
Cyber Security Leaders - Anna-Lisa Miller, Group CISO for Spectris plc
Anna-Lisa Miller is the Group Chief Information Security Officer (CISO) for Spectris plc. Spectris is a world leader in specialist engineering and manufacturing of precision technology and services which provides high-tech instruments, test equipment, and software for many of the world’s most technically demanding industrial needs.
Currently based in the UK, Anna-Lisa has broad international, commercial experience. Over more than 20 years, Anna-Lisa has built deep expertise in technology and cyber security across a broad spectrum of sectors, living and working all around the world, from consulting at PwC and EY, through to working with some of the world’s best-loved brands including Nestlé, Johnson & Johnson, GSK, Unilever, Xerox, Royal Mail, Shell, British Airways Engineering, BBC and Merlin Entertainments.
She has a strong track record in aligning strategic thinking with operational excellence in technology and risk at large corporations, while meeting regulatory and compliance requirements. She has a relentless focus on customer trust and empowered teams. She is insightful and creative, able to shape relevant and engaging communications to a diverse workforce. Anna-Lisa believes that great security enables all of us to work efficiently and effectively while protecting the enterprise’s digital assets.
The CISO’s role is a very high-pressure, high-stakes job. What is the right profile for this job? / The job of CISO is never going to be an easy one, no matter what you do. The bad guys only have to be right once. How do you deal with that when it seems like an impossible challenge?

I have read a worryingly large number of articles recently, citing high percentages of surveyed CISOs reporting high stress and burnout. It is a huge responsibility to lead an organisation in its efforts to reduce risk and face up to cyber crime. But it’s not a responsibility that should ever be carried by a single individual and I think too often the CISO is expected (sometimes by themselves and often by others) to solve all of an organisation’s security problems in isolation.
I really do believe that security is a team effort and no CISO should feel they are shouldering the responsibility alone. So in terms of the profile, I think it’s a true leadership role – one where we must identify the needs of the organisation and bring the right people together to secure appropriately and effectively. As a leader in security, I think resilience is at the core of pretty much everything.
Richard Nugent is a superb leadership consultant and expert, and he posted this video that I really relate to; I recommend taking a look. As CISOs we have to be resilient in ourselves, we have to look out for the people around us and we must work on the cyber resilience of the organisation as a whole. And that’s across people, process and technology.
Don’t chase the bad guys. By aligning with the organisation’s strategy, bringing the right people together and focusing on the resilience of the organisation, you’ll see that it’s a journey, not an impossible challenge. Every near miss, every incident and even every crisis is an opportunity to learn, grow and strengthen.
How do you communicate information security issues to the board?
It is absolutely imperative the Executive Committee and the Board are armed with high quality and pertinent information, particularly concerning the biggest risks and opportunities to the business – in many organisations, information and cyber security sits in both of those spaces. The Board are time-poor, so it’s crucial that when you communicate information security information and issues to the Board that your communications have a purpose and an intended outcome. I feel that part of my leadership responsibility as a CISO is to be a truly effective communicator.
Think carefully about what change you want to create – action, behaviour, belief, for example – what is your ask of them? Going into any Board update knowing what response you want is, I think, the best way to frame the communication. Understand what they want to hear, think about what they are likely to hear (sometimes those two things aren’t the same) and how you want them to feel. Make sure that they understand what good looks like in the context of the organisation – many Boards have non-executive directors who sit on multiple Boards. Getting to know your Board members a bit better, if that’s possible (remember – they’re very busy people!) is a great way to fine-tune your communications and really get to the heart of what it is they want and need to know.
When communicating issues, in particular, I think it’s important to deal in facts, deliver insights where possible and frame in a positive way that demonstrates and focuses on the value. What has been learned and improved as a result of the issue? The fundamental goal that everyone is striving towards is to help the organisation improve, so make sure all your points explain how revenue, cost structure and risk are impacted. And finally, always align to the strategy, have a point of view, be really clear and never, ever equivocate!
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
I was recently reminded of a famous quote during a presentation from our CEO Andrew Heath – he said “Culture eats strategy for breakfast”. He was quoting the management consultant and writer Peter Drucker. To be clear he didn’t mean that strategy was unimportant – rather that a powerful and empowering culture is a surer route to organisational success. When people talk about culture in their organisation, they can mean different things to different people and the definition can vary quite a lot.
The important place to start, I think, is by asking yourself the question: do you really want a ‘culture of security’ or do you actually want to embed cyber security into your existing culture? Can you align to the organisation’s values and are these recognised and foundational in your organisation? Or is there a look, feel or brand that just ‘feels’ right? You have to listen and observe and get involved in the feedback by really digging into what people think and feel. This will give you insight into what will land well and what simply won’t stick. Is the culture consistent across the whole organisation or are there nuances between divisions and countries? Then you need to choose what direction you’re going in.
Everyone has been impacted by COVID. People have made big adjustments to their lives – working from home, juggling home schooling and work. Many people have also been impacted by the underlying anxiety associated with the virus – concern for the wellbeing of friends and family. We still need to make sure the workforce have access to the right information so that they know what to do; they know what behaviours are acceptable when using technology in a secure way. We have to think and plan carefully how we get those messages across and that we check there’s room for people to absorb those messages.
We have seen an increased burden on employees adapting to new ways of working over the last year. However, in many cases, they are doing it with limited knowledge and without the necessary training or resources to protect themselves from online threats. It is imperative that businesses now look at cyber security as an investment, not just a business expense. It is also important that people realise that security belongs to everyone.

