A week in the life of an InfoSec Director

Sherif Mansour
Just Eat Takeaway-tech
Apr 17, 2023

As the world becomes increasingly digital, the role of information security becomes more crucial than ever. These teams are responsible for ensuring that a company’s sensitive data is protected from cyber threats, and they play a critical role in maintaining the overall security of the organisation. In this article, I will walk through a typical week in my life as an information security director, including the approaches our teams take to keep the company secure.

I leverage the Institute of Directors’ four areas of corporate management, which are:

  • Leadership
  • Strategy
  • Finance
  • Corporate Governance

I use those to help run my team. To tailor the approach to information security, I have also included risk management and stakeholder management. I theme my week around these areas, making sure to allocate time for each one to ensure that we are operating effectively and efficiently.

It’s worth noting that, especially in infosec, it’s important to be adaptive. You never know when the next crisis will hit. Yet even if an entire day is lost to another activity, you know the worst case is that you are a week away from getting back on track. Likewise, the teams have their own cadence, meaning that if I am providing them with air cover or dragged into an important call, they can continue unhindered.

Monday — Strategy

On Monday, I focus on delivering our strategy in order to ensure that the team has a running start to the week. This includes reviewing our current initiatives and goals and identifying any areas that need additional resources or attention. I also work closely with the members of my team to ensure that they are clear on their responsibilities and have the tools and support they need to achieve our objectives.

Additionally, I use Monday as an opportunity to communicate with other stakeholders in the company such as the management team, to ensure that they understand the important role of information security in the company and the ongoing efforts that we are making to protect our assets. This allows me to align our information security efforts with the overall business objectives and ensure that we are effectively addressing the risks that matter most to the organisation.

Tuesday — Leadership

On Tuesday, I focus on management of my teams. Specifically, I have hour-long 1:1s with everyone on my leadership team as well as my line management. These 1:1s are my leadership team’s opportunity to highlight how I can support them (it’s their meeting). We keep our discussion focused on the key areas of leadership, strategy, finance, and governance to ensure we cover the range of topics which impact the team:

Wednesday — Stakeholders

On Wednesday, I focus on our stakeholders. It is crucial for the success of an infosec team that we have the trust and respect of our stakeholders and a collaborative working relationship with them. At JET the infosec team takes the role of doctors as opposed to police officers. What I mean by this is that we focus on influence more than authority. We take our responsibility as a duty of care for the firm, identifying technical risks and working with teams on how best to resolve them. I tend to be in the office three days a week and I make a point to be there on Wednesday to ensure I am able to have face-to-face conversations with my peers and key stakeholders like our product and engineering partners, as well as internal partners like finance, people partners (HR), and internal audit.

Thursday — Risk Management

Firstly, every day at JET is risk management day, and we have a team dedicated to that function. With that said, I take the time on Thursday to speak to my teams and review the current risk register to ensure we are on top of it. The teams continuously need to ensure that:

  1. We have sufficient coverage of controls and assessments to identify our risks.
  2. We keep up to date on the changing threat landscape.
  3. Decisions are made at the right level for each risk.

For our technical risk management we have a monthly cycle:

  • The first two weeks are spent speaking to the director level about their risks.
  • In the third week of the month the major risks and discussion items are discussed at the senior technology leadership level (CTO, CPO, VP level).
  • In the last week of the month we report up to the management board (CEO/CFO level).

This ensures that at every level of the company key risks are reported, discussed, tracked and addressed.

Friday — People

On Friday, I focus on our people and their wellbeing. Ultimately we get things done through people and we are nothing without them. It’s therefore essential that we balance challenging work with great support and a great working culture. The teams need to feel that we have their back, that they are listened to, and that we give them the necessary time and resources to deliver on our objectives to protect the firm.

From simple coffee breaks with team members and identifying actionable changes to improve our culture, to reviewing training and travel and identifying personal development plans for my team, I put in the time.
