Cross-border Stories: Rami El Outa, CISO Luminor Group

Asked to comment on the collaboration with Voorhoeve and the particulars of looking for a CISO for the banking industry, Liegis said: “There are positions where the local competencies matter a lot, but when it comes to high-level and very specific positions, such as this case, it was soon clear that we would have to look for a suitable candidate beyond the Baltics. Blackstone, the shareholders of Luminor, initially was hoping to find a candidate from the Baltics, but at the same time were very picky from the start. Luminor reports to the European Central Bank where security regulations are pretty severe, which is why they wanted a candidate with a very strong track record as well as leadership skills, which can be challenging for what we think of as a 'traditional' type of CISO. We did our own search and also reached out to several partners from the Digital Practice.”

Job Voorhoeve commented: “I had recently completed a CISO search, so my candidate list was very fresh – I was able to come back with 10 names, three of which were interested in the position and one (Rami El Outa) was eventually chosen.”

“I believe that it is the core strength of Amrop - this strong collaboration between partners within the industry groups,” continues Liegis. “It's extremely helpful that partners are sharing their recent cases and introducing one another with their competencies. This is something that really sets us apart as an executive search firm, and to a large extent it's based on us strengthening the relationships between partners. You need to be open and generous to create space for collaborations and to have others want to work with you - and this is what we definitely do well in the Digital Practice.”

We also spoke briefly to Rami El Outa after 4 months in the role, after having moved to Tallin, Estonia, together with his family.

Q: Could you say a few words about your most recent role previous to joining Luminor Group?

A: When the process started, I was still the Regional Information Technology Director at Eurofins, a biotech company, where I was managing all the global functions as essentially a CIO for the global functions. Prior to that I did recover the company from a ransomware attack, after which I led a transformation program for infrastructure and cybersecurity. I then took on the role of Cybersecurity Director for multiple departments within the structure.

Q: Can you briefly describe the selection process – the interviews you had and Amrop’s role in facilitating the process for you?

A: After getting to know him as a candidate for a role in the Netherlands, Job said he would keep my CV because he’s interested in potentially working together in the future. To be honest, at that moment I didn’t expect much of a follow-up but a few months later I was contacted by Viesturs. I get contacted about roles very often, and, since I am not actively looking for a new position, I need to find the balance between exploring opportunities and not spending too much time on that. Finding out that Viesturs had reached out on Job’s recommendation made me consider it more seriously.

Q: What interested you in the role?

A: It was immediately interesting because it was a new sector for me – the banking sector, the fourth sector I’ve worked in. It seemed like a good move with a steep learning curve, and we went through the details and expectations of the role. The representatives of the Amrop team in Latvia were very supportive and consistent in giving me updates about the process – there was a lot of feedback and follow-up which I really liked. I needed to give 10 references, which meant I had to contact people from all my old jobs, which was also challenging. Viesturs helped me a lot with landing the role because, even though the interviews went well and things were going smoothly, together we addressed my meeting of the conditions for the role. I appreciated the fact that we also had multiple engagements even after I had already taken the role.

Q: The CISO role nowadays is evolving and, on top of that, you had to meet the requirements of the role within a new sector. Can you speak briefly about the role of a CISO within the banking sector and the unique challenges it presents?

A: I come from a purely IT background and have had a cybersecurity focus for the last seven years, which, in my opinion, is sufficient when you already have a very good IT base across different sectors. I made it very clear during the interviews that it’s a new sector for me, but, as I see it, the cybersecurity framework can be applied to any industry with slight differences in focus points. There are industries, which, like banking, are much more regulated, but I already came from a regulated environment which was biotech and healthcare, though, of course, there are differences in the way the regulations work across the industries.

Q: What are the key aspects in your role as a CISO now?

A: In the role of a CISO, especially, the CISO of the first line, you need to strike a balance between understanding the technicalities and being able to translate these technical details into actionable items that people outside the technical realm can understand, especially your stakeholders like the CIO and the risk committee – the more they understand about the things you’re concerned with, the better. I believe I was able to demonstrate both my technical and non-technical side during the interviews already. I focus very much on communication because that’s often a drawback for a lot of CISOs – and it’s a serious limitation if you lack it because it plays a role on whether you can get budget approved, get investments approved, and getting things done. So, if you’re unable to articulate why something is a problem, why something is a risk for the company, it’s very unlikely that you’ll be successful in your role, and it becomes frustrating.

Q: These issues are often related to the question of reporting line for CISOs. What’s your take on that?

A: I think there are two types of leaders – one who really wants everything to be set up and clear before they can start executing, as in – if I don’t report to the CEO, I cannot do it. And I think this type is a bit more reactive and tends to be more frustrated along the line. I think I’m more of the second type – regardless of what mandate I have; I will just create the way to fulfil it along the way. I currently have many engagements on a regular basis with the management board members. I strike the balance of stakeholder management with investors representatives, internal stakeholders, and my team. And the more you engage across the board with all stakeholders, the more you harmonize your message, the more consistent you are. The more trust you get the easier it becomes to get the tools to execute. So, that’s the journey I’m embarking on, and I use exactly the same methods I used before in other roles.

Q: Do you believe the importance of communication within the CISO role has increased within the last years or has it always been just as important?

A: In my opinion, it has always been important – it’s just becoming more and more visible now: you start seeing a lot of CISOs being frustrated in roles where they feel a bit isolated, not listened to, not taken seriously enough until… a serious attack happens. But we don’t want to wait for the big attack!

Q: How do you find the cultural change, moving to the Baltic States, working within Estonian corporate culture?

A: For a start, the environment at a bank is very different, very bureaucratic, there are a lot of rules and a large number of stakeholders for a smaller organization. It’s definitely much more risk-aware, and we have to measure risk impact thoroughly. When it comes to the Baltic region, everyone was previously telling me that it’s going to be very tough to get used to it, but having worked and lived in 10 countries, I feel like I’ve had my training adjusting to new cultures. I feel as if I’ve really managed to enhance the communication within my team. I realized, for example, that people were often worried about, say, their job security – perhaps more than in other places I’ve worked. Being conscious to that, it was important for me to make sure people are comfortable, because I don’t want them to work under unnecessary stress. I also emphasized that I don’t want people working overtime unnecessarily, like staying after 5pm on a daily basis, or working on weekends, because when there’s going to be a real problem, I’ll ask all hands to be on deck! I always try to add a little personal touch like baking a cake or inviting members for a coffee or a Heineken – it brings a nostalgic feel, and I also enjoy it!

To find out more about Amrop’s technology and digital knowledge, methods and tools, contact Job Voorhoeve, Viesturs Liegis or the Amrop Digital Practice members in your country!