Taking risks with security is out of the question when it comes to protecting operations, particularly for the well-known bookmaker William Hill. Killian Faughnan, Group CISO at William Hill, tells us about his role at the company and some of the driving factors behind its ambition to continuously strengthen its cybersecurity posture.
What does your role look like day-to-day?
It’s quite varied. Like most CISOs, a lot of my time is spent trying to enable my teams to deliver on our objectives. This means a lot of time spent leveraging soft skills, coordinating activities and keeping the wheels of InfoSec turning smoothly.
Like most senior roles, a lot of the work is in building relationships and networks across the business and paving the way for my team to be able to do what they need to as effectively and efficiently as possible. There’s also a lot of time spent considering the way we work as a team and as an organisation, how we can provide a better service and whether we’re focusing on the right areas. As time moves on, the priorities you have need to move with it so it’s important to regularly stop and review where you’re at.
What prompted your interest in a career in cybersecurity?
I was always interested in figuring out how to make computers do things they weren’t meant to and to see what happened, so security was a natural fit for me. I started in security as a pen tester, which is a difficult job to not enjoy. From there, it was a lot of time spent figuring out how to identify and exploit issues before turning my hand to the defensive side. I think what kept me in a career in cybersecurity is the variety. For every bit of tech we build, you need security. There’s no getting away from it.
How would you describe the cyberthreat landscape?
Constantly evolving. I think when talking about the threat landscape, it’s important to consider that while some threats are universal, the impacts will differ from business to business.
For the most part, the cyberthreat landscape is still following the same pattern as recent years: unpatched or misconfigured systems, supply chain risk, ransomware, insider threat, etc. Personally, I’ve always been of the view that the biggest challenges we face are the more mundane issues. Feeding, watering and maintaining systems at a sufficient level of quality and robustness are among the first activities to fall away when resource constraints start to bite.
What are some of the driving factors behind William Hill’s ambition to continuously strengthen its cybersecurity posture?
Put simply, it’s our customers. We have a responsibility to them to always strive to improve our cybersecurity stance, to always push to leverage new technologies and methodologies to secure our systems and services, and to keep their security and privacy front of mind while we do so.
Do you intend on making any strategic cybersecurity investments in the coming months and if so, what?
We’ve actually taken a step back from one-off ‘strategic’ investments and have moved towards a more agile approach to investment and delivery. We set out our strategic objectives and the key results we will use to measure our progress towards these (OKRs) and subsequently drive delivery using this agile approach, leveraging shorter feedback loops and continual experimentation to reach our objectives.
In practice, the result is more of a focus on those areas which will drive the most security and business value. One such example is automation: whether that’s building security into the SDLC, our infrastructure deployments, or automated compliance testing, the ultimate goal is driving towards a state of ‘Security as Code’.
How do you ensure a strong cybersecurity culture?
I don’t think I’m going to shatter anyone’s world view by saying annual or seasonal approaches to addressing cybersecurity cultural change don’t work. Cultural change is difficult, irrespective of whether it’s to promote health and safety, security, or just ways of working; and changing an organisation’s culture doesn’t happen overnight. It requires a lot of time and energy, both in terms of driving more tangible components of a change programme such as the communications aspects (i.e. security awareness and training) as well as in building and maintaining relationships with key parts of the business which is necessary to instantiate cultural change at as many functional, geographical and organisational intersections in the business as possible.
The thing I try and keep in mind more than anything else is a saying I came across a few years back which has stuck with me: ‘Change is disturbing when it is done to us, exhilarating when it is done by us’. (Kanter, R.M. (1983) The Change Masters, New York, Simon and Schuster).
What are your priorities when it comes to taking a pragmatic approach to cybersecurity?
Obviously understanding what’s pragmatic and practical for the business you’re working within is key, but typically prioritising complexity reduction, process reduction and automation are a great starting point. I think good relationships are key to building better security and reducing friction wherever possible is a great way to help with that, which these priorities all address in some form or another.
This approach really stems from my belief that we should think of security as a product or service and, as such, we should organise, market and productise to create and meet the demand of our customers, and anyone who works in a product environment will know that NPS is king.
What can vendors be doing to provide support to their customers during these challenging times?
I think I’d give the same advice today as I would have last year – talk to your customers on how to get the most out of what they already have. If you can help me drive the maximum value out of what I’m already spending with you, I’m much more likely to come back to you for something else later.
What advice would you offer to aspiring CISOs?
I won’t offer any advice on security itself or the path to CISO, but instead focus on approach once you’re in the hot seat.
Play the long game – easy-to-achieve low-hanging fruit and point fixes are good to showcase ‘positive direction of travel’, but focusing too much on this is why we still struggle to get to grips with the basics as an industry. Think about the fundamentals you would like to have in place when you join a business and make sure they’re in place for whoever comes next.
It’s more effective and sustainable to lead through influence than authority. There is a limited number of times you can hit the nuclear button and force an escalation before it starts to lose its effectiveness.
Remember that your peers are your team too and you are all operating in a zero-sum environment. Every additional headcount or pound/dollar you consume has to be diverted away from some other activity to make its way to you, so use them wisely and appreciate security is a team sport.