
FinCyber Today
Stephen Sparkes: The Evolution of the CISO Role
Stephen Sparkes has over 30 years of experience in leadership roles across the financial services tech spectrum and is currently Scotiabank’s EVP, Chief Information Security Officer and Enterprise Platforms, and member of the FS-ISAC Board of Directors. Over the years, he says, cyber has become the dominant operational risk, giving CISOs a more prominent leadership role. That role – and the skills CISOs need to succeed – will continue to expand as the threat and business environment evolves.
Episode Notes
How the role of the CISO has evolved. The CISO’s role is more about leadership, strategic decision-making, and resource management than it is a security or infrastructure discipline. Working directly with senior leaders and boards requires communication skills to convert technological discussions into lay terms and the integrity to take a principled stand and consistently interpret risk. Still, CISOs’ calculated risk decisions empower the business, which can be tremendously satisfying.
Regulatory environment. Engaging with regulators is an investment in efficiency. You can’t time a spot inspection or a rapid horizontal, but planning for them – and having a deep enough bench to meet your obligations – saves CISOs effort and trouble in the long run.
Fusion centers. Threat intel has cross-functional impact, so converging fraud and account takeover prevention, AML, customer-facing apps, and other teams with cybersecurity amplifies defense. Scotiabank has a virtual fusion center that rotates leadership between teams to cross-pollinate knowledge and preserve clarity during incidents.
Moving to the cloud. Cybersecurity spending must increase as threats do, and cloud providers can out-spend most institutions to fend off mutual threats. Taking advantage of cloud’s scale – especially if cyber, infrastructure, IT, risk, and corporate applications are consolidated in the migration – can be both a business and security strategy. Still, moving data to the cloud can make expenses more variable, requires more control than on-prem operating models do, and is best done with a coordinated set of priorities.
The next 10 years. The CISO role will become a stand-alone function as board demands increase, regulations evolve, and technology advances. Leadership skills will become more valuable and cybersecurity performance definitions will expand – system admins, for example, may need to become service managers setting policies. Prep by bringing in strong leaders, empowering and coaching your people, and explicitly explaining new corporate objectives, KPIs, and KRIs.