Asking things, being intellectually curious and not being satisfied with a superficial answer – critical thinking is the key
Theresa Grafenstine, Global Audit Leader for Cyber, Resiliency & Third Parties at Citibank
Before taking up a position with Citi as Managing Director/Chief Auditor for Cyber, InfoSec & Continuity of Business, Theresa spent some time as Managing Director at Deloitte. Prior to that Theresa was the first female Inspector-General of the House of Representatives in Washington, and has also been the chair of ISACA, the professional body for IT audit, risk, security and governance.
Her views about cyber and audit are both perceptive and based on wide experience, as the challenges of cyber risk have grown and their implications for audit have evolved.
The relationship between cyber and audit
Through her career, Theresa has seen the role of audit change with the emergence of cyber risks. She sees audit as a crucial part of tackling them.
“In the very beginnings of my career, people thought of audit as something financially-focused. Then we had IT controls and IT auditors, but as cyber developed to become one of the biggest risks engulfing society, we now realise that audit has to be part of the measures to tackle it.
Auditors have many skill sets. They can look at problems from beginning to end, across departments and the entire organisation, and so they can understand the problems and risks with abuse or stealing of information. They can call out risks and see if controls are in place to address them.”
What does the Future of Audit look like?
“It’s going to be a different kind of audit. Old audit concepts, such as the separation of responsibilities, are still relevant but we need to do much more. When you bring complexity into systems, it means there are more opportunities for mistakes. People like to talk ‘big data’, but to use big data you need to understand all the data you have, across boundaries, and harness what you have in all those silo database systems. You need to expose and break down data, and see how it all interrelates. The problem is that when you expose data, even internally, this gives rise to access issues, and it creates a new kind of risk.”
The role of audit will grow, but it will also change. Technology will take away the need for auditors to look at the routine and mundane, but the work that remains becomes more technical and analytical.
The perception of auditors: critical thinking
“I agree that auditors and security people are seen as the ‘Office of No’ and impediments to progress. So we need to be clear and crisp in our messaging about what our role is and why we are advising on risk. The message is that we aim to make systems safe, and you can’t make advances in business unless you are sure that your system is safe.”
Critical thinking has always been important – asking things, being intellectually curious and not being satisfied with a superficial answer.
“To provide value auditors need to understand why something works and question the rules. Do they make sense? We don’t simply ensure that the rules are applied. AI (Artificial Intelligence) will do what its algorithms tell it to and we need to ensure compliance with what seems appropriate. We present problems to people who are in a position to fix things.”
The evolution of cyber security: the need for resilience
“Early on we focused on security at the perimeter of systems – virus protection, then firewalls, and this morphed into intrusion detection systems. Nowadays we say that our system will inevitably be breached because there are so many ways to get into a network. Ransomware, malware – it just requires one person to click on a link. So for good security, we need vigilance. If we know that someone will get into our network, do we have the tools and the people skills to be able to distinguish between malicious activity and normal activity?
How quickly do we spot a breach of systems and how quickly do we do something about it? Do I have back-up so that, if they have stolen or altered my data, I am resilient enough to recover quickly without serious loss of reputation? Somebody will get in, but it’s about how we manage that. It’s the world that we live in.”
Some words of advice for starting out in cyber security
People often ask Theresa about obstacles to career progress for women.
“There are glass ceilings, but don’t limit yourself. Get over your fears and don’t be your own self-imposed glass ceiling. If you can’t express an opinion at a meeting, how will you ever become a leader in your career?”
A second piece of advice is to show moral courage.
“The idea that I could become Inspector-General of the House of Representatives was mind-boggling. But you are dealing with people who have power. As an auditor, you need the moral courage to Speak Truth to Power. At the end of the day, if you can’t stand up to powerful people, you shouldn’t be in your role.”
“Networking is incredibly important. People should try to find role models and a mentor – it needn’t be a formal relationship – who you admire and who is willing to give you a few minutes and a bit of advice. That’s something I try to do myself: helping others with your experience and know-how. It’s giving back something to a world of working that has given so much to me.”
The modern CISO: A cyber risk leader who partners with the business and the board
Daria Meyer, CISO at Panalpina
The role of a CISO has changed significantly over the years, as cyber risk has gained visibility at the highest levels of many organisations. So what does it mean to be a CISO today? According to Daria Meyer, CISO at Panalpina: “You become known as CISO when you bring business value to the company but you get appreciated when you successfully guide the company through a cyber incident”.
“My journey in cyber security started with hands-on security 101. After obtaining my degree in telecom and network engineering, I took a job in a remote access support team. I had the opportunity to gain experience in hands-on security engineering. I really enjoyed that time in my career and after a few years, I moved on to expand my know-how in project management, where I was managing cyber security for large global merger and acquisition projects. That was when my career really took off.
I started focusing on cyber security operations, incident response and vendor risk management and increasingly gaining leadership responsibilities with security and risk governance roles. I became accountable for running, controlling and strengthening information security protection, managing budgets for the global function as well as for global projects. I also gained valuable experience in working in a highly regulated environment and from managing a global and diverse team.
My hard work paid off and I became responsible for Novartis’ biggest division: Pharma. I was accountable for setting and executing the overall cyber strategy, leading a worldwide organisation and ensuring that the global Pharma business and overall commercial – “go to market” – IT products, projects and services were developed and delivered in a secure and compliant fashion. This role also came with increased managerial and budget responsibilities. Prior to my appointment, this role and organisation did not exist, so I designed and established it from scratch, hiring the people I needed along the way.
When I was asked to become Panalpina’s CISO, I had to say yes. I knew this was the opportunity for me to really shape the organisation’s cyber security vision and have a real impact on society. At Panalpina, I report directly to the CIO and the Board; I’m shaping the organisation’s security vision and strategy and focus on delivering value to Panalpina and its customers. I also sit on advisory boards of leading IT technology companies, cutting-edge start-ups and global security forums.”
