PODCAST

The Modern CISO’s Balancing Act—Security, Business, and Innovation

Sam Coco

Episode 6 - Season 1

40:15 min

About the Guest

Sam Coco
Head of Global Information Security at Fidelity International

Sam Coco is the Head of Global Information Security for Fidelity International. Based in Hong Kong since 2011, Sam oversees the information security program across the globe while also having oversight of cyber security in Asia Pacific. Starting his career in Sydney, Australia, Sam has over 15 years of experience in the information security space.

Credits:

Presented by: Paul Jackson
Studio engineering and editing: Roy D’Monte
Executive producers: Paul Jackson and Ian Carless
Co-production by: THEOS Cyber and W4 Podcast Studio

Paul Jackson: Wherever you are in the world, hello and welcome to the THEOS Cybernova podcast.

Before we begin, I’ve got a quick favor to ask from you. There’s one simple way that you could support our show, and that is by hitting the follow or subscribe buttons on the app that you’re listening to the show on right now. It makes a huge difference in helping to get the show out there to as many people as possible.

So please, please give us a hand and click that button now. Thank you very much for.

The THEOS Cybernova podcast hosted by Paul Jackson.

Paul Jackson: Welcome to another episode of THEOS Cybernova podcast. I’m Paul Jackson and each week I’m digging into the latest trends, challenges and innovations shaping the cyber security landscape. As well as talking to a fantastic mix of leading industry experts, thought leaders, technologists and legal eagles all with a particular focus on the Asia Pacific region.

So whether you’re a professional in the field or simply curious about staying safe in the digital age, we hope THEOS Cybernova will offer up valuable knowledge and actionable insights for everyone. Today, I’m delighted to welcome a good friend of mine, Sam Coco. Sam is based here in Hong Kong and we’re actually sat together today doing this podcast at opposite ends of the room.

But actually, Sam, this is the first time we’ve done one of these things together. In the past we’ve sat together on the stage on many occasions doing panel discussions, haven’t we? So we’re quite familiar with how to get along with each other. But welcome to the show.

Sam Coco: Thanks, Paul. Thanks for having me. An absolute honor.

Paul Jackson: Yeah. No, it’s our honor to have you here because you are a cyber legend in the Asia-Pacific region. So why don’t you tell us how you became a cyber legend? What’s your story? What’s your background? Tell the audience how you’ve got to this point.

Sam Coco: Yeah. Thanks, Paul. So I’d have to say probably like a lot of, cyber people, I started outside of cyber.

In fact, I was in tech and I was doing systems and all that sort of good stuff, and really enjoying solutions and sort of finding the right path for people who had technical issues. But I kind of got a little bit bored with that, to be honest. And I put my hand up one day when an opportunity came up for an information security officer.

And this is when I was back in Sydney, Australia. Information security officer? I wonder what that is, was my first thought. I had to dig in and look into it, and I thought, yeah, this could have legs. This could be a great opportunity. Now, this is over 15 years ago. And so I put my hand up, I got involved, got the role, and, look, I have had quite a journey since.

And I’ve done a lot of different things and obviously I’ve made my way here, into Hong Kong. And that happened not too long after. But certainly my career started in the technology space, which is kind of my passion to start with, but it’s certainly given me a lot of different opportunities, which I’ve embraced.

Paul Jackson: Yeah. And you’ve stayed with the same company for many years. Right. It’s really unusual when I get CVs from prospective hires. You normally see they move every couple of years these days. But you’ve stayed with the same company. How many years now?

Sam Coco: I think 19. On LinkedIn, 19.

Paul Jackson: Wow. Yeah. Wow. That’s pretty impressive. And is this something you recommend to future, you know, cybersecurity leaders: stay with the same company, build your career through that?

Sam Coco: Oh, an interesting question, because I always, always challenge myself. And I always sort of think about what should I be doing differently? Or perhaps what does the grass look like on the other side? And my answer to your question, would I recommend it to other CISOs? I think it really depends on the situation. Right? They say, yeah, you don’t leave a job, you leave your boss, and I have, touch wood, had a number of really great managers in my time at Fidelity International.

