Trainline Security Director Mieke Kooij on CISO role and cyber security culture

Trainline Security Director Mieke Kooij has almost two decades of security experience, and is a firm believer that building a robust culture around information and cyber risks is one of the best methods of protecting an organisation.

A speaker at IDG’s Security Day hosted by CIO UK in June, Kooij recently discussed the evolution of the CISO role, why security leaders need to focus on people and culture, bringing boards up to speed on cyber risks, CISO reporting lines, the security vendor market, data privacy, GDPR and doing the right thing for your customers. [Also read: Chief Information Security Officer salary, job description and reporting line]

Where do you think the next wave of security innovations comes from – and how do CISOs ‘triage’ the priorities from the hype? Mieke Kooij: What excites me right now is the cultural shift that is taking place around security and privacy, through new regulations such as GDPR. By concentrating on transparency and accountability, at long last we’re focusing on what really matters: people. With this focus on personal data, the needs of the customer are put first in new ways.

At Trainline, people and culture are at the heart of everything we do, including our approach to security and privacy. We’re a human technology company so it’s been a natural progression. This focus on people and culture is at the front of my mind at all times, and acts as my triage tool and test.

Where do you look for creativity and innovation inspiration, and how important is it for CISOs to make times in their schedule to get away from more day-to-day CISO responsibilities and be involved in these agendas to help protect their organisations? Mieke Kooij: I’m inspired by any number of things but creativity and innovation are attributes that are strongly fostered at Trainline, so you could say I’m inspired by the company I work for. This is also a reflection of how I was raised. Growing up, I was taught to be a leader and not a follower and that creativity and imagination were things to be cultivated and this has stayed with me throughout my career.

Security isn’t purely focused on technology, and the role of the CISO is not solely a technical one. Security is about creating a culture where information and systems are protected by shifting how people interact with them. Where possible we use technology and automation to do this, but ultimately, it’s about gaining consumer trust, winning hearts and minds and changing behaviour.

It’s really important that I be well informed on all areas of Trainline. I’m here to not only make sure we are not negatively impacting security and privacy but also protect the business and our customers. To do this, I need to work closely with all areas of the business. It’s easy to get drawn into the day-to-day complexities of our technologies and processes, but I need to stay focused on the bigger picture.

My primary responsibility is to make sure that the board is aware of cyber and information risks. They need to be informed so they can make the right decisions, but it’s also important that they’re excited and driven by security and privacy.

What less mature emerging technologies are you most excited about that could have the biggest impact on security and threat prevention/detection – and which are you most worried about? Mieke Kooij: I don’t spend as much time as people might assume someone like me would thinking about technology. I’m far more concerned with how people interact with it.

I think Trainline is way ahead of the curve when it comes to new technologies. We adopt and adapt with a rare agility in the security space. When we made the move to the AWS we used this as an opportunity to build a flexible scalable security foundation. It also gave us the chance to better understand precisely what data and information we have, which is serving us well as we move towards GDPR.

What’s your best advice for forming a strong relationship between the CISO and CIO role? Mieke Kooij: Mutual respect and trust. In all honesty I wouldn’t work for anyone I didn’t have this with.

Recent CIO 100 research suggested security leaders were overwhelmingly reporting into the CIO function – what do you think are the advantages and disadvantages of this? Mieke Kooij: Reporting lines and their appropriateness can be very organisation dependent. The key thing is to have sufficient independence and a line to the whole board, including the chairman, and not just a single member of the executive team.

I report to the CTO, but I also have a secondary reporting line to our General Council, and at Trainline, this makes perfect sense. In other organisations, this may not give people the independence needed to act as an impartial advisor, which can make it difficult to do the right thing for the company.

Security non-executive directors are one way I see of addressing the need for independence in the future – which also helps get around the shortage of skilled, experienced CISOs – but sometimes a simple re-organisation could make all the difference.

[See also: Eight reasons the CISO should report to the CEO and not CIO]

What message would you give to the security vendor community about how they can align with the challenges of CIOs and security chiefs – and what about the startup world? Mieke Kooij: I have strong admiration for the security startup community and encourage them to continue to strive forward. From a security perspective, they are helping mould the industry, whether from a technical or a non-technical standpoint.

Working for Trainline, a fast-growth, agile technology company, it’s essential we have services that can scale and work for us as we continue to transform. Some of the smaller companies I’ve spoken to don’t always put enough thought into scale and that is something I’d ask them to do. At Trainline, where more than 100 tickets a minute are sold, with over 45 million visits per month, scale and speed matter!

In terms of the broader vendor community my advice would be to listen more, not just tell CIOs and security leaders that they need their services or technology.

How much has the role changed in recent years – what are some of the most important attributes to manage security leadership and how much do you expect the role to change in future? What will the future CISO look like in terms of attributes/skillsets and executive influence/positioning? Mieke Kooij: Hugely! In the past CISOs, including myself, were evangelists creating a limited set of believers. However, having people and culture as a primary focus makes it easier to spread influence across the full business to all employees.

This shift requires a degree of creativity and imagination that could never have been imagined a decade ago. I’m there to drive excitement about security and privacy and make it second nature, security (and privacy) by design.

With a spate of high-profile breaches and attacks much is being made of security as a topic for the board – what is your best advice when discussing security with boards and an organisation’s most senior execs, and do you have any tips for securing executive buy-in/support to ensure you receive the necessary funding and backing? Mieke Kooij: What matters most is having a solid understanding of the data in your control, building security and privacy into your foundations and applications, and then focusing in on early detection and response. I’m very proud of Trainline in this regard and make sure our board is kept aware that we’re in good shape by design.

I’m sure there is many a CIO jumping up and down about beefing up their incident response in the wake of the recent wave of malware attacks, but if they aren’t also asking if they fully know the data they have, the state of their systems and whether they have controls to detect something going wrong, then they are doing their company a disservice.

What do you think are the biggest challenges and opportunities for CISOs and security leaders at the moment? Mieke Kooij: Keeping focused in an industry that is inundated from all sides with the latest and greatest, biggest and baddest, and flavour of the month is very hard to do! I’m keeping my cool by leveraging things like GDPR to focus us in on what matters most – it’s the right thing for Trainline and the right thing for our customers.

[Also read: Chief Information Security Officer interview questions]