For Daria, taking a position as CISO meant more than just keeping her organisation secure on a day-to-day basis. Daria looked at the bigger picture:
“You need to think about what it is you want to achieve, what you want to focus on to add value to the business and your customers”.
Daria’s motivation is as clear today as it was when she first became a CISO:
“I want to make a positive impact on the company I work for as well as on society in general”.
At Novartis, her purpose was very clear: participate in giving back to those who are ill. Then, when she became a CISO, she made sure she joined a company whose culture and priorities lined up with her aspirations. As a cyber leader, she sees herself not as the head of the department of “no”, but as an advisor and manager of a great team and a steward of data, information systems, and resources. She understands that, as a CISO, she will influence major decisions that affect real people. At the same time, the world of transport and logistics is relatively new to the digital realm, making Daria’s role as CISO a green field. By bringing her experience and expertise, she is not only helping her company, but also her industry.
Daria’s aspiration to help others is fed by her understanding of what cyber security is:
“A few years ago, many equated CISOs with IT. The role was seen as that of securing a company’s systems; nothing more. There was no talk about security as a competitive advantage and business enabler, let alone ethics”.
Oh, how things have changed! Already in 2017, 87% of FTSE 100 companies identified cyber as a principal risk. With this increase in attention, boards now pay close attention to the topic and increasingly include cyber security experts. This shift comes hand-in-hand with an increased scope for cyber security roles:
“Cyber security went from covering only IT to more broadly addressing risk. It’s also about resilience: preventing incidents while ensuring the company pulls through in the event of an incident”.
In addition, data protection laws and regulations such as the EU’s GDPR protect individuals’ privacy as a fundamental human right, and reinforce the notion that this field has a direct impact on people’s lives, at home and in the workplace and for all age groups.
The time when the line between the physical and digital worlds was clearly defined is long gone and, as a result, cyber security has become too important to be exempt from morals and values. What we can learn from Daria is that it is essential for cyber leaders today to understand the implications of their actions on people’s lives and to be able to stand behind their decisions whatever happens.
Fostering the culture of security in technology organisations and business lines
Elena Kvochko, Cybersecurity and Technology Executive
“Fast changing industries like technology and cyber security attract dreamers, people who want to make an impact, innovate and contribute.”
The financial sector is a critical infrastructure sector, alongside communications, food, agriculture and healthcare. As such, the importance of protecting the sector from cyber risks is immense. We often don’t fully appreciate the value of critical infrastructure until it’s unavailable. For most critical infrastructure sectors, this means the focus needs to be on restoring their services in the event of an outage. However, for the financial services sector - one of the industries most targeted by cyber criminals - the situation is even more complex.
Elena Kvochko, a cybersecurity and technology executive who built her career in the financial services industry, believes that the emphasis many industries place on access and connectivity of systems should shift to security. Answering our questions about her journey in cybersecurity, Elena told us more about her own path.
“I started my career in telecommunications technology and its implementation, working to make the world more connected and open. At the time, I was working on large-scale telecom infrastructure projects in emerging economies at the World Bank Group. I saw a great amount of focus and investments in bringing connectivity and new electronic services to previously offline communities. While those efforts brought about new opportunities to millions of people, I hadn’t seen a similar focus on making these new services secure. It was this realisation that prompted my stronger focus on cyber security.
I worked at the World Economic Forum where my role was to build better cyber security partnerships and create new ways of addressing global issues that no one company could solve alone, such as assessing the scale and the impact of cyber attacks. I was an Affiliate Fellow at Harvard Law School, Berkman Klein Center for Internet and Society that focuses on the study of cyberspace and Internet-related legal issues. I then moved to the financial services industry as I joined Barclays as the Head of Global Information Security Strategy and Implementation and then became CIO of the security function at Barclays, where I worked on implementing next generation security models and controls. With my colleagues, we developed a new model of implementing cyber security that we called “holistic security” and worked on supporting next-generation security companies solving complex problems through projects, such as Barclays and Techstars Accelerator. I was excited to deepen my knowledge of the financial services industry and continued my career in the industry.”
“Every business today is a technology business.” Organisations today need to keep up with technological trends if they want to stay relevant. Elena says: “We all welcome continuous innovation, not only because it makes our lives better, but because as users, we are inclined to trust the technology we rely on every day. But just like in the physical world, no system or solution can be absolutely secure. Unlike the binary components of computer code, cyber security is not black or white, right or wrong; it is a spectrum of colours that depends on the assets you are protecting, the controls you are building and the threats you need to consider.”
Indeed, in the financial services industry, the stakes are high. According to Gartner, advanced analytics, chatbots, virtual personal assistants, artificial intelligence, intelligent automation services and robotic automation processes are increasingly integral to how financial services firms support more effective customer service models, and potentially reduce operational costs:
“If we are not careful, we risk having the benefits that emerging technologies bring diminish as potentially insecure products, projects and infrastructure make us vulnerable to attacks.”
Elena cites data showing that most security breaches happen through negligence or through known vulnerabilities, and are therefore preventable by assessing all three aspects: people, process and technology. This is what security professionals help enable.
Although we are moving from security awareness into implementation, there is still a lot of room for improvement. There are many opportunities cyber leaders can explore to conduct business securely and deliver on their promises to customers, while still innovating fast. And Elena is very clear:
“Security is not optional; and should never be an afterthought.”
There are many critical steps to take to defend, detect, react and keep a holistic view of assets. Fifty years down the line, Elena hopes “people will be working together to design technology with multiple perspectives in mind, in which solutions will be both technical and behavioural.”
