Throughout 2020, this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students and those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energise your career journey in cybersecurity.
In this month’s feature, Dave Burg, Americas Cybersecurity Leader at EY, shares his story about:
“I started my career in the healthcare industry where I developed complex data analytics using structured query language. I was then hired into Big 4 consultancy because of this skill where I began to support large corporate investigations. This led to more work with an inter-firm cybersecurity unit where I was pulled into substantial cybersecurity intrusions. We would perform our investigations and build trust with our client. Through this trust we would be asked to fix what we had found. This pattern enabled our team to establish a new, large-scale cybersecurity investigation business unit. These early career successes led to numerous leadership opportunities where I have had the opportunity to teach and mentor others to achieve their own personal and professional aspirations.”

These are his insights.

What drives your passion for cybersecurity?

“I am driven by a desire to find new ways to solve complex business problems and to produce significant value for our clients. This challenge and associated opportunities are extremely rewarding and satisfying. I am excited about our ability to innovate at such a rapid pace. How we can leverage our innovations to solve for enterprise-wide business issues with our cybersecurity teams or in conjunction with our other firm-wide capabilities.”

Who has inspired you during your career? What about each was so motivating?

“When I was in the healthcare industry there was an incredibly intelligent Chief Financial Officer who ran a multi-billion-dollar entity. I was inspired by his tremendous work ethic and his ability to seamlessly drill down into any issue by asking smart questions. It was like watching someone with their mind peel away layers of an onion to identify the core of the problem. He once used this technique to help us solve a difficult technical problem and it was stunning to watch unfold.
This was an individual without a technical background that could effortlessly solve a tough problem by intelligently dissecting the issue. Others who have been inspirational throughout my career were leaders that trusted their people. They would provide opportunities with a wide array of latitude to allow for their teams to grow at a tremendous rate. With this freedom, I expanded my skill set at a much faster rate than had I been bound by stronger governance and controls. These have been the two types of leaders that have shaped who I am today.”

What cybersecurity challenges should we be solving today for a better tomorrow?

“Every organisation should be evaluating the cybersecurity and privacy implications of their products and/or services. Embedding necessary components from the outset to help better secure the businesses of tomorrow. We see this happening more frequently as this takes an intelligent approach to strategically manage risk to the next level. Embedding capabilities that natively deliver on a company’s promise when they provide a product or a service to the market where cybersecurity and privacy are assumed to be strong and inherent. This is the pledge of the future for organisations to build products and provide services that naturally and efficiently deliver on that inherent promise.”

What are your thoughts on legislative policies and regulatory requirements that may impact the resilience of cybersecurity?

“We continue to watch regulation spin up around resilience. They are unbelievably important and are the most significant manoeuvre from a law or regulation perspective that we have ever seen in cybersecurity. The days of Payment Card Industry (PCI), Personally Identifiable Information (PII) or Intellectual Property (IP) theft as the grave concern are behind us. While still present, these concerns pale in comparison to business interruptions.
The beauty of pushing resilience will create far more capable use and adoption of technologies that are designed from the outset to more easily adapt to massive outages. There are companies like Netflix that have leveraged this principle for years. One of the many reasons why their service delivery is so exceptional from anywhere around the world. They engineered their back-end as highly resilient and adaptive to dynamic situations inside their infrastructure. This is incredibly important and an exciting business opportunity for all cybersecurity professionals.”

What advice would you give to your younger self when searching for cybersecurity opportunities?

“Had I known I was going into cybersecurity I may have considered other subject areas. I would have studied voraciously and taken the vast array of business, technical and cybersecurity educational opportunities available more seriously. I would urge myself to never, ever stop studying. Never stop learning, reading and exploring. For students and professionals interested in cybersecurity, we have a great career ahead of us. We are in an extremely important and excitingly dynamic space. Our learning will never end as the importance of cybersecurity only continues to accelerate.”

Cybersecurity is intriguing, in-demand by the market and considered as an excellent career starter. Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues.
In this month’s feature, Fred Thiele, Group Chief Information Security Officer (CISO) of Transport for New South Wales (NSW), shares his story about:
Thiele graduated in the early 2000s with a computer science degree from Fort Lewis College in Durango, Colorado. “I was fortunate to start my career with IBM’s Managed Security Services division. We began with thirty team members and during a five-year period grew to over three hundred. While my university studies were not centred around cybersecurity, I quickly jumped up to speed to help support a vast array of IBM’s services that included:
I have been fortunate in my career to serve in a variety of roles for numerous organisations from large enterprises to owning my own cybersecurity firm. There are three consistencies with my career – my enjoyment to build from the ground up, my desire to learn, and my pursuit of assignments that challenged my thought process. Thus far in my career, I learned how to:
Each step in my career presented unique and challenging opportunities. I was and continue to be motivated by the unsolvable, or the perception that an objective may be too difficult to achieve without putting in the hard work. My curiosity and drive to persevere often opened doors that may not have been otherwise. I often find the key to success is to simply do the work.”

These are his insights.

How would you characterise cybersecurity, and how has this evolved over your career?

“Cybersecurity was all about the technology in the early days. Organisations required network protection with intrusion detection and were advised to perform penetration testing and scan for vulnerabilities. When I left the United States and transitioned to Australia, I felt like our local industry was working tirelessly to adopt best practices that expanded upon the use of these early solutions. Fast-forward to today and there is additional emphasis to communicate in simple business terms how these solutions are protecting the organisation's crown jewels and their return on investment (ROI). This translation has always been a challenge for our industry and I do not believe we have reached our potential. There are frameworks published today like FAIR (Factor Analysis of Information Risk) that help place dollar figures around risk. These types of frameworks will continue to help better enable our cybersecurity professionals to speak the language of the Chief Financial Officer (CFO) and the rest of the business.”

