Just Eat CISO: How to earn respect in cybersecurity

Engaging an international team of more than 3,000 at a fast-moving startup is no mean feat.
24 May 2019

London taxi advert for Just Eat. Source: Shutterstock

Cybersecurity has an ‘image’ problem. A recent survey by Thycotic found that the majority of UK professionals say their company views security teams as a ‘necessary evil’.

Those working to maintain the security of their businesses can be perceived as ‘policemen’ and ‘naysayers’, effectively stifling their organizations’ ability to grow, and freedom to experiment and take risks.

Others said the cybersecurity function was something that runs in the background of the business— a whirring cog that you wouldn’t notice.

Talk to anyone in this comparatively new boardroom seat, and the perception problem will likely be one of their biggest challenges and is likely at the root of why a CISO‘s average tenure is so short.

But this challenge— and the many others that accompany the role heading security of a disruptive, fast-growth startup— have never deterred Just Eat’s CISO, Kevin Fielder, a speaker at this year’s Infosecurity Europe 2019.   

While Fielder has praised the open doors of his employer’s executive team and their desire to hire a CISO with substance (not just in the title), leading the cybersecurity division in such a fast-growth company is not without challenges.

Accepting the newly-created position as Just Eat was still in the process of “blowing up”, Fielder was tasked with spearheading an entirely new cybersecurity strategy for a company that now boasts 26 million customers and 100,000 restaurant partners.

Fielder oversees “everything to do with security”—  from development, compliance, training and culture — for an international team of 3,600 people, nearly 800 of which are in technical teams based across four countries.

Faced with the monumental challenge of winning the hearts and minds of that many ground troops, Fielder must also navigate how to build a security function that moves as fast as the business. But in his eyes, the two objectives aren’t exclusive.

In an exclusive interview with TechHQ, Fielder explained that his team’s success so far was most closely linked to assimilating his team’s work with the rest of the company.

“Every business has these ‘gaps’, right, and it will take some risk to grow, or some risk to move fast […],” Fielder said.

“Understanding that risk and understanding the business context is key. If you’re in a hugely competitive landscape, your business may take more risk than one in a monopolistic position.”

An understanding of the context of business— the goals it’s striving to achieve— puts Fielder’s cybersecurity function in the best stead to achieve its goals.

By matching the broader business’s approach, his team can leverage the tools and processes used, and more naturally influence the right stakeholders when required.

“By working to the context of the company, people understand that you’re not an old-fashioned security function that wants to say ‘no’, you’re one that wants to enable,” Fielder explained.

“The more joined up you can become with the organization, the more you become a part of the fabric, so you’re not just the security team, you’re a helpful team that does security.”

To put this into perspective, Fielder’s team works with the same approach as the technical teams. With full visibility of and access to the development pipeline, the cybersecurity team can integrate directly to that pipeline at the speed development teams work.

“Any time any code gets checked into our repository, we automatically scan the code and any third-party libraries so you immediately get a check on how everything is working— how it works from a security standpoint and whether there are any concerns from the code or third-party libraries before being released,” said Fielder.

But Fielder has also been able to engage and raise awareness around cybersecurity through gamification, encouraging developers to write code that scores highly across a range of standards, including security, ultimately contributing to the quality of Just Eat’s products overall.

“[…] all our components have a scorecard, and score for things like security, reliability,” said Fielder. “As soon as the code is scanned and checked, it’s assigned a scorecard and score, and then we feed information into the scorecard enabling the tech teams to understand any issue.

“Rather than trying to tell the developers what to do, we provide the scorecard with relevant information on it and the developers can take ownership of that. We advise on minimum steps to take to be secure, thereby having a minimum impact on developer workflow,” Fielder said.

“I think gamifying is a powerful way to get people engaged in cybersecurity,” he added.

Of course, a c-level title means that, away from the coalface, Fielder must also have clout within the boardroom: “If you understand security alone, you probably have a place in the security team, but it won’t get you far in leading the team,” he explained.

“Especially in technology, you have to be strong enough and technical enough that people respect you. I have to be able to talk to my peers across technology leadership and have enough technical insight to understand what’s going on and be respected.”

On the flipside, however, a good CISO must also be able to adapt the granularity of reports to their audience. A CEO or CFO, for instance, may not understand the IT nomenclature befitting a CTO.

Being prepared and adaptable in reporting can be a tactical approach that secures necessary funding, or justifies the genuine efforts and value of the security team in a way stakeholders understand.

In Fielder’s perspective, far from being a gatekeeper (or ‘naysayer’), it’s the traits of empathy, awareness, adaptability and judgement that are core to success in driving successful and sustainable cybersecurity uptake within a business.

Asked what keeps him up at night as a CISO, Fielder replied: “It’s the unknowns and what’s coming next. You don’t know what the bad actors out there are going to do, or what will happen on a macro level.

“But, that’s the thing that’s awesome about security too— you have to learn constantly.”

TechHQ is an official media partner of Infosecurity Europe 2019 (June 4-6). You can hear more from Just Eat’s CISO, Kevin Fielder, on the  ‘Cracking the Complexity Conundrum: How to secure, patch and protect complex dynamic organisations’ on Wednesday, June 5 (12.25-13.25).