What is the biggest security challenge that will be faced in 2017? How should it be addressed?
Getting SMEs to recognize that security risk needs to be considered from the start. Risk factors need to be resolved by education without crying wolf.
What are your three goals for 2017?
What is on your desk right now?
What is your favorite blog?
The Barkly blogs. http://blog.barkly.com/. Always topical, easy to read and limited jargon.
What is your number-one piece of advice for other information security professionals?
Never say no to opportunities until you understand what you are turning down.
What do you do when you are not at work?
I am a keen potter. For the last couple of years, rather than filling out cupboards with plates and bowls, I have been creating 2½-dimensional ceramic murals. I spend sleepless nights working out how to solve challenges of working with clay!
How do you think the role of the information security professional is changing or has changed?
At the turn of the century, IT security was a role which was starting to become more prevalent; however, many people in these roles had few external qualifications. IT security teams were part of the IT function with the main customers for their advice being other IT professionals, and many of these individuals were “techies.” Any IT security risk factors were only on an IT risk register.
Companies now require that their security professionals have external qualifications to demonstrate their knowledge and professionalism. In many organizations, IT security is no longer embedded in the IT organization, but integrated with other business risk teams. Across the security team, professionals are having to develop a broader understanding of leadership and business skills, regularly having conversations with business leaders and board members explaining threats, risk and mitigations. Most companies now have the risk associated with cyber security threats in their top 10 business risk factors, with boards discussing it several times a year.
How did you develop your career in cyber security and strike a work-life balance as a working parent?
As the primary caregiver, when my children were born my career aspirations were put on hold. When my children were preschool age, it was easy to work full time. During this time, I had endeavored to minimize business trips, often leading to “day trips” to the US. As my children got older, getting back from work at 7 p.m. did not work. After much deliberation, I asked if I could work part time. I had a very sympathetic employer and we agreed on a flexible arrangement. During school terms, I worked short days matching the school day. And during school holidays, I worked normal days, just fewer. Over the eight years that I worked part time, I moved from 60 percent to 90 percent, having longer days as the children got older and spent more time in school. While close colleagues and managers knew that I worked part time, I do not believe that the clients I worked with realized I was part time.
During the first half of my corporate career, I had a range of standard IT roles. Moving to part time, I became an operations consultant, taking on three linked roles of IT security coordinator, IT change manager and disaster planning coordinator.
When the company I worked for formed its IT security function, I was invited to be part of this team. Not knowing many of the security team senior management, they were unsure what to do with a person working part time. I was appointed the team knowledge manager—accountable for designing, implementing and supporting the IT security website for use across the company and designing training courses for end users. As management understood my commitment and capabilities, I moved into a security consultant role, and shortly after this was appointed as the chief information security officer (CISO) for the functions part of the business. For the first three years I was performing the role, I was part time. My last role in corporate life was CISO for the upstream part of the business, delivering a security program globally in line with risk appetite.
What leadership skills do you feel are critical for a woman to be successful in the field of cyber security?
One of the primary skills is confidence. We need to have confidence in ourselves and gain the confidence of all our stakeholders—the clients at all levels in the organization, including board members; fellow leaders in the organizational hierarchy; and the team supporting us. Then, we need to have the confidence to apply and ask for the roles we want.
What is the best way for someone to develop those skills?
Develop a strong network both within and beyond your organization. You need to have supporters who know you and your capabilities, who will help get you the opportunities you deserve. You need to know who the specialists are on whom you can depend and with whom, together, you can deliver the extraordinary. Keep stretching your boundaries. If you feel uneasy, remember that is a natural result of stretching your own boundaries. Discomfort equals growth.
Create a reputation for yourself as being someone who delivers. Early in my career, I had a great manager who gave me two pieces of invaluable advice: One, make sure the bad news travels fast to her. Providing her with an honest status report early gave her the opportunity to take steps to minimize the impact. Bad news at the last minute gives no opportunity to take evasive action with everyone coming out badly. And two, where decisions are needed, make one and do not look back. A decisively made wrong call will often lead to better long-term results than a wishy-washy decision that turns out to be right.
How have the certifications you have attained advanced or enhanced your career?
When I started in security roles, though I was an experienced IT professional, I had no qualifications for these roles. My formal training started with a SANS GIAC Security Essentials (GSEC) course. In the following years, I gained much experience on the job and earned the Certified Information Security Manager (CISM) certification and membership in the Institute of Information Security Professionals. As I gained professional qualifications, my roles changed from security consultant to CISO.
What do you think are the most effective ways to address the lack of women in the cyber security workspace?
We all need to become better ambassadors, shifting the perception that those working in cyber security are all highly technical and “geeks.” The field is huge and requires people with lots of different skill sets and passions. Certainly, there is the IT operations end, but it is not all about 1’s and 0’s. What about research, audit and compliance, risk management, and education? Exploring the more exciting aspects—we often know about things that could potentially bring enterprises down and will end up taking to, and being taken seriously by, people much higher up in the organization. Promoting the kudos that the roles can bring.
What challenges did you face when setting up your own business and how did you address them?
Moving from being an employee to being a business owner is a mind-set change. As an employee, I was valued as an expert; I could focus on my expertise with work being delivered to me. As a business owner, I need to have a broad knowledge of how a business works and keep track of the moving parts. I need to prioritize what is important that I do myself and what can be outsourced. At the start, I needed to find opportunities to barter skills. And at the same time, I needed to become a proficient salesperson, becoming my biggest fan and selling my business at every opportunity, showing the same sorts of confidence required to be a leader. I needed to have lots of confidence in myself.