What aspect of cybersecurity concerns you the most?

“Three areas concern me the most. Being Right Every Time. The bad guys only need to be right once, and cybersecurity professionals must be right one hundred percent of the time. This asymmetric relationship and model are unsustainable and unscalable.
The innovations around artificial intelligence (AI) and machine learning (ML) are helping to reduce the impacts of this asymmetrical relationship by replicating (not replacing) our security analysts. However, we are still far from a reasonable capability in this space. Translating the Message. Communicating how real this threat is to the business. The inevitable will occur if we, as cybersecurity professionals, are unable to communicate to the business in a common language. Our approach has positively changed over the past fifteen years from ‘pure prevention’ to a 'not if, but when' mentality that has emphasised the importance of resilience. Blending In. Attackers are now using similar pathways that resemble normal end-user behaviours. Consider a college campus and their expansive walking paths to get from point A to point B. Students, faculty and visitors use these walkways to navigate campus. Attackers are learning to do the same and mimicking this behaviour to go undetected. They are becoming less of an anomalous alert at a staggering rate.”

How have you evaluated professional opportunities throughout your career? How has this changed over time?

“I always knew I wanted to own a business, which is why I helped to start Laconic Security and served as the Chief Operating Officer (COO) for six years. I explored opportunities that provided a chance to expand my skills inside and outside of work. I aim to attain a broad set of experiences across industries or verticals, with large enterprises or start-up companies. I enjoy gaining a new understanding of how various organisations operate. Transport for NSW was intriguing because of the opportunity to build and operate a cybersecurity program across 30,000 people and numerous agencies. I used the breadth and complexity of the opportunity as evaluation criteria as well as the chance to obtain a wide range of experiences in a new industry.”

What fuels your passion? Why do you do what you do?
“I am what many may call a life-long learner. I always had an interest to experiment and build things growing up. I was on track to be an automotive mechanic in high school, fascinated by engineering. At the last moment I chose information technology (IT) almost by accident. This personal drive translated to my professional career. I am inherently motivated by the challenge to accomplish goals that others may have said were too difficult to achieve. My curiosity is fed when I lean into new opportunities and explore the unknown.”

How would you suggest others new to the field get involved?

“Three things come to mind. Be ready for anything. When you are a consultant you may on-board as part of an engagement with limited exposure to the subject matter. It is often your responsibility to get up to speed quickly and become an expert before stepping foot on the client’s site. Take this approach with any opportunity and give your best effort. This will often pay more dividends and open more doors than you may think. Do not be afraid of hard work. Jerry Seinfeld once spoke at a leadership conference. When asked about the secret of his success, he wrote three words on the whiteboard - DO THE WORK. Dive in and understand how things work. Learn the mechanics from the ground up. With this approach, you may find it easier to talk to your experiences irrespective if you are interviewing or pitching to the Board of Directors for program funding. You can speak authoritatively about the subject because you put in the effort to understand how things work. Aptitude. One of the things I look for in potential recruits is the willingness to learn. Demonstrating your ambition, passion and interests can go a long way in an interview to help forge your cybersecurity path.”

Cybersecurity is intriguing, in-demand by the market and considered as an excellent career starter.
Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues.

January 2020: In this month's edition, Jacqui Kernot, Cybersecurity Partner at EY, shares her story.

1/28/2020

Throughout 2020, this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students and those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energise your career journey in cybersecurity.
In this month’s feature, Jacqui Kernot, Cybersecurity Partner at EY, shares her story about:
These are her insights.

What drives your passion for cybersecurity?

“Finding your purpose and what you are passionate about is always a journey. Some find this earlier in their career than others. Near the beginning of my career I was enjoying my many cybersecurity roles and had not spent much time thinking about my purpose. I had amazing jobs that involved technology. I was exposed to challenging projects and had beautiful places to explore. Over time I identified my purpose to disrupt the patriarchal system we have in place today to build a better environment for humans to live and work. Cybersecurity is a great place for this because of its disruptive nature. We are always disrupting ourselves or being disrupted. We must have the agility and capability to make wholesale changes quite quickly to keep pace with the adversaries. People in cybersecurity are known to have the flexibility and diversity of thought that may not be as common in other business units. We often find structured processes and technology builds across verticals; whereas cybersecurity, by the very nature, is quite unstructured. Cybersecurity will continue to serve as a perfect starting point when we look to disrupt the way we work.”

What cybersecurity challenges should we be solving today for a better tomorrow?

“People are thinking about future challenges, but there are many ideas and concepts we are still wrapping our heads around. Enable Ease of Use. We have had this perspective that technology is something you use. For example, if an end user needs their computer fixed, they go to IT. We have created technology and built clunky systems with inflexible or non-integrated user experiences. This has promoted a view of cybersecurity as an enforcement mechanism. We must lift our game in cybersecurity to make technology easy and seamless to use. This costs money; however, to design a system with a simple user interface (UI) is not significantly different than one without it.
The future of cybersecurity is bright as more products on the market are rolled out with better UI and seamless integrations with our IT environments. Empower the First Line of Defence. Our end users are not our biggest problem. Rather, they are often our first line of defence and can be an organisation's greatest solution. We must shift this paradigm by working alongside our end users and educating them with increased emphasis for how we design and deploy cybersecurity awareness. This will help empower the end user. We will consistently face more issues if we continue to design controls that are too clunky to use and explain to an end user how they cannot do X or Y. Listen First, Act Second. We cannot be arrogant about how we design secure systems, and we should not serve as the police officers. We must become better listeners and view our end users as part of the extended team rather than part of the problem. In cybersecurity, we have several technology-focused individuals and often miss out on those with people-related skills. These are critical skills for cybersecurity teams to improve their ability to speak the same language as the business. This will enhance our perception as an enabler rather than a blocker. We would see a monumental shift of organisations’ cybersecurity posture if our purpose was to empower our business units and align our cybersecurity objectives with their goals. This will help more than any single technology or project.”

