The Amrop Digital Interviews: Jessica Conquet, CISO Randstad
"I feel empowered and trusted by the company’s global CIO, as well as members of the Executive Leadership Team. But theirs is not a blind trust – I need to come forward with a really good storyline and good narrative."
Jessica Conquet, Global CISO at Randstad, spoke with Job Voorhoeve, Amrop’s Global Digital Practice lead, about the differences in managing risk in a financial institution vs the talent services industry, the sources of tension between the CIO and the CISO, as well as the strategies to reduce them, and about the importance of the CISO being aligned with the organization’s business goals.
Job Voorhoeve: Can you talk a bit about your previous professional experience in the banking industry and what are the main differences when working in the field of security management in banking and in the human resource/talent services?
Jessica Conquet: The core difference is that the banking industry is highly regulated. If you’re a CISO in the banking industry, where you have the three lines of defense, your function sits in either the second or the first line of defense. So, it’s quite clear what your position is – what your mandates are. Besides that, your strategy is fully bound to the legislation. If you’re in the Netherlands, the European Central Bank for instance demands that you are regularly audited, that all changes in your IT infrastructure have security integrated from the design phase, that you regularly perform security testing and that certain critical processes are certified for security standards. In the staffing industry we do not have an overarching globally managed organization that oversees and regulates security, but that does not mean that the staffing industry is not risk averse. Randstad is a reliable partner for talents and clients. The crown jewels are literally our talents, their careers, and their income at the end of the month. To keep their trust, Randstad is responsible for making solid security decisions and being disciplined in execution.
JV: What, then, was your process of introducing security management?
JC: We manage security within Randstad through the lens of our own Cyber Resilience Framework, which matches all laws and regulations that apply to us in the 40 countries in which we operate. Of course, we also use the common market best practices to build up our maturity to resonate with our peers, the requirements of our clients and the risk appetite set by the board of directors.
JV: Are there any other differences between the staffing industry and the banking environment which you perhaps find surprising?
JC: Not surprising but slightly different is how the company is organized internally. Many times, in a bank you’d find that the CISO functions in the second line of defense to help ensure that risk and controls are effectively managed, while the operation (IT and Business) is accountable for managing the risks within their first-line operations. The role of a Business Information Security Officer (BISO) in operations is a common practice. Within Randstad our model is slightly different. The Global CISO office runs both the 1st and 2nd line of defense, taking responsibility on one hand for the design and deployment of security controls and on the other hand for setting policies and guardrails, and controlling and monitoring operations. Both sides are delivered by different teams with segregated duties. The 2nd line team works in tight collaboration with the Business Risk and Audit Function, which sits in the 3rd line of defense.
JV: You have CISOs in many regions working in more than 39 different Randstad markets. You have built the Global CISO office into which CISOs worldwide report directly or indirectly. Can you talk a bit about the way this organization functions in relation to the IT organization and CIOs?
JC: Within Randstad the IT organization, led by the Global CIO, is managed by regional CIOs who report directly to the Global CIO. Every regional CIO is supported by local CIOs of the different operating companies. I found this model to be well-functioning and decided to organize my CISO community in the same way. Now my regional CISOs are partnering seamlessly with their peer regional CIOs in supporting the business. Where the IT department supports the business by delivering IT infrastructure, we, the CISO community, mandate policy adherence and monitor the infrastructure and applications to ensure a secure IT platform and applications.
JV: That makes sense – to mirror the IT organization. But your CISO organization has various subsections which are very different and don’t mirror the IT organization, right? You have the leadership, which is aligned, but then diverging parts of the organization beneath.
JC: That is correct. Our Global SOC (Security Operations Center) with its Cyber Defense Center (CDC) works on the follow-the-sun principle, supporting Randstad globally through different hubs around the world. We have also developed several shared services, for instance pentest services, Internal Compliance Review, Third Party Risk Management, Data Security, Awareness and Training, incident response education, and gamified tabletop exercises and training for our development teams.
JV: In the study that Amrop’s Global Digital Practice did in collaboration with our strategic partner in the US, JM Search, we explored the sources of the tension which can sometimes be observed between CISOs and CIOs – and which often comes down to the priorities of enabling business objectives through technology versus maintaining a robust security posture. What, in your experience, are the specific areas where this tension most clearly manifests itself? And how does a successful CISO go about building the relationship with the CIO and alleviating these tensions, if there are any?
JC: First, I want to be clear: the CIO at Randstad and I managed to build a relationship which is free of tension. I have been frequently asked what makes this combination work, and only recently I’ve arrived at what really seems to be the right answer for me. It’s not really about the reporting line for me – what’s crucial is to have a direct line to the board, the leadership community, and the executive board, because, I believe, if you don’t have that, at a certain point the tension can become too great, the responsibility areas can collide and you’d be set up for failure as a CISO.
JV: Can you talk a bit more about the sources of tension that can occur?
JC: The tension can mostly arise when the IT infrastructure (OS, servers, network, middleware, applications, IT providers) contains critical vulnerabilities that need to be mitigated within a short timeframe and IT cannot guarantee the business its full availability and/or functionality after mitigation takes place. This is when the CIO and CISO need to find a solution to mitigate in time while keeping the security posture of the company up to par and still keeping the business processes running smoothly. The CIO and the CISO both support the same business, so in situations like this it is important to understand one another, communicate clearly and transparently, and keep the risk management with the rightful owner of the risk – often a business owner.