I have not sat still. I’ve had lots of opportunities. I’ve had lots of areas to sort of grow into and work in different teams. And like I said, I’ve moved to a different country. And I’ve, you know, put my hand up for everything that’s come my way. So I haven’t done the same role.

I keep adding more capabilities and responsibilities. So in that sense it feels like it’s been different jobs; I’ve managed different people. So for a CISO today, look, perhaps if the role wasn’t right, perhaps you do have a look around. Of course you do keep vibrant. You keep on your toes, find things that excite you. But I’m grateful for what I’ve got and the company I work for.

So I’m good with Fidelity.

Paul Jackson: All right. And, Sam, whoever your boss is now, if he or she’s listening in, yeah, give him a pay raise for that. Come on. That definitely deserves one. So you spoke about your move to Hong Kong, and you’re obviously a native of New Zealand. Is that right?

Oh, I’m glad. He’s a native of Australia. I’m kidding, I’m kidding. So, moving from Australia to Hong Kong. I mean, wow, quite a big step. What prompted that move? And any regrets, you know, with the legal or negative precedent we get, mainly because of geopolitics? And, yeah, how do you find life? Well, how do I find?

Sam Coco: Let me answer that question first. How do I find life in Hong Kong? It is fantastic. And, you know, just having a couple of conversations today with my fellow Australians, we were saying, what are you doing over Chinese New Year? Well, I’m going to go to Japan, for example. Actually, I’m going to Japan.

You know, it’s five hours away. And when I actually thought about it, this year my wife and I have planned like 5 or 6 different trips over Asia, packed into long weekends. And that’s one of the great benefits of being here. But it’s the variety of people you’re dealing with, the proximity to, you know, working in a global organization, which I do, the time zones; there’s lots of great things about being in Asia.

Number one. But Hong Kong specifically, I love the fact that there’s a bit of excitement. There’s lots of variety of things to do here. Not to say Hong Kong is perfect. In fact, I’ll go out and say no place is perfect, correct? But Hong Kong, there’s a lot of great things about it. And if you can manage the challenges that you have, and, you know, we have people who can manage a little bit of risk and adversity.

I’m not saying it’s risky, but you can find the beauty and the opportunities. And that’s what I think I’ve done. And I’m proud to call Hong Kong

Paul Jackson: Fantastic. I think we’re on the same page as each other. In fact, I actually bumped into the head of the tourism authority, or whatever they call it here, and I said, you should get people like me and Sam on your show, you know, to promote Hong Kong for you, because we truly love this place.

Look. And the other thing you do right, and you do fantastically, Sam, is you give up your time to be part of the community, right? You’re not just staying in your office complaining about the long hours; you get out there. I’ve seen you on the conference circuit so many times. Right? So we’ve become friends, really. You know, we’ve participated in so many conferences together.

And I believe this is hugely important. Right. Sharing of information with the community, helping to, you know, develop talent, nurture, you know, the potential among people who want to be in this industry, and especially here where we live in Hong Kong. But how do you balance it? Because you’re in quite a sensitive role. You’ve got to protect, you know, your organization’s systems, resources, etc., and yet, you know, to go public, as you often do, how do you balance, you know, the demands, firstly on your time and secondly on making sure you’re not revealing any sensitivities for your organization?

Sam Coco: Yeah, it can be a bit of a balancing act. And obviously we need to be very mindful about not giving away key secrets or talking about anything specific, you know, specific brands or anything like that. But fundamentally, the practices that we’re talking about are definitely something that’s approachable, something that you can give in the right level of detail without, you know, raising the alarm bells.

But importantly, we’re giving back and it gives Fidelity some visibility. Right. Which I think is very important. It shows, hey, this is the capability that we have within our organization. It’s something we should be proud of, and it’s a good way for us to also, I find, measure ourselves against my peers in the industry.

Part of why, you know, I go to conferences is to, you know, learn something, perhaps. And every now and then you get a little nugget of gold. But how do I compare against eight other asset managers, or against FSIs, banks and so forth? But giving back, I think that’s really what I’ve enjoyed, what I’ve got to say.

Can I just add this one piece. You might find this surprising, but I consider myself an introvert. I consider myself an introvert. And I really always struggled with public speaking and getting in front of people. And this really took me outside of my comfort zone. And now I feel I can get on stage, particularly when I’ve got people like you moderating, Paul, and we can have a great conversation that hopefully engages the audience, you know, and asks us big questions that gives back and hopefully instigates some people to really think, possibly differently, about what they want to be doing.

