Welcome to the second edition of Interview with a CISO.

This week, we spoke to Simon Goldsmith, Director of Information Security at OVO.

Simon has lived and worked in the UK, mainland Europe, the Middle East, and Asia and spent the last 20 years building security and resilience programmes for military aircraft, central banks, oilfields, and Ultraboost sneakers.

He believes that Security is a Team Sport and brings a collective approach to the security field.

We thoroughly enjoyed listening to his take.

Q. What are the top 3 traits you look for when hiring direct reports?

Integrity, Passion for Collective Improvement, Initiative

Q. What is the best part of your job?

I see the job as a pretty unique blend of engineer, emergency responder, strategist, and lawyer. Every day I get to apply systems thinking to complex and sometimes chaotic problems. And I am surrounded by colleagues who have committed themselves to solving humanity’s biggest problem, the climate crisis.

Q. What is the biggest misconception about being a CISO?

That a CISO owns security risk for an organisation. If you don’t have the authority to change the asset (data, system, contract), you can’t be the risk owner. The best CISOs I’ve worked for have been custodians of the security culture – able to inspire change by explaining why security matters and how good security feels, specifying ‘these are the things we care about’ and why.

Q. How long will it take for the CISO to be part of the board as standard?

I’m not yet convinced every board needs a CISO to be a part of it. It is an easy thing for lawmakers and regulators to demand, but it’s a stopgap for more standardised board governance for cyber/infosec. More to the point, there are very few CISOs who are board-ready, and the professional development structures aren’t yet in place to fix that problem. Another, more scalable approach is a non-exec with in-depth InfoSec experience who can make sure the right questions are asked. There are existing Board positions that are well placed (with a good CISO in their team) to respond to those questions accurately and challenge the rest of the board to fulfil their security responsibilities.

Q. What will the CISO of the future look like in 5 years?

A little less white, middle-aged and male. Accelerating that change will require more outspoken recognition that mono-cultures of people with the same lived experiences are objectively worse at security than diverse and inclusive teams.

Q. What is your most unusual interview experience? (Either as the interviewer or interviewee)

One of my interviews, as I was leaving the Ministry of Defence, involved one of the big strategy consultancies flying a group of applicants to a race track in Germany. Jutta Kleinschmidt, the first (and only) woman to win the Paris Dakar rally, gave us a lesson. After driving a few laps and a bit of high-speed handling, we had ‘informal chats’ with some of the managing consultants. I didn’t get the job, but still my best interview experience!

Q. Favourite movie or series with a security theme?

Anyone who doesn’t answer this question with Star Wars is not a real CISO.
