“I was very raw, it was by accident,” recalls Francis Kaitano on the first time he spoke before the board and the executive team.
At that time, he was the information security manager at an insurance company. He was asked by the CIO to talk about cybersecurity issues.
“I started to talk to them in technical lingo,” he says.
The upside was that the board understood it was his first time to present to them. They told him cybersecurity discussions will be part of the upcoming agenda so that his presentation was not a one-off.
But they also advised him: “We want you to talk to us in our language.”
The company then sent him to take a course at the Institute of Directors – an opportunity his peers had not been fortunate enough to be given.
“When you are in security and working under a CIO, the CIO will understand your requirements as well as the technical terms. But talking to the board and the executive is different,” he says.
Kaitano is now cybersecurity leader at Fusion Networks New Zealand, based in Wellington, where he leads a capability aimed at delivering business- and risk-driven, simple, innovative, practical and measurable services.
But on the side, he teaches and mentors people who would like to work in cybersecurity.
Don't just have people who think like you, have people who think outside your box, who challenge you in your comfort zones.
He is involved in the IT Pathway programme at Fusion Networks which aims to grow practical digital skills in students as early as possible.
Kaitano is one of only two instructors in New Zealand for the International Information System Security Certification Consortium, also known as ISC2, for its Certified Information Systems Security Professional (CISSP) certification.
CISSP is a globally recognised certification in the field of IT security, but people used to have to go offshore to prepare for it. A lot of the students also opt to self-study, says Kaitano. “There are people coming out of university without these certifications.”
“The net effect is we are struggling to find enough people who are certified to join the industry,” says Kaitano. “And yet, if you look at every security job out there in New Zealand, in the job description, you must have CISSP and CISM (issued by ISACA) certifications.”
So when Dr. Ryan Ko of the University of Waikato, who is working with ISC2, put out a call looking for people who could help with teaching and preparing students for these examinations, Kaitano put his hand up and attended a five-day instructor course.
When ISC2 gets five to 10 people in a course, Kaitano will work with them, providing tutorials through weekly boot camps to make sure they pass.
Generally, students take between three and six months doing self-study, though some may take longer. The time frame is similar to the preparation for the CISM certification issued by ISACA. There is an instructor, and then students study on their own.
Kaitano helps the students by simplifying the coursework and giving them the best approach to understand the modules.
In both cases, however, he takes extra steps and teaches other skills that are outside the course syllabus.
These are essentially around soft skills – leadership, communication, and stakeholder management – that he views as critical to succeed in the role.
“You can be certified but when you put a technology person in front of business stakeholders, they may not be able to convey the message.”
His students include people working in consultancy firms who put RFPs for security projects.
“These are people who interface with senior executives and they have to be trusted advisers,” says Kaitano. “So how do you communicate as a trusted adviser? If you ask for more funding, but you don’t convey your message well, you may not get it.”
He also incorporates discussions around supporting innovation, working in a digital environment to help the business to be innovative.
All organisations are going through massive transformation and these shifts involve working on digital programs involving internet of things, analytics and cloud technologies.
You have to look at these technologies from a security perspective, he says.
“Put on your security hat, assess what the organisation needs to do to enable IoT, for instance, communicate that with the leadership team and be part of the innovation journey.”
No skill set is not useful in security
Part of that communication is the ability to manage change.
Organisations are shifting faster, change is ongoing and it is not happening in peaks, he says.
So the question is, “how do you manage with change across the domain and be relevant continuously?”
People in the security field realise this is what needs to be done. This topic, however, is not included in the certification courses, he says.
Kaitano also teaches about the basics of finance management by explaining that when funding is secured, CSOs need to manage programs cost-effectively.
But the return on investment from a security programme should not just be measured in financial terms.
To highlight this, Kaitano said he was once asked to attend a meeting on an initiative around customer experience. The presenter explained the project, the return on investment, and how it will provide a competitive advantage to the organisation.
He contributed to the discussion, talking about the security measures needed for this new technology once customers start using it.
As he explains, security is important to reduce damage to the company’s reputation.
“Imagine if you go out to market with a mobile app which is insecure and the next day there is reputational damage for you in the news,” he says.
Finally, Kaitano mentors some people around stakeholder management.
He points to an experience working on a project involving several agencies. Each organisation had its own CIO with their own goals and different vendors.
“How do you bring them to the same wavelength and see a single goal, on how it should be done? It took a lot of level of understanding politics and egos,” he says.
Career turning point
Kaitano began as a software developer, working for an insurance company in his native Zimbabwe. EY reviewed the systems and identified the security gaps. The CIO looked for somebody to resolve these things.
He was then eight months into the job. “That was my first role after university, I had lots of energy,” he says.
He worked out with the rest of the team what needed to be done and within three months was able to close 90 per cent of the findings. The EY partner then invited him to join their team in Southeast Africa.
That was 2004, when security capability needed to be integrated with the rise of internet banking and online shopping in that part of the world.
Upon joining the consultancy firm, he started to see the need for certifications. Some of the security team had certifications, but none had CISSP. As a result, he was the first certified CISSP in Zimbabwe.
He then moved to New Zealand, working at Deloitte, and then spent time at a range of organisations in finance, health, public sector, energy and utilities.
He joined local information security groups. “I wanted to learn from them and understand the New Zealand operating environment.”
“Without exposure to all those new things that are happening, you will struggle to deliver value add security,” he explains.
An avid reader, he blogs regularly, and also attends conferences on security and emerging technologies.
“If you are in a defined industry, there is so much happening in your industry and beyond that. How do you condense that into something useful that you can offer to your internal stakeholders? That is one of your most important tasks,” he says.
“You also have to avoid groupthink.”
Thus, Kaitano tells his mentees to open up and welcome diversity. He encourages them to hire people with different perspectives and not just hire somebody with a qualification in security.
Hire someone from a communications background, or a fashion designer – they will bring different thinking to the role, he says.
“Or, hire a salesperson. If you are struggling to sell your message, the salesperson will help you.
“You need diversity around your perspectives, around gender,” he says.
He says the security sector is also being disrupted, with machine learning and analytics being used in the job. When Kaitano started studying security, students needed to know how to write every command.
“Times have changed, machines can do that now. Somebody who understands data can look into security data and pick up a meaning. So why would you not hire a data scientist? The industry is changing, requiring multiple skill sets,” he says.
“So, no skill set is not useful in security. Whatever skills you have, put on a risk hat on top of it, and develop an intuition for risk, and you will fit into security.”
Having a technical side is brilliant, but it is important to combine it with non-technical skills.
“Like the letter T, you develop the depth and also the breadth of skills because things are moving faster. It does not mean you have to wait to be a technical master,” he says.
“Once you do that, start asking your technical peers, what does this mean from a technical perspective?”
Kaitano continues to be active in groups helping migrants from Africa. He says most of the migrants came as refugees and need help in understanding and settling in the new environment.
He helps them with technologies that can connect them with their families back home.
He talks to the younger people so that “they don’t get sidelined”.