hectic roles where a lot of change is required. I do not think either is better; it is just different and best suited to different people.
How can a CISO balance security priorities vs business priorities?
This can be a tricky balance to strike, but not impossible. To start off with, it is vital to work across your peers and leadership teams to really understand what the business goals are and, where possible, align the security initiatives with how they support the business achieving its goals.
Once the Security function is aligned with the business goal, you can go on to:
- Quantify risk and risk reduction in terms that relate to business goals and dealing with business risk.
- Understand what your investors value and how you can align with that.
- Understand your organization’s financing: do they favour Opex over Capex? Look to build business cases that align with this as much as possible.
- Review your security initiatives to align with cost savings and/or efficiency improvements
Where should the CISO’s role sit in an organisation to be most effective?
Whilst I appreciate this has been a topic of discussion recently, I personally do not think it matters too much. What matters is being supported to deliver the full breadth of the security programme and being able to access the senior leadership teams and board, to gain support for the programme and report on the current security risk posture.
How has the culture shifted in a Security function?
There have been some big changes from a cultural perspective:
- We have almost completely moved away from an environment of blaming ‘users’ and PEBKAC (problem exists between keyboard and chair) and realize that we are all human and that engaged colleagues are one of our greatest assets as a business.
- We are empowering people more. Especially with a DevOps way of working, we are creating much faster ways to market, with much-improved security when implemented correctly and early in the process.
Personally, I ensure ‘culture’ is a key pillar of the security programmes I build, as it is critical to the success of security in an organization. Ensuring engagement and understanding across all levels of the organization should be any security executive’s goal. I try to use the term ‘culture’ rather than awareness. Whilst it may not be the most grammatically correct statement, I often say – ‘Awareness does not equal Careness’. We must endeavor to help our colleagues understand why working securely is so important and how it will really help them achieve their goals safely.
What has been your experience hiring Security talent?
Security roles that are senior and niche in nature can be challenging to identify talent for, especially with the strong market competition and organizations paying top salaries to ensure they get the best talent. On the other hand, junior Security roles can be filled more easily, as you can be more creative with what you need and focus on soft skills, transferable skills, and the ability to learn.
Having built and grown successful Security teams from scratch, my advice for hiring Security talent would be to:
- Be clear about what the few real non-negotiable requirements are.
- Keep the requirements to the absolute minimum so as not to put people off who do not have a laundry list of skills.
- Value attitude and willingness to be part of the team extremely highly.
- Look at ways to get people into the team from a broad range of backgrounds. I rate apprentice schemes highly to help here, along with looking at people wanting a career change. Think about what new skills and ways of thinking they could bring to your team.
In your opinion, when should a start-up hire a CISO?
This is a difficult question, and it may well depend heavily on the industry vertical and funding arrangements of the start-up. For example, start-ups in Fintech or higher-risk areas are likely to need security leadership earlier than some other less regulated or lower-risk fields. If a business is looking for substantial investment, the investors may be happier to see you are taking security seriously.
My advice would be to hire a CISO as soon as you fiscally can, as building things securely (Technology, solutions, processes, etc) is much easier in the initial stages rather than bolting it on later.
Firms that are still navigating their first CISO hire could consider vCISO (virtual CISO) capabilities to get them started at a lower commitment and cost. This, however, is no replacement for a full-time CISO who is fully engaged with your business as you grow.
What would your advice be to Security professionals currently?
“Be passionate and positive”
It really helps to love this field as it can be busy and stressful yet there are always things to learn. Be mindful that we cannot get everything done, and we may get breached – however if you are improving your organization’s security, be positive about the benefits you are bringing.
“Diversity really helps improve Security and team performance”
There is no one-size-fits-all, you do not need to be like other people – bring your unique views and ways of looking at problems to your teams.
Any final thoughts you would like to share?
Security can be highly stressful and sometimes a thankless role. We can be blamed for things that are way outside our ability to change within our organizations. However, it is a great field to work in, we have many awesome teams and people in our industry.
Whilst it can be challenging, you must keep learning and stay ahead of the curve. We, as Security professionals, are making a real difference, and it is important to remember that your role is directly responsible for protecting people’s data, identities, and money.
Zeren exists to empower the world’s change makers. We do this by building high-performing teams in the world’s most innovative businesses, to accelerate growth by connecting visionary leaders and ambitious talent.
We are a leading global Executive Search & Recruitment firm with teams and offices in San Francisco, Houston, New York, London, Berlin and Frankfurt.
We partner with high-growth, VC/PE-backed businesses and ambitious Corporate brands placing senior leaders, building exceptional teams, or providing critical interim and consulting talent.