The roles and responsibilities of the CISO at McKesson

Spencer Mott is the SVP and global CISO (chief information security officer) at McKesson, the global healthcare provider. In his position, his roles and responsibilities include what you’d expect from most CISOs. This includes being involved with compliance risk, assurance trust, and security operations and technology.

McKesson was founded in 1833 and is one of the three healthcare companies in the Fortune 10, with over $200 billion in annual revenue.

Growing in importance

The roles and responsibilities of the CISO have evolved, expanded and gained greater traction within organisations. This is reflected in the CISO salary, which is now — on average — around $180,000 (£137,000). However, in tech hubs such as San Francisco, the average CISO salary is closer to $249,000 (£190,000). Some even predict that the pay package will soon hit £1 million, although few are equipped to command such a salary.

What’s the point? Businesses are now taking security seriously. Media scrutiny and public perception, highlighted daily, combined with more stringent, costly regulations, means that executives have to position security as a business priority.

Fifteen years ago, few people really understood the scope of security; it was seen as network security, anti-virus and, to an extent, access control.

Over time, as a result of more breaches and incidents, executives started to realise that the “function, role and the capability of security and the CISO was important,” explained Mott.

“The role from an accountability perspective has changed,” he continued.

In today’s environment, someone has to be accountable for security failings, just as the CFO has to be held accountable if a business’ finances run dry.

A major evolution

“We’re going through a major evolution in the role and responsibilities of what it means to be a CISO,” said Mott.

Thinking about one specific area, Mott pointed to the fact that when he’s trying to build the capability and protect the company, “we’ve had numerous roles created around us that put scrutiny on our role, which means that we spend way too much time answering questions about what we’re doing than we do actually driving the capability,” he said.

The role is also starting to diverge from that of the traditional technical CISO, according to Mott. Here he referred to the “technical security lead that is embedded in CI/CD or skills relating to DevOps and development work.”

Today, the persona of the CISO is different — “it’s branching off into something that looks more like a risk officer,” he said.

The concept of a risk officer has been around for four or five years, but it only really manifested in the financial services industry.

Now, across industries, “we’ll see a divergence of embedded security experts developing products and services,” suggested Mott.

In this situation, the CISO will provide a broad oversight of risk, one component of which is technology risk.

But, as is the case with the CIO and CTO roles regarding technology, that individual should be able to articulate “the risk of technology in the context of the other risks that any company has to wrestle with,” he continued. “And this would operate at board and executive management level.”

The CISO and the chief risk officer (he doesn’t think the two are mutually exclusive), together with the board, have got to work very closely together. They’re a partnership.


The business-savvy CISO

The CISO role, especially in larger companies, needs to get a lot better at articulating, describing and managing risk.

This is because “we live in a really ambiguous world; there’s lots of things happening that we’ve never predicted happening,” warned Mott. “That’s only going to get more common.”

“I think we need to admit that we have this broad spectrum of risks throughout organisations (a big chunk of it is data and technology), but it also includes managing resources, time and effort,” he continued.

CISOs, employees and executives need to respond to this broader spectrum of risks, rather than focusing purely on technology as a risk.

Risk management

When thinking about risk management, Mott described it as the “connectivity of risks”. “That is the risk, not the individual risk,” he said.

“It’s one risk manifesting itself that then ties to something else that might be supply chain risk that ties to customer risk, branding risk etcetera.”


A CISO security solution prediction

In general, according to Mott, the simplest route to an effective security solution would be the consumer (or the patient, in healthcare) driving the change.

It’s all about consumer demand.

If the consumer wants a change and the technology has evolved then businesses have to create solutions to match those desires.

Think Uber, Deliveroo and AirBnB.

Basically, if there is a consumer desire for security, just as there is a consumer desire for a convenient, cost effective taxi service, the companies and industries will accommodate.

“Healthcare, however, is slightly different,” said Mott.

“The interactional control that the patient or even the patient’s family feels over the healthcare system is not quite the same; it’s a much harder animal to change, in the sense that we have all these different pieces that operate in the same environment but naturally work together particularly well.”

“I do think that consumer expectations and the results that improve ways of delivering healthcare and services and medicines is going to make them more aware and educate them more and drive that change,” he continued.

Another security solution Mott referred to was analytics.

“We can all gain from having a better joined-up understanding of the analytics that we will hold and how that can be shared in a safe, secure and compliant way to improve all our products and services in the healthcare ecosystem,” he explained.

From a security perspective, this means reducing the complexity of the many security tools into a platform and/or API components that can be plugged in or plugged out; that will be paramount in dealing with a rapidly changing threat landscape.

The final solution he mentioned concerned the automation of manual processes.

Manual human processes need to give way to automation and AI-driven technology: machine versus machine, on both the threat actor’s side and the defender’s.

“I predict that very large teams today that are involved in a lot of manual processes are going to be radically enabled by technology to contextualise the risk, address it and then automate the response; that’s going to be huge,” he exclaimed.

The result? These solutions will either free up the security team’s time to do more value-added work, which might include providing insights to the business that aren’t necessarily security-related or they will help build on the trust proposition; or “maybe even reduce the team size,” Mott concluded.

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...