What advice would you give to your younger self when searching for cybersecurity opportunities?

“Toxic work cultures exist. It is interesting as a female in technology. I speak with many women and we, by nature, tend to internalise problems more frequently. There is gender bias within technology and how each person approaches a problem or issue. I would tell my younger self to:
Who has inspired you during your career? What about each was so motivating?

“Over the years I have had many inspirational people in my life - less so formalised mentors and more so people, coaches and leaders who have helped me along my career journey. I have been very fortunate to have great experiences with numerous clients that fostered informal mentoring that have supported me during points of my career. As I reflect, two distinct individuals stand out. Terrie Anderson, Country Manager for Australia and New Zealand at Forescout. When I met Terrie I happened to find myself in a toxic work environment. I vividly remember her saying ‘Jacqui you are awesome and will continue to do amazing things’ and here I was thinking to myself I could not do anything right because of the negative workplace culture I was in at the time. This was incredibly important and motivating to have another person view me for who I was. She would continue to mentor me over the years. Her support empowered me to shift my mindset rather than continuing to blame myself, lose self-confidence or to not take that next step. Marie Cabrera, Vice President at IBM. I had previously been exposed to a toxic culture where I had been used to doing things on my own, which is not a great way to work. I remember her saying to me 'Jacqui you are fantastic - I want you on my team. However, you must understand that you are at IBM now. We do not work as individuals. You are part of this team.' At the time I did not quite understand her message; though, after reflecting I realised I was unable to trust my colleagues in my previous environment. She was instrumental to help me develop this collaborative workplace model.”

What recent regulatory changes may impact the resilience of cybersecurity?
“The Australian Prudential Regulation Authority's (APRA's) Prudential Standard CPS234 is an excellent piece of legislation centred around cybersecurity that takes a strategic position and provides a high-level approach for resilience. While the framework is creating thought-provoking operational questions, it is driving boardroom accountability and their responsibility for cybersecurity. We cannot control all data breaches; however, if the Board can demonstrate their organisation's cybersecurity implementation practices then we are taking positive steps forward. For the longest period, we often found organisations making statements like 'what can you do, we were breached!' and this practice is not sufficient anymore. We are moving in the right direction for cybersecurity.”

Cybersecurity is intriguing, in-demand by the market and considered as an excellent career starter. Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues.

Throughout 2019, this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students and those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energise your career journey in cybersecurity.
In this month’s feature, Ben King, Chief Security Officer (CSO) for EMEA at Symantec, shares his story about:
These are his insights.

How would you characterise your cybersecurity journey?

King reverts to his time with Commonwealth Bank of Australia where he spent 11 years and served in a variety of IT roles. “Early in my career, I began to understand how the source code I was developing could be exploited. At CBA, I had the opportunity to watch the origination and expansion of the cybersecurity team from just a few people, often in non-specialised roles, into the huge team it became. I witnessed the exponential growth of the awareness of cybersecurity at executive and board-levels, and the demand for skills and talent that followed. In my current role at Symantec, I see a huge range of awareness and understanding of cyber risk across the entities I work with. Often it seems to be the board members who are best briefed, with the business they oversee playing catch up.

“The Commonwealth Bank CISO at the time, Ben Heyes, was a visionary who was amazing to work with. His mindset was while encouraging schools and universities into STEM is important and necessary, it would not address a gap today. His solution was to rotate people from other parts of the organisation into cybersecurity, enable them with training and then have them rotate back to their position in the business to increase the organisation’s cybersecurity awareness. This included the usual feeder roles such as IT, but also across non-traditional entry points such as finance, legal and HR. These people have unique and useful skills to address the varied and dynamic challenges we face, while being able to communicate effectively back into the areas of speciality they have been recruited from – yes, sometimes cybersecurity risk needs some translation! In 2016, I took advantage of an opportunity to serve as the bank’s cybersecurity lead for Europe, and then after a long, memorable and extremely fun 11 years at CBA I moved on and into my current position as the Regional CSO for EMEA at Symantec mid-2018.
From being based in London with a boss in Sydney, to a boss in California – it seems I will never avoid the late-night conference calls!”

How would you characterise the evolution of cybersecurity?

King emphasises how cybersecurity started off as a niche space within a great information technology discipline structured around hygiene. “This was how we secured data, endpoints and networks; however, the mass exploitation had not yet occurred or hit the front page. Once this happened, it was easy to characterise the industry as one of fear, uncertainty and doubt, much publicized. Playing on this was often used as the strategy to secure investment. But as with any strategy, it would only work for so long as investors and Boards inevitably want to see progress and maturity against their investment. Cybersecurity is a business risk, owned by the businesses I support, with governance, advisory and risk mitigation facilitated by the cybersecurity team. Approaches vary widely within the industry given the fluctuation in maturity and an organisation’s capability to manage risk in line with business expectations (and what those expectations, or risk appetite, may be). One challenge (among many) is the pace of change of technology and hence the change of risk profile. This complicates an organisation’s ability to define impact and likelihood of risk. An organisation may need to re-solve for the same risk at different times and adjust their approach as their landscape shifts.”

What aspect of cybersecurity concerns you the most?