So I enjoy that and I really encourage my team, my team of information security officers, to do the same in their countries and regions as well. It’s a great way to engage, learn, and also challenge yourself.

Paul Jackson: I think you just made one of the best points we’ve had on these podcasts, which is get yourself out of the comfort zone, because it’s time and again, you know, cybersecurity experts will hide behind the fact that, oh, we’ve got such a busy job, I can’t afford the time to go and speak at a conference or you know, my management won’t like me talking at a conference.

And the reality is they’re just not in their comfort zone when they’re on the stage. And I did it many years ago, got out of my comfort zone. I was a cop, and I ended up doing big things on television in the police report and being the spokesperson for cyber as it became more prominent with the Y2K bug.

Yeah, I’m showing my age, I know, but, you know, it got me out of my comfort zone, and it made me feel much more comfortable about doing things like I’m doing now, and obviously the panel discussions that we’ve had. So that is some of the best advice I think we’ve had on these shows: get yourself out of that comfort zone, because communication skills are priceless as a cyber security expert.

So I had a guest on previously called Nigel, Nigel Fab, another Australian, and we spoke about the differences a little bit in the approaches to cyber security between Southeast Asia, if you like, and Australasia, Australia specifically. I know we’re all grouped together as APAC, but I think very often Australia doesn’t view itself as part of Asia in many ways.

But what are the key differences? You’ve worked in both places. Have you noticed any differences in the approaches towards cyber security between working here in Southeast Asia and your work in Australia?

Sam Coco: Yeah, it can be. It depends on the location. I tend to see that in some countries, and just about Asia as a whole, I think there’s a little bit of alignment in some places.

I think, our cyber security issues don’t happen here, or they’re allowed to compare themselves to local industry practices. And that isn’t good enough if you’re a global organization: oh, well, this is what my peers are doing in country, and that is often below what you look at globally. So maybe that’s a bit different in Australia. I’d say perhaps they are measuring themselves against global organizations, global standards, multinationals.

Maybe they also don’t have all of that approach, I guess. And I think this may be one thing to also consider: maybe Australia, in my experience, was about how do we support the business and clients, get the visibility. I think there’s a bit more proactivity there, I think, and I might be generalizing here, but perhaps in some areas people really pigeonhole themselves a little bit and perhaps they don’t quite approach it the same way as Australia does.

You know, this is our process. This is the way we go about things. So maybe it’s holding people back a little bit.

Paul Jackson: Interesting. Yeah. So Nigel commented that he believes that cyber security as an industry is better promoted in Australia, so you tend to get more people who are interested in being in that profession, whereas there’s a perception, perhaps in Southeast Asia, that, you know, you’re better off.

We can talk to our lawyer or whatever. Yeah. You drive the kids, the smart kids, to be in those kinds of professions. Do you get that sense, or do you think that’s just a...?

Sam Coco: I don’t think cybersecurity is as sexy in Asia Pacific as it is in other locations.

Paul Jackson: That’s a good way of putting it.

Sam Coco: I will say that. And obviously, one thing that we struggle with, I think, in Asia is, you know, females in the role. Right? I think very much so. I will say, though, there is one caveat. I do have a team in China, and I’m fortunate: we have quite a few in the infosec space who are female, which is great.

But outside of that, I think it’s a real challenge. You go to, obviously, our conferences, Paul. Yep. How many males and females? What’s the ratio? It’s not high.

Paul Jackson: 100% agree, and shameful of me, but every single guest we’ve had on the THEOS Cybernova podcast to date has been male. And I’m trying my best to rectify that. And you will see in future episodes we are trying to balance things out better, but it’s hard because, unfortunately, the vast majority of leading professionals in this region tend to be male and diversity is not great. And I think it’s something we need to change. Certainly at THEOS, I’m trying to hire more females and help them to achieve those leadership positions, help with the career development, etc., because it is a big bugbear of mine why we are not able to strike that balance in our industry.

