Financial Services Case Study: Chief Information Security Officer

CHALLENGE:

  • Our client, a FTSE 100 International Financial Services business, was experiencing an unprecedented period of growth and change, centred around digital ways of working.
  • At the same time it had become apparent that a major overhaul was needed in the Information Security function, in order to keep up with the pace of change both inside and outside of the company.
  • Norman Broadbent were mandated to appoint a Chief Information Security Officer to lead this cultural change programme across a highly federated, multi product organisation.

SOLUTION:

  • Norman Broadbent mapped out key industries across regulated environments and identified Chief Information Security Officers that were driving, or had driven, successful technology enabled change. In addition, as functional experts in Technology Security & Digital, we were able to bolster the list with people that we knew well from our own trusted networks.
  • We were able to spread the net wide and look at multiple sectors for this role, as the client recognised that this level of change required experience from different sectors. This in turn would allow for new thinking and innovation to complement the existing wealth of risk management experience within the business.
  • Comprehensive stages of assessment were applied to the selection of the shortlisted candidates for this role, as they are for all leadership positions. Special care was taken to find ‘board ready’ candidates that could influence at the highest levels in the simplest terms.

OUTCOME:

  • Within six weeks, we provided our client with a comprehensive shortlist of highly qualified and diverse candidates. Throughout the client’s interview process it became clear that there were two strong contenders for the role, and a decision was only made after presentations to the Chairman and non-exec board.
  • This appointment was made completely out of sector but, as the candidate had operated in regulated businesses, shown aptitude for sector change in the past and had excellent influencing skills, they were the right choice. They have been in post for six months now and are achieving excellent results and high praise within the organisation.

KEY POINTS:

  • A leading Financial Services business was starting out on a major information security transformation and required a highly experienced CISO to lead this cultural change programme.
  • Norman Broadbent carried out an exhaustive search across multiple regulated sectors in order to track down CISOs that were capable of delivering this major initiative.
  • Rather than focus on the financial services sector, NB cast the net far and wide, looking for talent with multi sector experience. This was essential to bring a broad perspective and innovative thinking to the business.

For a confidential call to discuss how Norman Broadbent Group could help you overcome your business or people challenges please contact Neil Pilkington at neil.pilkington@normanbroadbent.com or Ross Stacey at ross.stacey@normanbroadbent.com


The Digital ‘Trainsformation’

This month, I’d like to share some thoughts on digital transformation within Rail. Clients are now more focused on the need for Tech and Operations to work closer together, enabling them to effectively and accurately manage, monitor, and maintain their assets to support real-time decision-making.

For digital transformation to provide real value, our Clients are attempting to merge operational and IT data, making it accessible to the whole organisation. If achieved, Operational Technology will be aligned with their business systems; IT will also help drive and deliver innovation, efficiencies, and reduce/remove downtime. To achieve this, IT will need the support of Operations to understand and control the assets. So whilst digital transformation is complicated, when done correctly, the combination of IT (the Internet of Things) and Operational Technology can create platforms allowing businesses and organisations to effectively manage, monitor, and maintain their assets.

This approach will also enable IT to connect with complex assets and Operational Technology systems. This will enable the capture of real-time data, allowing the performance, deterioration, failure, location, and safety compliance of assets to be monitored, as well as delivering monitoring systems that track scheduling and asset utilisation.

However, the creation of a digital railway system that forecasts failures, demand, customer behaviour, and the degradation of assets is not that simple. It can only be effective when all the relevant data points are captured, which includes engineering knowledge. This is because the digital engineering models created during the engineering phase of a project tend not to play a role in the operational phase. This is highlighted by the increasing number of Clients asking us about digital engineering, and how engineering technology forms part of their wider digital projects to boost system efficiency, as well as meeting the increasing demand for new product design. So for digital railway systems to provide the efficiency, customer experience, and commercial benefits desired, they will need to acquire a broad range of data points, covering design and manufacturing. This will allow the system to fully assess the condition of its assets from a fleet, system, probability of a shutdown or delay, and unexpected asset malfunction perspective.

In light of this wave of digital transformation projects, Clients are seeking to leverage our networks and sector knowledge outside of Rail, to pre-inform their digital strategy, and to make key strategic hires, either in a permanent, Interim or consultancy capacity. This is due to their personal and professional networks rarely containing the solutions they seek. More and more the candidates they seek come from out of sector, and can be found in the Consulting, Technology, Financial Services, or Life Sciences space.