King’s concerns are the ones that bleed over to the real world as opposed to purely corporate. “As a father with a young family, my biggest concerns are those our children need to face. The expansion of IoT devices, without much thought toward security or privacy, means the world they know is very different to the world I grew up in.
This world includes social media of course, with young people and adults targeted or manipulated in new, inventive and nasty ways every day. This world is frightening to many. So, to wake up every day to work with a team that continues to develop solutions to keep our families, communities and workplaces safe is really inspiring. In the near to medium future, watching developments in encryption, mobility, ML/AI and then quantum computing will be fascinating to watch. Each will make our lives easier, and present new challenges.”

How have you evaluated professional opportunities throughout your career? How has your approach changed over time?

King reflects on his career and initially being wide open career-wise. “I needed to be challenged and learning to stay motivated. I look for roles which I can evolve over time. The most important things to me are having:
What fuels your passion? Why do you do what you do?

King leads with his love for technology. “I grew up with computers and learned how to code in simple languages at a young age. I love technology because of how it empowers us. Nothing makes the geek in me happier than when a simple script turns a boring, repetitive task into an automated, on-demand activity done in seconds. The integration between business and technology has been phenomenal. When I started my career the number of people who could translate between business and technology were relatively few. New opportunities will continue to arise as the pace of innovation and disruption increases within cybersecurity, analytics, robotics, machine learning and AI, and their integrations. In another decade, add quantum computing to that list and watch how cybersecurity changes again. Having an opportunity to serve in a role and organisation so close to the cutting edge is hugely satisfying.”

How would you suggest others new to the field get involved?

King reverts to his time and advice from past mentors. “I encourage everyone to follow their curiosity. Be courageous, engage whether through job interviews or informal networking opportunities. Take someone in your network out for coffee and ask what they do. Evaluate if cybersecurity is an area of interest, and where you would be most excited to get involved. Understand every organisation will operate differently. When I evaluate opportunities, I connect with those in my network to gauge the landscape prior to engaging in more formalised discussions with the organisation. Training opportunities are endless and often quality content can be found free online. While pathways to some cybersecurity roles are well-understood, there are many others continually evolving, which can use skills from many different backgrounds as an entry path.
This is just as much advice for those just starting out in their careers as well as those more experienced looking for a change and a challenge.”

Cybersecurity is intriguing, in-demand by the market and considered as an excellent career starter. Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues.

Throughout 2019, this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students and those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energise your career journey in cybersecurity.
Privacy encompasses cybersecurity, is an in-demand skill set by the market and considered as an excellent career starter. If done well, privacy can serve as a competitive differentiator and business enabler for any organisation. In this month’s feature, Natasha Mazey, the youngest woman to graduate from the University of Canterbury with a Doctorate, and now Privacy Officer at Fisher & Paykel Healthcare, shares her story about:
I would say my privacy career was unintentional. I was earning my PhD in trust and perceived privacy risks, and was unsure what I would do career-wise. I thought I might find a job related to ‘digital trust’ given its ‘topicalness’ and recent mainstream attention. I had always been intrigued by all things data - information management, data governance, understanding data flows. I wanted to understand how organisations make use of their data in a structured and proficient manner. How they gained business efficiencies with “less is more.” However, I was mostly interested in the people component.
These are her insights.

How do organisations view privacy?

“How organisations view privacy varies widely based on the organisation. Some organisations aim to ‘tick the box’ to facilitate compliance with the most current regulation(s). These organisations want to ‘play by the rules’ to protect and maintain their ongoing business activities. Other organisations have leveraged the momentum of the new privacy and personal data regulatory changes to uplift processes to promote more ethical behaviours and reputational trust. Privacy facilitates transparency for how an organisation uses our personal information to build a more positive relationship with their customer. This can foster customer trust. It also encourages organisations to be more respectful and accountable for their stewardship and use of an individual’s information. This enables more choice and control. Privacy can be difficult for some organisations and business units because this discipline asks for more all-around due diligence with questions that start with How and Why. This can challenge decisions about innovation and growth. For some, privacy can be perceived as a stifler or blocker that slows an organisation down. This can create further challenges for those organisations who already have messy data, old legacy systems or processes that have been part of the status quo for many years. Practicality can get in the way of designing and implementing enhanced privacy practices. For these organisations, there can be a lot more work to do upfront. From a personal perspective, I have yet to meet an individual that misunderstood the importance of privacy or that of a privacy professional’s objective. Oftentimes the difficulty is to reconcile this to business objectives and norms.
Fortunately, awareness and advocacy for better business privacy practices has gained momentum in recent years as organisations attempt, and succeed, to gain competitive advantages through transparency, trusted behaviours, and the adoption of more effective control of their data.”

What privacy challenges should we expect to face tomorrow?

“I am genuinely excited about the future of privacy. I believe this discipline will continue to evolve outside of the area of personal information as organisations attempt to better manage data in an ethical manner. The lines of the privacy profession have traditionally been reasonably clear; however, they are beginning to blur with other disciplines. This could lead to a new area of study and/or industry as our information ecosystems grow and become more digital. I am keen to watch how privacy supports, or potentially merges with, emerging issues around digital content moderation, the right to free speech, politics and democracy, and corporate ethics. I would be disappointed if privacy stays the course as a legal requirement – compliance as a checkbox. This facilitates bare minimum behaviours and will likely be more difficult to correct in the future as regulatory requirements continue to evolve. It would be disheartening for privacy to veer towards the direction of carefully telling customers only what is required. While withholding details to elude accountability or using clever shortcuts to avoid the intentions of the law. We could miss a tremendous opportunity if we went down this path, commercially and socially. This discipline allows organisations to understand and utilise their data to identify reasons for why they have it. This itself is a value added exercise as organisations become leaner in their management of data to avoid information and data analytic waste.”

