Interview: Jon France Discusses the Unique Role of CISO at (ISC)2
Cybersecurity certifications body (ISC)2 appointed Jon France as its first ever CISO in January 2022, with the remit of leading all of its cybersecurity operations while serving as an advocate for security best practices around the world.
France came into the role with extensive experience in the sector, including as head of industry security for GSMA, a global organization representing the mobile ecosystem.
Infosecurity Europe caught up with France to find out more about his journey in cyber so far, how he is shaping the role of CISO at (ISC)2 and advice for security professionals entering the industry today.
Infosecurity Europe: What inspired you to work in the cybersecurity industry?
Jon France: I didn’t make a conscious decision to work in cybersecurity. I took a traditional route into cyber for my generation – my career began in IT after completing a degree in computer science. I always knew I wanted to work in technology, but as the need for cybersecurity evolved in the early days of the digital era, my interest in the discipline grew.
At my previous company, I transitioned to the role of Head of Industry Security where I led the fraud and security function for the global mobile industry. After many years of working in enterprise IT and security roles, I realised I enjoyed cybersecurity as a discipline the most – not just securing networks and systems from attacks, but also the human aspect of cyber. Considering how a threat actor may go about attacking a system was an intellectual challenge which required both critical and logical thinking, and that’s really what sparked my passion.
Now, as the cybersecurity industry faces a shortage of more than 3.4 million professionals and more pressures than ever in a digital age, my primary focus is on advocating for the profession while protecting my organisation and raising its resilience. When I began my career 25 years ago, cybersecurity as a profession was nascent as a standalone role (the first CISO position dates back to the mid-90s!) Now, while having an IT background can be helpful, a successful career in the cybersecurity world does not depend on it.
As our research shows, technical skills aren’t the only important attributes a candidate can offer and anybody looking to pursue a career in the field can choose a direct route into cyber without having to follow the same traditional IT path. Non-technical skills such as creative and analytical thinking, as well as personality traits such as strong problem-solving abilities, are all equally or more important than specific degrees and certifications.
Effectively fulfilling the role of a CISO is not just about technical excellence.
IE: How did your previous roles prepare you for the position of CISO at (ISC)2?
JF: I have a strong technical background from many years of working in technology, but I also have been fortunate to gain exposure to many aspects of business operations. In my previous security role I also served as part of the company’s leadership team, while supporting the risk management function and acting as a trusted board advisor. I also served as both Deputy IT Director and Business Continuity Manager at LexisNexis for a number of years. Despite what many may believe, effectively fulfilling the role of a CISO is not just about technical excellence and having hands-on technical experience. It’s all about having an awareness of how you sit within a business, how you can help it, as well as strong communication and leadership skills. In my past positions, I gained board and senior stakeholder exposure, which provided an invaluable opportunity for me to learn how to communicate with the C-suite. I was able to listen and appreciate the executives’ perceptions of cybersecurity, business risk and understand what motivates and drives them.
I’ve also had the opportunity to be on the client’s side of security. Now, I’m in a position of advocating for the profession and I appreciate the complex challenges faced by security professionals operating within a business themselves.
Looking for more infosecurity & cybersecurity insights?
Keep up to date with the latest trends and expert insights from Infosecurity Europe.
My aim is to foster an inclusive security culture.
IE: As (ISC)2’s first CISO, how have you shaped this role since arriving in the post?
JF: Since being appointed as (ISC)2’s first CISO in January 2022, our membership base has grown rapidly, more than doubling in size. With our growing influence of more than 450,000 candidates, associates and members to protect, there comes an even greater responsibility. As our organisation expands, so does our employee base and this brings its own new challenges.
I have brought a stronger focus on internal threats, rather than just external. For example, there is an increased need to educate employees on the security risks posed by shadow IT, especially with the rise of generative AI tools. My aim is to foster an inclusive security culture where all employees feel equipped to play their part in keeping the organisation – and our members – safe and secure. Naturally, we’ve required different practices as the value of the information we hold is going up and we have had to technologically innovate. I make sure we adopt the right strategies, tools and techniques to do so securely.
