Interview: Former Global Head of Information Risk, HSBC Private Bank 

Date: 26 September 2017


Patrik Heuri, former Global Head of Information Risk at HSBC Private Bank spoke to Amar Singh, CEO and co-founder of Cyber Management Alliance, about his journey in information security, the impact of risk on keeping an organisation’s assets safe, and gave his valuable advice for CISOs in understanding the scope of cyber threats in the financial sector.

My information security journey

Patrik’s career didn’t start in security; his early roles were more in line with project management, working as part of a project team. He was later approached by an ISO (Information Security Officer) asking if he’d be interested in moving into the information security space. Patrik transferred his skills into this field and has never looked back.

“Since I made my career in information security, I’ve not looked back. For me, it really is the place to be; it grows and grows…”

Holding an international position at HSBC means, for Patrik, that he has to focus on the specifics of information security and what that means for the largest banks worldwide. Yes, there is a lot of travel involved, but he believes that this has led him to be connected with security and information security people around the world.

Importance of project management in an information security role

For Patrik, having that project management skill set has been an important factor in helping him to develop the necessary communication and negotiation skills for his CIO and CISO roles. Knowing what is involved in IT projects and the requirements when working with the project management department has certainly made the understanding and communication aspects easier. In addition, the project management methods and processes that he learnt have allowed him to successfully manage specific projects and understand his current role, including its potential risks and constraints.

Moving from an information security role into a cyber security role has been challenging. Patrik explains that when you think about information security, you think of it as a technical subject, and that’s correct. In fact, most project leads will, when they start as juniors, learn the necessary techniques and methodologies they will need to develop their expertise as an IT security officer. However, further down the line of their careers, Patrik believes that there is a requirement to better understand the legal aspects of cyber and information security, such as regulations and compliance, and the information production within the organisation. He adds that it will be of great benefit to anyone entering the information security/cyber security space to train and work with the legal teams on IT matters.

Is a good technical background necessary?

It is certainly a good idea, says Patrik. From his own experience, it is better to understand all things technical in order to reach that senior level: have an understanding of the technical dimensions, but then add knowledge of some legal matters, too. Through Patrik’s international role, he’s also seen some lawyers become technically experienced enough for the CISO role; it’s not seen very often and is possibly not the best approach to the information security/cyber security space, but it is very feasible, because it’s very important for a CISO to be really good in legal matters as well.

The ideal candidate – what do you look for?

To Patrik, there are two types of employees he’s looking for; one is a junior and one is at a more senior level. From the junior role perspective, he’s more focused on graduates with a minimum requirement that is not necessarily computer science related, but the candidate must have the capability to learn and understand what he is working on. The candidate has got to be willing to further his knowledge and make the commitment to the role.

For the more senior role, Patrik expects the candidate to have a level of experience in technical and risk management, including cyber risk. They’ve got to be able to manage people, possess the basics in negotiation skills and be adaptable. Patrik is not averse to potential candidates’ backgrounds being ex-military or ex-law enforcement, as long as they are able to bridge the gap between their former national careers and the private business world.

Any candidate, be it junior or senior, has to understand and embrace the fact that they will be in roles where they will be providing recommendations, ‘policing’ information security activity, and enforcing processes and procedures. They have to be able to digest information and have the initiative to conduct ongoing investigations if they are not happy about an aspect.

GDPR and data protection – what’s your advice to organisations?

To Patrik, businesses are entering unprecedented waters where the critical asset of a company could be leaked at any time. It is very important that these new forms of security risk aren’t ignored.

“This new risk to data, to information within the organisation, is increasing. It’s important to understand the dimension of risk and to own that type of risk.”

Engaging in open discussions with other departments is becoming critical. In the past, particularly in banking, it was a case of silos; different departments that operated independently. That’s no longer possible. Departments need to ‘open the door’ and organisations need to develop company-wide processes in order to deal with all the risks, a ‘one-stop-awareness-shop’, over which the CISO has control.

In addition, in Patrik’s view, it is important to keep up-to-date with what’s happening in the marketplace in terms of cyber attacks and security breaches. The more aware you are of your network, your associations, the more alert you will be to anything that looks out of place within your own organisation. It is also very important that any CISO promotes their roles to the board, educating the board as to the potential threats and risks; this is where communication and negotiation skills are essential in gaining the support of any board.

Over the next few years, CISOs are going to have to deal with insider risk and risk management more and more. It creates a different dimension; so, rather than a CIO or a risk dimension, it will be an information protection dimension and that, Patrik believes, will be the main focus for CISOs in the future. There is a necessity to focus on the data itself and ensure that it meets a completed framework within the security environment in order to keep the company’s main asset safe.