What criteria have you leveraged to evaluate career-related opportunities?
“I wanted a career where I would be continuously challenged and constantly learning to obtain new experiences and skills. With the ever-changing technology landscape, public expectations, and evolution of legislation, the privacy profession has been a great enabler to nurture my continuous growth and develop my professional skills. This discipline has continued to present challenges that engaged and motivated me throughout my career. Working in privacy is rewarding as I help to make a positive difference in the way we treat and think about people’s personal information.”
What information would you have liked to know starting out in your career?
“Firstly, do not hesitate or second guess yourself. Early in my career, I questioned whether I was on the right track, or if I had locked myself into a role for the duration of my career journey. I have, however, been fortunate to take on several exciting positions with excellent mentors that have enabled my growth and skill development in areas that I was interested in pursuing. Secondly, be courageous. Evaluate each opportunity that presents itself. If it seems right and you aren’t sure you can do it, roll with it and accept the challenge. If it does not work out, other opportunities will arise. Hopefully you would have learned something along the way regardless. I have found tremendous satisfaction working for organisations that are eager to embrace privacy and embed responsibilities into their day-to-day business operations. My job gives me the privilege to work with talented people across many specialties. I enjoy the opportunity to collaborate with them to understand and overcome business challenges together. People and culture make all the difference.”
Cybersecurity and privacy are intriguing, in-demand by the market and considered an excellent career starter. Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues.
Throughout 2019, this mini-series will interview leaders from around the globe to discuss areas of cybersecurity. The purpose is to help students and those new to the industry gain perspective and guidance from professionals in the field. These interview insights aim to kick-start or re-energise your career journey in cybersecurity.
In this September edition, Anthony Robinson, Oceania Cybersecurity Leader at EY, shares his story about:
“I always found myself enamoured with solving complex business problems that have never-before-been addressed or attempted. Early in my career, I would piece together cybersecurity elements to help create an appropriate solution. Today, I help Chief Information Security Officers (CISOs) and their management teams better:
These are his insights.
What aspect of cybersecurity concerns you the most?
“Understanding normal versus abnormal behaviour. Our biggest challenge is to improve our ability to sense when something is wrong before our adversaries are aware we detected and contained their movements. Working in cybersecurity has always been about defining and deploying controls with appropriate measures to counter threat actors. We continue to engage with clients who believe they have not experienced a large-scale cybersecurity incident…until they do. This consistent inability to sense when something is wrong is worrisome. We often see this pendulum for an organisation shifting quickly from generally-speaking:
Misguided investment. We invest in technology and continue to misunderstand how this will mitigate our risk. We often do not have the structure or discipline to link investment to risk reduction. We invest in technology because our:
How have you evaluated professional opportunities throughout your career? How has this changed over time?
“Learning. I am going backwards if I am not continually learning, pushing myself or being challenged by others. With learning comes personal and professional development along with growth. For each opportunity I may ask:
People and mentorship. After a long, memorable and exciting 18-year career with my first firm, I moved on and into my current role as the Oceania Cybersecurity Leader at EY. This provided new learning opportunities to share knowledge and experiences gained throughout my career with our clients and our people. I am most satisfied when I have an opportunity to share an experience with our people, which provides them with tools to act on new knowledge and reap the benefits. We are a people-first organisation because without our people we do not have a business. Experiences and growth. My wife and I had an opportunity to transition from Australia to the United Kingdom and travel the world early in my career. We place a high value on global experiences because of the unique perspective they provide that supports our personal development. As we progressed in our careers we made the decision to return and watch our family grow up in Australia. When we evaluated opportunities we often looked at how they help us attain personal experiences and balance this with the professional growth opportunities to make the best life decision for our family.”
What fuels your passion? Why do you do what you do?
“Strive for excellence. I am quite competitive and like to win. I tell our people we should aim to create the best cybersecurity team in Australia. I want our teams to strive for excellence and be the best. This drive to be excellent is part inherent and part learnt. Over my career, I have seen what happens when you lack the determination and perseverance to achieve excellence – you do an average job with a trickle-down effect to the business. I want our people and our teams to always feel proud of our accomplishments and achievements.”
How would you suggest others new to the field get involved?
“Have patience. Early in my career I remember thinking ‘I want to be a Chief Executive Officer by the time I was 25’.
While not impossible, it is difficult to have the perspective necessary to set yourself, and your teams, up for long-term success. If we apply this view to cybersecurity and survey non-IT leaders, they may say cybersecurity is niche and narrow; however, there is so much to learn and absorb across the domains. No one cybersecurity domain is more important than the other and it can be challenging to obtain this knowledge without experience in the field. Prioritise your interests. Do not search for that perfect opportunity. Rather, spend the time and energy developing and striving for excellence in your areas of interest. You may find your areas of interest change over time, or that you deep-dive into a subject matter to continue to satisfy your curiosity. Stay flexible. I see some graduates and professionals with rigid career plans that often miss out on ‘once-in-a-lifetime’ opportunities. To be successful and effective is to make the most of every opportunity. Whatever you do early in your career you will gain invaluable experiences and learnings. You may experience challenges with a hard project, difficult client or working in a new area. This may create a level of discomfort but be prepared for this! We often learn most when we find ourselves in these demanding positions. Perform post-reflection exercises and ask internally about the key takeaway – we are often surprised with a sense of satisfaction and accomplishment for what we had achieved through these strenuous times. Be adaptable and resilient. Be comfortable not having all the answers. In some cybersecurity roles we are expected to have this knowledge to operate autonomously as the front-line defender. There are many other roles where we may not know everything about our client, their concern or a potential solution. We work in teams of experts with a wide array of experiences to learn about their industry, to help define the root cause and to support the development of solutions that support our clients.