So, who will these cyber leaders of tomorrow be? “Fast changing industries like technology and cyber security attract dreamers, people who want to make an impact, innovate and contribute. We will still be facing social challenges, but their resolutions should be aided by implementing ethical and sustainable solutions”, as well as creating a culture in which cyber security is directly embedded.
Cyber security is a business accelerator
Darine Fayed, Head of Legal and Data Protection Officer (DPO) at Mailjet
Companies today are more interconnected than ever before, which has placed cyber security at the core of sustainable business models. Technical and legal departments are now more involved than ever in driving growth with the business.
Darine Fayed, Head of Legal and Data Protection Officer (DPO) at Mailjet, has successfully led a data protection and security transformation program in order to tackle the legal challenges related to the General Data Protection Regulation (GDPR). All the effort, time and money invested in cyber security and data protection allowed her company to grow its business with minimal risk. In fact, today, under Darine’s direction, Mailjet is accredited by AFNOR Certification as being GDPR compliant, adding to their ISO 27001 certification already obtained.
“After obtaining my law degree and working as a corporate attorney in the United States, I moved to France to continue on the same track. I naturally shifted toward digital and IT topics, working on licensing and software agreements for my law firm’s clients.
After over a decade in corporate law, I became Head of Legal, responsible for risk management at group level, at Mailjet, Europe’s leading email service provider. With the arrival of the EU’s new General Data Protection Regulation in 2016, most companies were obliged to implement actions to comply with the upcoming regulation. One of these actions was the appointment of a DPO. Due to my position and digital experience at the time, I was asked to manage the data privacy obligations and lead the transformation across the business, legal and IT teams as Mailjet’s Data Protection Officer. One of my objectives was achieving GDPR compliance through close collaboration with IT teams.
It took Mailjet over one year to become fully compliant with the GDPR’s strict requirements; one year during which I discovered new aspects of cyber security and learned about data protection challenges.
Simultaneously, I also advocated for legal tech (technology at the service of the law), aiming to combine digital and legal endeavours in companies. Specifically, I worked on including cyber security considerations in the legal yearly goals.”
Darine strongly believes in security by default. Every decision in a business process must be taken with security in mind, particularly when personal data is involved. Darine sums up the discipline as follows:
“Cyber security is awareness, cyber security is top-down, cyber security is a team effort, cyber security starts with legal considerations”.
Cyber security is awareness
Because it affects every employee in a company, Darine argues that cyber security is everyone’s business. The process starts with internal training and building awareness among Business, Marketing, HR and IT teams. Once there is a notable shift in the corporate mind-set, people start to see security not as a burden but as a foundation to business. Darine explains how, when working on new features in a platform or a system, a company’s security awareness improves quality and customer satisfaction:
“Product developers now ask the right questions: How do I make this product secure? How will data be collected or processed in this new feature? What system or measures do I have to put in place in order to secure and restrict the access to this feature?”
Cyber security is top-down
Earlier projects carried out by Mailjet’s technical teams received pushback from the business; Darine believes that ownership of IT security inside her company has since shifted to the top: “Our CEO has driven the GDPR compliance initiatives that provided the necessary support to carry out the transformation and convince people who were still resistant to change.” Once senior management understands the importance of the project and defines its objectives, it becomes easier to get everyone on board to pursue the same vision.
Cyber security is a team effort
When we talk about team effort, we tend to think only of the organisation’s internal teams. A cyber security project can only succeed by involving all the individuals connected to a company. A company is an ecosystem of employees, partners, suppliers, clients and providers. With the GDPR, companies do not just comply with the regulation, but learn who their partners are and how to work with them:
“We had to terminate some contracts with our providers that didn’t provide the level of security that we needed. Each company needs to surround itself with providers for whom cyber security and data protection is a common objective. Indeed cyber security can become a competitive advantage when the core business of a company collaborates with third parties and clients.”
Cyber security starts with legal considerations
In cyber security, people who understand the applicable laws and regulations must be in charge of legal activities. The GDPR is the perfect example of a regulation that took businesses by storm. Organisations now risk being put out of business if they do not have cyber security embedded within their DNA. As Darine explains, a legal department’s objective is to ensure minimal risk for the company, including cyber risk; this must be leveraged in security and privacy efforts:
“With all my previous experience in law firms, it was more natural for me to use my legal logic to manage GDPR compliance projects. I was able to interpret the regulation, which allowed me to collaborate with the CTO on this journey. The translation from the legal compliance of a system to IT actions has been very interesting and rewarding for me.”
When reflecting on her career and how she was able to apply her legal background to cyber security challenges, Darine highlights the importance of continuous learning and how it has helped her deal with new situations:
“No matter if it is your goal to make cyber security your career, or if you are just curious as to how your data is processed, or even if you just want to know how to make your password a little stronger, it’s important to be deeply invested in an evolving subject like data protection. It’s no longer only clients’ concerns, but individuals’ concerns that can be leveraged as learning opportunities.”
Will humans be relevant in the future of cyber security?
Nathalie Weiler, CISO at SwissSign Group
Advances in automation, machine learning and artificial intelligence affect all areas of expertise – and cyber security is no exception. In cyber security, these advancements have enabled the delegation of time-consuming tasks such as manual threat detection and analysis to machines, freeing up the human workforce to focus on threat forecasting, cyber security strategy and governance. Dr. Nathalie Weiler – CISO at SwissSign – believes that the role humans play in cyber security has fundamentally changed and with the role, the skills required by the workforce have changed as well.
“After completing my PhD and post-doc in network security at Zurich’s Swiss Federal Institute of Technology, ETH, I realised that I didn’t want to pursue the classic academic career path of hopping from university to university. More importantly, I was most interested in the practical applications of cyber security. So in parallel to my post-doc, I co-founded a technical consultancy company, where we ran projects in secure IoT activities and building security protocols for multi-media devices.
