Goher Mohammad’s path into cybersecurity may feel familiar, and for good reason. He started in IT, moved into risk and compliance, and then stepped into security leadership, a journey that mirrors how the industry itself evolved.
We recently spoke with Goher about how the CISO role is evolving, what it takes to lead through an incident, and the challenges of securing organizations spanning both the public and private sectors.
How Did You Begin Your Career in Cybersecurity?
GM: I started off working in IT. My first job was at what I’d call a “big bank,” doing first- and second-line support. From there, I moved into second- and third-line support at a media company.
Then I was offered an IT manager role, and that’s where things really shifted. Around that time, the whole Enron situation happened, and companies had to implement Sarbanes-Oxley. I had to implement those controls in a relatively small organization that just wasn’t used to that level of governance.
It was painful, but it was also a really good foundation. Making sure things are trackable, traceable, segregation of duties, all those best practices. That was my first real entry into governance, risk, and compliance.
From there, I stayed on the IT leadership path (head of IT, responsible for ISO and other accreditations) and over time, cybersecurity became more and more prevalent. As attacks on businesses increased, hacking became a real business issue, not just a technical one.
At that point, I took a bit of a step back after about 15 years in IT leadership and thought, this is the next evolution. I started applying for security roles and was told I didn’t have enough experience, which I challenged.
Eventually, I was brought into an e-commerce company as Head of Risk and Compliance, and that’s where it really came together for me.
How Has the Role of the CISO Changed Over Time, and What Are the Essential Skills for a Modern CISO?
GM: Historically, CISOs were very much about putting rules in place, best practices that were largely non-negotiable. The reality today is very different; everything is far more integrated and technology is evolving at a breakneck speed, moving so quickly that you simply can’t get in the way.
The modern CISO has to enable the business. You have to work with the business to deliver. Security must be part of what people do, part of the organization’s best practices, not something that comes in at the end to review what’s already been built.
If you’re a CISO who stops processes and says ‘no’ a lot, you won’t stay in your job for too long. The business won’t tolerate it.
A role that becomes critical overnight?
It used to be a very technical role. Now, the CISO has to be a business leader, too. You’re there to help the business move forward, not slow it down.
It’s interesting: CISOs are generally not important until they’re really important. Then suddenly, they’re the most important thing. A big challenge is navigating that. You’re trying to get airtime with the organization, saying, “this is important,” and then suddenly there’s an incident, or a regulatory request, and everything becomes urgent overnight.
It’s a constant swing between extremes. There isn’t always consistent attention.
There’s also the question of responsibility. Cybersecurity is a collective responsibility, yet CISOs still tend to bear the brunt. The business still sees it as your job to make sure we don’t get hacked. That’s slowly changing.
There’s increasing pressure globally, too. In some regions, CISOs can be held personally accountable if things go wrong. That hasn’t fully translated everywhere yet, but it’s a real consideration.
How Should Organizations Handle the Aftermath of a Cyberattack or Major Incident?
GM: I’ve had to deal with a couple of major incidents, and I’ve also run tabletop exercises. The first thing is staying calm. It’s very easy to get emotional or make rash decisions, but you have to remain calm and collected and deal with what’s in front of you.
These situations are constantly evolving. You’re always uncovering new information, so it’s about bringing that together in a meaningful way and staying grounded throughout.
Transparency is also critical. There was a time when companies would try to keep incidents quiet, but those days are gone. For me, it’s always been about how quickly we can share information with the right people so they’re aware and can protect themselves. If you don’t do that, you’re not helping the situation; you’re making it worse.
How Do You Support Your Team’s Mental Health and Prevent Burnout in Such a High-Pressure Role?
GM: Managing people’s mental health is critical, especially during high-pressure incidents where the whole business is leaning on your team. Without the right support, it’s easy for people to burn out or feel overwhelmed.
I’m a mental health champion in my organization, and being open about that is important. You have to lead by example. If you act as if nothing affects you, others feel they have to do the same. But if you’re open, it creates space for people to talk.
Regular checks matter
It’s also about enabling people to manage their time. The lines between work and personal life are blurred now. So if someone needs to step away during the day, that should be okay, as long as the work gets done.
It goes both ways. Regular check-ins matter. Just asking someone, genuinely, “how are you?” makes a difference.
In terms of signs to look out for, people don’t always volunteer how they’re feeling. So you have to pay attention. It could be absenteeism, presenteeism, changes in behavior, someone being more irritable or quieter than usual.
If something feels off, just ask. That simple check-in can go a long way.
What Are the Biggest Cybersecurity Threats Facing Your Business?
GM: L&Q sits across a few areas: not-for-profit, real estate, construction, and care. We build homes, manage them, provide energy, support communities, and work with vulnerable people. That creates a unique risk profile.
We face the same threats as any organization, but there are some that are more targeted. Reputation is a big one. Disruption to services is another because what we deliver directly impacts people’s lives. We’re also closely affiliated with government, which means we could end up in the crosshairs of nation-state actors looking for a way in.
There’s also a financial angle. We turn over a significant amount, so naturally that makes us a target. Then there’s a human element. Sometimes people are unhappy with services, and that can lead to attempts to disrupt or expose information.
You can’t keep everyone happy all the time, so it’s about balancing transparency with protection, making sure we’re open where we need to be, but also safeguarding sensitive information.
What Keeps a CISO Up at Night?
GM: I think it’s the possibility of walking into a bad situation.
That said, I think it’s misunderstood that CISOs don’t sleep. If you’re doing the right things and acting with integrity, you can sleep well at night. If you’re taking shortcuts or doing things you can’t stand by, that’s what will keep you up.
Of course, no one wants to deal with a major incident. Especially in environments like ours, where the impact isn’t just financial, it affects real people, often vulnerable people. That’s the hardest part: the knock-on effects. Having to say, we tried to do the right thing, but you’re still impacted.
You can’t take the role and then say you don’t want to deal with incidents. That’s part of the job. I signed up for this. I have to deal with it, and see what happens.
-----------------------------
Goher Mohammad is the Head of Information Security at L&Q, where he is responsible for developing cybersecurity strategy and enhancing the security capabilities of the company. He has more than 17 years of experience in the technology industry, including 14 years in senior management positions. He has worked across various sectors, such as IT, risk management, and compliance. This includes his work as an interim Head of Risk and Compliance at Photobox Group, as well as his PCI and GDPR projects. Additionally, he held the position of EMEA Head of IT at Merrill Corporation, where he managed IT governance, strategy, and infrastructure.