Okay, let’s move on. So also, when I talked to Nigel, there was definitely a perception, I think, that there are more cyber incidents in Australia than in the rest of the region. Maybe it’s because the news is bigger, you know? But, you know, you spoke about the perception that it’s an island, and the “should be right” kind of mentality.

And, we are okay. But yet we see lots of stories about breaches in Australia, big ones. What do you think about this? Any thoughts on why this might be? Or again, is it just because of the media overblowing it?

Sam Coco: Everybody wants a piece of Australia, Paul. I think that’s probably mostly it.

Look, maybe it’s a few things, perhaps. Maybe because Australia’s got such a great economic situation, maybe it’s greater visibility, maybe it’s the geopolitical situations it finds itself in from time to time; maybe it just, because of those factors, gets a larger target on its back as well. Maybe, you know, depending on who the attacker is, maybe if it is nation state, obviously geopolitical, perhaps.

But perhaps, you know, it is financial gain from it. And maybe attackers seem to think opportunity exists for greater monetary gain in Australia. Yeah. It is odd, because you do see large breaches in Australia. Right. The ones we had a couple of years ago, all over the news, pretty much every Australian indictment.

I’m not sure we’ve seen anything else to that scale in Asia. Now, that could also be because I think Australia is more mature in the way that, I had a breach, let’s put a hand up and notify. And obviously there are new cyber security laws being discussed and drafted around ransomware payments. You know, you pay a ransom, you have to notify the authorities, which is an interesting and quite a forward-thinking approach.

But I don’t think, you know, in Hong Kong, for example, I’m not sure we are anywhere near knowing how many actual incidents occur versus what’s reported. I’m sure the discrepancy is very large.

Paul Jackson: I think you just, you know, hit the nail on the head with your last comment. Yeah, I do think there is an underreporting of incidents out here because, yeah, maybe they’re not obliged to, but that’s changing. I mean, the new laws coming in are going to require changes in notification. And I’m sure we will see more incidents coming out of this part of the world. So let’s see. Let’s see how it progresses. But it is an interesting dynamic, certainly. Let’s switch gears a little bit and talk about talent and the perceived shortage of talent.

So, do you agree with this? I mean, I spoke to, again, another previous guest who is in the recruiting business, the cyber recruiting business, Craig Johnson, and, you know, we spoke a little bit there about the talent shortage. Is that something you see in your role? Because obviously you’re hiring people, you’re trying to hire people. And do you find issues in hiring good quality people?

Sam Coco: Yeah. Look, hiring at the moment is pretty much slow, because we are not increasing headcount, with focuses on costs and so forth. But if I cast my mind back not too long ago, the challenges definitely exist, because what you’re looking for doesn’t fit into.

Oh, you know, you want five, ten years’ experience. And I want all these great skills and all these great capabilities. And I need you to be facing off with management and doing these reports and handling all these kinds of incidents. You know, you’re looking for the unicorns, which isn’t realistic. But I think the challenges do exist depending on the location. Some locations,

I think skills are probably more in surplus or more available than in others. And also, there’s perhaps a drift in people’s expectations on salary. Yeah. And that’s also happening. They know there’s perhaps a shortage, and people are being slighted in what they’re looking for. And budgets aren’t quite accounting for that, particularly in large organizations. That could be a challenge.

So yeah, we know it takes lead time. One of the things we are looking at is how can we build skills on the inside. Right. How can we perhaps build up the right training platforms and sort of pathways for staff, perhaps including tech. Think about me: in my early days, I was in tech.

I wanted to get into security. There’s a pathway for me to build up some skills, build knowledge, so perhaps I can step into that role if and when it comes available. That’s the opportunity we are looking at. And also graduate programs. So it isn’t always about skilled professionals. It’s a challenge again, depending on location. But finding ways you can supplement that with internal people is sort of what we are looking at.

Paul Jackson: Yeah, yeah. No, these are some very valid points that you raise there. So when you’re interviewing, and I’ve done a ton of interviews down the years, as you might expect in my previous roles, for potential candidates, I’m always interested to try and throw in a bit of a curveball.

And I kind of like to ask security leaders, you know, when you’re interviewing, do you throw in curveballs? Do you ask a question that just really challenges the lateral thinking of candidates? So, are there any good questions you want to share?

Sam Coco: Yeah, I think I got asked this one question one time.