While I was organising a conference for peer-to-peer networking at ETH, I got the opportunity to connect with many people in the industry. An architect from Credit Suisse approached me for a one-time project addressing a network security issue they were facing - I ended up working with that bank for twelve years, immersing myself in so many fulfilling and interesting projects.
There is no area in cyber security that I didn’t get involved with in my time at the bank. One day, a head-hunter approached me and asked me to join Avaloq to build up their security governance team and frankly, the position with Avaloq came at the perfect time for me; I was ready for the next big challenge of my career. So I took the position and stayed with Avaloq as their CISO for three years. Now, I’m excited to continue my journey as the CISO at SwissSign.”
The shifting frontier: cyber security skills yesterday and today
In the early days, the role of cyber security professionals was mainly to protect IT infrastructure and data. The role was reactive in nature: when a threat appeared or a risk materialised, it was all hands on deck to eliminate it as quickly as possible. Therefore, deep technical knowledge of IT infrastructure was in high demand.
Today, cyber security has expanded to include third parties, cloud environments, mobile devices and everything in between. Global digitalisation and the IoT have also shaped cyber security needs since these opened up a myriad of new opportunities that cyber criminals can - and do - exploit. It is therefore important for cyber security teams to have a broad range of skills to cover all of these environments and threats. In addition, with an increasingly common understanding that cyber incidents are inevitable, anticipating what attackers are going to do before they do it is key. Employees with the foresight and ability to think like attackers are the ones that will provide the most value. Nathalie puts it candidly:
“Attackers will not always use a hammer to get in. They are constantly developing different skills, tools and approaches, so it’s important that we stay ahead and think like them.”
With visibility all the way to the top of organisations, persuasion has also become an essential skill to master. Nathalie reflects on the importance of her consulting background in helping her implement her cyber security program:
“I wouldn’t be here if I didn’t have a consulting background. As a CISO, you need to be able to convince many different stakeholders to secure funding and get buy-in. Half of my success is based on how persuasive I can be.”
As money and resources are always finite, Nathalie articulates the importance of adopting a risk-based and pragmatic approach:
“You need to be able to get your ideas across, taking into consideration the uncertainty.”
Looking to the future
Solutions in use today will undoubtedly become less effective at some point in the future, and since no solution can be completely secure, security professionals need to be able to embrace failure as part of the process. As a result, Nathalie argues that nowadays, the field has demand for professionals with various backgrounds but with a common trait:
“We need people who can look further into the challenges that they’re presented with and see the big picture. We need people who understand why they need to do things in a certain way and can actually see the implications of their actions on business processes.”
As our lives continue to get more interconnected, the needs of the cyber security workforce will continue to evolve. There will always be new cyber security threats lurking on the horizon and regardless of how the field evolves in the decades to come, Nathalie believes that having the right attitude is essential:
“You need to break out and recognise that it’s a journey. It’s important to take your time with each problem and remember that threat actors will always come up with new methods of attack.”
Adopting this perspective from the start lets you arrive at pragmatic solutions that work.
Nowhere is the fog of war thicker than in cyberspace
Chelsey Slack, Deputy Head of the Cyber Defence Section at NATO
For more than a decade, cyberspace has slowly but surely crept into our daily lives, going from an experiment spearheaded by a few to something woven into nearly every device in our pockets, our work devices, household objects and infrastructure management systems. This evolution prompted NATO to add cyber defence to its core task of collective defence. Cyberspace has also been recognised as a domain of operations, with NATO allies recognising the evolution of threats and the need to be just as effective in cyberspace as in other domains such as air, land and sea. Although the principles underpinning the protection of this space are grounded in the same concepts as traditional domains, Chelsey Slack, Deputy Head of Cyber Defence at NATO, highlights key differences between these domains and what these differences mean in the context of international security.
“Growing up in Canada, my favourite subjects were always related to history, social studies and law. During high school, I had my first exposure to international relations; I learned about how countries work together and what they saw as key issues. That really piqued my interest and I decided to pursue my university studies in political science with a focus on international security.
Later, I worked for the Canadian foreign ministry and realised that I wanted experience in a multilateral context. After getting my Bachelor’s degree, I landed an internship at NATO, where I worked on trans-national threats.
One day during that internship, on my way home for Christmas, I wound up sitting at the airport, waiting for my delayed flight. I started talking to the person sitting next to me; at the time, I was just about to submit my online application to a Master’s program and this man asked me about my research proposal. When I told him that I wanted to look into post-war reconstruction, this stranger, who worked in a similar field, looked at me and very bluntly said: “That’s a very interesting topic but there are a lot of people working on it. I think you should consider focusing on something else.”
When I got back to my internship after the holidays and my supervisor involved me in the development of one of NATO’s cyber defence policies, I knew this was what I had to write my thesis on… and I’ve been working on that same topic ever since!”
Chelsey sees cyberspace as a vector of potential and innovation that relies on open collaboration and exchange platforms and brings many benefits to society. That’s why she is passionate about her work in cyber defence at NATO:
“It’s about ensuring that cyberspace remains the open, secure and transparent place that we need it to be, to continue to harness those benefits.”
Although the same principle of collective defence – where an attack against one ally is considered as an attack against all allies – underpins cyberspace as it does air, land and sea, Chelsey has developed a deep understanding of how bringing this principle to life in cyberspace is different.
The first difference resides in the nature of this space: it is intangible.
“You can see troops, you can see tanks, and you can see planes that cross your border; but it’s not so easy to see an attack or understand what you’re dealing with in cyberspace.”
The second is that cyberspace underpins our communication systems and critical infrastructure, linking it to every other domain, while remaining a distinct domain of operation. The third is the pace of innovation and technological changes in cyberspace and its effect on established procedures. In the past, you could buy a new piece of equipment, for instance a truck or a tank, and it would be good to go for years.
