As part of our Interconnection Between People, Process and Technology book produced in partnership with Tanium, we spoke to Andy Piper, CISO Investment Bank & Markets, Barclays.
Andy is the CISO for the Investment Bank & Markets division at Barclays, covering everything from investment banking and wholesale lending to research. He began his career in professional services at Deloitte, specialising in technology risk across a wide range of clients, before focusing more on financial services and finally moving to one of his clients, Barclays.
Andy’s greatest aspiration is to redefine the perception of security and to move away from the old idea of the CISO as “the House of No” towards that of empowering the business to succeed, securely and responsibly.
“I want my team and me to be seen as enablers, not blockers. That means working in partnership with the business, aligning our goals and strategies. The default answer to the business should be ‘yes, with the right controls in place.’”
Andy believes there is a widespread skills and talent gap across the industry, with a growing number of unfilled cybersecurity roles. But Andy argues that the skill most important to the CISO is communication rather than technical ability.
“It’s essential for a CISO to be able to explain complex cybersecurity topics to non-technical stakeholders, like boards or regulators, in terms they understand. Boards care about how cybersecurity affects strategic goals, risk and business operations, not the technical minutiae. While we rely on SMEs for deep technical input, a CISO must be the translator and strategist.”
Given the nature of the financial services industry, regulatory compliance is a big concern. Indeed, operating in over 40 countries, the team is required to manage more than 74 regulators.
“Each country we operate in has unique cybersecurity requirements, some overlapping and others conflicting. Managing and staying compliant with all of them is a full-time job. Even incident reporting varies, with some regulators expecting notification in minutes, others in hours and some when there’s a meaningful update. That deeply affects our incident response processes globally.”