Over his career, Denis Onuoha has seen information security shift from technical backwater to core enterprise capability. As Chief Information Security Officer (CISO) at U.K. communications infrastructure provider Arqiva, he sees the value of responding with a new style of technology leadership.
A Function on the Move
Ten years ago, information security was a last-minute technical check before go-live, says Onuoha. Now, it’s a strategic competence on the board agenda due to high-profile data breaches and growing customer and regulatory pressure.
“Information security is no longer a tick-box compliance exercise. It’s baked into company DNA,” Onuoha says.
But while members of the board engage with the topic much more, there is still often a significant gap in understanding. This is where Onuoha sees emotional intelligence as the key to communicating security risk effectively at a strategic level. “Security leaders aren’t just the do-ers anymore. We need to change how we communicate. We need to listen to understand, not listen to respond.”
For Onuoha, security leaders must understand the perspectives of customers, individual board members, employees, government and regulators.
“When most breaches happen, the impact is public. Take our B2B business, where we are part of our customer’s supply chain. If our service goes down during a major sporting event because we haven’t secured it, that affects our customers, their advertisers and everyone watching the event. For critical national infrastructure customers, the risk could be regulatory or shareholder value. My job is to help the board understand, mitigate the risk and be ready to react and recover if a breach occurs,” Onuoha says.
Equally, boards can get frustrated when solutions don’t deliver tangible impact. This is especially true when facing pressure on total cost of ownership and customer value. Onuoha believes that’s when emotional intelligence really kicks in. Time spent listening to individuals and aligning with their needs outside key meetings is critical.
Managing Insider Risk
When it comes to employees, Onuoha believes it’s all about education and engagement. The insider is still the biggest security risk, he says, despite the public profile of threats from nation-states or corporate espionage. His approach is managing the risk holistically, starting with employee onboarding and continuing to educate and build employee brand ambassadors.
“Everyone is responsible for security. When people ask how big my security team is, I don’t tell them my direct reports. I tell them I’m building a team the size of our company,” he says.
Building the Next Generation of IT and Security Leaders
Onuoha is passionate about the people side of his business, particularly the opportunity to engage more young people in technology.
“Everyone’s concerned about the lack of upcoming AI skills and machines taking jobs. I think we can stop worrying,” he says. “Humans will always have skills machines don’t. But we do need to give young people more opportunities to learn, to get experience.”
Onuoha’s personal experience of someone believing in him and giving him a chance makes this a topic close to his heart. He believes more intervention could make a real impact on individual lives, as well as on companies building skills for the future.
“Offering tech jobs to young people in disadvantaged communities could help them make the right choices. It’s not a complicated world. We’re not nuclear scientists or astronauts. We need to help them not feel scared of trying, to ask themselves ‘what’s the worst that can happen?’ Then, they have a shot at a different future.”