In today’s inaugural launch of our “Meet the ICS Expert” series, we are honoured to feature Mike Somers, one of our highly experienced and talented fractional CISO’s. Mike’s career journey, from tech support to safeguarding critical infrastructure, highlights his appreciation and deep understanding of the cybersecurity landscape. With a keen focus on cultural cyber resilience, Mike emphasises the critical role of security as a strategic partner, ensuring its seamless integration into the very fabric of business operations. Join us as we explore the intricate responsibilities of a cybersecurity leader, examining familiar challenges such as board expectations, evolving threat landscapes, and the crucial alignment of security measures with overarching business objectives. 

Interview Questions

1. Could you share a snapshot of your career journey and what makes being a fractional CISO so enjoyable for you? 

“I began my journey in tech support, transitioning from supporting the general public to delving into data analysis while pursuing a degree in computer network technology. My career evolved to include securing smart metering technology and eventually integrating IT security into critical infrastructure for a demand-side energy firm. Over four years, I managed 150 clients, and I later built a security division from scratch for a public sector organisation, emphasising security as a business enabler. 

My passion lies in making businesses secure and promoting the idea that security is a business enabler rather than just a cost centre. This belief led me to become a fractional CISO, allowing me to leverage my expertise across multiple organisations. For me, the joy in this role comes from not just securing businesses but contributing to a safer world by winning hearts and minds on the importance of cybersecurity.” 

2. How do CISOs focus on developing cultural cyber resilience, beyond managing teams and programs of work? 

“In some ways security is shares to the brakes in a car. Security functions as a swift response mechanism when needed. CISOs achieve this by aligning security outcomes with business goals, integrating security into the business by design, fostering agility, and ensuring security is at the core of operations, enabling swift response to incidents.” 

3. How do you perceive differences in CISO job opportunities concerning variations in salary, required skills, and experience? 

“It is crucial for a company to clearly define its expectations for the CISO role. Does the company want someone to strategically advance the business while ensuring security? If such expertise is not essential, the organisation may not necessarily need a CISO. Understanding the diverse roles of a CISO is important, as there are four primary types. The Transformational CISO focuses on a maximum of three years until the transformation is fully integrated. The BAU (Business as Usual) CISO manages mature processes, while the Full Tech CISO involves a crossover with the CTO, emphasizing development and analysis. Another type is the GRC (Governance, Risk, and Compliance) CISO, focusing on policy and control. Occasionally, an engineer may be necessary, but not always. The key is to hire based on specific needs, ensuring the selected individual can make lasting decisions extending beyond their tenure.” 

4. How can organisational leaders effectively manage the board and executive stakeholders’ expectations regarding cybersecurity, considering the widespread potential for cyberattacks and the misconception of being breach-proof? 

“Not all businesses recognise the value of their data, mistakenly assuming they are unattractive to hackers. However, opportunistic threats, like accidental ransomware, can impact any business. Similarly, even if your data is not valuable, being the only business without windows or doors on the street makes you a potential target. It’s important to convey the risks in lay terms, that all stakeholders and not just the board can understand and get behind.”  

5. How can companies effectively track to justify their increasing security spend within the broader context of IT budgets?  

“Companies should recognise that not all security spend is exclusively security related; to do security properly you need IT, a sizeable portion is IT spend. Asking security specific questions during budget discussions helps avoid duplication. Security by design from the outset reduces total cost of ownership (TCO) by 70%, and KPIs for assessing offensive and defensive costs vary based on the organisation’s specific security needs and risk profiles.” 

6. What are the primary challenges and priorities that businesses should focus on in the coming year regarding budget allocation and the evolving threat landscape? 

• Enhancing password management: Not enough businesses are passwordless. AI (Artificial Intelligence) is not the holy grail.  

• Security culture: Looking after people. Helping people understand security in general in their personal lives, achieve that and businesses will automatically become more secure. 

• Generative AI: Considering the significant investment in generative AI technology, it’s highly likely the technology will be leveraged by nation state entities rather than by hackers or cyber criminals targeting everyday businesses. Despite the perceived high risk, caution is essential to navigate vendor hype. The key question to ask is do specific business needs justify adopting this technology. Query all aspects and consult vendor neutral individuals.” 

7. How can the cybersecurity industry address the growing skills shortage of mid to senior-tier professionals amid the recent resignations, evolving threats, and rapid technological advancements?  

“Streamline budgets in cybersecurity by emphasising broad skill sets. Instead of hiring multiple people, invest in solid junior/entry-level programs across targeted skills development areas. Enhance talent retention through increased investment, competitive pay, and targeted reskilling and upskilling training programs for existing teams.” 

8. Which tools are essential for a modern Chief Information Security Officer’s (CISO) toolkit? 

“Key tools include CSET (Cyber Security Evaluation Tool), Panaseer, Stimulate, and a reliable penetration testing company such as Incursion Cyber Security for an external assessment of controls. It’s crucial to prioritise risk profiling with robust maturity modelling. Additionally, having a strong network and community for knowledge exchange is invaluable. Lastly, a board that is open to investing in the right area’s, is essential is you are to achieve cultural resilience.” 

9. Balancing the technical and human aspects of a CISO role is challenging. How do you prioritise your mental health and build personal resilience amid evolving demands? 

“Achieving balance in a demanding role like a CISO involves strategic choices. Recognising when to say no, selectively engaging in battles, prioritising personal time, and encouraging work-life balance amongst your team are vital. Taking control of your schedule, setting sensible boundaries, and making choices that align with your well-being contribute to mastering the delicate art of a work life balance.” 

10. What advice would you give to a company thinking about hiring a CISO but are usure they need one full time? 

Consider scheduling an initial discussion with a Fractional CISO service like the one ICS offers to assess if it aligns with your business needs. This conversation can help determine the key drivers behind the decision and quickly identify whether a fulltime resource is required and the type of CISO that best suits the businesses goals. 

Our skilled CISO leaders will help your organisation prepare for all compliance and security eventualities. Our fractional CISOs are here to solve your crucial cyber security challenges.