We are customer-focused as consultants. We must quickly define needs and adapt how we operate based on a client’s sector to be successful.”
Cybersecurity is intriguing, in-demand and considered as an excellent career starter. Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues.
In this month’s feature, David Neuman, Global Chief Information Security Officer (CISO) of iHeartMedia, shares his story about:
Prior to that I was with the United States (US) Air Force as a Cyber Warfare Officer. I was responsible for the defence of Air Force Operations and the protection capabilities for air and space. I was fortunate to lead the Offensive and Defensive global planning at the Top Secret-level to help the Air Force impede threat actors and adversaries. My career journey started, though, as a blue-collar kid from Philadelphia. No one from where I grew up went to university. You made your own opportunities. Thus, I enlisted in the Air Force as a senior in high school to learn a trade, see the world, and earn an education. Within three years of enlistment, the US was engaged in the first Gulf War. My four-year plan turned into a 28-year career that included radio and satellite communications, and electronic physical security. During my time with the Air Force I completed my degree, became an officer and served as the Commander of the Air Force’s first Cybersecurity Hunting unit. I want to emphasise to anyone reading this - it is a myth that you will stay in the same role for the duration of your career. Every two or three years you will change roles and/or jobs, which leads to quite a unique set of experiences and challenges you may or may not have foreseen. I completed three combat tours over the span of my 34-year professional career. I am a product of my experiences in how I lead, my perspective of cybersecurity as a domain and how we get things done.”
These are his insights.
How would you characterise cybersecurity? How has this evolved over your career?
“My career evolved with the Internet and communication technologies. I started in an era that predates the Internet. We had point-to-point systems and microwave links. Through this, I achieved a strong foundation and core basis in communication networks. I learned to approach everything analytically. This evolved when the Internet exploded.
Coincidentally, the Air Force is the most dependent upon technology to conduct operations today more than ever before. As a result, we were most vulnerable. I would like to say I was at the right place at the right time in my career as I transitioned to a base in England where we set up a Local Area Network (LAN) shop. We were amid a transition from traditional communication technologies over to this new set of Internet protocols. I came back from a deployment and my boss at the time said 'we have this cybersecurity thing that seems to be becoming very relevant - would you like to lead it?' Absolutely! I was locked-in and called upon my network to consume their knowledge and experiences in this new space. I read numerous books and had great commanders and leaders who were enabling. By putting protection mechanisms in place, we were more capable to proactively identify malicious activities. As I fast forward, the cybersecurity space forced the Air Force to think about their landscape differently from the traditional sense of tanks, aircraft carriers and planes to ones and zeros. This better equipped me to understand how to effectively operationalise cybersecurity for business enablement and how to provide better protection mechanisms in a unique manner. It was not a simple path of growing up in IT or DevOps and falling into cybersecurity as a logical succession of requirements and needs to protect the information and technology we are responsible for in our enterprises. Rather, my path was more innocuous as we were applying cybersecurity tactics to various military operations.”
What aspect of cybersecurity concerns you the most?
“Artificial intelligence, human interface, virtual reality, blockchain and trusted transactions. We spend too much time on the past and less on the future challenges without enough agility to pivot or integrate the components. What does the workforce of tomorrow look like?
We will need to disrupt ourselves if we are going to be prepared for challenges moving forward.”
How did you identify and evaluate the next step in your cybersecurity journey?
“This is in my nature. I always sought opportunities that presented a diverse set of challenges. I spent 28 years in the military, travelled to 13 countries with countless jobs, interacted with numerous cultures and nationalities. I loved this about the Air Force. I found these diverse challenges at EY. I had to change my vernacular to be successful in the private sector. Once we achieved the translation, we identified a definite need for the skills and experiences I brought from the military. My evaluation was more primal than what we may consider to be sophisticated. I am always seeking career opportunities that present complicated challenges. This is how my bucket of satisfaction is continuously filled via solving complex problems and working with incredibly talented teams. Cybersecurity is a true team sport that brings smart people together to solve complicated business problems. Now, as an even more experienced professional, I evaluate opportunities by asking:
What fuels your passion? Why do you do what you do?
“The people – they are part of my DNA that was crafted over my many years in the military. I draw on my military experiences and leverage my network every day that all revolve around people. Today, what I find most satisfying is to give back to the community and those around me. Cybersecurity, like many professions, is a team sport. Over the last 30 years I have been fortunate to work for great teams with incredible leaders who established the baseline for success. I am excited to help people think about their career and support them along their journey either directly or indirectly. There is always someone in your network that knows someone else that may have a career-related opportunity that is ripe for exploration. We often find young professionals seeking cybersecurity opportunities asking how they can become something like a penetration tester. When this comes up in conversation, I tend to ask the simple question of 'why a penetration tester? Why that?' When the individual teases out their response, penetration testing may not be the area they want to pursue and rather a common misconception about cybersecurity. As leaders, we must help and support the person to think through and consider the other domains of cybersecurity. I also like to help my fellow military veterans transition to the private sector. One naval officer who was primarily an aviator had started some vocational training in the security industry. He felt a draw but did not know how to get involved. They had a natural interest in the Internet-of-Things (IoT) with the core skills and capabilities but had not been able to tie the interest with an opportunity, and we are off to the races to match the skills and interests with the right opportunity. What drives me today is setting the conditions for the success of others. This will help bring organisations to great fruition. My only ask in return is for people to pay it forward.
Get up every morning and ask what you will do for someone else. This will not only set up others for success but create stronger teams and a better planet in the process. I love watching and participating in the success of others and have been for the past 34 years with great satisfaction.”
