Steve Wright, CISO and GDPR advisor at the Bank of England, offers insight into his career path to date and explains how he believes a tailored, personal approach is key to creating a behavioural shift and embedding a strong security culture at an organisation.
The Bank of England is the UK’s central bank, responsible for regulating other banks, issuing banknotes, setting monetary policy and maintaining stability.
Steve Wright is the Bank of England’s current CISO and GDPR advisor, having previously worked as interim Data Protection Officer (DPO) at the organisation.
Previously, he has held the position of CISO and DPO at retail giant John Lewis, and Chief Privacy Officer for Unilever, having worked in technology, risk, data security and data privacy for over 20 years.
His background experience is in designing, developing, managing and delivering or turning projects into operational structures, including the governance, privacy and security programmes necessary to maintain a good posture.
His style as a pragmatic and charismatic leader ideally places him as the ‘trusted advisor’ to the Board on all matters relating to privacy and security risk.
He is also a published author, a non-exec director and is regularly invited to speak at industry events, trade associations and thought leadership working groups.
He tells us about what his experience to date has taught him and considers some of the challenges he faces day to day.
What are some of the key cyber challenges that the Bank of England faces?
The bank is just a major target. It really is the whole plethora of risks and threats, whether it’s state actors from Russia and China etc. At John Lewis the threats were daily and we got to a point where we called it ‘white noise’ – it was just constant.
It’s similar at the bank. That’s why the SOC and the SIEM are so important and you need to have that joined up and have some calm people steering the ship.
We have our own SOC, which is a strategic decision, and capabilities for that are probably best in class. We work closely with GCHQ, as you would expect. On the SOC team, we have more than 30 employees and on the CISO side it’s around 35.
In terms of capabilities and capacity, there are some strategic partners that we do work very closely with including the intelligence services.
Day to day
Apart from checking emails and flying from meeting to meeting, the day always begins with what Wright calls ‘morning prayers’.
“There are briefings with the team to find out what’s happened overnight, whether any lessons can be learnt from that and whether any further analysis is needed,” he says.
This is followed by report writing for senior leadership.
Delivering the message to the board
“Language. Simplify your language, stick to the same definitions. We did a taxonomy of definitions because trying to explain what various acronyms mean to you and different departments is phenomenal,” he says.
“It’s important that I keep my messages short and sweet and use consistent language.”
Wright says he regularly writes reports and that it is important to simplify language, making it easy to read, with the backdrop and context summarised in two or three sentences.
“It’s also really helpful to have dashboards of some description so you can track and monitor threats, vulnerabilities, what you’ve done about it, what the programs are that are mitigating them etc.
“When I say dashboard, I’m talking about a ‘heat map’, and then that would be accompanied by a memo style report.
“You might typically do 20 versions of that until you get it right because ultimately you have got stakeholders on the board and you need to know who they are and what influence they have.
“The Chief Finance Officer might be completely opposed to something which the Chief HR officer wants to put in place, or the general counsel. Essentially, you’re producing information and reporting it and sometimes it’s not palatable.
“You have to simplify the language into – ‘what’s the risk, what’s the exposure and what’s the money’?”
Wright describes his hybrid role – in privacy and security – as being ‘two sides of the same coin’.
He added: “The common denominator is risk.”
The importance of collaboration and threat sharing
Collaboration, Wright believes, is the only way that the ‘bad guys’ can be stopped.
“At John Lewis, alongside the National Cyber Security Centre (NCSC), I helped set up a retail threat intelligence threat sharing group – we were one of the first outside of the bank sector.”
This, he says, was a long process due to the sensitive nature of threat sharing with competitors but the NCSC was able to provide a platform for regular meetings to be held in a transparent way.
The role of a CISO
“It’s a high-pressured job and I think a lot of people go into it and don’t fully appreciate that. I don’t class myself as a really successful DPO or CISO, I just try to do the best I can. But there are some people that are really in the stratosphere.
“The difference there, in my humble opinion, is that they really get what a board needs and what makes them tick, but have grown from an IT or infrastructure or software background, so they really understand it as well.
“Being able to deal with a board takes gravitas and you’ve got to believe what you’re saying.”
Building a strong security culture in an organisation
One of the key requirements of building a strong security culture is time – enough to facilitate a real behavioural change.
Wright says: “You’ve got to link it to things that people can relate to, so it has to be personalised.
“An example is, if I was to enforce a password length and wanted alphanumeric characters etc, I would actually talk about how you set your privacy settings on Facebook.
“That’s personal to the individual. They will say, for example, that they didn’t know there are 27,000 entry points on each individual Facebook profile, so they really need to lock down settings and, subsequently, understand why they need a strong password.”
It also takes different messaging to different audiences. E-learning, Wright says, has a place but doesn’t necessarily instil a behavioural change.
“I think it takes a long time and has to be done on multiple levels and you really need to think, ‘what does the lorry driver or the call centre agent think about it?’ and the board and the executives? I think you need tailored, audience specific training.”
Champions, he added, are also important.
“To maintain that culture, you need a whole army of people who feel responsible. There’s a lot of people who have been in organisations for 10, 20 or 30 years and it’s all they know and they’re passionate about protecting the brand and the business and you can leverage that loyalty. They want to help as it’s so precious to them.”
Advice for future CISOs
“I think you have got to have a love for it and a passion for the subject. You also need to consistently keep developing yourself.
“I think it’s also really important to do different types of training. It could be how to do a presentation for example.
“I did one years ago with a theatre company – I had to sing. And it was so left field but really helped understand those things. I also did ethical hacking.
“I would advocate trying to balance the soft with the hard-technical skills.
“Also, remember not to work in isolation – collaboration is critical. Constantly test yourself, work with others, join thought leadership, think tanks and stretch your mind.
“That really helps develop you as a person and it makes you a better employee.”