“In cyberspace, you have to constantly keep up with the development of technology. The minute you buy a new piece of equipment, it’s already out of date.”
This pace does not affect only the technology:
“You need to make sure you train the people so they are able to operate in this constant state of change.”
In addition, although NATO allies recognized that international law applies in cyberspace, the domain’s specificities pose challenges:
“How do you impose consequences? What is the best way to enforce the international law that we have to draw upon?”
Lastly, the number and diversity of actors involved in cyberspace is far greater than on land, in the sea or in the air. Each one of these actors, many of which are private, is a potential target. This makes governments’ role in managing cyber threats and responding to them significantly more complicated.
As the fog of war is thicker in cyberspace, there are still plenty of questions being debated amongst allies. When NATO recognized cyber defence as a part of its core tasks of collective defence, there was deliberately no threshold set to determine what it would take for a cyber attack to be considered an act of war:
“This decision is context-dependent and ultimately needs to be a political one”.
Additionally, if a cyber attack were to be grounds to invoke Article 5, it would not mean the allies’ response would have to leverage cyber capabilities.
“That’s part of the cross-domain approach; cyber is but one tool in our toolbox.”
Many of us do not think about cyber security through the foggy lens of war. Professionals like Chelsey bring cyber security from a commercial concept to one of international security, and ultimately, will have an enormous influence on the world we live in.
Hard work, ambition, and a strong academic background are the recipe for success
Dolores Perez, Head of Group Data Protection at KBL European Private Bankers S.A.
Hard work, ambition, and a strong academic background are the recipe for success for Dolores Perez. Dolores held the position of CISO at the international private bank KBL for more than 6 years, a tenure unmatched by her predecessors. Her previous experience in consulting developed her perseverance and her ability to make an impact with top management. These two skills have been key to her success.
Dolores started her career armed with an engineering and finance diploma from the esteemed Louvain University in Belgium. “From my point of view, a career needs to be built on confidence. Having a good diploma is very important as it already gives you credibility and confidence in what you can do. It shows that you have some grey matter in your head”. She entered the professional world with an adventurous mind looking for new challenges and travels. Dolores first joined a consulting firm and seized the opportunity to work all over Europe in core banking system integration. Then Dolores joined KBL as a supervisor of KBL & Subsidiaries Internal Audit. She evaluated the risks at subsidiaries located in many places including Spain, Germany, England, and Ireland for eight years. This first position at KBL helped her to gain a deep understanding of all the processes within the company.
“Being an auditor of the group requires strength and direction. You usually end up in a new country where, as an auditor, you are not always well received, and you need to fight your way in”.
After her success in audit, Dolores was promoted to the group’s CISO, and more recently DPO. Dolores’ journey is a good example of how you can flourish in a large international company.
Having climbed to the top of the corporate ladder, Dolores takes a step back and explains what she calls the “rubber band” effect, an effect one can experience in a career. Dolores then gives her advice on how to react to this effect, i.e. how to pull the rubber band, specifically in cyber security.
Rubber band effect
Dolores has a good metaphor for a career, especially for women in cyber security. Rubber bands are stiff at first, just like careers: you need to pull on them to grow and progress. Sometimes the rubber band will snap back into its original position if you pull too hard, and this can hurt. But eventually the rubber will stretch and grow if you keep pulling it continuously.
“I mean several things by this. First, you need to accept failure and never expect to succeed every time. When you fail, it usually means that you need to change. Second, you need to have a lot of resilience. It is easy to say “be resilient”, but this can only be achieved if you believe in yourself and never compare yourself to others. Last but not least, do not be naïve in moments of difficulty. It is only the spring back, and it means you need to keep pulling.”
For Dolores, pulling the rubber band actually starts very early in life. Dolores believes that it is very important, especially for young girls, to have a role model and not to be subject to any limitations. During education, children must receive encouragement, ambition and self-confidence to tackle the world’s challenges head-on. Even if you are the person pulling your own rubber band career, Dolores recognises that other people can add a little strength in pulling. Networking should be seen as part of your job although it can be challenging at the beginning.
“It is something I hadn’t understood early in my career. When networking, I had the impression I was not actually doing my job. I felt guilty. But that’s the wrong vision. Networking is part of your job and usually is a mutually beneficial activity. You learn from others and others learn from you. More than that, working hard 100% of the time is not always the way. Sometimes you need to step back and take time to build your career”.
Dolores’ recipe to pull her rubber band
Consulting gives you an incredible advantage in a CISO level position
“I was always a high-level person seeing the big picture. Consulting and audit jobs made me go deeper into details, which is a necessary skill for your career. It is easier to master a subject you experienced, not just read about. Consultants also gain experience very quickly as they interact with many different clients. Finally, I was exposed to management and executives very early on in my career, which taught me to synthesise”.
With her consulting experience, Dolores was armed with strong skills and deep knowledge to pursue her career at an international private bank.
Break down bias and don’t hesitate to seize opportunities for yourself
Dolores acknowledges that as a woman you sometimes face additional challenges, especially when it comes to breaking down biases. Dolores recalls a particularly intense moment in her life. While she was still on maternity leave for her second child, a position as group auditor opened up in Spain. She deeply believed she was the best fit for the position and she applied by sending an email directly to the bank’s CEO. As one key piece of advice, Dolores states:
“you should not be afraid to put the tennis ball just at the limit of the court: on the white line”.
Having the courage to apply, Dolores got the position of Group Auditor and moved to Spain.
Don’t hesitate to deep dive into a new subject
Dolores entered cyber security later in her career. She is a good example that it is possible to jump onto a moving train like the ever-changing field of cyber security. Dolores had to learn about cyber security through training, certifications and expert advice.
“I ended up in the security field by accident. Entering a new field, one needs to be humble and re-evaluate what one knows and needs to learn about the subject. I had to study very hard and would always suffer from headaches at the end of the day during that period. You need to do something 21 times to change a habit.”