And now I throw it back to people. So: what role does information security play in innovation? It really makes people think about, well, innovation and security. And you know, when you think about it, of course they go hand in hand. But people need to be thinking about it; there’s no right or wrong answer. I want to see how people approach it, right.

Are they thinking about, well, you know, security has a role to do this, this and this, or perhaps are they thinking about, well, you know, innovation as a whole, and perhaps thinking about business requirements and regulations and so forth? So it’s a curveball. And I want to see how people respond quickly to these kinds of questions.

Paul Jackson: Interesting. Yeah. No, that is a great question. And yeah, I think the challenges there are lateral thinking and communication skills; perhaps more importantly, that is the key. And yeah, we start with questions that challenge them in a way that there’s no right or wrong answer. It’s how you express yourself and how you communicate. So any aspiring future leaders, be aware that the expectation is not on a right or wrong.

It’s just how you articulate things, how you can reason and how you use logic in your answers. So, good one. Good one. I like that. Without getting into specifics, you know, head of cyber security, etc., with your current organization, what are your main priorities at the moment? What are you really focused on right now?

Sam Coco: Just to clarify, it’s head of global information security. So my role is very much on the GRC side; you know, that’s a big part of what we do. My team: I’ve got information security officers across the globe. We’ve got the cyber risk team under my group, and we look at vendor risk and so forth. Priorities, you know, are definitely around understanding regulations and how we can work better with the business, not just, you know, making sure our applications are safe or making sure that projects are going through the right, you know, checks and balances, but also with client engagement. How do we utilize security as perhaps a differentiator, to say, hey, this is how great our organization does with information security, cyber security, and how we protect your information, because there is a growing focus from clients on due diligence, right.

Just like we do due diligence on our vendors, they want to know all the ins and outs, not just security, but all the ins and outs, but we really want to sell, you know, how much we invest in folks and security. So there’s that part. And, you know, how can we use it as a differentiator through the regulation piece.

That is not a small piece of work. And that’s complex: harmonizing it all and then bringing together global requirements and internal reporting requirements. And of course operational resilience; there’s quite a lot happening in that space. I think finally, a big part for us, you know, in the next 12 to 24 months, is how do we get a better understanding of how we measure cyber risk and bring that to the boards, and bring it in a way that means something to the organization?

Why not just, oh, ransomware is such a big threat? This is what it means to us. These are our controls. And actually this is our risk appetite. And what should we be doing differently, if anything, in order to reduce our risk appetite? But, on the flip side, also, how do we measure our compliance? Kind of fundamental, but how do we measure controls, measure compliance, and so forth.

Oh, sorry. Just one more thing that is a real big focus for us. We look at gen AI; it’s all over the headlines, but we really want to utilize that in a way that will help us to achieve that compliance. Fundamentally, we create all these policies and standards. We make it so damn complex, right? We make it so hard for people.

How can we utilize these tools to simplify the wording, help people to consume that, or distill it into something meaningful to them so they can comply? Because sometimes we bamboozle people, right? We don’t do those Facebook favors. Oh, just look at a library of 20 documents over there. I mean, let’s help people, and I really hope that we can utilize these great capabilities to simplify what people need to do and then hopefully get us to a better position of compliance.

Paul Jackson: Absolutely. And I think we were both at a conference recently where the focus was on using AI for security, for the benefit of security and compliance. And there were some brilliant ideas that were brought out of that conference. So again, there’s a lot of value, isn’t there, in getting out into the community and hearing different points of view and different thoughts.

So yeah. Great point. I was reading, and I shared this with you, a LinkedIn post just recently that proposed that a CISO is no longer needed. And I’ll quote from it. It said that cybersecurity is a shared responsibility not owned by a single executive, and that boards now expect other executives, CIOs, CTOs and CEOs, etc., to demonstrate cybersecurity literacy, reducing reliance on a single point of expertise. And, quote, “the end of the traditional CISO does not mean the end of cybersecurity leadership. It means evolving beyond a single point of accountability to a model that is integrated, dynamic, and resilient.” It’s an interesting way of thinking, isn’t it? What do you think about that?

