ISO in the Spotlight - John Graham from Pilz

Written by: David Henderson on Apr 25, 2024

John Graham from Pilz chats to us about his role as ISO and shares his thoughts on the challenges of implementing and maintaining a great information security culture in large organisations.


Can you describe a challenging experience you had while implementing or maintaining ISO27001 compliance and how you overcame it?

A big challenge was dealing with the breadth of the security controls in ISO27001, from technical IT controls to HR onboarding and offboarding procedures to company legal compliance. It's very important to ensure you develop good working relationships with the key ISMS stakeholders across the various company departments. It's key that they can see the benefits of the ISMS aligning with the business to ensure long-term business success.

What emerging cybersecurity threats do you believe will have the most significant impact on businesses in the next year?

Phishing emails and ransomware continue to be a serious threat as they continue to evolve and become more sophisticated. Continued security awareness training for all employees is key to ensuring vigilance against such threats, along with strength-in-depth security controls.

With the increasing use of cloud technologies, along with AI and increased EU regulation, there is no stop to the growing threat landscape for companies.

In relation to regulation, it is important to embrace the regulations that are relevant to your business sector and the regulations and standards relevant to the countries where you have customers.

How do you prioritise and manage risks in your company?

In my company we have a low appetite for risk, and the corporate risk management policy and processes define how risks are identified and assessed and how risk treatment is defined, to ensure all risks are progressed to an acceptable risk level. As part of the ISMS we have monthly risk management meetings where all risks are reviewed to ensure risk treatments are progressing in line with company risk management governance. Risk metrics also help explain to company and department stakeholders the overall status of risk within the company. Again, good stakeholder engagement from all departments is key to ensuring company risks are identified and progressed to an appropriate level of residual risk.

What key qualities do you think are essential for effective leadership in information security, especially in the context of ISO27001 compliance?

The key qualities that I think are essential for effective leadership in information security for ISO27001 include:

  1. To be able to build strong relationships across the company departments under the scope of the ISMS, to ensure the physical, technical and process controls stated in ISO27001 can be implemented efficiently and effectively across departments for the overall benefit of the company, aligning information security with the business.
  2. Strong communication skills are key to being able to share with all company stakeholders and all employees the overall vision for information security, and how the time and effort invested in the new information security management system, or ISMS, will help drive organisational transformation within the company that will contribute to the business now and into the future.

Good project management skills are also important to help drive the overall information security programme within the company and with external interested parties such as customers (from a supply chain compliance point of view), auditors, etc.

Can you share an instance where a security incident provided valuable insights or led to significant changes in your ISMS practices?

Valuable lessons can be learned from information security incidents, provided they are logged and assessed and an effective root cause analysis (RCA) is completed, to ensure the lessons learned can be captured and security controls adjusted to improve the overall security posture of the company.

One such security incident we had identified gaps in our offboarding process: ensuring that all access to all IT systems has been revoked in a timely manner, and reminding departing employees of their continued obligations regarding the confidentiality of company information.

What advice would you give to someone starting their career in information security?

The Information Security Officer role is a challenging but rewarding role, with lots of cross-department interaction in the rollout of the information security management system. You will get to know your company at a much greater level of detail as you work with stakeholders on the implementation of the security controls.

You will work with staff who possibly have a much greater depth of knowledge in specific areas, for example as you implement technical security controls. This is not something to be afraid of. Part of the role of the ISO is to have the overall ISMS view across the organisation and, along with the necessary skills mentioned earlier, to be able to communicate in all directions within the organisation and drive organisational change that aligns with the business.

About Pilz

Pilz is a supplier of automation solutions whose name is synonymous worldwide with safety for human, machine and the environment, providing automation solutions for all industries and sectors. From Pilz you can expect automation technology that considers both machinery safety and security requirements.

In addition to its head office in Ostfildern near Stuttgart, Pilz is represented by 42 subsidiaries and branches on all continents.