Aided by her scientific background and perseverance, she quickly embraced her new responsibilities.
“When I took the job, the CISO position was perceived as high-risk due to the increasing volume of cyber-attacks and breaches being discovered in the Financial Sector. Despite the warning of my friends and colleagues, I persevered. I’ve always liked to protect others, which is probably linked to a maternal instinct. I am not afraid to make decisions and assume the responsibilities for them, even in a high-risk position. That is probably why I stayed on as a CISO for 6 years.”
Communication skills and support from others are of great value
During her time as CISO, Dolores recalls that it was challenging to convey messages regarding security to top management.
“As a CISO, you need to be able to communicate in a simple and understandable way with all levels from operational to top management. Marketing skills are as important as hard technical skills. Yes, computers are very interesting, but as CISO, you also need to understand people, and especially the people sitting in the chairs of the Board.”
Dolores was recently promoted to the role of DPO where she will work hand-in-hand with the new CISO.
“In my opinion, DPOs and CISOs are strong supports to one another. The CISO focuses on security and the DPO focuses on compliance, but both have the common objective to protect data. With the compliance dimension, DPOs can position CISOs at board level. When two voices are raised together, it makes a bigger impact.”
Becoming a cyber leader, bit by bit
Dr. Maya Bundt, Head of Cyber and Digital Solutions at Swiss Re
To all those who fear their careers have so many twists and turns that they will never get to the top, Dr. Maya Bundt, Head of Cyber and Digital Solutions at Swiss Re, may help you reconsider. As she puts it, “if I look back from where I started, it looks like I picked each and every job at Swiss Re in order to get to where I am now. But while I was on that journey, it didn’t seem that way.” Whether in cyber insurance or cyber in general, Maya’s advice to those who want to step into the field is “accept non-linearity in your career.” What may seem from the outside like a straight dash to the finish line feels, from the inside, more like navigating a giant jungle gym. However, as non-linear as it may be, Maya has seen every role change and every risk as a critical step in the journey that is her career.
“I’m a natural scientist at heart. My passion for the topic and our planet led me to pursue my education in environmental sciences. With my Master’s degree in hand, I decided to continue in this direction and obtained a PhD in soil physics. Like many of my fellow doctors, I was then faced with the question of what to do next: stay in academia or move into industry? Having spent most of my life in school, I decided to make a change and got a job as a strategy consultant. Three years later, I joined Swiss Re as a senior project manager. After fourteen years with Swiss Re, I’m now the Head of Cyber and Digital Solutions.
Looking back, it’s clear that each move I made and job I took was exactly what I needed to get to my current role. But at the time of taking all of these decisions, there was no such thing as cyber insurance. So, at the start of my career, I wasn’t looking for this job because it simply didn’t exist; the entire field didn’t exist! However, with time, it became evident that what Swiss Re and other financial service providers could do in a new digitalised world would also create great vulnerabilities. I thought that was fascinating!
Now, I absolutely see myself staying here. Cyber insurance is the most exciting field you can imagine. There is so much to do and there are so many facets, which means that there’s room for people from all kinds of backgrounds.”
Maya breaks her journey down into three phases – getting started, broadening her skillset and leading her own team – and highlights the lessons she has learned along the way.
The early years
Reflecting on her experience in more junior roles, Maya remembers learning how to convince and negotiate:
“You often don’t have the formal authority to get things done”. She argues that a key skill for those starting their careers is to work with others to achieve one’s own goals and ensure those who help also benefit and get recognised. Maya highlights that, along with technical, theoretical and practical knowledge, one must never underestimate the importance of personal networks, soft skills and collaboration: “It doesn’t matter who you are or how good you are. Nobody can achieve great things by themselves.”
Stepping up your game
Maya strongly believes that everyone has room for improvement. She quotes the popular saying:
“If you’re the smartest person in the room… then you’re in the wrong room.”
Although it may be more comfortable to be the big fish in a small pond, true personal development requires constantly seeking to gain new skills. She emphasises that even those that have mastered one particular area of expertise can and must learn from their colleagues and branch out. This is especially true in cross-functional disciplines such as cyber insurance, where each member of a team should bring a certain expertise, be it underwriting, technical cyber security or law, and make the effort to become proficient in other relevant areas. Not only does this contribute to great team dynamics; it inevitably results in better solutions.
Taking on the responsibility of leadership
In her current role, Maya is not responsible for protecting Swiss Re’s infrastructure, systems or data. Instead, she is in the business of building cyber insurance solutions and developing the market. For these tasks, she needs a team with many different skills and argues that she would be very hard pressed to find all of them in the same person. However, having fostered a multi-disciplinary team means that Maya is regularly presented with questions or solutions that challenge her views. She sees this as a gift, and when asked what advice she would give other leaders in cyber security, she replies “listen to what you don’t want to hear.” She believes that leaders should not only be open-minded; they must also proactively encourage and reward those that constructively disagree with them.
In summarising how she became the Head of Cyber Solutions at Swiss Re, Maya reflects:
“How I got here? Some luck, good choices and a lot of really hard work.”
Maya has taken each phase of her career, each obstacle in the jungle gym, as a stepping-stone to her next role. As the challenges in cyber are in constant flux with ever-evolving threats, the field needs the agility of people who are driven by change.
Taking on cyber security’s unknown unknowns
Karin D’Amico, former Corporate Information Security Officer at Givaudan
The former US Secretary of Defence, Donald Rumsfeld, famously said: “there are unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.” In cyber security, there seem to be more unknown unknowns than in any other field. And although this may seem like common knowledge today, 20 years ago – when there was no such thing as security departments or even cyber security degrees – this statement may not have been so widely accepted. Karin, former Corporate Information Security Officer at Givaudan, was one of those who was able to appreciate this aspect of cyber security early on and successfully built her career with it in mind.