Sam Coco: Well, I think we are some way away from there. I agree with the first part of that statement, that kind of board literacy, 100%, and that’s not new. But again, let’s be clear here, we’re talking about organizations that have cyber maturity right there in the conversations, with that level of maturity, not the, you know, bare bones, “we don’t have an IT security function.”

We’re talking about mature organizations. And how much of the whole population is that? It’s not a great deal, I don’t think. But in terms of the CISO role, there has to be accountability across the senior leadership. But when push comes to shove, people need to learn to make decisions, right? People need somebody to make a decision on how we’re going to, you know, what’s going to be our baseline on doing this level of control, what’s going to be our choice in terms of this solution, or, hey, how are we going to set up a function in this part of the world or that part of the world, or we have a geopolitical risk.

Do we have to manage that? You need somebody at the forefront to make those calls, because it’s all well and good to say, well, it’s greater accountability. But, look, if I talk about cyber security, sometimes people don’t make the decisions, right. And if they always look up at the board for every single decision, that’s not feasible.

Right. So I think there is a role to play, a role where there’s a figurehead, someone who is visible, someone who’s engaging externally as well. But it will evolve in time for sure.

Paul Jackson: Yeah, that’s a good answer to that. You know, I think it’s important, though, that we put these points out for discussion because, you know, the role of the CISO is ever evolving, right?

It’s ever changing. It’s a dynamic role for sure, isn’t it?

Sam Coco: I’d say every role in cybersecurity is evolving. Right? Okay. Back to my early career. Maybe I didn’t mention, but when I picked up this role, I was the only person in information security, cybersecurity I should say, in Asia-Pacific. You know, I grew the team.

And, you know, today we’re about 50 or 60 people. But I was the only person, and, you know, the thought of having the granularity of folks that we have today didn’t exist. So it is a fast-evolving space. We all have to, of course, learn, keep up to date, understand the regs, certifications. There’s so much to do.

We all have to adapt with the business. And to the point about the evolving role of the CISO, I’d say a big step forward, I should say an important step, will be that greater collaboration, right, that they are a business partner, that they are, you know, how do we enable the business, not just our world?

This team says no, this team is going to push the button to stop things, whatever else. No, it’s more than that. How do we add greater impact in a positive way to the business? Understanding: I think the CISO needs to be obviously understanding the tech, but also the business, the regulations, the privacy aspects, bringing all of that together. I think there’s a lot of gray area.

Certainly I find in my role as a CISO there’s a lot of gray area, but I kind of enjoy that gray area because I get to engage with so many different people. And that’s what I love about my job. Right. Working in teams up and down. I mean, yesterday, you know, I was at a board meeting doing some cyber awareness.

So I really enjoyed it. You know, obviously our board members really, you know, enjoyed the conversation. We engaged well and hopefully they took something away from it. But being able to converse, being able to engage and have those different conversations, I think, is an important role. And I see that happen with different teams.

Paul Jackson: Yeah, that’s fantastic. And I love your energy, by the way. Your passion for this is coming across loud and clear here. But one of the questions I listed down here actually related to boards and excos, and I know you’ve been with the same organization for a long time, so you’re probably only seeing one perspective.

But, you know, obviously you’re part of the community, the cyber legends community. So how do you see, you know, others discussing this? Do you feel the boards and excos are now taking cyber much more seriously than they were, say, five years ago?

Sam Coco: Yeah, I think they have to. I mean, obviously the regulations are sort of pushing in that way.

One of the roles for a person in my position in the region is regulated responsibilities. So I have a duty to make sure that, you know, board members and senior management are aware of their accountabilities, and are sufficiently aware of, you know, perhaps processes and how to handle an incident and so forth.

So there’s definitely an understanding, a level of understanding. So that’s changing. I don’t think it’s changing dramatically recently, though. I think it lifted a lot, and I think it’s kind of tapered off. Right. We had Singapore and Hong Kong put in some regulations, Taiwan’s new requirements for larger organizations; you know, we’ve got, in other locations, that you have to provide cybersecurity-specific training to some boards.

So it’s happening in pockets, but I think there’s more that can happen.

Paul Jackson: Absolutely. I do a lot of board briefings, exco-level briefings. And I think you’re right, I am definitely seeing them taking this extremely seriously, as they have to in their roles managing risk for organizations, because cyber risk is probably top of the list these days for many organizations.

