Moving to Gala Coral as CISO

A substantive personal post. After the brief Vodafone interim and the RBGE consulting engagement, I have joined Gala Coral as Chief Information Security Officer. The role started this past Monday; the first week is nearly through; the cumulative experience to date is genuinely interesting.

This is going to be a longer post than usual. The role transitions are infrequent enough that they deserve careful treatment, and the structural properties of this role are worth recording.

What Gala Coral is

Gala Coral is a UK gambling and gaming operator — one of the largest in the country. The business spans bookmaking (Coral retail betting shops), online gambling (multiple online brands), bingo, and casinos. The operational scope is substantial; the regulatory environment is specific to gambling; the threat profile is non-trivial.

The cumulative business pattern: high-availability online services that depend on continuous availability for revenue, operating across multiple jurisdictions, holding sensitive customer financial data, processing real-money transactions at high volume.

What the role is

Chief Information Security Officer with full operational responsibility for security across the group. Specific responsibilities:

Operational security. The security operations centre, incident response, monitoring, threat intelligence. Specific staff, specific procedures, specific cumulative discipline.

Security architecture. The defensive design of the infrastructure — segmentation, authentication, audit, encryption. The cumulative architectural decisions inform every subsequent operational choice.

Compliance. Specific gambling-regulator requirements, payment-card industry compliance, data-protection compliance, anti-money-laundering. The cumulative regulatory load is substantial.

Risk management. Identifying and prioritising security risks; allocating defensive investment; making cost-benefit decisions about specific defensive controls.

Communication. With board, with operations leadership, with regulators, with auditors, with specific other stakeholders. The cumulative communication burden is real.

The role reports into the executive level; the operational responsibility is substantial; the cumulative scope is the largest I have held.

Why this role

Several specific reasons this role made sense.

The operational variety is appealing. The gambling sector has the high-availability constraints I have written about; the regulatory complexity is unusual; the threat profile is varied. Specific defensive disciplines from previous roles apply; specific new disciplines will be needed.

The leadership scope is the next step. The cumulative experience across previous roles supports leadership-level work. The specific role title formalises responsibility I have been moving toward.

The cumulative defensive challenge is substantial. Specific known threats — DDoS extortion against gambling operators, phishing infrastructure targeting customer credentials, specific commercial-cybercrime interest — all are operationally active. The defensive work is meaningful.

The cultural fit is good. The pre-hire conversations with the existing team and leadership were productive. The team is competent; the operational discipline is established; the cumulative culture supports security investment.

What is different about this role

Three structural differences from previous roles.

The accountability is sharper. A CISO role has specific board-level visibility, specific accountability for outcomes, specific personal exposure to consequences when things go wrong. Previous roles had operational responsibility; the CISO role has cumulative-outcome responsibility.

The time horizons are longer. Operational decisions affect months; architectural decisions affect years; cumulative cultural decisions affect decades. The discipline of thinking across multiple time horizons matters more than at the operational level.

The communication load is qualitatively different. Translating technical reality into board-appropriate language; translating regulatory requirements into operational practice; translating threat-landscape evolution into risk-prioritised investment. The cumulative communication burden is substantial.

The role is, on balance, the next logical step. The cumulative experience supports the responsibilities; the specific responsibilities will produce cumulative learning that previous roles could not.

What I am paying attention to in the first weeks

Three things during the initial period.

Understanding the existing operational state. What does the current defensive posture look like? Where are the specific gaps? What disciplines are mature and what disciplines are immature? The cumulative observation produces the basis for prioritisation.

Building relationships across the organisation. Specific operational staff, specific business stakeholders, specific board members. The cumulative network informs subsequent work; the early investment is bounded but valuable.

Identifying the immediate priorities. Specific gaps that need quick attention; specific projects that should accelerate; specific areas where the cumulative current state is acceptable. The triage informs the first quarter's work.

The first weeks are observation more than action. The cumulative learning during this period will inform the subsequent work substantially.

What this means for the notebook

The weekly cadence continues unchanged. Specific operational content will be bounded by client confidentiality; the general patterns can be discussed; the specific work cannot.

The notebook may shift slightly in character. CISO-level reflection — about leadership, about communication, about risk prioritisation — will sit alongside the operational and reading content. The cumulative writing trajectory continues; the specific composition adjusts.

For specific topics: the DDoS-extortion category I have been writing about is now operationally relevant. Specific subsequent posts will address what I am observing in the role; specific structural patterns will be visible.

A reflection on career trajectory

The cumulative trajectory through the past ten years:

  • DEC, 1996-2003. Foundation years. The operational discipline established; the first machine that became the basis of everything subsequent.
  • The Laverock Von Shultz / gaming-operator engagement, 2003-2005. Operational responsibility at substantial scale.
  • RBGE consulting, late 2005 - early 2006. Cross-organisation perspective.
  • Vodafone interim, early 2006. Telecommunications-scale operational experience.
  • Gala Coral CISO, from April 2006. Leadership responsibility.

The trajectory has been more varied than I had planned. The cumulative experience supports the new role; the specific work will produce cumulative learning that will inform whatever follows.

A specific commitment

For the first six months in the role: substantive engagement with the operational team, the existing infrastructure, the cumulative culture. No major architectural decisions until the cumulative observation is sufficient. No major personnel changes until the cumulative relationships are established.

The cumulative discipline is to listen first, decide second.

For my own continued professional discipline: more on this role as the trajectory develops. The notebook will document what is professionally appropriate to share.

More in time.
