M&S CISO: I have to remind our board that we are going to have data breaches and get hacked

Matt Denny was launched into a 'here be dragons' type situation

The head of information security and compliance at retailer Marks & Spencer (M&S), Matt Denny, has claimed that he has to remind his board that the company will suffer data breaches and will get hacked, because all companies suffer from cyber-attacks.

Denny, who was addressing delegates at Computing's Enterprise Security and Risk Management Summit today, said that he has had to try to change the mind-set of the board in terms of security.

He also stated that he has a good working relationship with M&S's CIO Darrell Stein, who is to step down from his role this summer.

"I have a very supportive CIO; [when it comes to budget] I sort him out and he sorts me out," he said.

In his presentation, Denny explained that when M&S had hired him, the firm hadn't dealt with information security as it does today. Instead he was launched into what he joked was a "Here be dragons" type situation.

His team was made up of some permanent employees and contractors, but Denny suggested that he needed a team of specialists, all in-house.

"So on day one I sat down with my team and had 45-minute one-to-one interviews with them, and it took until the middle of the day before I found someone who I could say was ready for a security career," he said.

Many of the team that Denny did settle with did not have any experience in the information security field and had to be trained. He believes the investment in training and time with the employees has meant that there hasn't been a huge turnover in staff. Only two people have left - one had been made redundant, and the other moved to another division.

"Anyone that we wanted to stay has stayed here," he said.