{"id":15251,"date":"2018-03-14T00:00:00","date_gmt":"2018-03-14T00:00:00","guid":{"rendered":"https:\/\/identifi-global.eu.applyflow.com\/interview-darren-argyle-former-ciso-qantas-airlines\/"},"modified":"2022-12-09T06:16:42","modified_gmt":"2022-12-09T06:16:42","slug":"interview-darren-argyle-former-ciso-qantas-airlines","status":"publish","type":"post","link":"https:\/\/www.identifiglobal.com\/news\/interview-darren-argyle-former-ciso-qantas-airlines\/","title":{"rendered":"Interview: Darren Argyle, Former CISO Qantas Airlines"},"content":{"rendered":"<div>\n\t&nbsp;<\/div>\n<div style=\"text-align: center\">\n\t<img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-01.cms-eu-v2i.applyflow.com\/identifi-global\/wp-content\/uploads\/2022\/03\/DarrenArgyle.jpg\" style=\"width: 600px; height: 359px\"><\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe airline industry takes cyber security very seriously. As CISO for Qantas Airlines, Darren Argyle\u2019s job was to ensure that safety and security were central to all the company\u2019s day to day operations.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tHaving spent the best part of 12 months in Australia, we took the opportunity to catch up with him to talk about how cybersecurity has changed, how security professionals can stay ahead of the game, and the future of recruitment within the industry.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tHow have the information security and cyber security industries changed since you started 20 years ago?<\/h2>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong>Darren Argyle:<\/strong> Twenty years ago, cybersecurity didn\u2019t exist: it was called information security. When I first started out it was about protecting the perimeter: a \u2018castle and moat\u2019 approach to security. The CISO role didn\u2019t exist either &#8211; you were an IT Security Manager or Security Manager. 
Rather than a boardroom role, it was a low-level technical role that sat within IT.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe role itself was essentially to keep the antivirus software going, to make sure signatures were updated, to ensure that firewalls were configured correctly. In those days, attackers were mainly script kiddies with no real criminal intent: they were simply interested in trying to outdo each other. The first virus I recall was <a href=\"https:\/\/en.wikipedia.org\/wiki\/ILOVEYOU\">ILOVEYOU<\/a>, which was actually pretty effective in what it achieved: a global meltdown, but without the criminal or monetary element that you see nowadays.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tFast forward to today, and we\u2019ve shifted away from that perimeter idea. The perimeter now, if you like, is a person\u2019s identity. Businesses have invested a lot in protection, but the boundaries and possibilities have changed. 100% protection now no longer exists. Now, it&#8217;s about all companies recognising that security incidents do happen &#8211; and how the business detects and responds to these incidents has become more important.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: New technologies like AI and the Internet of Things (IoT) are gaining plenty of traction. What do you observe CISOs doing to adopt these cutting-edge technologies into business operations?<\/h2>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong>DA: <\/strong>I think it\u2019s the same as anything new that comes into an enterprise. The crucial part for security has always been ensuring that everything is secure by design. 
Conversations need to be had at the very start of the integration process so that risks can be articulated to the relevant people from the outset.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tOne of the biggest challenges for all CISOs today is shadow IT and digital teams that have been created without the knowledge of the CISO or the internal IT team.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tAs different business units try to become more agile, to innovate, to become more technically aware, they introduce new IT operations. For example, the marketing team may be looking to improve efficiency by introducing software robotics to speed up tasks, reduce costs or respond to customer challenges &#8211; which could create cybersecurity risks.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tIt&#8217;s important for security teams to get engaged into those new projects early enough. To do that, security teams need to build trust, and not block innovation by saying \u201cthat\u2019s not secure, you can\u2019t do that\u201d &#8211; security will simply be bypassed in the future without a solid foundation of trust.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tSecurity teams can benefit from the innovations harnessed by other departments, too; for example, taking advantage of the machine learning and advanced analytics, speeding up the detection of and response to threats within an environment.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: Cybersecurity isn\u2019t just an IT issue, of course, it\u2019s a business issue. How do businesses make sure that security is in the DNA of business?<\/h2>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong>DA: <\/strong>The CISO and the security team are the enablers, of course, but effective security needs a top down approach.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tIt\u2019s simply not enough for the security teams to say, \u201cthese are the policies, this is our culture, it\u2019s everyone\u2019s responsibility\u201d &#8211; that has to come from the CEO. 
