Q&A with Mitie, Security Excellence Awards finalist
‘A CISO needs to be much more than the head of cybersecurity; you must be a true business leader’
John Cruise of Mitie is a finalist in the CISO/CSO of the Year category in Computing’s Security Excellence Awards.
Mitie is one of the UK’s leading facilities management and professional services companies, supporting organisations across government, defence, infrastructure and regulated sectors. As Chief Information Security Officer (CISO), John Cruise is responsible for leading the company’s cybersecurity strategy, governance and operational resilience, ensuring Mitie can deliver critical services securely in an increasingly complex threat environment.
John is recognised for positioning cybersecurity as a core element of business resilience rather than a purely technical discipline. Working closely with executive leadership and the board, he translates complex cyber risks into clear strategic insight, enabling informed decision-making and strengthening organisational resilience. Under his leadership, Mitie has continued to mature its cybersecurity capabilities while supporting rapid business growth and integrating newly acquired organisations into a unified security framework.
A strong advocate for leadership-driven cybersecurity, John focuses on building high-performing teams, embedding security into operational culture and strengthening trust with customers and partners. His approach combines strong governance, pragmatic risk management, and clear communication to ensure that cybersecurity supports innovation, operational continuity, and long-term business value.
John believes the role of the modern CISO extends far beyond technology, acting as an enterprise risk leader who helps organisations navigate uncertainty while maintaining trust in the digital services they provide.
What would winning this award mean to you, your company and your team?
Winning this award would represent recognition of leadership in building resilience at enterprise scale. As a CISO, success is not defined by the absence of incidents, but by confidence: confidence from customers, colleagues and the Board that cyber risk is understood, governed and managed in line with our purpose and risk appetite.
For Mitie, the award would reinforce our credibility as a trusted partner delivering essential services. For my team, it would acknowledge the maturity, judgement, hard work, and professionalism required to protect a complex organisation while enabling rapid growth and innovation.
What have been the biggest challenges of 2025 so far and how have you overcome them? How have your people helped?
The most significant challenge has been leading amid sustained uncertainty: a rapidly changing, volatile threat landscape, increasing regulatory expectations, and the need to keep Mitie secure while balancing the needs of the business. In this environment, it is easy for cybersecurity to become either overly restrictive or overly permissive.
Overcoming this challenge requires a CISO to be much more than the head of cybersecurity; you must be a true business leader, shifting the narrative from technical issues and risks to demonstrating the value of security in a way that the board and wider business leaders can understand.
My team played a critical role by bringing clarity rather than noise, translating technical issues into business impact, and working collaboratively with technology, operations and leadership teams to solve problems rather than escalate them.
How has your industry changed over the past year, and what changes do you think it still needs to make?
Over the past few years, I have seen the industry mature in its understanding that cybersecurity is fundamentally a business resilience issue, not just a technical one. High-profile incidents have shown how quickly cyber risk can escalate into operational disruption and reputational damage, particularly for organisations that support critical services.
For me, this has changed what it means to be a CISO. The role is no longer simply about managing technology risks; it is about helping people across our organisation understand and manage business risk. A modern CISO needs to translate complex cyber threats into clear business insight and ensure security is embedded into how the organisation operates and makes decisions.
In my role, that means working closely with the executive team and the board to align cybersecurity with Mitie’s strategy, risk appetite and operational priorities. My focus is less on technical metrics and more on helping the leadership team understand what matters most: where our real risks lie, how resilient we are, and what decisions will best protect the data we are entrusted to hold and the customers we support.
The industry still needs to improve in developing leadership capability alongside technical expertise. Too much attention is still paid to tools, frameworks, and metrics, while the real challenge lies in leadership, governance, accountability, and decision-making.
Ultimately, the most effective CISOs are those who can bridge technology and business, acting as enterprise risk leaders who help organisations build resilience, maintain trust and operate with confidence in an increasingly complex threat environment.
What do you see as the main opportunities for your industry in the coming year, and how do you plan to capitalise on them?
The greatest opportunity lies in using cyber maturity as a source of competitive advantage. Businesses that can demonstrate resilience, transparency and effective governance will stand out in increasingly risk-aware and risk-averse markets.
At Mitie, we are capitalising on this by aligning cybersecurity more closely with customer assurance, strengthening the way we evidence control effectiveness, and using operational insight to inform strategic decisions. This positions cybersecurity as an enabler of trust and long-term value rather than a defensive cost.
We are also focusing on making cybersecurity more visible in how we deliver services. Many of our customers operate in regulated or critical sectors, so the ability to clearly demonstrate resilience, strong governance and effective incident response is becoming a differentiator. By embedding cybersecurity into our operational processes and supply-chain management, we can provide customers with greater confidence that their services and data are protected.
More broadly, I see a significant opportunity for security leaders to engage more closely with boards and customers on resilience, helping move beyond compliance towards genuine operational preparedness. Companies that treat cybersecurity as part of their value proposition will be best placed to build long-term trust in an increasingly uncertain environment.
Which new technology trend are you placing your bets on?
Looking ahead, I see the disciplined use of AI and automation to support better decision-making, not just faster response times. These technologies have the potential to transform how organisations identify and manage risk. AI can analyse vast volumes of data in real time to detect patterns and anomalies, while automation reduces repetitive operational tasks, allowing cybersecurity teams to focus on higher-value strategic work.
When governed properly, AI and automation enable organisations to see risk more clearly, act earlier, and apply controls more consistently at scale. Integrating these capabilities into operational processes improves accuracy, strengthens situational awareness, and ultimately enhances organisational resilience.
However, the real differentiator is not the technology itself but how it is led and governed. Innovation must be deployed responsibly, aligned with risk appetite, and supported by strong governance and skilled people. Organisations that combine advanced technology with clear leadership, accountability, and robust oversight will be best placed to realise the benefits while maintaining trust and resilience.