How would you suggest others new to the field get involved?
“Make discovery part of your objective. Seek out those who have experiences and are willing to share with you. Find those cybersecurity domains you are most passionate about. Talk to people who have walked the path previously. Consider not just what is happening today, but also tomorrow. Become a forward thinker. What other areas are emerging as enabling or disruptive to organisations? AI, trusted transactions, blockchain, human interface. One thing is certain - change is constant. We did not have mobile devices growing up. What will this look like twelve years from now? Will we even have mobile devices? Challenge yourself to think about the future. This will help you identify your passion. Work hard to learn all you can and understand that failure is feedback. Do not be reluctant to take risks. Stretch your ambitions by working with creative thinkers and doers. Most importantly,
In this month’s feature, Volker Rath, Head of Security Consulting Australasia at BT (formerly British Telecom), shares his story about:
This has often been thought of as a male-dominated area, to which you will always find a similar outcome. I am excited to support the diversification of our cybersecurity space as this is imperative to our success.”
These are his insights.
Why did you choose cybersecurity?
“I was lazy as a kid because there were enough jobs growing up in Germany. I became an eager learner once I attended an IT college. I almost forgot what the word ‘learning’ meant because I was obsessed with consuming as much knowledge as I could. I began to explore and read more than I had in the past. That is how I stumbled upon my passion for computers. Shortly after college, I was about to join an internet start-up when the first dot com bubble burst and the investment funds evaporated. This ended my internet start-up career. I then received a call from a recruiter to join Symantec as a Security Consultant. I recall thinking I did not want to be known as the person that fixed computers for a living. I quickly realised Symantec had an enterprise division of consultants, and thus my career in consulting began. I was working closely with Symantec technology early in my career. While I was never enthralled with the technology, I was enthusiastic to help make security operations work at scale. I did not understand how vast the cybersecurity space was at this stage in my career. I had very little knowledge of disciplines like penetration testing, risk management, threat management, maturity assessments or security frameworks. My journey had only just begun and I was hooked!”
Why do you do what you do? What motivates you as a cybersecurity professional?
“It has always been about the people. I completed courses in ISO27001 to establish better risk management skills and began to develop my own tools to better facilitate security operations. I quite enjoyed consulting and the work at Symantec. I loved the travel, interacting with global organisations and engaging with senior leaders.
I was fortunate to see the geographical make-up of the world and from the inside of large enterprises…an exciting way to begin a career! I began to ask myself about my purpose – what motivated me? Did I want to be a product manager? A sales person? A consultant? I continued to ask myself what was most fulfilling. I loved working with people around the globe in consulting. I was (and continue to be) motivated to help fundamentally change lives for the better.”
What do you see as the biggest challenge we face in cybersecurity?
“Communicating the message! This is why our attention span is so low,” laughs Rath. “Quite often I hear cybersecurity is too nerdy, and to some degree this is true; however, this perspective should not restrict our recruiting strategies to technical areas or specific concentrations. We should focus efforts to teach our professionals how to better communicate the message irrespective of their background or skill set. I recently spoke on a panel that addressed the Chamber of Commerce for Australia and Israel where only forty percent of the audience comprised of cybersecurity professionals. We had a world-class line-up of speakers that could bridge the gap between a cybersecurity issue and the real world with layers of fun facts and humour delivered to a lively audience. The crowd’s energy was fueled by the panel’s ability to deliver the message that encouraged more insightful questions with genuine curiosity – we could not get off the stage because of the crowd’s enthusiasm!”
What would you have liked to know starting out in your career?
“I always loved hardcore technology, the cloud and how the IT environment was architected. If I was starting out my career, I may consider four areas.
How did you identify and explore opportunities during your career?
“This is a difficult question because not many people ask. I have experienced three interchangeable approaches.
Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues.
In this month’s feature, John DiMartino, Director of Global Network and Security Operations for an international business support services company, shares his story about:
Why cybersecurity?
“There were not many computers around when I was younger and by the time middle school rolled around they were everywhere! Computers fed my natural desire to tear things apart and put them back together. I aspired to understand how everything inside a computer worked. My journey started in high school with my co-op at a computer repair shop and transitioned to university where I had an opportunity to explore disc forensics that piqued my interest. After some great years with Deloitte, I moved onto law enforcement as part of a search for personal fulfillment to serve and give back to the community with the skills and talents I had acquired in consulting. I went to work for the US Federal Government and the feelings were just right, like Goldilocks and the Three Bears. I was making a real difference protecting critical assets and doing the things I really enjoyed such as:
In my management role, I discovered a renewed passion for mentoring and coaching. I came up in my career knowing that I wanted to be the kind of boss I had when I was an analyst – an individual supporting the growth of the team and sharing in the excitement and passion for cybersecurity. I do what I do because my role provides opportunities to give back to my team and my network. More than anything, I love leading a team because I can support, train and build the careers of the next generation of cybersecurity analysts.”
How would you describe cybersecurity architecture, incident response and monitoring, and their role in the capability landscape?
“Each area is vastly different and ever-evolving; however, there are common threads. Cybersecurity architecture. How can you put together a series of systems that all interconnect either within the system itself or between systems? How can you make this as secure as possible while still allowing the systems to work as they need to move the business forward? Cybersecurity architecture – the blueprint of the IT environment. Incident response. There is an input and/or event that initiates action to understand what happened. The faster you can:
What excites you about today’s cybersecurity landscape?
