What qualities does a good CISO need as 2021 progresses?
Guest blog: Gavin Ellis, Atkins and Robin Oldham, Cydea as part of our #Cyber2021 week
If the past year has taught us anything it’s that organisations that were IT-secure enough to face the challenges of a global pandemic have probably fared better than those that weren’t.
Covid has brought the need for organisations to be adaptable, pragmatic and resilient into sharp focus. The more astute risk managers would have had ‘a disruptive event that prevents staff access to the office’ on their risk register, at the very least in recognition of bad weather, fire or travel disruption. These organisations should have ensured it had modest spend and resource set aside to allow secure remote computer access so that its critical workforce could transition smoothly and securely to working at home if they couldn’t get into the office.
The IT security equivalent of handwashing
Perhaps those that weren’t so well-prepared had instead focused on the possibility of a more dramatic event happening – a major incident that would make much a much better Hollywood blockbuster – and not something as seemingly mundane as a flu virus. When seeking investment at board-level, it can be tempting to lean on these dramatic doomsday scenarios. But it is a chief information security officer’s (CISOs) responsibility to keep the c-suite grounded. Covid has forced us all to go back and revisit the simple things in life like washing our hands. In the same way, CISOs must remind the board to keep asking the question: “Are we performing the basic cyber hygiene?”
Organisations are more vulnerable when they neglect the basics – and nowhere is this issue more apparent than when it comes to the people who use company IT systems. Cybercriminals have been quick to exploit the learning curve faced by many employees when getting to grips with new IT tools and new ways of working. Communicating basic hygiene to the workforce has, therefore, never been more important.
Learning and looking ahead
It is also the CISO’s responsibility to continually improve their organisation’s security position. The last 12 months have provided plenty of challenges, but also opportunities. Every CISO should now be better prepared for any future crises, because they’ve faced one. Any experience gained from resolving incidents – be that a near-miss or a wide-scale headline-hitting computer hack – provides valuable insight into how CISOs, their organisations, and their technologies, can cope. It is crucial that we learn from the lessons that the experiences of the last 12 months have taught us.
Good CISOs will emerge from this pandemic as having been highly effective in a crisis. They will have a renewed understanding of how the disruptive nature of a major world event, like a flu pandemic, can affect every touchpoint of their organisation. They will have an improved appreciation of their business, a better understanding of their dependencies and which services are truly critical to operations, and they will be able to confidently scale their people, as well as their technology, to adapt to changing circumstances.
A good CISO seeks expert advice
Many organisations are accelerating migrations to the cloud and changing office infrastructure to ensure that they can flex and scale to adapt to these new ways of working. The cloud market offers an enticing range of solutions for businesses whose IT systems have struggled to cope with covid’s impact.
Software giants that are prepared to invest more than US$1 billion every year on their own cybersecurity look like a sensible move, but it’s important to ask: is your traditional IT team best placed to advise on the transition? A good CISO will also be open to seeking out expert advice.
Trust and awareness in the workforce
They must also be able to communicate clearly that security isn’t something being done to the organisation – it’s collaborative, it needs to be embedded, and it’s something won or lost as a team. He or she will advocate for a cyber-aware organisational culture; one that trusts and empowers its people and instils in them the importance of taking data security seriously, backed by employee training and awareness campaigns.
This is especially important when employees are faced with sudden, mandatory, new ways of working. The c-suite must in turn understand that robust cyber security is not a matter of doom and gloom scenarios, and what might go wrong. It’s about supporting their CISO to ensure their systems remain vaccinated, and their organisation stays well-protected.
Gavin Ellis is a cyber security architect for Atkins, a member of the SNC-Lavalin Group. Working with managing consultant Robin Oldham of Cydea the partnership advises clients cyber security and cyber resilience.
Jill Broom
Head of Cyber Resilience, techUK
Jill Broom
Head of Cyber Resilience, techUK
Jill leads the techUK Cyber Resilience programme, having originally joined techUK in October 2020 as a Programme Manager for the Cyber and Central Government programmes. She is responsible for managing techUK's work across the cyber security ecosystem, bringing industry together with key stakeholders across the public and private sectors. Jill also provides the industry secretariat for the Cyber Growth Partnership, the industry and government conduit for supporting the growth of the sector. A key focus of her work is to strengthen the public–private partnership across cyber to support further development of UK cyber security and resilience policy.
Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.
Olivia Staples joined techUK in May 2025 as a Junior Programme Manager in the Cyber Resilience team.
She supports the programs mission to promote cyber resilience by engaging key commercial and government stakeholders to shape the cyber resilience policy towards increased security and industry growth. Olivia assists in member engagement, event facilitation and communications support.
Before joining techUK, Olivia gained experience in research, advocacy, and strategic communications across several international organisations. At the Munich Security Conference, she supported stakeholder engagement and contributed to strategic communications. She also worked closely with local and national government stakeholders in Spain and Italy, where she was involved in policy monitoring and advocacy for both public and private sector clients.
Olivia holds an MSc in Political Science (Comparative Politics and Conflict Studies) from the London School of Economics (LSE) and a BA in Spanish and Latin American Studies from University College London (UCL).
Outside of tech, Olivia enjoys volunteering with local charities and learning Norwegian.
Annie is the Programme Manager for Cyber Resilience at techUK. She first joined as the Programme Manager for Cyber Security and Central Government in September 2023.
In her role, Annie supports the Cyber Security SME Forum, engaging regularly with key government and industry stakeholders to advance the growth and development of SMEs in the cyber sector. Annie also coordinates events, engages with policy makers and represents techUK at a number of cyber security events.
Before joining techUK, Annie was an Account Manager at a specialist healthcare agency, where she provided public affairs support to a wide range of medical technology clients. She also gained experience as an intern in both an MP’s constituency office and with the Association of Independent Professionals and the Self-Employed. Annie holds a degree in International Relations from Nottingham Trent University.
Programme Marketing Assistant for Public Sector Markets, techUK
Tracy Modha
Programme Marketing Assistant for Public Sector Markets, techUK
Tracy supports the marketing of several areas at techUK, including Cyber Exchange, Central Government, Cyber Resilience, Defence, Education, Health and Social Care, Justice and Emergency Services, Local Public Services, Nations and Regions and National Security.
Tracy joined techUK in March 2022, having worked in the education sector for 19 years, covering administration, research project support, IT support and event/training support. My most outstanding achievement has been running three very successful international conferences and over 300 training courses booked all over the globe!
Tracy has a great interest in tech. Gaming and computing have been a big part of her life, and now electric cars are an exciting look at the future. She has warmed to Alexa, even though it can sometimes be sassy!
Programme Team Assistant for Public Sector Markets, techUK
Francesca Richiusa
Programme Team Assistant for Public Sector Markets, techUK
Fran serves as the Programme Team Assistant within techUK’s Public Sector Market Programmes, where she is responsible for delivering comprehensive team support, managing administrative functions, and fostering strong relationships with members.
Prior to joining techUK in May 2025, Fran built a meaningful career in the charitable and local government sectors. She worked extensively with both victims and perpetrators of crime, and notably led the coordination of Domestic Homicide Reviews across Surrey—an initiative aimed at identifying lessons and preventing future incidents of domestic abuse.
Outside of work, Fran is an avid traveller and a proud cat mum who enjoys unwinding with her feline companions.