Navigating the Cyber Landscape: Q&A with Steve Cottrell

InfoSec People have recently announced the appointment of Steve Cottrell, as our new Board Advisor.

Steve has worked in Technology and more specifically Cyber Security for over 20 years. During his career he has worked across multiple industry sectors including; blue chip, government & defence, financial services, telecommunications, utilities and technology start-up. Steve began his career as a systems engineer with Intel where he developed a passion for Cyber Security. He has since successfully undertaken numerous CISO and security transformation roles for a variety of large and diverse organisations.

We had the opportunity to interview Steve and delve into his motivations for joining InfoSec People. During our conversation, we also discussed his insights on the cyber security industry and its current landscape. Specifically, we explored strategies for effective collaboration with HR or executive leadership to align cyber security strategies, as well as anticipated key changes in the industry over the next 12-18 months…. let us begin!

Steve Cottrell | CISO.

Who are you, and what is your cyber security industry background?

I began my working life as a Civil Engineer but quickly realised that was not where my passion lay. I switched tracks and have never looked back. I’ve now been working in technology for around 25 years and specifically in cyber security for 20 years.

In my career, I’ve been privileged to work in many interesting security leadership roles across multiple industry sectors, including telecommunications, financial services, government & defence, and blue-chip companies. This has really helped me build a broad understanding of the challenges within cyber security and how to best address them.

Why did you join the InfoSec People Advisory Board?

I’ve known and worked with InfoSec People for more than a decade and have always been impressed by their capabilities, ethics, and approach to building long-term lasting professional relationships. Ben and the team have some really ambitious plans for the future, so when I was asked if I would join, it was a quick and simple decision!

What unique insights or expertise can you bring to the advisory board as a seasoned information security professional and CISO?

As someone who has lived the daily challenges of being a security professional and CISO, I will be able to help the team better understand the requirements of specific types of roles, the functions of specific teams within a security function, and how the functions interact to deliver a joined-up and effective security strategy. Another important aspect will be looking into the future and helping the team preempt the types of skills and knowledge that will be needed within a security function of the future. Ultimately, it’s about leveraging my experience to help InfoSec People continuously improve the insight and capabilities delivered to their customers.

Can you share any specific approaches or methodologies you have used in the past to assess the technical proficiency and suitability of candidates for cyber security positions?

When interviewing candidates for cyber security positions, it does, to some extent, depend on the type of position under consideration. One of the great things about choosing cyber security as a career is that there’s a huge amount of variety in terms of the positions on offer. Generally speaking, people outside the industry tend to think of ethical hacking or incident response type roles, but there are lots of other types of roles to consider, such as security risk management, security architecture & design, security culture, etc. All that said, when interviewing for any role (and particularly more senior ones), it’s critical to assess the individual’s ability to put into context the day-to-day activities of the role and to understand how they contribute to the overarching security risks and strategy of the business. Scenario-based questions outlining normal business practices are really useful in this regard.

Can you provide examples of how you have successfully collaborated with HR departments or executive leadership to align recruitment strategies with the organisation’s cyber security goals and needs?

This tends to be an ongoing iterative process – as the needs of the business change, so does the approach of the technology and security teams. When designing a cyber security target operating model, there is a need for extensive collaboration with the HR function, particularly in terms of aligning career paths, spans and layers, etc. Essentially, making sure that the operating model in question is compatible with the broader organisational design. Another key aspect that requires a lot of alignment with HR and Technology and is often missed, is how entry-level talent is attracted to the business (via graduate intake, apprenticeships, etc.).

What key changes do you anticipate in the cyber security landscape and organisational posture over the next 12-18 months, and how do you plan to adapt your strategies to effectively mitigate emerging threats and ensure robust protection of our digital assets?

The key cyber security change that I see currently in many organisations relates to the ongoing rapid adoption of cloud technology and the move to Agile and DevOps ways of working. This presents two challenges from a security standpoint: one related to the operating model, and the other related to skills. Traditionally, security organisations have operated as a central governance function, but with a modern cloud-based Agile approach, a more federated model is required if business targets are to be met and risks are to be appropriately managed. In terms of cloud skills currently, many professionals are still in the process of acquiring cloud knowledge, and learning on the job, often within mission-critical environments, is common. These elements combined, if not addressed with a suitable strategy, frequently lead to breaches as a result of errors being made.

InfoSec People and our Advisory Board have some exciting things in the pipeline coming from our HQ – Keep an eye on our social media and website for future updates.

InfoSec People is a boutique cyber security and IT recruitment consultancy, built by genuine experts. We were founded with one goal in mind: to inspire people to find the careers that inspire them. With the success of companies fundamentally driven by the quality of their people, acquiring and retaining talent has never been more important. We believe that recruitment, executed effectively, elevates and enables your business to prosper.

We also understand that cyber and information security recruitment can genuinely change people’s lives, that’s why we take the duty of care to those we represent very seriously. All our actions are underpinned by our core values:

  • Always do the right thing
  • Be the best we can be
  • Add value

We work with businesses in the cyber/tech arena, from start-ups and scale-ups to FTSE100 and central Government, many of whom are always looking for great people.

Call us directly on 01242 507100 to discuss opportunities or email