Leading Cybersecurity Transformation as a First-Time CISO


Leadership Profile
Written by Amanda Baldwin

Sam Fariborz

CISO

David Jones

May 2025

Sam Fariborz describes her more than sixteen years in IT and cybersecurity as an “interesting journey.” Beginning her career in her home country of Iran, she managed IT for an oil and gas company before relocating to Australia nine years ago. She has since risen to the position of Chief Information Security Officer (CISO) at David Jones, consistently finding opportunities in challenging situations along the way.

Now, one year into her inaugural CISO role, Sam reflects on her career path and shares insights as a new leader in the field.
 

The Journey to CISO

While in Iran, Sam progressed through roles in service desk support, computer hardware architecture, infrastructure, and ultimately system and network engineering. However, upon migrating to Australia, she faced challenges in securing employment.

“I came here with skill and a visa. I had all the knowledge and experience needed to start working in Australia, but like any other migrant, when you're new to a country, you need local experience.”


Rather than pursuing traditional interviews, Sam sought technical volunteer positions in the not-for-profit sector to gain industry experience in Australia and familiarize herself with the local culture. She also appreciated the relaxed work environment of not-for-profits, which eased her transition. Sam joined the Brotherhood of St. Laurence, a large not-for-profit offering a range of services, where she initially contributed to the IT support team.

At the Brotherhood of St. Laurence, Sam quickly advanced from a volunteer to a contract role to a full-time position. During her three-year tenure, she became involved in an accreditation program that introduced her to cybersecurity and cyber governance risk compliance, altering her career trajectory. Since then, Sam has worked across various sectors – including government, membership organizations, and retail – holding multiple cybersecurity roles. She humorously recalls, “For two years, I was a security analyst working on investigations and the ‘cool side of cyber.’”

A pivotal moment in her career occurred when she joined Kmart Group, where she managed their cyber program and services. After two years, Sam was recruited to join David Jones, a prominent retailer in Australia, as their CISO. Initially, she experienced “imposter syndrome” and was hesitant to take on the role. However, encouragement from another CISO inspired her to take the plunge. She recalls, “I promised her I would say yes to everything coming to me, and now I'm here, a year with David Jones. It's been a massive, great journey so far.”


Sam’s First 3 Goals as CISO of David Jones

Sam joined David Jones during a significant period of transition, amid their separation from Country Road Group, another Australian retailer. Upon taking the role, she identified three initial "missions":

  1. Successfully complete the security separation: This was Sam's highest priority. David Jones and Country Road Group shared a single cybersecurity employee, which necessitated swift action. She noted, “This was my first challenge. There was uncertainty around the company situation, and roles and responsibilities were not clear.”
  2. Build the cybersecurity function and team: Prior to the separation, the focus was primarily on the technical aspects of security. While some effective solutions were in place, Sam emphasized the need for risk management and aligning security with the broader business objectives. Building her own team was her first request upon accepting the role.
  3. Define a cybersecurity strategy and get endorsement from the board: Without a mature security function in place, Sam needed to develop a strategy from the ground up. As David Jones was undergoing digital and technological transformations, she saw an opportunity to align these enterprise goals with her strategy. She stated, “That is exciting for our business. When I was thinking about the strategy, I needed to be very mindful about the future of the company and the overall objectives of the company, which transformational programs would impact.”

    Sam developed a two-year strategy with seven streams of work. The first year focuses on governance and establishing a strong foundation for their cybersecurity practice, while the second year targets more advanced solutions. As AI was a hot topic discussed in her early months with the organization, she remarked, “Yes, we are focusing on governance and the foundation, but at the same time, we don't want to miss all the great emerging technologies at the moment.”

“I successfully completed all these three goals by the end of June last year – six months being in the role – and I'm super proud of that.”


Having achieved her initial goals within her first six months, Sam is now in the delivery phase of the strategy. She reflects, “It's been quite an incredible journey at David Jones for me because it's my first CISO role. Being able to build everything from scratch and having the opportunity to discuss cybersecurity with the executive team and board in a company with a 186-year history... I'm super proud of that.”
 

Advice for New CISOs

Transitioning into a CISO role can be challenging, with 40% of C-Level executives feeling they are underperforming in their new positions, according to Gartner research. Here, Sam shares valuable lessons from her first year as a CISO.

  • Build Relationships with the Business
    For Sam, building strong relationships within the organization is crucial for a CISO. She states, “If you don't have influence at your organization, if you don't build strong relationships with other key stakeholders or leaders in the company, you're not going to be successful.” She acknowledges being “lucky” that senior management, the Executive Leadership Team (ELT), and the board at David Jones are all supportive of cyber programs.
  • Have a Flexible Mindset
    Sam emphasizes the importance of being adaptable and open to modifying plans based on company objectives and feedback from others. She notes, “That's a big problem in our field. We have big egos.”
  • Focus on Cybersecurity Culture
    Sam’s philosophy is: "The key to true cybersecurity success lies in understanding and empowering the individuals behind it all." Her approach prioritizes people over tools, fostering a culture of security and collaboration within her team and across the organization. She explains, “It's very much connected to building relationships with the business and being open to hearing from people, because my program cannot be successful if other team members or business units don't support me.”
  • Embrace Emerging Technologies
    Sam acknowledges the challenges some industries face in adopting new technologies, but she strongly advocates for the use of AI and emerging technologies. “They’re going to help us, especially in security, automation, prediction, threat detection, and in educating our junior analysts. We're leveraging all these new technologies, and I'm supportive of that.”

“From a security perspective, I'm always supportive of new emerging technologies.”

Sam explains, “We have a policy around the usage of AI, and I think it comes down to training people. Yes, we encourage everyone to use AI, but we have to educate them.”

  • Engage with Peers in the Gartner CISO Community
    Sam highlights the impact of engaging with peers in her Gartner CISO Community during her first year as a CISO. She shares, “Last year, I changed my approach to attending events and conferences. My time is limited, just like everyone else, and I have to prioritize which ones I should go to. These events are always the ones that I prioritize, because I know that if I go there, I can gain industry insights, I can catch up with my peers, and it's been really helpful.”

Sam Fariborz is the CISO at David Jones and a Governing Body Member of the Melbourne CISO Community.
 

Special thanks to Sam Fariborz and David Jones.