If you would like to find out more about how Norman Broadbent Solutions can help you, or to discuss a specific assignment, please do not hesitate to contact Nick Behan on +44 (0) 0207 484 0106 or via nick.behan@normanbroadbent.com for an initial confidential discussion.


Cyber-attack: will you be on the hook?

From December 2019, the revised Senior Managers and Certification Regime (SMCR) framework will come into force. Along with the many new responsibilities and accountabilities, Senior Stakeholders need to understand that they may be partly, or fully, responsible for any cyber breaches that occur. Indeed, a failure to act proactively across the Information Security function could be construed as a breach of the conduct rules. Given the short timescale, what can you do to ensure that your firm, as well as other accountable executives, are ready for the deadline?

Understand

With over 90% of all cyber security breaches due to human error, it’s safe to say that mistakes in the workplace are more than costly. This, together with sometimes outdated or badly implemented technology and processes, means that it is “WHEN” rather than “IF” an event occurs. Understanding not only preventive measures, but also the potential ramifications, is key to managing Cyber Resilience successfully. The need for having the right people in place, asking the right questions at the right time, is business and risk critical.

Plan

For starters, we advise reviewing the CBEST security exercise from the Bank of England. Whilst focused on the technical side, it provides an accurate representation of how secure your systems are, and identifies any weaknesses which need addressing. The following Bank of England CBEST link may be of use: https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/cbest-implementation-guide

In addition, experts in the field advise that a full process mapping program is conducted. This may help to identify where human weaknesses in the chain may occur. Training will almost certainly be required to mitigate risk. Your CIO, COO, CISO should be able to evidence these, together with a plan of action. It goes without saying that your CRO should have full oversight. The following link may be of use: https://www.cyberessentials.ncsc.gov.uk/

Adapt

Ensure you have enterprise-wide programmes running to address any weaknesses, and that these are owned by an ‘accountable executive’ on the senior Leadership team or ExCo. The threat is ever changing, so it is best practice to ensure this becomes part of BAU. Also run regular simulations to understand what the most effective and appropriate responses are. Should the worst happen, you need to be able to evidence to regulators that you have taken all reasonable steps to protect the organisation and its clients. Other stakeholders are also important to consider. Being able to show preparedness to the media or other external influencers is important to manage reputational risk.

React

Marriott, British Airways, Equifax and Facebook were some of the largest Cyber breaches of last year. Cybersecurity experts agree that with the right protection, most data breaches are avoidable. However, if your company does become the next Equifax or Facebook, the manner in which both firms and senior individuals react is critical to the longer term survival and rehabilitation of the brand. The example of TSB, whilst not a malicious data breach, serves to underline how not getting in front of the issue can be damaging to both organisation and careers.

How can Norman Broadbent Interim Management Help?

As a trusted partner to senior leaders for a number of years, our network of Interim Professionals is there to support, supplement and often lead business critical programmes. Bringing someone on board that has “been there, seen it, and done it” on numerous occasions and in different environments, can be the difference between success and failure. With Cyber Resilience, there may be no more important issue the organisation should address.

And as the holder of the SMF authorisation, the buck may stop with you!

If you would like to find out more about how Norman Broadbent’s Interim Management Network can support you, or discuss a specific assignment, please do not hesitate to contact Mike Davies, Director, on +44 (0) 207 484 0000 or via mike.davies@normanbroadbentinterim.com for an initial confidential discussion.


The data search market: Where is it at?

According to a recent McKinsey report, the number of analytics skills job openings in the US has grown exceptionally. One source suggested it had grown from 2.3 million in 2015 to 2.9 million this year. This exponential growth has proved that data has become a fundamental aspect of how an organisation understands, interacts and works with its customers. It has also led our clients to look for candidates with a combination of strong data backgrounds and first-class commercial acumen. These clients understand that data can unearth operational improvement that delivers a real impact.

Searches for analytics enabled Chief Executive Officers, Chief Data Officers, Directors of IT, Human Resources Managers, Financial Managers and Marketing Managers are becoming more common, especially as it is increasingly understood that an application of analytics enabled skills in these roles will gain many marginal advantages across the business. To find these candidates, we have seen clients actively looking at talent out of their sector who can apply their knowledge of data to new challenges. The searches which we have completed are prioritising deep digital and data understanding far above sector knowledge.

Given this ever-changing climate, the need to attract and retain ‘next generation leaders’ is paramount. Many of our clients have approached Norman Broadbent Solutions to help with a number of challenges in this arena from developing their bespoke attraction strategies, to building an ongoing talent pipeline, or making their business “millennial friendly” for their next generation leaders.