The executive team are the role models, with the security team making everything happen: which includes educating the CEO and executive team so they understand how important it is to manage cybersecurity, and the impacts incidents can have on the business.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tPreviously, security was just generally seen as the cost of doing business. Now, it\u2019s become a competitive advantage, and an investment in the brand. The smart companies are saying \u201cbreaches will still happen, but we can reduce their impact, defend our reputation, and increase trust amongst our customers.\u201d<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tTrust is the key word here. Security on its own is a bit benign, but if you think about it in terms of trust, it demonstrates the impact the team can have on the business.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: You say that security incidents are unavoidable for all companies. Is there a right way and a wrong way to deal with them when they do happen?<\/h2>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong>DA:<\/strong> The most important thing is transparency. GDPR is driving plenty of transparency, introducing questions like \u201cwhat are you doing with my data, how are you protecting it, what will you do if it\u2019s breached, how will you inform me?\u201d<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tBusinesses have always feared the impact of data breaches on their reputation &#8211; which can potentially be more damaging than the breaches themselves. With GDPR looming, the penalties of non-compliance are greater than at present: up to 4% of annual turnover. If you don\u2019t report a breach within 72 hours, the impact will be significant. I really do believe that we\u2019ll start to see far more transparency in the future once GDPR comes into effect.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tYou also want your employees to be transparent, and focused on security. 
If they spot something &#8211; be it unsafe practices, suspicious online behaviour or strangers in the buildings &#8211; you want them to tell you proactively, and not be penalised for speaking up. Again, workplace culture is important: your culture needs to say that security is everybody\u2019s responsibility.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: With such a rapid pace of change in the cybersecurity industry, what can companies do to stay informed of the latest trends?<\/h2>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong>DA: <\/strong>There are a number of things, starting with regularly connecting with peers &#8211; the CISOs in the local community within your country, and within your specific industry globally. It\u2019s important to connect with peers in which you operate, building a network of information sharing. Typically in that group, you\u2019ll find that somebody will start a conversation about something you haven\u2019t heard before: your relationship allows you to ask the relevant questions, and that knowledge is shared amongst the whole group.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tIt\u2019s also important to point out that it\u2019s not just about the CISO being tuned into the latest trends, but also the wider security team &#8211; it\u2019s highly unlikely that there will be one person who knows everything. 
It\u2019s important to define who looks after different elements of cybersecurity &#8211; application security, endpoint security, threats, intelligence and others &#8211; dividing those up among different leaders who can then specialise and focus on deeper learning.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tSubscriptions to various thought leader organisations are a fantastic way of keeping abreast of what\u2019s happening more globally &#8211; organisations like <a href=\"https:\/\/www.cebglobal.com\/\">CEB<\/a> and the <a href=\"https:\/\/www.securityforum.org\/\">Information Security Forum.<\/a> Here, you find papers written by thought leaders as well as case studies from CISOs who have innovated in exciting ways.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tFinally, staying close to your vendors is also key. Everybody uses a security vendor in some shape or form, and they have plenty of innovation to talk about. You need to keep all your vendors close and find out how they are working together to keep you secure.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: The talent shortage in cybersecurity is often talked about. Having been in Australia for the last 12 months, have you seen any difference between there and the UK?<\/h2>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong>DA:<\/strong> The talent shortage is more acute in Australia, without a doubt. The country\u2019s population is 24 million versus 65 million in the UK, but beyond that, we just seem to have a chronic shortage of full-time employees.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThis is because Australia has a huge culture of contracting, leading to a very transient workforce in cyber security. That becomes a challenge, as you want to keep that kind of IT within your company so workers fully understand the business context of the projects they\u2019re working on. 
