CISO Conversations: Interview with Kevin Fielder

By Sistla Vaishnavi. Sistla is an Associate Director at Zeren, based in London and leading the IT Infrastructure and Security function.

Kevin Fielder is a senior executive with 20+ years of experience in the Cyber Security space. Kevin has been the first CISO for many global businesses and is an expert in building and delivering security strategy across complex FTSE100 companies. In his most recent role, he was the Global CISO for FNZ.

Tell us a bit about yourself and your career journey

It’s been a long journey! I have spent most of my adult life heavily involved in two main areas:

Health and fitness / Training
Cyber Security / Technology / Team building

I am someone that constantly likes to learn and grow (although seemingly not in height!). I naturally gravitated towards Information Security from early on in my career as I found it to be constantly evolving, focused on problem-solving, continuous learning, and (trying) to stay ahead of the “bad guys”.

As my career has progressed, I have become extremely passionate about helping people and building exceptional, high-performing teams. The teams I have built are probably my proudest career achievements and whilst they seem completely different – I am increasingly observing how human nature leads to many of the same issues across health & fitness and Information Security. Especially around people wanting quick fixes and the sale of ‘snake oil’ products.

You have been the first CISO for a couple of firms as well as worked with more established businesses – can you talk about your experience in these environments?

Both of my CISO roles have been the ‘first CISO’, however, prior to these, I have been in more established teams. Personally, I love to build and deliver real change, and therefore, I enjoy roles that are transformational in nature and have the appetite to deliver change. Some people are much better at keeping established things gradually evolving, and some prefer slightly more hectic roles where a lot of change is required. I do not think neither is better, it is just different and best suited to different people.

How can a CISO balance security priorities vs business priorities?

This could be a tricky balance to strike, but not impossible – to start off with, it is vital to work across your peers and leadership teams to really understand what the business goals are and where possible align the security initiatives with how they support the business achieving its goals.

Once the Security function is aligned with the business goal, you can go on to:

Quantify risk and risk reduction in terms that relate to business goals and dealing with business risk.
Understand what your investors’ value is and how you can align with that.
Understand your organization’s financing – do they favour Opex over Capex and look to build business cases that align with this as much as possible?
Review your security initiatives to align with cost savings and/or efficiency improvements

Where should the CISO’s role sit in an organisation to be most effective?

Whilst I appreciate this has been a topic of discussion recently, I personally do not think it matters too much. What matters is being supported to deliver the full breadth of the security programme and being able to access the senior leadership teams and board, to gain support for the programme and report on the current security risk posture.

How has the culture shifted in a Security function?

There have been some big changes from a cultural perspective:

We have almost completely moved away from an environment of blaming ‘users’ and PEBKEC (problem exists between keyboard and chair) and realize that we are all human and that engaged colleagues are one of our greatest assets as a business.
We are empowering people more. Especially with a DevOps way of working, we are creating much faster ways to market, with much-improved security when implemented correctly and early in the process.

Personally, I ensure ‘culture’ is a key pillar of the security programmes I build, as it is critical to the success of security in an organization. Ensuring engagement and understanding across all levels of the organization should be any security executive’s goal. I try to use the term ‘culture’ rather than awareness. Whilst it may not be the most grammatically correct statement, I often say – ‘Awareness does not equal Careness’. We must endeavor to help our colleagues understand why working securely is so important and how it will really help them achieve their goals safely.

What has been your experience hiring Security talent?

Security roles that are senior and niche in nature, can be challenging to identify talent for, especially with the strong market competition and organizations paying top salaries to ensure they get the best talent. On the other hand, junior Security roles can be filled more easily as you can be more creative with what you need and focus on soft skills, transferable skills, and the ability to learn.

Having built and grown successful Security teams from scratch, my advice for hiring Security talent would be to:

Be clear about what the few real non-negotiable requirements are.
Keep the requirements to the absolute minimum so as not to put people off who do not have a laundry list of skills.
Value attitude and willingness to be part of the team extremely highly.
Look at ways to get people into the team from a broad range of backgrounds, I rate apprentice schemes highly to help here, along with looking at people wanting a career change. Think about what new skills and ways of thinking could they bring to your team.

In your opinion, when should a start-up hire a CISO?

This is a difficult question, and it may well depend heavily on the industry vertical and funding arrangements of the start-up. For example, start-ups in Fintech or higher-risk areas are likely to need security leadership earlier than some other less regulated or lower-risk fields. If a business is looking for substantial investment, the investors may be happier to see you are taking security seriously.

My advice would be to hire a CISO as soon as you fiscally can, as building things securely (Technology, solutions, processes, etc) is much easier in the initial stages rather than bolting it on later.

An option for firms that are still navigating through their first CISO hire could consider a vCISO (virtual CISO) capabilities to get them started at a lower commitment and cost. This, however, is no replacement for a full-time CISO who is fully engaged with your business as you grow.

What would your advice be to Security professionals currently?

“Be passionate and positive”

It really helps to love this field as it can be busy and stressful yet there are always things to learn. Be mindful that we cannot get everything done, and we may get breached – however if you are improving your organization’s security, be positive about the benefits you are bringing.

“Diversity really helps improve Security and team performance”

There is no one-size-fits-all, you do not need to be like other people – bring your unique views and ways of looking at problems to your teams.

Any final thoughts you would like to share?

Security can be highly stressful and sometimes a thankless role. We can be blamed for things that are way outside our ability to change within our organizations. However, it is a great field to work in, we have many awesome teams and people in our industry.

Whilst it can be challenging, you must keep learning and staying ahead of the curve. We, as Security professionals, are making a real difference and it is important to remember that your role is directly responsible for protecting people’s data, identities, and money.

Zeren exists to empower the world’s change makers. We do this by building high-performing teams in the world’s most innovative businesses, to accelerate growth by connecting visionary leaders and ambitious talent.

We are a leading global Executive Search & Recruitment firm with teams and offices in San Francisco, Houston, New York, London, Berlin and Frankfurt.

We partner with high-growth, VC/PE-backed businesses and ambitious Corporate brands placing senior leaders, building exceptional teams, or providing critical interim and consulting talent.

View more Zeren news

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjFirstSeen	30 minutes	Identifies a new user’s first session. Used by Recording filters to identify new user sessions. 30 minutes duration, extended on user activity. Boolean true/false data type.
_hjHasCachedUserAttributes	session	Enables us to know whether the data set in _hjUserAttributes Local Storage item is up to date or not. Session duration. Boolean true/false data type.
_hjid	1 year	This is an old cookie that we do not set anymore, but if a user has it unexpired in their browser, we will reuse its value and migrate to _hjSessionUser_{site_id}. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. UUID data type.
_hjSessionUser_{site_id}	1 year	Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Hotjar does not track users across different sites. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjUserAttributes		Stores User Attributes sent through the Hotjar Identify API. No explicit expiration. Base64 encoded JSON data type.
_hjUserAttributesHash	2 minutes	Enables us to know when any User Attribute has changed and needs to be updated. 2 minutes duration, extended every 30 seconds. Content hash data type.
hjActiveViewportIds		Stores user active viewports IDs. Stores an expirationTimestamp that is used to validate active viewports on script initialization. JSON data type.
hjViewportId		Stores user viewport details such as size and dimensions. Session duration. UUID data type.

CISO Conversations: Interview with Kevin Fielder

More News

The Art of Scaling: A CRO’s Approach to Growth

Is Embedded Recruitment Right for You?