Andrew Smeaton is a veteran CISO with over 25 years of experience in banking, financial services, startups, and healthcare. His expertise includes building information security teams from the ground up, enabling sales as a customer-facing CISO, maturing systems to reduce risk, preparing for IPO, and developing streamlined reporting to provide executive insight into data risks. Andrew currently serves as CISO at Afiniti, an artificial intelligence company using patented technology to pair customers and contact center agents based on how well they are likely to interact. Before joining Afiniti, Andrew served as CISO at The Saudi Investment Bank, MIB Group, and DataRobot.
Andrew describes Afiniti as using data and powerful AI technology to deliver measurable value for telco, healthcare, financial services, and insurance businesses through improved customer interactions. Coming into the organization, he saw it as a great opportunity to maintain and mature the existing security program, while implementing security industry best practices.
FIRST 100 DAYS
When joining a new organization, Andrew leverages a process he has built out over the years to quickly acclimate to a new environment and evaluate the current state of the security program. This process includes a document he closely follows and continues to add to as his experience grows.
“Over the years I’ve built my own program of what I do in the first 90 or 100 days of a new company,” said Andrew. “It always starts with a NIST cybersecurity assessment to see where the company stands. This informs my initial approach, which I continuously update over time.”
“There are also some very important relationships that any CISO should establish immediately, including with HR, legal, finance, sales, and others. When you think about security, it’s not just defense, it needs to also be about business enablement.”
To better understand the team dynamic, Andrew feels it is important to assess the team's talent levels, starting with leadership and then digging into the rest of the team. It is equally important to assess the growth potential for teams.
“From a team perspective, it’s really interesting and valuable to learn where they think they are and where they can grow.”
According to Andrew, aligning yourself to the business is one of the first things a CISO should do to establish strong relationships and promote open communication with executives.
“Coming into Afiniti, I made sure to establish relationships with all departments – we even established key departmental relationships with marketing and communications,” said Andrew. “Now we have standing representation on the commercial committee, allowing the security department to enable the business. We’ve also built a service catalog for the organization, so everyone understands the services that we provide.”
Not all CISOs are able to integrate seamlessly into the organization; to help with this, Andrew recommends focusing on relationships first. He says to spend your time with people you can partner with to enable better outcomes, which can result in gaining security supporters.
“You never want to be the person who says ‘no’, even though you will have to say it sometimes. Have a positive attitude and say you want to work together to enable business opportunities in a secure manner.”
ATTRACTING AND RETAINING TALENT
Andrew believes in focusing on his team’s career progression plans to help retain valuable talent. He says people need to feel like they’re learning and growing as individuals, and must have career aspirations beyond their current role.
He is a proponent of investing time with his team to support them in strengthening their skill sets, whether it is helping them study for certifications or giving them time off to attend conferences and engage in learning opportunities.
“I meet regularly with my team to discuss their goals,” said Andrew. “I encourage one-on-ones to ask them what they’re interested in learning, and what goals they have to progress their careers. I ask everyone how they’re continuing to learn, because I never want them to be stagnant in their job.”
Attracting talent is a challenge for most organizations; however, Andrew feels it is easier to attract talent when candidates understand his approach and the value he places on personal growth.
“I always like to meet any talent personally, make sure they understand what kind of a leader I am and let them know about my approach. I have an open-door policy in the office, and engage in mentorship outside of the office. It’s important for people to know that I am investing in their careers and their futures. I care about my team and their growth and ability to learn.”
Andrew recently began writing a book, inspired by his love of storytelling and his extensive experience as a security leader.
“I talk a lot about vulnerability in the book, and specifically how to communicate effectively with board members. I’ve met with so many boards over the years in my career and sometimes they don’t have the right questions to ask CISOs. I also include a lot of personal stories from over the years and I’m really hoping people will gain knowledge and learn from my experience.”