But again, it’s tough, because their skill sets tend to be in different areas. It’s more business-driven and finance-driven, etc. So it’s a whole new world for a lot of them. And I think one of the skills that leaders in cyber or information security need to have, when it comes back to those communication skills, is being able to translate what are very complex concepts into business language. Right?

Sam Coco: 100%. I mean, how do you keep the narrative relevant, right? It’s all well and good to show stats and all these, you know, this and these are incidents and this is what we’re seeing here, but how do we keep it relevant for them? How do we make it meaningful for them, to say, hey, this is what I’m doing for you to keep your entity or your organization safe.

So that’s, you know, it’s not easy, right? Because you’ve got different countries, different requirements, different this, different that. It’s not easy, but making it relevant. And to your point, you said, bringing in language, you know, distilling it in a language that helps them to understand and consume in a way that is meaningful. And the fundamental thing, you know, is always think about your audience when you do your update or whatever you’re doing.

Are they going to say, so what? So what might you be able to enter into that? So I think, making sure they know what that so what is, and how we did this when this happened early, and this is why it’s important for you and why we do it better here, or whatever. The message is changing. That narrative is certainly one we need to work on.

Paul Jackson: Fantastic. Okay. Let me switch things around a little bit, because, as you know, I recently joined THEOS as their CEO. Bit of a bold step for me. A step into the unknown. But, you know, a few months in, I’m loving life there, but what I like to do is listen, right? Understand from the client side what we could do better. And, you know, I’ve sat on your side of the table as well, in the big banking world, and I was thinking, you know, what advice would you have for cybersecurity, information security vendors in this day and age? What would you like to see done better? And I know we have a lot of vendors who listen to this podcast, so maybe this advice could be useful for a lot of the listeners.

Sam Coco: Let me first of all just say, again, congratulations on the role, Paul, because, you know, I’m super happy and it suits you very well. And you’ve even got a special hat. So good on you. But the guidance for vendors, this is a tricky one, because, probably like a lot of people of late, I’m inundated with,

Can I say crap sometimes? Yeah. Look, we get inundated with stuff and noise. What I hate the most is vendors who are trying to trick you, or perhaps being a little bit coy about what their message is, you know, a few emails. Oh, hey, Sam, I understand you do this. Is this. Well, we found A, B and C, and sort of suggest they may have found an issue or a vulnerability, and use that as a gateway.

And of course, you engage. Right. You’ve got a duty of care. What? You found something? Great. Tell me about it. Let’s have a conversation. Oh, no, we didn’t find anything, but we could. And that’s cheeky. And I don’t agree with it.

Let me tell you what engaged me really positively a little while ago. So it was about a panel conversation I was doing. I think it was in December. And of course, it’s on LinkedIn and talks about AI and cybersecurity, the topic, and somebody, an organization, saw that and they reached out to me and they said, Sam, hey, listen, here’s some material from us which relates to your panel, which you might find useful. They sent me a few PDF slides, a consultancy.

I won’t name any names. Yeah. They sent me a page, a couple of PDFs saying, hey, this relates to your topic. You might find this useful. Good luck for your panel tomorrow. You know what? I was impressed. How easy is that? Good employer, giving away this, this person’s sacred. So I was super impressed. And I said, yep, you want my time.

Good on you. Yeah. Let’s have a catch-up. Let’s talk about it. Presentation. Right. But just a little bit of finding something meaningful and changing the narrative to say, hey, this might help you. Yeah. You’ve got the front door.

Paul Jackson: Great advice, great advice. Thanks for that, Sam. Okay, look, now, when we’re on panels, you know where I’m going with this story, when we’re on panels, you often turn the tables on me, and, you know, I’m the moderator and you’re one of the panelists, and you start asking questions back to me, and there I think I’m in for an easy ride, and I just get to sit there asking all the tough questions, and then you throw them back at me. So I’m going to give you another chance at this. So if you were hosting this show right now, what key question would you be asking me?

Sam Coco: I’m taking a moment to think about this one. Look, obviously you’ve had, from where I’m sitting, a very varied and exciting and probably, exciting career full of stories.

Paul, if there’s one thing that you would change in your career, what would it be? And you can’t say nothing.

