Cyber at the Top: Cyber Resilience in Action — Lessons from a CISO
Guest: Emma Smith (Group CISO, Vodafone)
Host: RSAC
Date: March 19, 2026
Episode Overview
This episode of “Cyber at the Top” features Emma Smith, Group CISO at Vodafone, sharing practical insights on building and sustaining cyber resilience within a global telecommunications giant. The discussion explores the distinction between security and resilience, the challenges of embedding controls, the importance of culture and trust, and actionable leadership lessons.
1. Setting the Stage: The Role & Scope of the CISO at Vodafone
[01:18–02:50]
- Emma’s Current Role: Group CISO at Vodafone, overseeing IT architecture, technology strategy, data analytics, and risk governance.
- Vodafone’s Scale:
- Operations in 15 countries (Europe & Africa), investments in ~40 more.
- 360 million customers across mobile, fixed networks, undersea cables, and a large African fintech business.
- Organizational Purpose: Technology as an enabler for sustainable societies, with trust and inclusivity foundational to Vodafone's mission.
- Career Background: Over 20 years in security, including 13 years as a Chief Security Officer at a UK bank.
Quote:
"We really focus on a broader company purpose about using technology to enable people's lives... trust and inclusivity underpins that, which is a great platform to then go and build security across an organization." — Emma Smith [01:54]
2. Defining & Practicing Cyber Resilience
[02:50–05:25]
- Personal vs Cyber Resilience:
- Importance of personal resilience shaped by crisis leadership experiences, especially during the financial crisis.
- For cyber: Adopts NIST’s proactive stance—anticipate, withstand, recover from, and adapt to threats.
- Cyber resilience as a constant journey, not a destination.
- Discoveries from Vodafone’s Journey:
- Key to resilience: “reducing the blast radius” (limiting the scale of impact), speeding up recovery, and preventing repeat incidents.
- Emphasizes humility and continuous learning—never finished, never complacent.
Quote:
"We've built a really strong solid security baseline. But we think resilience is the destination or the journey that we're on..." — Emma Smith [03:43]
3. What's at Stake Without Resilience?
[05:25–07:21]
- Critical National Infrastructure:
- Telecoms sit alongside power and road systems—impact reverberates across governments, businesses, and families.
- Example: Power outages in Spain and Portugal disrupted daily life—telecoms’ outages would be equally consequential.
- Regulatory Implications:
- Heavily regulated sector; unavailability of services is closely monitored.
- Erosion of Trust:
- Disruptions undermine hard-won customer trust, which underpins the digital economy.
Quote:
"We really do take that role as critical national infrastructure really seriously. It can have a massive societal impact... If we have a large significant issue, it can really affect multiple different sectors and economies in the countries that we operate." — Emma Smith [06:15]
4. Making Security Controls Stick
[07:21–10:16]
- The ‘Security Basics’ Myth:
- Hygiene isn't basic; making controls automated and sustained is complex, especially at Vodafone’s scale.
- Challenges:
- Knowing which controls truly reduce risk is vital for prioritizing effort.
- Ensuring controls are correctly configured and have comprehensive coverage across the organization.
- Controls need continuous re-engineering as threats and technologies evolve; security is an ongoing process that is never “done.”
- Human Factor:
- Success relies on a team that’s curious, engaged, and willing to challenge norms.
Quote:
"There's often a perception—especially from people outside the security discipline—that you kind of deploy a security tool and then you're done. But actually, as we know, it's this continuous operations and engineering... always pushing the dial." — Emma Smith [09:37]
5. Lessons from Transformation: What Drives Impact?
[10:16–14:04]
- No Single Magic Bullet:
- People and operating model are at the heart of security success.
- Vodafone’s Approach:
- Adopted a global but harmonized model: centrally set priorities and consolidated tooling—blueprints applied in every market.
- Annual technology priorities set with three-year targets, tracked to the CEO.
- Transparency: Annual public cyber fact sheet, hands-on board engagement, regular cyber simulations for executives.
- Empowering Teams:
- Cyber leadership culture built through consistent mission and engagement.
Quote:
"We've gone about making everybody really in tune with the mission so that people are part of the big picture." — Emma Smith [12:02]
- On Simulations:
- “There's usually not a good outcome to the simulation. So it makes them kind of feel cyber risk... they're immersed in a real experience and having to make difficult decisions.” — Emma Smith [13:41]
6. Trust, Transparency & Stakeholder Engagement
[14:04–16:37]
- Trust-Building:
- Take accountability and don’t just “admire the problem.”
- Transparency and tailoring your message to the audience are crucial.
- Present the cyber function as a business enabler, not a bottleneck.
- Embrace Difficult Conversations:
- Openness to challenging board questions fosters trust and brings new perspectives.
Quote:
"The very day that he decided to go and embrace those questions... it led to a completely different level of trust with his board... Those difficult conversations are there for a reason—embrace them, lean into them." — Emma Smith [15:46]
7. Building Resilient Security Teams
[16:37–19:08]
- Leadership Matters:
- Created a Cyber Leadership Academy combining technical and leadership growth.
- Traits for Resilience:
- Tenacity, “restlessness” (never finished), humility, openness, and high integrity.
- Team Empowerment:
- Security teams must be able to engage with all organizational levels and adapt their leadership style.
Quote:
"Cyber is a lot about leadership and a lot about tech and you've got to have both." — Emma Smith [17:30]
8. Structuring Resilience Without Slowing Business
[19:08–21:41]
- Partnership Approach:
- Security by Design: Building reusable patterns and empowering developers to own security.
- Demand vs. Scale:
- Enormous demand for security input (esp. with AI use cases); scaling is a “happy problem.”
- Automation and Prioritization:
- Continuous journey—aim to automate workflows and ensure respect for broader business objectives.
Quote:
"I know that the company objectives are my objectives and I need to work really hard to try and help others be successful." — Emma Smith [21:28]
9. Metrics for Cyber & Resilience
[21:41–25:39]
- Metrics Challenges:
- Relies heavily on key risk indicators (KRIs) around control effectiveness.
- Looking to move beyond static measures—leadership, culture, crisis responsiveness also matter.
- Four Focus Metrics:
- Scale of impact (containing the “blast radius”)
- Speed of recovery (beyond time-to-respond)
- Learning from incidents (comprehensive Post-Incident Review, no repeats)
- Control effectiveness (share of events stopped “in time”)
- Measurement as Motivation:
- Data & dashboards maintain focus; league tables drive healthy competition among regions.
Quote:
"Having that data that's regularly refreshed and then for the right audience tailored... Sometimes have league tables that show how different countries are performing against each other and that sometimes helps to drive momentum." — Emma Smith [26:03]
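As an added example (not part of the episode and not Vodafone’s own tooling), here is one way to turn the four focus metrics above into KRIs that can be refreshed on a schedule and ranked per market as a league table. The incident record layout, the field names, the sample incidents and the 1,000-asset estate size are all assumptions constructed for illustration.

```python
"""Resilience KRIs from an incident log.

Added example: not Vodafone's tooling and not code shown in the episode.
It turns the four focus metrics (blast radius, speed of recovery, learning
from incidents, control effectiveness) into numbers that can be refreshed
regularly and ranked per market. The record layout, field names and the
incidents themselves are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Incident:
    incident_id: str
    market: str               # operating country, used for league tables
    root_cause: str           # stable id for the underlying weakness
    started: datetime
    contained: datetime       # spread stopped; assets may still be degraded
    recovered: datetime       # service fully restored
    affected_assets: int      # hosts/services with customer-visible impact
    blocked_by_control: bool  # a control stopped it before any impact
    pir_completed: bool       # post-incident review done, actions tracked


def _hours(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 3600


def impacting(incidents):
    """Incidents a control did not stop in time, oldest first."""
    return sorted((i for i in incidents if not i.blocked_by_control),
                  key=lambda i: i.started)


def blast_radius(incidents, total_assets):
    """Share of the estate touched per impacting incident: (median, worst)."""
    shares = [i.affected_assets / total_assets for i in impacting(incidents)]
    return (median(shares), max(shares)) if shares else (0.0, 0.0)


def repeat_incident_rate(incidents):
    """Fraction of impacting incidents whose root cause had been seen before.

    Only impacting incidents count: a known cause that a control now stops
    is evidence of learning, not of a repeat.
    """
    seen, repeats, n = set(), 0, 0
    for i in impacting(incidents):
        n += 1
        repeats += i.root_cause in seen
        seen.add(i.root_cause)
    return repeats / n if n else 0.0


def control_effectiveness(incidents):
    """Share of all recorded events that a control stopped in time."""
    incidents = list(incidents)
    return sum(i.blocked_by_control for i in incidents) / len(incidents) if incidents else 0.0


def kri_report(incidents, total_assets):
    """The four focus metrics as a flat dict, ready for a dashboard refresh."""
    imp = impacting(incidents)
    br_median, br_max = blast_radius(incidents, total_assets)
    return {
        "blast_radius_median": br_median,
        "blast_radius_max": br_max,
        "containment_hours_median": median(_hours(i.started, i.contained) for i in imp) if imp else 0.0,
        "recovery_hours_median": median(_hours(i.started, i.recovered) for i in imp) if imp else 0.0,
        "repeat_incident_rate": repeat_incident_rate(incidents),
        "pir_coverage": sum(i.pir_completed for i in imp) / len(imp) if imp else 0.0,
        "control_effectiveness": control_effectiveness(incidents),
    }


def league_table(incidents):
    """Markets ranked by control effectiveness, best first (ties by name)."""
    by_market = {}
    for i in incidents:
        by_market.setdefault(i.market, []).append(i)
    rows = [(m, control_effectiveness(v)) for m, v in by_market.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample log (not real incidents); times are offsets from T0.
T0 = datetime(2026, 1, 1)
h, d = timedelta(hours=1), timedelta(days=1)
TOTAL_ASSETS = 1000  # assumed estate size for the blast-radius share
INCIDENTS = [
    Incident("INC-1", "DE", "unpatched-edge-vpn", T0, T0 + 2 * h, T0 + 6 * h, 40, False, True),
    Incident("INC-2", "UK", "phishing-cred-reuse", T0 + d, T0 + d + h, T0 + d + 3 * h, 5, False, True),
    Incident("INC-3", "DE", "malware-email", T0 + 2 * d, T0 + 2 * d, T0 + 2 * d, 0, True, False),
    Incident("INC-4", "ES", "unpatched-edge-vpn", T0 + 10 * d, T0 + 10 * d + 0.5 * h, T0 + 10 * d + 2 * h, 8, False, False),
    Incident("INC-5", "UK", "dns-config-drift", T0 + 12 * d, T0 + 12 * d, T0 + 12 * d, 0, True, False),
    Incident("INC-6", "UK", "phishing-cred-reuse", T0 + 20 * d, T0 + 20 * d, T0 + 20 * d, 0, True, False),
]

if __name__ == "__main__":
    for name, value in kri_report(INCIDENTS, TOTAL_ASSETS).items():
        print(f"{name:26} {value:.3f}")
    for market, score in league_table(INCIDENTS):
        print(f"{market}: control_effectiveness={score:.2f}")
```

Only incidents a control did not stop count toward blast radius, recovery time and the repeat rate; a previously seen root cause that a control now blocks (INC-6 in the sample) shows up as an improvement in the “stopped in time” share rather than as a repeat, which is why the repeat rate and control effectiveness need to be read together.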
10. Sustaining Resilience Over the Long Haul
[25:39–27:14]
- Visibility Challenge:
- Resilience enablers are often invisible if working well (e.g., asset inventory).
- Collaboration:
- Simulation drills, storytelling, and inclusive governance processes (fact sheets, budget tie-in) keep resilience top-of-mind.
11. Top Advice for CISOs
[27:14–28:31]
- Action Over Admiration:
- “Don't admire the problem for too long. Understand the problem and start to take some action. Try things and if it doesn't work, adapt and change.”
- Double Down on Personal Resilience:
- Don’t deprioritize personal wellbeing; rely on internal and external networks for support.
Quote:
"It's not an easy job. Actually, that humility and leaning on others and knowing when you're having a bad day, ask for help. The personal side of the job, don't deprioritize that." — Emma Smith [28:17]
Notable Quotes Recap
- “Resilience is the destination or the journey that we're on... We know that adverse conditions and threats will keep getting worse and keep challenging us.” — [03:43]
- “We are never finished, never complacent… the ability to learn and adjust and adapt.” — [04:50]
- “It's anything but basic to get controls in a way that they are automated, sustained, they really stick.” — [08:10]
- “Transparency and consistency of reporting is important... making what can be quite intangible, tangible.” — [13:32]
- “Cyber is a shared responsibility… being seen to take accountability and not just admire the problem starts to build reliability.” — [14:52]
- “We created a Cyber Leadership Academy. It's really obvious to me that cyber is a lot about leadership and a lot about tech and you've got to have both.” — [17:28]
- “Try things and if it doesn't work, adapt and change. But have an impact and be clear on risk.” — [27:38]
- “Have a network of friends and contacts inside and outside the organization... The personal side of the job, don't deprioritize that.” — [28:16]
Key Timestamps
- 01:18 — Emma introduces her role, Vodafone overview
- 03:14 — Emma defines personal and cyber resilience
- 05:45 — What's at stake if resilience is lacking?
- 08:06 — Challenges in making security controls stick
- 10:26 — Most impactful changes in Vodafone’s security transformation
- 14:36 — Building and maintaining trust with stakeholders
- 17:24 — Essential qualities for a resilient security team
- 19:44 — Structuring cyber resilience to enable business, not slow it
- 22:23 — The challenge of cyber and resilience metrics
- 25:39 — Making resilience a sustained priority
- 27:36 — Elevator pitch: Top advice for CISOs
Tone & Style
The conversation is candid, reflective, and practical, blending strategic insights with real-world lessons—anchored by Emma Smith’s commitment to humility, continuous improvement, and people-centric leadership.
