Kevin Fielder looks more like an Olympic athlete than a CISO. Not that CISOs can’t look muscular or don’t look fit, it’s just not the first image that comes to my mind.
And yet, maybe there are more similarities shared between athletes and CISOs than meets the eye: discipline, tenacity and resilience are traits required by both.
It’s certainly the case with Kevin, the current CISO of Just Eat, the food delivery service. He sits opposite me in a trendy London cafe, arms laced with impressive tattoos - a dragon on one side and a phoenix on the other. He is dressed in a bright pink t-shirt and whiter-than-white trainers, and I am certainly curious to find out more about what’s drawn this individual to the cyber security industry.
He puts his career choice down to a perennial love of security and problem solving. “It’s an industry where you never stop learning,” he reveals.
With over 20 years in the IT industry, Kevin is Just Eat’s first CISO, and he has built the company’s security team from the ground up.
The role of a CISO
Kevin divides the role of the CISO into two distinct parts. The first is risk and helping people understand the nature of that risk. “We have to provide good security, which means understanding the executive board’s risk appetite so they can make risk-based decisions.”
The other side of it is the “enabling” part. “If you say no to employees, they will very often try to go around you,” he explains. Rightly so, he adds, because they're delivering real benefits to the business.
Kevin instead suggests communicating differently with phrases like, “How about we do it like this? Can we help you do that? Or, we can do this to make that safer.”
“You could enable them to do things and be seen as someone who's helpful. The more you're helpful, the more people come to you,” he points out.
Achieving success with the board
Kevin’s advice is to “understand what the business is trying to achieve, understand what their concerns are, and try to work out how to best talk to them about security”.
He suggests keeping away from acronyms and focusing on how the business achieves its goals.
He explains: “The executive and upwards don't care about anti-malware solutions or how we do data leakage protection. They care about how secure our office environment is, how well protected our data is and how likely are we to be breached by an external attacker. You’ve got to relay what the current level of protection is to them, what your concerns are, and where you need to support and help them.”
The greatest challenge: complexity and speed
With data spread across 3 cloud providers (Amazon, Google and Azure), offices in 13 countries and a workforce of over 3,600 people, there’s a lot happening, and the rate of change is fast.
Understanding the environment and business, as well as building a strong security team, are essential for Kevin to navigate the complexity and racing pace. But, essentially, he reveals, it’s about “building relationships”.
Developing relationships outside his department gives him useful knowledge. For example, one department may be opening a new call centre, another might be launching a new marketing campaign or a website collecting customer information for a survey.
He needs to make sure he’s engaged with all activity so that he knows when change is coming, can prepare for it, and can make sure it's done as securely and safely as possible, he says.
Kevin encourages his team to be visible, helpful and build personal relationships across all departments. He adds that people don't necessarily come to you, so he has to make a concerted effort to engage with all departments.
“One of the things I've learned throughout my career is if I want something done, say, next year, start talking about it now. So when it comes to it, people know you’ve been talking about this for ages and are on board with the idea,” he states.
Communicating the security message to employees can sometimes be challenging. Kevin explains, however, that they’ve “managed to build a really cool culture where there genuinely isn't blame. We have that culture where people can make a mistake and we work on how we can fix it.”
Dealing with stress
And about that Iron Man look... When Kevin is not putting out cyber fires, he’ll be found in the CrossFit studio. High fives, jumping on boxes and loud music are the perfect antidote to the office environment.
His passion for CrossFit is not just about working up a sweat, however. He also finds it rewarding to help people become fitter and achieve their goals.
If the thought of intense cardio doesn’t sound like a relaxing way to wind down, you’ll be pleased to hear that Kevin does take the occasional holiday. For him, the only way to disconnect is the “nothing holiday”. Somewhere with limited Wi-Fi “is the only way to completely switch off, otherwise you’re permanently wired”. Even checking email in the mornings is detrimental to one’s health, Kevin highlights, as you’ll still be thinking about work for the rest of the day.
Kevin is the ultimate philomath, seeking inspiration outside of the security industry. He admires Simon Sinek and values his philosophy of always “starting with the why” - whether selling an idea in business or in life - something which he says can also be applied to security.
“A product alone won’t sell. You have to turn it into the why. Just as in security; cool tech will not work alone. Start explaining security with the why,” he states.
Kevin encourages his team to keep working on their soft skills and recommends they watch TED talks around social science and integrating with people to improve their people and persuasion skills. After all, so much of security is having to encourage people to follow your advice. “The more you understand people, the more you understand how to build teams, lead people, set ideas, the better security leader you can be,” he stresses.
He lists The Fifth Element, Butch Cassidy and the Sundance Kid and The Italian Job among his favourite films. A self-diagnosed optimist, he adores the Confucius quotation, “Choose a job you love, and you will never have to work a day in your life”. And it’s certainly a philosophy he lives by.