Paul Jackson: That’s not fair, because, I think, yeah, there’s very little I would change. And I’m not saying that in an arrogant sort of way. I’m a great believer in having no regrets. Okay, so yes, there have been disappointments along the way.

You know, my previous company shut down the capability in Asia just as it was growing and becoming the brand to go to, right here, certainly for fear and for many other things. And those were out of my control, beyond my control. So how can I have a regret about something that’s out of my control, beyond my control?

It’s a really great question. And I know I’m copping out by that. But really, there’s nothing, because I’ve made mistakes. We all make mistakes, but I’ve learned from all those mistakes. I don’t dwell on them. I don’t, you know, sit down and mope about them. I go, I’m not going to let that happen again, and move forward. Right. And by taking this step into being the CEO of a company, I could have easily gone back to being, you know, an MD again, the same old role of, you know, being a regional MD in a larger company, but instead of which I’m embracing a new challenge and doing things outside my comfort zone.

To your point earlier, and, you know, trying to leave a legacy. And I will make mistakes on the way, I know it, but I’ll learn from those mistakes and do it better. So it’s very hard for me to pick on a specific thing that I regret, because I try not to have regrets in life. So, cop-out, I know, but that’s my answer.

Sam Coco: Paul, that was a good answer. I think it’s, well, you know, not hugely surprising. It’s about resilience, right? I think in our roles, you have to be resilient. And I’ve always been a believer that you make your own luck, and, you know, you make things happen.

So, similarly. Right. I’m answering my own question here. I’ve got no regrets. You know, you learn from things, you develop from things, and you decide to take those as opportunities to grow and sort of pivot. But it’s life, and you’ve got to be ready for the ups and downs. So, you know, I wouldn’t be where I am today without, you know, making some wrong choices.

But, you know, you get to the right place, and I think that’s a journey. That’s, you know, what it’s all about.

Paul Jackson: That’s a wonderful way to close out the show. But I always have one last question for my guests. And I’m a music lover, right here, you know that. And I get fascinated by it because I don’t know any fancy answer.

Right. So I always get fascinated by the music choices of my guests. I think it speaks a lot about their personalities as well, and I’ve had a few surprises along the way. So tell me, what do you listen to? You know, the music on in the background when you’re working? Do you use it to decompress after work, or are you not a music person at all?

Sam Coco: Well, let me answer your question this way. So you say you ask somebody about their music choices. You know, you can’t look past the 1990s classic by Robert Van Winkle, aka Vanilla Ice. Ice Ice Baby, one of the world’s best songs ever written. Now, I’m not sure what you can take from that, Paul, but,

Look, I do like Ice Ice Baby. That was definitely one of the classics. Exponential question. I do a lot of running. As you know, I try to keep in some sort of shape, so I like music that energizes me and keeps me going. And maybe on the 1990s sort of theme, I do listen to a lot of 1990s, 2000s, 2010s, like top of the hits, a bit of everything.

But I’d probably say I favor, and this might be a surprise to you, EDM, electronic dance music, that gives me a bit of energy. So, yeah, it’s probably my favorite genre.

Paul Jackson: Fantastic. Great way to end the show. Sam Coco, you’ve been a nice, cool guest. Thank you very much for joining me today.

So, THEOS Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy D’Monte. The executive producers were myself and Ian Carless. And this podcast is a co-production between THEOS Cyber and W4 Podcast Studio.

The THEOS Cybernova podcast.

Episode Summary

Is the traditional CISO role becoming obsolete?

In this episode, Sam Coco, Head of Global Information Security at Fidelity International, joins host Paul Jackson to discuss the evolving responsibilities of cybersecurity leaders. With increasing regulatory pressures, board expectations, and the rise of AI-driven security, today’s CISOs must go beyond technical expertise—they must be business enablers, risk strategists, and strong communicators.

Sam shares his insights on how cybersecurity leadership has shifted from a purely defensive role to one that directly influences business outcomes. He also dives into talent development challenges, the need for security to drive innovation rather than hinder it, and how organizations can use cybersecurity as a differentiator in a competitive landscape.

Whether you’re a security professional, an aspiring CISO, or just curious about how leadership in cyber is transforming, this episode delivers essential takeaways from an industry veteran.