With employees moving fluidly in and out of the company, that business context is often lost, leading to far greater risk.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe second challenge is encouraging more women into the industry. I think it\u2019s happening more in the UK &#8211; and certainly in the rest of the world &#8211; than in Australia, but the effort is becoming greater. Just this week, I\u2019ve seen that Telstra are focusing efforts on increasing the appeal of the industry to women. There are grassroots initiatives in universities, colleges and even schools to tackle the issue, but we need things to happen more quickly.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: You touched on contracting. Why does this happen? Is it a business reluctance to take on full-time staff, or a failure to offer a proposition appealing enough to attract full-time employees?<\/h2>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong>DA:<\/strong> I\u2019ve asked a number of contractors why they contract, and a typical response is, \u201cWell, why wouldn&#8217;t I? I can earn more money, I have more flexibility, and I can move on to another contract relatively easily.\u201d Some people simply don\u2019t want to be tied in &#8211; and in Australia particularly, they don\u2019t tend to do back-to-back contracts. They tend to take some time off for leisure between contracts.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe big brands still attract those looking for careers &#8211; often those who want steady employment while they raise a family. 
Conversely, though, you\u2019ll find that when the kids grow up they want more flexibility &#8211; and they then move into contracting work.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: With all of this in mind, as a CISO, how do you go about attracting the right cybersecurity talent?<\/h2>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong>DA:<\/strong> This goes back to meeting people: going to conferences and engaging with the people there, plus the mentoring work that I do with various individuals.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tMentoring across departments within your own company is vital for driving the culture of succession planning. So, for example, it may be that you mentor someone in the operations team as opposed to security &#8211; but because they\u2019re being mentored by a security person, they\u2019re more likely to come into that role. Likewise, this can be done externally: I encourage people to mentor junior security professionals in other companies, in the hope that one day they\u2019ll join the company we work for.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tOne of the things we\u2019ve done to great effect in the companies I\u2019ve worked for previously is to have cybersecurity champions or ambassadors within the company. Once they start to learn about the fact that there are shortages in security roles that have higher than average salaries, it\u2019s easy to build up a pipeline of individuals interested in coming into cybersecurity.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tWe have a two-tier approach to cybersecurity hires. You need those you bring in as experienced hires, but you also need a pool of individuals who are new to the industry. With everything happening in cybersecurity recruitment, you can\u2019t expect candidates to meet every item on the job description. You hire them for their curiosity and passion, then train them up.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<strong><em>Many thanks to Darren for his time, and his insight. 
If you\u2019re looking for a new challenge in the cybersecurity industry, whether contract or permanent, take a look at the <a href=\"https:\/\/www.identifiglobal.com\/advancedsearch.aspx?search=1\">current opportunities available with identifi global.<\/a><\/em><\/strong><\/div>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; &nbsp; The airline industry takes cyber security very seriously. As CISO for Qantas Airlines, Darren Argyle\u2019s job was to ensure that safety and security were central to all the company\u2019s day to day operations. &nbsp; Having spent the best part of 12 months in Australia, we took the opportunity to catch up with him&hellip;&nbsp;<a href=\"https:\/\/www.identifiglobal.com\/news\/interview-darren-argyle-former-ciso-qantas-airlines\/\" class=\"\" rel=\"bookmark\">Read More &raquo;<span class=\"screen-reader-text\">Interview: Darren Argyle, Former CISO Qantas Airlines<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":14378,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[39],"tags":[],"class_list":["post-15251","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-news-trends"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/posts\/15251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/users\/1"}
],"replies":[{"embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/comments?post=15251"}],"version-history":[{"count":0,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/posts\/15251\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/media\/14378"}],"wp:attachment":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/media?parent=15251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/categories?post=15251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/tags?post=15251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}