Female CISO: How (and why) to invest in cybersecurity

When I was 10, the pilot of a KLM flight from Amsterdam to New York invited me to tour the cockpit. As my eyes scanned its many dials and buttons, my heart leaped with excitement. That pilot likely had no idea that his invitation would ignite in me such a strong fascination with technology that I’d pursue a career in it.

For the past 11 years, I’ve been managing security governance and information security to support business and organizational goals, from building customer trust to managing risks to fighting the “bad guys.” Just after giving the keynote speech for the Cloud Security Alliance at Norway’s biggest cybersecurity conference, I started as chief information security officer of EVRY Financial Services, one of the biggest companies in digitalization within Norway’s financial sector.

In high school, I began to embrace my childhood passion for technology. At university, I learned how to manipulate parts of operating systems into doing things they weren’t intended to do. I kick-started my career by breaking stuff, and tying the vulnerabilities to both security risks and business risks. I conducted risk workshops. I became an ethical hacker.

READ MORE ON WOMEN AND JOBS IN CYBERSECURITY

How myth of meritocracy stymies women in infosec
At S(h)ecurity, a focus on infosec industry imbalance (Q&A)
Opinion: To fill cybersecurity positions, recruit veterans
Too many cybersecurity jobs, too few hackers
Remembering cybersecurity pioneer Becky Bace

Learning how to ethically hack would define my career. The further I went down this path, the more I realized three things:

1. There aren’t many other women in technology, especially in information security.
2. There’s an enormous gap between business operations and information security. Rather than integrated, they are typically siloed, with the latter seen as hindering the former.
3. In cybersecurity, the bad guys are always at least one step ahead of the good guys.

In charting my growth from ethical hacker to lead information security risk manager to head of cloud security, I took note of a few common threads. In each role, I had to learn how security affects business, how security can be used to support and promote business, and how to get more women to work in technology and specialize in cybersecurity.

As I continue my journey, I am determined to build security as a business enabler, and to advocate for girls and women around the world to join the cybersecurity community.

A common refrain in technology is that everyone wants to be innovative and ahead of their competitors, but few are willing to change the way they work. So how do we enable business and innovation in a fast, flexible, complex, and ever-changing digital world? How do we shift the mind-set of security from restriction to innovation?

I advise my consulting clients that the key to gaining and retaining customer trust is investing in security that helps businesses do things tomorrow that they were not able to do yesterday. A simple resulting example of that type of investing is the phone.

Technology has rapidly taken the public concept of a phone from a single-function big rotary dial to a slick-and-slim handheld touch screen with which we can read news, watch videos, participate in social media, schedule doctor appointments, and conduct banking. Our entire world is essentially connected to that one small device. Why? Convenience is only part of the story.

One of the most important reasons smartphones have become ubiquitous is the implicit trust people place in the apps that provide us with all those services. We trust that our communications are secure and private until somebody or something uses them to wreak havoc on our personal lives.

According to a May 2017 study by the Ponemon Institute and cybersecurity company Centrify, 65 percent of victims lose trust in an organization after a data breach. The study also found a massive imbalance between what companies think their responsibility toward consumers is, and what consumers think companies should be doing to protect their data. In all cases, improved cybersecurity—by default and by design—can compensate for that imbalance and help ensure that “implicit” trust remains intact.

The cybersecurity industry can help the tech industry improve its trustworthiness. One way is to hire people who better reflect the communities it serves. That means motivating more women and people of color to become—and remain—ethical hackers, CISOs, and everything in between.

Consumers and even organizations generally only take action when there’s a proven track record of untrustworthiness, or damage to reputation or business. The 2017 Equifax breach is a great example of this. In a report on the analysis of the breach, the U.S. House of Representatives Committee on Oversight and Government Reform concluded that a “culture of cybersecurity complacency at Equifax” allowed hackers to steal the personal information of 148 million consumers. In its 2018 annual report, Equifax offered the data breach equivalent of “thoughts and prayers,” stating that the company is now “committed to being an industry leader in security and technology.”

The cybersecurity industry can help the tech industry improve its trustworthiness. One way is to hire people who better reflect the communities it serves. That means motivating more women and people of color to become—and remain—ethical hackers, CISOs, and everything in between. To recruit and retain female cybersecurity talent, we need to have:

1. Vision, mandate, and responsibility. Charting a clear direction is the first and foremost step to ensuring that everyone working in cybersecurity understands his or her role and responsibilities.
2. Competence and development. We need to provide meaningful support—a platform for building competence and continuous learning.
3. Business and soft skills. Technical subject training will only get us so far. We also need to teach the business and interpersonal skills that are necessary to succeed in today’s digital era.
4. Recognition. We need to move the topic of cybersecurity to the board room, and recognize the hard work and efforts of everyone in security from pentesters to the CISO.
5. Bonus systems based on overall security maturity and goals achieved for the entire team instead of individual efforts. Cybersecurity cannot reach its full potential when siloed.
6. Fair pay. Closing the gender gap means taking proactive measures to pay employees fairly for the skill set they bring to their job. It also means advocating and supporting women within cybersecurity, ensuring that their efforts are recognized financially and organizationally.
7. Career advancement opportunities. Cybersecurity is no longer just a set of ad-hoc hands-on tasks. Employees need a list of viable career advancement paths.
8. Work-life balance. Even founders are rarely OK with dedicating their entire life to their job. Companies must understand that employees have a life beyond work—and support needs such as parental leave, sabbaticals, and regular vacation time, as well as flexible work hours and locations.

Strong cybersecurity is easier to talk about than to achieve, but it isn’t impossible. Improving it means talking about it and treating it as an investment—a business enabler—rather than as a control and restriction mechanism.

Many business leaders still see security as a brake on innovation. But while brakes can slow down or stop a car, they can also be used to go faster with confidence. I learned this in 2016, as I dared to blast a Mercedes S350 down the German Autobahn at 149 mph. Brakes help us steer with confidence, to both slow down and safely accelerate.

Brakes are to speed what cybersecurity is to innovation.