Taking on cyber security’s unknown unknowns
Karin D’Amico, former Corporate Information Security Officer at Givaudan
The former US Secretary of Defence, Donald Rumsfeld, famously said: “there are unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones.” In cyber security, there seem to be more unknown unknowns than in any other field. And although this may seem like common knowledge today, 20 years ago – when there was no such thing as security departments or even cyber security degrees – this statement may not have been so widely accepted. Karin, former Corporate Information Security Officer at Givaudan, was one of those who were able to appreciate this aspect of cyber security early on and successfully built her career with it in mind.
It all started when I was working as an executive administrative assistant and my boss saw that I was hungry for new challenges. He also saw that I had a particular interest in IT, so he started to give me more tasks in that area and encouraged me to move into a position as IT Support Manager. A few years later, I obtained a diploma in IT project management while working as a consultant for Givaudan.
At the beginning of my career in IT as a network and server engineer, security was not at the top of any company’s priority list; the security topic at that time was the chase of some of the first viruses. Over time, security projects started to come in, little by little, with broader scope and higher ambition. Given my experience in project management and IT infrastructure, I was given the responsibility of managing Givaudan’s first global security project, which was to set up a corporate antivirus system. It’s amazing to think that, back then, not having such an antivirus was the norm! After that project and as Givaudan’s needs for security experts grew exponentially, so did my interest and competencies in the field.
When I was on maternity leave after the birth of my second child, I received a call from my boss, Givaudan’s then CISO. He had received a great opportunity to work on a big integration project and asked me if I would be willing to take over from him, which, of course, I was. As I started in this new role, I decided to pursue information systems security studies to enrich the expertise I had acquired in the field by working on security initiatives.
Having been actively involved in Givaudan’s security team from its very early days, Karin was one of those who were able to appreciate this fact early on, and she developed a highly effective coping strategy built on three pillars: continuous improvement, knowledge of the business and a strong focus on stakeholders.
Progress one step at a time
Cyber security is an arms race; in this field, keeping up with the pace of changes requires continuous improvement:
You need to take the time to identify what is most important to your organisation and improve its maturity one step at a time.
This is how, over 10 years, Karin raised Givaudan to a firm with a comprehensive and coherent cyber security programme.
Know the business inside out
Being able to secure a business requires a deep knowledge of that business.
You need to get to know the company, from different angles and perspectives.
Knowing the business also means understanding its people and their ways of working. Karin fondly recalls learning to adapt her Swiss mentality – where being on time means being five minutes early – to a more international approach. For Karin, it is also crucial to take into consideration the organisation’s maturity level and risk appetite when implementing new processes and tools. She argues:
The latest technology is not necessarily the best; I always put these considerations in the context of the company, the industry and the people before making an important decision.
Invest time in getting key stakeholders on board
Security is a collaborative effort; it’s not only the IT or security team’s problem. It’s important for everyone to understand that.
In any organisation, it’s not surprising that employees don’t want their daily tasks and creative processes to be disrupted by having to put their passwords in three times. So it’s important to appreciate that and find the right solution to keep the firm safe while maintaining a good employee experience.
What we can learn from Karin is that CISOs have an enterprise-wide responsibility. They are responsible for building up their organisation’s lifeline: the tools and processes that will keep them safe in the long run. Ultimately, cyber security leaders cannot predict the future, but Karin is the perfect illustration that preparation is the next best thing:
Nobody is born an expert; but those who put in the effort will be rewarded.