As the digital agenda grows around all industries and sectors (as well as the improvements in data processing, the roll-out of automation and cloud computing) its importance will only grow. As it does, so will the need for individuals who can understand, develop, deploy and improve these technologies. These skillsets are being targeted by a huge variety of different organisations and sectors, all offering exciting opportunities. These have seen the use of headhunting and targeted methodology becoming more important, as firms look to compete for this talent in the market.

If you would like to hear more about this topic or find out how we can help you, please do not hesitate to contact James Wyman, Director of our Technology Practice at Norman Broadbent Solutions on +44 (0) 207 484 0075 or via james.wyman@normanbroadbentsolutions.com


Why Do Boards Hire CIOs?

Norman Broadbent has run a series of breakfasts addressing the journey CIOs must take to reach non-executive status. This article shares some key reflections that have emerged at these events over the years.

Why do boards hire CIOs? The history of the changing role of technology in business is well documented and one that we all know. Academic publications were grappling with the theme as early as the 70s and 80s, and major newspapers including The Wall Street Journal and The Financial Times frequently call on Boards today to embrace the centrality of technology in the future of business. However, like the salesman in Franz Kafka’s novella The Metamorphosis, many companies seem to be, just now, waking up to find themselves changed, often stumbling and tumbling around as they adjust to their new technological skin. Or worse, are watching this transformation take place all around them, whilst clinging to the tried and true of yesterday. Over the last decade or so, CIOs have established themselves as accepted members of the executive team, but there is still a distinct lack of non-executive representation for technologists, despite the fact that executive CIOs are now so commonly invited by boards to discuss the challenges they face. Indeed one of the most common anecdotes I have heard on this subject involves the CIO being asked, the day before presenting to the board, “what should we be asking you about tomorrow?”.

The number of technology focused board members ‘is’ on the increase, from 10% to 17% between 2011 and 2017 and for high-performing companies that proportion is almost double at 32%. These figures appear to suggest that there is an increasing need for boards to provide strategic recommendations that are technologically driven, and that there is a link between this kind of insight and high performance.

One thing that has become clear through Norman Broadbent’s breakfasts around the question of “why do boards hire CIOs” is that Boards need an IT professional who understands the executive landscape and can perform beyond their specialist knowledge. As Simon Rickets, now a plural non-executive at HMRC and previously a serial FTSE 100 CIO said, “NEDs must have proven themselves to be good business leaders, above the day to day of their function at the executive level. [One’s specialist experience] that will enhance the Board’s performance… will only get one through the door, what the chairman will want to see most is the ability to contribute on every business issue, from apprenticeships to acquisitions, regulatory to remuneration.”

Peter Brickley, CIO of Coca Cola European Partners and current Chairman of The Newberry Building Society believes that, in order to cultivate this kind of view on business, a CIO needs curiosity. Peter encouraged CIOs to, “stay curious, the people who do best in this role are the ones that want to make the company succeed more than they do themselves. They will ask the questions no one else will and challenge constructively whenever it is needed. They are able to think the thoughts that others can’t, join the dots that make the whole and be strategic.”

Our most recent speaker, David Lister, a plural NED serving at HSBC amongst others, says that “preparation, preparation, preparation are the top three attributes of an effective contribution as a Non-Executive Director.” He believes that a board hires a CIO who can come into the board room prepared, having thought through the challenges and risks the business will face from a technology perspective.

What is interesting here, is that what is expected of a CIO in a non-exec role, is no different from the expectations placed on a CFO, HRD or CEO. The differentiator in this case of course is technology knowledge, but the same could be said when a board looks to hire people with specific regional experience or an M&A specialism. I believe that the answer to our question here “why do boards hire CIOs” is simply that they do so, for the same reasons they hire anyone else, to look after the interests of the shareholders. What has changed is that the demand for business savvy CIOs at executive level, has created a ready supply of board appropriate talent, at a time when no board should be without technology representation. Some boards have addressed this need due to a specific problem, in say data or security. Some are being strongly encouraged by regulators and governing bodies to appoint tech savvy NEDs to address risk. While some of the more forward thinking organisations have simply stayed ahead of the curve. What is clear however, is that this is a growing and persistent shift in thinking, that can only be good for business in the UK and good for our professional community.