JV: And you are, of course, also building those security functions, so identifying and fixing these vulnerabilities is where you and your team play a highly important role.
JC: Yes, we are playing a crucial role in identifying vulnerabilities. But before IT or the development teams can start fixing them, they need to understand the classification and impact of the identified vulnerabilities. And this is where we face within Randstad the challenge we see nowadays with a lot of companies. The security team is constantly trying to find a counterpart within the business and within IT to mutually conduct cyber risk assessments and threat modeling and to clear the way to decide on the best way forward, keeping our business secure and free from the identified vulnerabilities. The capability of cyber risk assessment is not fully embedded yet in the functions in business and IT, and therefore we find it somewhat difficult at times to come to a unified plan which is free of temporary risk exceptions.
JV: So, besides resources and investment, you need time to guide a corporation like Randstad through this transformation.
JC: The whole transformation will definitely take time. But as a CISO you always need to showcase the progress – your main stakeholders need to be able to see that you’re growing in maturity. Cyber threats will very likely remain high at the top of threats corporations are facing. As we are transforming towards a more cyber resilient organization, we need to be vigilant of our threat landscape and ready to respond in all kinds of areas where we can be hit.
JV: So, it’s not just about managing what’s coming from outside but also about the stakeholder management and showing progress. You have a good reporting structure – with the Board and also the Audit committee, and you’ve built a good relationship with the CIO because you often need to be working on the technological side of things too. Much of that has to do with communication. What are your best practices when it comes to communicating the security status and concerns to the Board and the Executive Leadership Team? What do you find works best?
JC: My background is IT, security and audit. I like the field of communication, but it is clearly not my core competence. When I started working at Randstad, I decided immediately to put somebody in charge of communication to support me in getting the right message across. Also, I can advise every CISO to claim their time with their stakeholders. Only by connecting to your stakeholders do you find out what makes them tick and where you need to support them to understand better or deal with challenging situations. The other day I learned that an executive board member had seen a news piece about a company which had fallen victim to a deepfake attack and had lost millions of dollars. This news piece clearly made an impression. So, we had a simple chat about it and, as a result, we presented a short video to the Executive Board and the leadership community on how to recognize these deepfakes. Within a few days we were able to launch this little training to the right community, so they’d get more insight into it.
JV: So, you listen well!
JC: I try to... yes! But it would be utopic to expect that whoever initiates a new business or a new deal with a client tomorrow will immediately come to me and say: Listen, I already shared the requirements for security with my team and started assessing the risk with the external parties! – that is not very likely to happen! But the fact that the business understands cyber as an enabler, knows when and how to interact with the CISO office and seeks help - that’s already a big step in the right direction!
JV: And, when you do that, is that aligned with the CIO and the IT organization, or is it more of a general, informal discussion you’d have with people? It’s not a strategy where IT and security are aligned, but you have to respond quickly, right? So, this aspect of your work has a different focus, doesn’t it?
JC: Yes, absolutely. We do have our town hall meetings together with the CIO, where we make sure that all the CIOs are also aware of what’s happening with security, and we also have the CISO town hall meetings, where, besides all the CISOs, we also invite some of the IT and business stakeholders who are working very closely with the security organization.
JV: So, you invite the leadership teams to also demonstrate that you and the CIO are united and working together – that way you can align. And what are the more formal ways you work and connect with the Board and the Executive Leadership Team?
JC: There’s a leadership community with all top leaders, and last year I joined some of their offsites in different regions. In the second half of last year I started what I called a gamification exercise, where the leadership teams were learning how to respond to incidents through gameplay. That was great, because we formed a circle of trust and played the game for two and a half hours, and that allowed me, with my main stakeholders, to really find out the level of preparedness we had. And all that without putting somebody on the spot.
JV: It’s clear from what you’ve said that as a CISO you’re also a teacher and an advisor to your organization – you’ve taken it upon yourself to teach them how to deal with the risks which they’re facing in this very complex environment.
The final question I want to ask you relates to the business strategy and perspective. To what extent do you as a CISO need to be involved with the organization’s business strategy and goals in order to achieve the necessary alignment between business priorities and security posture?
JC: The staffing business of Randstad is very interesting and enormously diverse, which also drives the complexity. At Randstad it’s not one size fits all, so I need to understand the company’s business strategy and I need to know how to align to that strategy so that I can make my risk assessment and know what our potential risk is. If the strategy changes, I need to know that because every change means that I need to maintain the security in the “old world” and at the same time transfer it to the “new world” – so during each period of change I have two environments where I need to ensure the company is secured.
JV: So, you’re supporting the businesses, increasing the quality of the services, meaning that you’re creating added value for the business.
JC: Well, yes, nowadays for corporations like Randstad business-oriented CISOs are in high demand!
A very special thank you to Jessica Conquet for her insights and thoughts!
For more perspectives from CISOs and CIOs, read our study on “CIO & CISO: Managing Tensions and Working Together” by Amrop’s Global Digital Practice and Amrop’s strategic partner JM Search.