As our first CISO, my aim was to shift the organisation’s mindset away from cybersecurity as a purely technical function but as a business function too. I am constantly asking my team to question what we’re trying to protect and why. With this perspective, I’ve moved the needle from a 90% technical response to one that is more balanced to consider a business risk perspective too. If our security team suggests we need a certain tool, I ask, ‘What is the negative thing you’re trying to stop happening?’ and more importantly, ‘Why does the business need to care about that?’ I encourage my team to consider the business objective of any decision. I can provide strategic insights to senior management and the Board of Directors and translate what we need to do to be secure.
My overall aim has been to shift security from being viewed as a treatment to a problem, and instead implement principles such as the ‘secure by design’ approach, where security isn’t perceived as an add-on or a reactionary process, but rather an integral and intrinsic part. I work with stakeholders throughout the organisation to ensure security is ingrained in all aspects of our security strategy.
IM: How does your day-to-day role as a CISO at a cybersecurity accreditation body differ from security leadership positions in other organisations?
JF: As an organisation that advocates for the position of a CISO and representation of security at board-level, I knew my role would involve more than just implementing and overseeing the organisation’s cybersecurity programme. In my role, I have multiple mission statements.
The first, and most crucial, is to ultimately protect (ISC)2 from threats – whether these be internal or external – which is in line with a traditional CISO position. The second part of my role is to serve as an advocate for the cybersecurity profession and our members around the world. This involves keeping up with emerging technologies and trends, and working with our advocacy team to ensure we consistently advocate for other cybersecurity workers and for the industry at large.
An additional mission is to further the aims of the association, which involves growing our membership base, building awareness about cybersecurity as a rewarding, enriching and attainable career, and attracting new individuals at all levels into the profession, with the aspiration to close the skills gap. On a day-to-day basis I also handle some IT components, ensuring we adopt scalable, secure technologies.
The sheer number of individuals that we communicate and engage with on a day-to-day basis is probably larger than most B2B organisations too. As a non-profit membership association, we operate more like a B2C organisation in the sense that we are constantly interacting with our client base. Many of our client base are also extremely well-educated on cybersecurity and for this reason we’re held to a high standard and take this responsibility seriously.
IM: What are your main ambitions in the role in the coming years?
JF: My resounding focus will always be to protect the organization against an ever-expanding threat landscape and new attacker techniques. I’ll also be ensuring we’re implementing new technologies in a safe and scalable way. From an advocacy perspective, my aim is to be a committed voice for the cybersecurity profession, promoting the value and critical contributions cybersecurity professionals hold.
Another ambition is to continue to make the organisation as successful as possible in its mission to develop and promote a stronger cyber workforce. At (ISC)2, we are committed to cultivating the next generation of cybersecurity professionals. Since our One Million Certified in Cybersecurity pledge was announced 10 months ago, we have already seen more than 265,000 individuals enrol in our entry-level Certified in Cybersecurity℠ (CC) certification.
I also want to continue to improve awareness of online safety in the public and provide security education to non-cybersecurity professionals with the support of our charity, The Center for Cyber Safety and Education.
Traits such as curiosity are what make an ideal candidate.
IM: What one piece of advice would you give to someone starting out in the information security industry in 2023?
JF: My advice to any aspiring cybersecurity professionals is not to believe you have to an IT guru to succeed and have a rewarding career. Technology can be trained, but traits such as curiosity are what make an ideal candidate. Being curious about business is important too, and understanding why cybersecurity should be part of any business strategy.
Enjoy this article? Make sure to share it!
Keep up to date with the latest infosecurity news and trends in our latest articles.
Stay in the know
Receive updates about key events, news and recent insights from Infosecurity Europe.
Looking for something else?