If you would like to hear more about this topic or discuss any other upcoming events, please do not hesitate to contact Neil Pilkington, Director at our CIO Executive Search Practice on +44 (0) 20 7484 0000 or via neil.pilkington@normanbroadbent.com


Changing Perceptions of General Data Protection Regulation

For the past few weeks, both the UK and US press have been filled with the alleged misuse of personal data by Facebook and Cambridge Analytica. While the ICO and US Congress begin to hold hearings and carry out their investigations, it’s fair to ask if this and GDPR have created a step change in how the consumer understands the value of their data.

Although arguably smaller than the Equifax and Yahoo data breaches, the scandal around Facebook has grown exponentially and has galvanised clients’ and customers’ minds in a way not seen before. There are many reasons for this, some of which are:

• Facebook is ‘more real’, with 1.40 billion active users logging on each day to the network.
• There is a lack of explicit consent given by the individual and an exposure of what data profiling can do.
• A new understanding by the consumer of how their data can be used.

GDPR and the Facebook scandal have come together in a perfect storm. This has shown the public that the theoretical aspects of data privacy have real-world consequences.

What do you do?

A concept has been created that someone is watching over the consumer’s shoulder, whenever they are online. This has been perpetuated by how relevant ads suddenly appear, seemingly connected to a recent email sent, or a conversation just had.

There needs to be an intrinsic value exchange between those who wish to use personal information and those who offer it up. There are parameters and rules which market-leading firms are currently using, including:

CONTROL

The control of data must sit with the consumer who has created it, which is a fundamental aspect of GDPR. Implied consent is no longer enough for a population that is realising the commercial importance of their information.

DISTANCE

There is a balancing act between being relevant and ‘looking over your shoulder’. Creepiness can be avoided by asking, ‘would I do this within my personal life?’ If the answer is no, then the balance is wrong.

VALUE

When data processing makes life easier and safer, individuals are more open for their information to be used. Advanced analytics is fundamental to anti-money laundering efforts, disrupting organised crime online and making cyberspace safer. As the consumer wakes up to what data can do, we as an industry need to be more explicit in the power that data profiling has.

Can the right talent mitigate this risk?

With an organisation’s relationship with its customers now being more data-driven, and with that relationship now in flux, it is vital to acquire individuals who can navigate this transformation.

Data Governance Consultants, GDPR Experts, Data Privacy Specialists and Advanced Analytics Professionals – all with a strong commercial underpinning – have become vital to an organisation. This will continue, although there is another aspect to consider: highly successful individuals will need to understand what the consumer wants and how to deliver value to them.

To find out more on this topic and continue reading our whitepaper, please contact James Wyman, Consultant at Norman Broadbent Solutions.

 

Email: james.wyman@normanbroadbentsolutions.com
Mobile: +44 (0) 79 1239 2833 
DDI: +44 (0) 20 7355 6927


Fear#1: Cyber Security

When PwC released their annual CEO Survey at the World Economic Forum in Davos, Cyber Risk was number one on the fear list. This was followed by the lack of talent to meet this, and other, digital challenges. Last year, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021 (Source: The Official 2017 Annual Cybercrime Report). As stated in the report, “This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.”

With cyber criminals becoming increasingly audacious, cyber-attacks rarely go unnoticed and often make global headlines. Recent examples include:

Without recruiting the right talent, investing in ongoing training and people, and putting in place security procedures and processes, a business runs significant cyber risks. These include:

  • Reputational and economic damage as witnessed following the TalkTalk data breaches in 2014/2015. TalkTalk were (very publicly) fined £500,000 by regulators for both infringements and saw a fall in customer acquisition/retention numbers.
  • Damage to a company’s employer brand is also a very real risk. Digital, tech and other professionals will be mindful of their personal professional reputation, hence will want to work for businesses that will enhance their careers. Those who have suffered at the hands of the media following a well-publicised cyberattack will be regarded as tainted so may struggle to recruit and retain key staff, making matters worse.

Cyber Security is – quite rightly – Fear#1. Not only can it affect trading in the short term, but the associated reputational risk is significant when looked at in the context of customers, suppliers, regulators, other partners and stakeholders. The real risk of course is a company’s ability to attract and retain key staff once there has been a breach. For without key cyber security talent, a company’s ability to protect itself diminishes significantly.

At Norman Broadbent Solutions we focus on high-potential, high-performing talent. If you would like an initial confidential discussion about your cybersecurity team and the talent challenges you are facing, please contact Joanne Cumper, Director, Digital and Analytics at Norman Broadbent Solutions via joanne.cumper@normanbroadbentsolutions.com or on 0207 355 6936.