“It all started when I was working as an executive administrative assistant and my boss saw that I was hungry for new challenges. He also saw that I had a particular interest in IT, so he started to give me more tasks in that area and encouraged me to move into a position as IT Support Manager. A few years later, I obtained a diploma in IT project management while working as a consultant for Givaudan.
At the beginning of my career in IT as a network and server engineer, security was not at the top of any company’s priority list; the security topic at that time was the chase of some of the first viruses. Over time, security projects started to come in, little by little, with broader scope and higher ambition. Given my experience in project management and IT infrastructure, I was given the responsibility of managing Givaudan’s first global security project, which was to set up a corporate antivirus system. It’s amazing to think that, back then, not having such an antivirus was the norm! After that project and as Givaudan’s needs for security experts grew exponentially, so did my interest and competencies in the field.
When I was on maternity leave after the birth of my second child, I received a call from my boss, Givaudan’s then CISO. He had received a great opportunity to work on a big integration project and asked me if I would be willing to take over from him, which, of course, I was. As I started in this new role, I decided to pursue information systems security studies to enrich the expertise I had acquired in the field by working on security initiatives.”
Having been actively involved in Givaudan’s security team from its very early days, Karin was one of those who appreciated the prevalence of unknown unknowns early on, and she developed a highly effective coping strategy built on three pillars: continuous improvement, knowledge of the business and a strong focus on stakeholders.
Progress one step at a time
Cyber security is an arms race; in this field, keeping up with the pace of changes requires continuous improvement:
“You need to take the time to identify what is most important to your organisation and improve its maturity one step at a time.”
This is how, over 10 years, Karin turned Givaudan into a firm with a comprehensive and coherent cyber security programme.
Know the business inside out
Being able to secure a business requires a deep knowledge of that business.
“You need to get to know the company, from different angles and perspectives”.
Knowing the business also means understanding its people and their ways of working. Karin fondly recalls learning to adapt her Swiss mentality – where being on time means being five minutes early – to a more international approach. For Karin, it is also crucial to take into consideration the organisation’s maturity level and risk appetite when implementing new processes and tools. She argues:
“The latest technology is not necessarily the best; I always put these considerations in the context of the company, the industry and the people before making an important decision”.
Invest time in getting key stakeholders on board
“Security is a collaborative effort; it’s not only the IT or security team’s problem. It’s important for everyone to understand that”.
In any organisation, it’s not surprising that employees don’t want their daily tasks and creative processes to be disrupted by having to put their passwords in three times. So it’s important to appreciate that and find the right solution to keep the firm safe while maintaining a good employee experience.
What we can learn from Karin is that CISOs have an enterprise-wide responsibility. They are responsible for building up their organisation’s lifeline: the tools and processes that will keep them safe in the long run. Ultimately, cyber security leaders cannot predict the future, but Karin is the perfect illustration that preparation is the next best thing:
“Nobody is born an expert; but those who put in the effort will be rewarded.”
Gender equality commitment
“Gender equality is important for businesses to attract and retain the best talent. The Executive team and I have committed to increase our senior female leadership to 30% by 2020. In addition to this commitment to increase senior female leadership, Deloitte Switzerland is committed to increase the number of women in technology roles in our organisation by 5% within the next year.
To support this at Deloitte, we launched our ‘Women in Cyber’ initiative. We aim to narrow the gender gap by spreading awareness of the various opportunities that are available to women in cyber, by addressing gender biases in the field, and by initiating a dialogue that helps women navigate the profession and its opportunities.”
Simon Owen - former CEO Deloitte Switzerland and current North South Europe Cyber Lead Partner
The Women Tech Boot Camp is one of our tailored learning and development programmes at Deloitte Switzerland. Hear from participants how they seize the opportunity to upskill for a job in the tech field.
Building a secure digital world is a legacy we owe future generations
Prof. Dr. Solange Ghernaouti, Director of the Swiss Cybersecurity Advisory & Research Group and Professor of Cyber Security at the University of Lausanne
The image of cyber security relying on lone hoody-wearing teenagers hacking in the dark needs to change. In reality, to improve cyber security, engineers, lawyers, economists, criminologists and policy makers need to collaborate to address cyber threats with comprehensive strategies. Prof. Dr. Solange Ghernaouti, Director of the Swiss Cybersecurity Advisory & Research Group, President and Founder of the SGH Foundation - Social Good for Humanity and Professor of Cyber Security at the University of Lausanne, has found success in building her career on such an interdisciplinary approach.
“During my PhD and the first years of my professional career, I gained experience in most areas of computer science, such as databases, operating systems, programming, electronics and telecommunication networks. I discovered a particular interest in networks and technical network security and quickly realised that technical security would never be enough; vulnerabilities will always remain. This led me to study network management, a field that I found particularly fascinating and still do. That realisation brought me to focus on cyber risk management and I joined the University of Lausanne’s business school as professor.
As a consequence of wanting to better understand cyber criminals’ motivations, I started exploring the field of criminology. Then, understanding that politics and the economy are what make the world go round, I started becoming active in those aspects as well.
Throughout my studies and career, the trust I received meant a lot to me. For example, before starting my PhD, my advisor told me that if I wanted to graduate with him, he expected me to teach him something. The fact that this expert believed that he could learn from me powered my will to do good research and not disappoint him. I had a similar experience when writing my first book. I had never done anything like that before and didn’t know where to begin. Having the editor’s trust and support went a long way in helping me achieve that milestone in my career.”
As our society becomes increasingly digitised and connected, more security requirements and challenges naturally arise. Solange, who has been involved in the development of cyber security technology, standards and policies from their early years, believes there is still a lot of work remaining to improve the current state of cyber security and to create a safer world for future generations. Solange explains: “If we want to serve the common good, think about our youth’s future and the legacy we will leave behind, we should care much more about cyber security, including data protection, mass surveillance and the means we will use to address these issues”.