“An entirely new world of connected devices with an endless number of places where cybersecurity incidents can occur. This, combined with a new class of systems that produce never-seen-before events that require you to monitor alerts and respond appropriately to minimise business impact. This infinite number of interconnects between systems creates more ‘noise’ and cybersecurity risk with a plethora of internet-connected devices in your environment. There is hope! As with every interconnect there are opportunities to layer cybersecurity, place a sensor, or build automation to securely enable your business. In my current role, I strive to provide cybersecurity-as-a-service for the business. This requires a team with coding skills that can offer services that allow development teams to ingest cybersecurity as part of their core processes. Our approach enables these teams to build protections seamlessly into their product pipeline with low overhead via APIs. There has never been a more exciting time to be a cybersecurity professional!”
What, if any, information would you have liked to know starting out in your career?
“I would tell myself to:
For those in Industry?
How would you suggest others new to the field get involved?
“Sometimes the best path is to start with an entry-level job. This can be tough but swallowing your pride for the right company or right opportunity could jump-start your career. Start as an analyst and inhale as much knowledge as you can consume and digest. I would not get into cybersecurity because this is the ‘hot’ field. Cybersecurity is a very demanding industry no matter your discipline - Security Operations, Governance, Business Engagement, Security Services, etc. If you do not love cybersecurity, the demands will take their toll. Pursue a cybersecurity path if you are passionate about it and understand this path is a constant up-hill battle to stay ahead of the knowledge curve. There is no better industry if you love it. If you are passionate and have the drive, there are endless streams of new information to dig into every day. There is an infinite amount of knowledge to build from and there are entire fields we have not discovered yet. I could not be more excited for the future of cybersecurity - I love this stuff!”
Cybersecurity is intriguing, in-demand by the market and considered as an excellent career starter. Please be on the lookout for next month’s issue of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues.
This month’s edition features Aaron Johnson, Global Cybersecurity Governance, Risk Management and Compliance Leader at Dana Incorporated, as he shares his story about:
“When joining the Navy, they administer a standardised test called the Armed Services Vocational Aptitude Battery (ASVAB). ASVAB does not tell the individual what they are proficient in; rather, the test demonstrates where they may achieve the best results. I wanted to be a military police officer. However, I was instead recommended as an electronics technician. While I had no prior electronics experience, I was eager to dive into the experience.” Johnson’s early career as an electronics technician drove his desire to pursue computing and networking courses at university. “I had not initially considered cybersecurity; however, I connected with a government cybersecurity assurance professional in my network and they asked if I was interested. I jumped at the opportunity!”
These are his insights.
How would you characterise your role within the cybersecurity ecosystem?
Johnson describes his role as the Cybersecurity Governance, Risk Management and Compliance (GRC) leader for a global manufacturing organisation. “The role of GRC can serve various purposes based on the company and the sector. The scope of the conversation can also allude to the differences between the role and responsibility of an enterprise resource planning (ERP) system GRC team and their Corporate Information Technology (IT) GRC counterparts. In this global organisation, I am responsible for cybersecurity:
In cybersecurity, we are laser focused to secure our environment leveraging the Confidentiality, Integrity and Availability (CIA) model in line with business expectations. This model is at the forefront of every governance-related decision. Our goal is to securely enable the business to achieve their goals and objectives.”
How did you identify and explore various opportunities during your career journey?
“I never had a pinpoint focus around what I wanted to do; however, I was always open to new opportunities. I may not have always had a specific target company when I was exploring the job market. Rather, I had a general idea of what I wanted to do and evaluated the needs of an organisation against my interests. I continued to find career-related success by leaning on my professional experiences, continuously learning new skills and leveraging the leading practices I had acquired during my journey. I leveraged ASVAB to apply a similar approach with cybersecurity positions – evaluate open roles and their requested skills or qualifications against my prior experiences and desire to continuously up-skill. While organisations may have targeted specific skills, I tailored my approach around my experiences to demonstrate my ability to adapt to numerous situations and learn quickly. I see many young people today that analyse if they are proficient in the skills advertised in a job application and refuse to apply if there is a mismatch. This may be less about a person’s proficiency, and rather their aptitude and curiosity to learn something new. If cybersecurity is an area of interest, I would first suggest gaining an understanding of the foundational components and ask how these apply to your current role as a student or working professional. A similar approach can be applied at home to drive more risk-aware behaviours. This approach has continued to open doors to new professional opportunities.
This change in mindset is why I believe I have 30,000 cybersecurity professionals working side-by-side to deliver more secure outcomes for our business.”
What, if any, information would you have liked to know starting out in your career?
“I wish I would have started my IT education earlier. When I was younger, my grandmother would recall how my grandfather advised to ‘stay away from computers. They were just a fad that will go away. You did not want to find yourself working with something that would not be around in 10 years.’ This was a widespread theory in the mid-1980s - computers were only a trend and would vanish in a decade. I stayed away from computers due to this pressure; however, I wish I would have started my learning earlier. Always pursue your passion and interests irrespective of your career path. This, in combination with your life lessons, education and experiences can serve as a cornerstone to any professional journey. Be prepared for any opportunity - you never want a road block like the lack of formalised education to prevent professional doors from opening.”
What motivated you to pursue your passion?
“I always had two primary motivations:
How would you suggest others new to the field get involved?
“I have three recommendations for those pursuing opportunities within the cybersecurity space.
Cybersecurity is intriguing, in-demand and considered as an excellent career starter. Please be on the lookout for next month’s edition of Decoding Cybersecurity: Interview Insights with Leaders as the journey continues.
Author
Elliot is a Senior Manager in the EY Cybersecurity practice. Elliot enables organizations to build in risk thinking from the onset, enhancing global innovation with confidence. He leads global teams to reduce response times and minimize the impact of security incidents by building and operating mature security, logging, monitoring, alerting, and incident response practices. He successfully led response to and recovery from complex security incidents, such as data exposures, third party compromises, and vulnerability exposures, by coordinating across large enterprises through effective incident response procedures to minimize business impact.