
Simon Goldsmith
CISO
OVO

Simon Goldsmith is a seasoned security leader with over 24 years of global experience connecting the strategic objectives of CEOs, boards, and government ministers to security risk reduction across the technology, finance, retail, and energy sectors. In addition, Simon is a chartered mechanical engineer and co-authored the ISO/IEC/IEEE 32675-2021 International Standard for DevOps.
Give us a brief overview of the path that led to your current role.
Global events have had a big influence on the path to my current role. It started with 2 years as a manufacturing engineer with the Fiat Group in Italy. After 11 September 2021, I moved to UK MOD and worked on systems engineering for helicopter survivability. After the terrorist attacks in London on 7 July 2005, I made a move to work in national security. But instead of chasing and stopping terrorists, I found myself working with intimidatingly smart data scientists and engineers to build and secure new technologies for governments, banks and critical national infrastructure. And that path has led to quite an adventure, both overseas and now back in the UK, helping secure OVO's mission to power human progress with clean affordable energy for everyone.
What is one of your guiding leadership principles?
Leave your company, your team, your role in a better place.
- Our time as leaders is finite, but the organisation is not. This shifts the focus from short-term personal wins to the long-term health and vitality of the organisation. Our primary responsibility is to hand the company, team and role over in a stronger position than when we received it.
- It demands continuous improvement (Kaizen). To leave things better off we must constantly seek incremental gains. It's not about one revolutionary act, but about fostering a culture where everyone, from the executive team to the front line, is obsessed with improving processes, products, and themselves.
- It instils humility and personal responsibility. When done authentically, we demonstrate that responsibility for the company's culture and performance rests with everyone, starting with us. It builds a culture of accountability, not entitlement.
What is the greatest challenge security leaders face today, and how are you addressing it?
The greatest challenge is people, and much like medicine in the 17th century, information and cyber security is splintered. On one side, we have the "doctors" – the theorists, framework architects, and GRC experts. They study at the "university" of ISC2, CompTIA and ISACA. They are masters of policy, governance, and risk registers. They can brilliantly describe the anatomy of a secure organisation on paper, satisfying boards and regulators.
On the other side, we have the "barber-surgeons" – the hands-on artisans who honed their tradecraft not in a classroom, but in the digital back-alleys of governments and the internet. They are the red teamers, the incident responders, the malware reverse-engineers. Like the butchers of old, they have an intuitive, kinetic understanding of the tools of the trade – both ours and the enemy's. They know how to cut, where to stitch, and how things actually break under pressure.
The greatest challenge CISOs are facing is that these two groups live in different worlds. This creates friction, infighting and arguments about 'best practice' rather than shared purpose resolving the messy realities of technology. We have organisations that are "compliant on paper" but fragile in practice, because the people writing the policies don't truly understand the messy, practical reality of how systems are exploited. The doctors can describe the disease in perfect Latin, but they've never held the scalpel.
How I am addressing this is by building teams where theory and practice are fused.
- Mandate Cross-Pollination: I don't allow these teams to operate in silos. My compliance experts are required to sit in on threat intelligence briefings and watch live red team exercises. Conversely, my technical "surgeons" must participate in policy creation, translating their practical knowledge into scalable, automated controls – "policy-as-code." The surgeons must learn to teach, and the doctors must learn the craft.
- Redefine Expertise: We are moving away from "certificate-driven security." While certifications provide a baseline, we value demonstrated skill – the tradecraft – far more. In my teams, the highest respect is reserved for those who can find a novel attack path, reverse-engineer an attack, or build a resilient system from the ground up, not just for those who can pass a multiple-choice exam. We pair people up and are building a growth framework that recognises those willing to spend time passing on this tradecraft.
- Lead from the Front: Just as a chief of surgery must still be able to step into the operating theatre, a security leader must understand the tools. I still "return to the tools" myself. By demonstrating a grasp of the technical craft, I signal to the entire organisation that we are not just a paper-pushing compliance function. We are a team of skilled practitioners, grounded in reality.
Ultimately, the 17th-century patient didn't want a doctor who could only theorise about their illness, nor a barber who might kill them with a slip of the knife. They needed a true surgeon who fused knowledge with skill. My job is to stop breeding divided specialists and start cultivating modern security surgeons who can both diagnose the disease and perform the cure.
What is the key to success for someone just starting out as a CISO?
Modelling calm, control and connectedness in times of panic, stress and crisis. And in calmer times, recognising that your peers, their teams and your external stakeholders all have a different definition of success for security. Recognise and document these differences, map their user stories and be transparent about plans and progress when addressing their needs.
How do you measure success as a leader?
Embedding a commitment to security hardening and resilience so deeply in an organisation that it continues to advance security when the security team isn't in the room. It is a shift from an individual goal of finding and amplifying weakness to a team goal of wiring security risk reduction into resilient business performance.
Gartner C-level Communities Governing Body members share their insights and leadership perspectives to shape the agendas and topics that address the top priorities impacting business leaders today.