
Paul Key
Global CISO
Smith & Nephew

Paul Key serves as the Group CISO for Smith & Nephew, a $6 billion medical device manufacturer. With over 30 years of experience in IT service management and information security across various sectors, Paul is a seasoned security leader. He is passionate about continuous transformation in all aspects of information and cyber security, ensuring compliance with regulatory requirements while fostering innovation, efficiency, risk reduction, and driving security as an enabler across the business.
Outside of work, you'll find Paul either walking his dog Monty, a crazy Cockapoo, looking for peace and quiet away from a busy household with three grown-up kids, or under a classic car trying to stop the constant oil leaks and battling the dreaded rust problem on 50+ year old cars.
Give us a brief overview of the path that led to your current role.
Back in 1990, I started my career providing support via a helpdesk in a small business. Over time, this morphed into desktop, server, network and eventually into security around 2000. In 2003, I started to become more focused on the softer side of security management: policies, risk and people etc. For the next 10 years, I maintained a leg in both camps – technology and security management. From 2013 onwards, I continued to learn, build and adapt in different ways to ensure my messaging landed correctly for the different levels and functions across the business.
My first global role landed in 2016, with an opportunity to define and build a global security team and practice for a managed service provider. From 2019 onwards, I became a global CISO, utilizing my knowledge, experience and ways of working to assess and improve information and cyber security across different organizations. I feel having a background in both technical and management allows me to communicate to all aspects of the business and leadership to gain buy-in and support for risk reduction and security enablement.
What is one of your guiding leadership principles?
Take time to listen. To be a good security leader you have to take a step back, allow all parties to be part of the discussion, listen, and clarify all points of view, impacts and risks before any decision can be made. Learning from experience, making short, sharp decisions without knowing the whole picture will come back to bite you.
As a CISO, you do not know everything, you need a team to make a difference.
What is the greatest challenge security leaders face today, and how are you addressing it?
The speed of change around AI. Every business leader wants to use AI. As a CISO, I need to support them to achieve the right outcome whilst trying to balance the risks for the business. Whilst this could be for any technology change now or in the future, AI is proving to be more challenging, as it has the ability to impact people, process and technology.
To help address this, I am educating the senior leadership team on the risks, whilst implementing a balanced risk-based governance approach to help control and manage where my teams need to focus. In the world of AI, there is no one-size-fits-all, hence the need to define and implement specific policies and procedures for different parts of my business.
What is the key to success for someone just starting out as a CISO?
Being able to juggle, listen and communicate at all times! Any CISO will tell you that, at any time of the day, you will have several balls in the air that you are trying to juggle. You need to stay calm, analyze and prioritize to be effective, whilst listening and communicating.
Saying no is not an option, instead learn to say 'Yes if.' Security is about being pragmatic, listening to the requirements, working with the business to find a solution, and using tools and techniques in your toolbox.
As a CISO, you cannot do everything, you need a team to make a difference.
How do you measure success as a leader?
Personally, I measure how successful I am in my role via two key aspects:
- The business is aligned on my strategy and vision and supporting the journey to get there.
- My team is aligned and embedded into the strategy and vision that we have built together.
All the usual KPIs and measures are used to drive continuous improvement and management reporting across all areas of my team's responsibilities. You cannot manage what you cannot measure!
What is the value of being a member of Gartner C-level Communities?
Being a CISO is at times a lonely position. Having the ability to network with like-minded leaders in the same role can greatly help reduce the stresses and strains that come with the role, if others are tackling the same challenges.
It's also about giving back. Being in a position to share what works well, or what has not worked well, may help other CISOs or organizations in the future; we are all trying to combat the same threats. Sharing is caring.