When asked why we are struggling to keep safe in the digital realm, Solange points out: “The biggest mistake we are making is thinking that technology alone can solve a human problem with socio-economic and political entanglement. Technology can help to solve certain issues, but it can also create others.” According to her, there are three critical obstacles in the way of robust and effective cyber security:
- A lack of cyber security awareness within the general population;
- Insular cybersecurity measures that fail to comprehensively address complex cyber risks; and
- Insufficient collaboration on national and international scales due to the fear of reputational damage in case of a security incident.
Let’s take a closer look at each one of these obstacles.
Lack of cyber security awareness
“How many campaigns or public service announcements related to cyber security risks have you seen in Switzerland recently? None? Exactly.”
Solange currently sees a paucity of resources and funds dedicated to cyber security on a federal or cantonal level in Switzerland. Solange believes that our authorities and the private sector need to invest in educating all of their citizens in cyber security risks.
Solange sees a power imbalance between those that control and those that use technology and strongly disagrees with claims that our children will all naturally be digitally fluent and security aware. She believes that we must adapt our education systems to the increasingly digitised world around us if we want to develop proper digital skills: “Having children use tablets in schools is not enough! Students need to be taught how to program; not only to create new applications, but also to de-code what is happening within the devices we use every day.” She believes that awareness is the first step in understanding the long-term consequences of our world’s digital transformation.
Solange may be onto something, and not just for youngsters. How many of us can say we understand how our everyday tools work, be they SAP, Facebook or even email services? Today, most of us use these as black boxes, not knowing how they function and make use of our data.
Insular cyber security measures
“There is a certain over-confidence of technical people with regard to others with non-technical backgrounds; similar to lawyers and non-lawyers, doctors and patients.”
This can make collaboration tricky amongst experts in engineering, law, politics, social sciences, industry and research.
Instead of seeing cyber security as an issue that only engineers can solve, Solange argues that we need to recognise and value a wider variety of professional experience as well as education. For example, professionals should have the opportunity to complement their existing work experiences with courses to obtain specialised technical, managerial or legal skills.
Solange cites understanding the need for surveillance and intelligence, as well as the fight against cybercrime, as challenges where a variety of different skills are essential. Solange is very clear about this: “It’s not reasonable to assume one single profile can cover all facets of these complex issues, and diverse expertise and experience adds significant value in cyber security.” This is why she believes that an integrated approach to cyber security is vital for our society and that efforts should stretch beyond traditional boundaries, whether they be geographic, political, military-civilian, left-right, black-white-purple. According to Solange, there is an urgent need to overcome conventional political divergences if we want to master cyber risks.
Insufficient collaboration
No company wants to grace the pages of newspapers because they fell victim to a cyber attack or because they produced or used vulnerable technologies or services. However, the reality is that major breaches occur regularly and there are many lessons to be learned from vulnerability disclosures:
“We should not let the fear of reputational damage stop us from sharing these lessons learned and hinder our progress towards true cyber security, but instead should understand the benefits in sharing knowledge, expertise and experience.”
To overcome this obstacle, there needs to be more encouragement from the top, be it from regulators or the government. In addition, processes and tools such as anonymised reporting and privacy-preserving data sharing must be developed to enable and encourage companies and people to share valuable information while protecting data subjects’ privacy.
Reflecting on Solange’s career path and her views, it is clear that greater collaboration from all relevant areas of expertise is in everyone’s best interest. We all have a stake in cyber security; it’s an issue that we as a society and individuals cannot ignore. We all need to work towards security in cyberspace and the physical world. Although the path to true cyber security may be long and at times tedious, Solange keeps a pragmatic and positive attitude: “We might as well enjoy the ride!”
Women in Cyber
Women are still underrepresented in the global cyber security workforce. What can organisations do to bridge this gap?
Cyber security has become one of the hottest and fastest-growing fields in technology across the globe today. Despite the continuous growth in cyber security spending and opportunities, women’s representation in the cyber workforce remains low - even more so than in IT. This is against a backdrop of a growing skills shortage in cyber; by 2022 there could be a global deficit of 1.8 million cyber security professionals.
How can organisations begin to bridge this gap? One way is to encourage more women into cyber security; another is to offer them equal opportunity to rise to senior leadership roles. At Deloitte Switzerland, we are committed to addressing this gender imbalance with our EMEA Women in Cyber initiative. As a global Women in Cyber team, we are collaborating to develop and execute various joint activities that promote diversity in the cyber security industry. Watch the space below for regular updates on all activities.
Stories & insights
Our Women in Cyber vision
At Deloitte Switzerland, we share a common vision with the EMEA Women in Cyber team and work hand-in-hand to promote gender parity in cyber security across all levels from analyst to Vice President. To initiate the dialogue we developed the Women in Cyber Leadership Interview Series.
We interviewed female security leaders across industries and academia to create awareness and foster a community that inspires female talent to consider a career in cyber.
They spoke with us about their journeys to cyber security, lessons learned and perspectives on their current roles. Whether it is overcoming challenges, advice on how to build a career in cyber or skills needed to succeed, these inspiring stories provide in-depth, diverse and bold insights that will help drive the dialogue in Switzerland and across regions.
Read their portraits in the stories & insights section above.
Dr Klaus Julisch is the Cyber Lead Partner at Deloitte in Switzerland. Contact Klaus if you would like to know how your organisation can benefit from participating in Deloitte’s Women in Cyber initiative.
Kristina is a Senior Marketing Assistant who is driving the Women in Cyber initiative for Deloitte Switzerland. If you are interested in sharing your Cyber story or have any questions, please contact Kristina.