Stephen Bennett, Domino’s group chief information security officer (CISO), described his organisation as “the largest startup I’ve ever worked in.”
As the first person to hold the role, he was to some extent able to define what the position involved. At first, he “couldn’t even find the elephant,” so he sat next to his senior staff to find out what was and was not working within the security function. He also became “a meeting pest” to find out what the organisation needed, as it was initially hard to get any time with senior executives.
Bennett’s first meeting with the board was a turning point, as he realised he had to understand security from both business and technical perspectives. The rest of the business does not really care about technical matters, because it is focused on concerns such as making a profit. So the CISO’s role needs to be about enabling the business and, on rare occasions, stopping it from making a serious mistake, such as the Netherlands operation’s planned Domino’s dating app, which had serious privacy issues.
It’s about identifying the organisation’s “crown jewels,” what’s needed to protect them, and how much that…