What would you describe as your most memorable achievement in the cybersecurity industry?
Early on in my career, I was presented with challenges that looked daunting to begin with but turned into my proudest achievements. One of these was to write the first cyber policy manual for Boeing alongside various standard bodies.
At the time I was the VP of IT Risk Management and CISO at AT&T Wireless, where we were given 10 months to overhaul Boeing’s security. With a US$41 billion merger dependent on having zero deficiencies in the security audit, I was terrified. There were lots of unintended lessons learned along the way, but we did it and the validation I felt was surreal.
What first made you think of a career in cybersecurity?
I first became interested in information security when my graduate school professor in my software engineering class encrypted the final exam. We had to build code-breaking tools all semester long because he encrypted 10 questions with 10 different algorithms and 10 different keys and gave us 24 hours to solve them. I had such a good time with that exam and I wanted to do more! I ended up doing my master’s thesis on fast hardware encryption and as a result, Boeing hired me.
What style of management philosophy do you employ with your current position?
At VMware, I don’t own any dedicated lines of management but I do need to get things done by influencing others. Nothing is solely up to me and the outcome depends on the quality of the work of the people I’m working with. Though I get more of the spotlight sometimes, I always ensure my teams know that I appreciate their work and give credit where it’s due.
What do you think is the current hot cybersecurity talking point?
At a conference I recently attended, the room packed out for a discussion on cyberthreats. People are increasingly wanting to get a handle on evolving cybercrime. But I feel our attention should be on risk management more specifically.
Companies are still engaging in a game of whack-a-mole, where they’re not targeting the right areas of the control environment. This calls for a solid risk management strategy. I like to think VMware is the best security company, particularly when it comes to risk reduction.
We’re running workloads on vSphere – the most secure way to do so – with the visibility and full context of VMware Contexa. We also instrument the virtualisation layer to automate many routine security functions and can do runtime security with VMware Carbon Black for modern apps.
How do you deal with stress and unwind outside the office?
I recently restored my grandmother’s cabinet grand piano from 1900 and took up playing piano again in earnest. I used to play a lot when I was younger and it truly brings me joy and relaxes me. Another way I like to unwind is by going for walks barefoot in the grass with my husband and dog by my side.
If you could go back and change one career decision what would it be?
I don’t like to think about what I would’ve done differently, although I wish I recognised the value in connecting with other people sooner. In my earlier days, I struggled to balance work with making time to speak with those around me – both in and outside of work – which is part of the reason I became a Chaplain. The role required me to deeply connect with people in a way that I never had time to do at work.
What do you currently identify as the major areas of investment in the cybersecurity industry?
The number one investment area right now must be in people – particularly given the talent shortage our industry faces. Consistently, companies are struggling to find the talent they need to increase depth on their bench with turnover high and people leaving the industry for good. We know that one mistake can be costly in retaining talent, so greater investment in mental health and wellness is necessary to help frontline defenders perform at their optimum.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
I believe in simplicity. I’ve demonstrated in my own career that when you take an approach that is risk-based or outcome-based from the top down, it simplifies the strategy and is easier for teams to understand. A clear, risk-based, outcome-based approach is essential to a cybersecurity unit, no matter the location.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
We’re working hard to support all field teams with their accounts who have an interest in security, to make sure they have access to the correct data to help inform better decision-making. Having the right conversations with our customers, namely face-to-face ones, will be high on our agenda in the next 12 months. CISO relationships really need to be maintained in-person, so getting in front of the community is key.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
I was once told by a manager that I should add that I aspired to be a director in my company performance plan. Sure enough, my director called me out on this, but to say that he didn’t care what role I wanted. He inspired me to think about what I actually wanted to accomplish and how I was going to make it happen. That’s the thinking I would encourage for today’s budding CISOs.