Security culture is what happens with security when people are left to their own devices. Do they make the right choices? Do they know what steps they need to take? A sustainable security culture is persistent. It is not a once-a-year event, but embedded in everything you do. Additionally, it’s really important to establish a ‘no blame culture’. A significant number of cyber attacks go unreported because staff fear embarrassment or punitive measures. Make sure you prioritise a culture where your employees are encouraged to report suspicious activity or possible breaches, even if they are the compromised employee. Even if it is a false alarm. A culture of blame leads to a lack of transparency and that exacerbates the risks to organisational security.
People are at the heart of security, so invest in your employees, speak to them and build trust which in turn will keep your business safer from online threats.
Having given it serious thought, definition and planning, accept that you cannot please all the people all the time. Some parts of your security delivery will fail. Failing is an opportunity to learn and connect with people. If you accept that in making progress and delivering security improvements you will fail, and you welcome feedback and input from everyone then you have an enormous opportunity to collaborate with the entire workforce community. If you keep that door open, and make it clear to all that it’s open and demonstrate that by listening and responding to every person, then you have the perfect conditions to build something very special.
What should a company do if it suspects cyber attackers have been successful?
If you’ve successfully facilitated the right conversations and debate within your organisation, within the context of your culture, people should feel empowered to report suspected incidents. Swift reporting and incident response are key in cyber resilience. Any suspected incident should be treated as a real incident until you have proved that it was a near miss or false alarm.
Having a great incident response process can make this a really efficient and effective way of handling issues and regularly rehearsing incident response is a great way of reinforcing continuous improvement and bolstering people’s confidence in the supporting processes.
I really like the notion of crisis thinking, rather than crisis behaviour, in this context. Act swiftly. Gather the facts. As quickly as you can, rule it in or out as a successful attack. And regardless always learn, pivot and iterate.
How should companies mitigate risks associated with the use of biometrics?
Technology is constantly evolving and I’ve seen huge progress in biometrics systems since the first time I installed a biometrics building access system 20 years ago! Like most if not all other things, it’s important to take a balanced and risk-aware approach with biometrics. There are serious consequences to identity theft, financial crime and medical fraud and so the use of biometrics should be considered carefully. There are huge advantages to using biometrics – personally, I’m a big fan of physiological biometrics and have been for many, many years. Recently we’ve seen a surge in behavioural biometrics. Both have their advantages and disadvantages. I think the best way for businesses to mitigate the risks is to properly and forensically understand where it’s already integral and balance the advantages against the disadvantages. Most people use biometrics in their everyday lives and in most cases this helps to improve security and privacy. They definitely have their place and understanding the requirements, features, benefits and risks in detail is the only way to effectively use and mitigate biometrics.
Could you offer any advice on how CISOs / Leaders and CIOs can work together effectively?
I really do think that the security agenda, strategy and overarching objective to protect the business can only be successful when done in balance and harmony with all business units and through consensus of priorities and actions. This all starts with a strong, high performing relationship with all closely-related teams and it starts with technology and ultimately the CIO or CTO. Cathy Newman’s book, ‘It Takes Two: A History of the Couples Who Dared to be Different’, compiles all the famous and noteworthy couples of history, and Newman analyses each one to show how they’ve made an impact, how they worked together, or how they’ve become notorious.
She makes the point that extraordinary things are often achieved in partnership. A dyadic approach is powerful on many levels – if you can establish a true partnership between the CIO and CISO that facilitates trust and robust challenge, you will be able to accelerate digital transformation in a secure way. From the Executive Committee and Board’s perspective, if they can see this effective partnership, they will see innovation in technology and security is extremely powerful.
But I’ve gone straight to the importance of working together. The question was asking for advice on how to get there… I think all successful effective working relationships are built on a mutual understanding of shared objectives and, ultimately, trust. This can only be done if everyone buys into the strategy and is working towards it, everyone communicates clearly and honestly and everyone delivers against their commitments.
Closing statement

I love my job, I genuinely do. It’s difficult a lot of the time for a lot of different reasons, but fundamentally we’re doing something important and meaningful and often picking up complex issues that other people cannot or don’t want to deal with themselves.
Working in security has given me amazing opportunities to meet people and make friends, establish powerful working relationships, to understand business processes around the world and develop my leadership skills. Being a CISO has given me the opportunity to put those skills to the test and empower others to do brilliant things. I am excited for the next generation of security professionals.
I know the world will look very different in 20 years’ time, much like it did 20 years ago and I am energised by the prospect of developing and lifting the next generation to do better, brighter things in security that we don’t even know are possible right now.