Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Swati Lay From Funding Circle
by Tessian Thursday, February 6th, 2020
Swati Lay, who has more than 20 years’ experience in software development and information security, is the Chief Technology Officer (CTO) at Funding Circle, a peer-to-peer lending marketplace that allows the public to lend money directly to small and medium-sized businesses. Her interest in cybersecurity was piqued at 16 years old by a course on Number Theory and Cryptography and, having earned her Bachelor’s Degree in Electrical Engineering and Operations Management from Princeton University, Swati started her career at Merrill Lynch in New York as a software developer. Since then, she’s held leadership positions both at scale in larger enterprises and in higher growth environments, including retail banking at Barclays Bank and gaming, where she was the Director of Information Security at Betfair, then a FTSE 250 gaming operator.
Q. Describe your role as a CTO in 300 characters or less.
I’m responsible for all of Funding Circle’s technology capabilities globally.
Q. You’ve been a part of the larger cybersecurity industry for over 20 years. How did you get involved initially?
My first real introduction to cybersecurity was a Number Theory and Cryptography course I took when I was 16 years old. While I was so fascinated by the subject, I remember thinking that I wasn’t the strongest from a math perspective and that, because of that, I just wouldn’t be able to get a job in this industry.
Fast forward several years later, I’ve graduated from Princeton University, am working at AT&T as a Systems Engineer, and I started to realize that there are actual applications of cryptography in the business world. Importantly for me, its application in the business world is more focussed on implementation rather than the math behind it, so I was able to really get my head around it.
A colleague of mine at AT&T moved to Merrill Lynch to an Information Security team and asked me if I’d be interested in coming along. The rest is history! For me, it really was fulfilling a childhood dream.
Q. Why did you initially write off the industry as an option for you?
It just seemed so far out of reach. I didn’t understand what skills were required, in part because cybersecurity really wasn’t its own, standalone industry yet.
What’s even more sad, though, is that’s still the case for many people today. Despite the industry being more defined than it ever has been, there’s still a lot that needs to be demystified to really get people interested and involved.
Q. If you were discouraged based on preconceived notions about the industry, what skills and interests can you point to that are actually necessary to thrive in a cybersecurity role?
I think people view cybersecurity as a black art. But, it’s really not that obscure!
There’s an incredible range of opportunities available, and not all of them require technical skills. Yes, when you consider more general engineering, technical skills are paramount. But when you think about management roles, you need communication, collaboration, vision, etc.
Then, you look at cybersecurity more broadly. What you really need is the ability to communicate risk in a way that enables decision-makers to do their job.
People don’t always understand the work you’re doing or why it’s important, and that can make you second-guess yourself. That’s why we need people who are willing to do some really deep problem solving, people who are willing to dive into deep issues and not be afraid to have a contrary point of view.
You have to be smart. You have to be disruptive. That’s why it’s so important that we diversify the population of people working in cybersecurity. We need to round out our teams and encourage more than just technical skills. If we don’t, the implications will be quite severe, especially because we’re not just protecting financial institutions and governments anymore. Companies across industries – small, medium, and large – have seen the value in building out cybersecurity functions.
Q. Does your senior role enable you to empower more people to explore the opportunities available in cybersecurity?
I think every person in senior leadership in cybersecurity wants to empower more people to explore these opportunities that are available. A big piece of that is role models. You have to see it to be it!
I remember when I was 12 years old, someone mentioned an Ivy League school to me and I thought “I’ll never be able to do that!” It wasn’t until I saw people who had the same background and upbringing as me going to these schools that I finally thought I could do it, too.
That’s why now – especially because I’ve been so fortunate throughout my career and have had so many incredible opportunities – I want to show the next generation that they can have those same experiences.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, KPMG, Nielsen and more. #TheFutureIsCyber
Opportunity in Cybersecurity: Q&A With Amy Johnson From Herbert Smith Freehills
by Tessian Tuesday, February 4th, 2020
Amy Johnson is the Information Security Manager at Herbert Smith Freehills, an international law firm with headquarters in both London and Australia. She’s worked in cybersecurity for over six years and started her career as a Lead Investigator at Freshfields Bruckhaus Deringer. Before entering the cybersecurity industry, she worked in Human Resources. While she doesn’t have a formal education that’s focused on cybersecurity, she’s earned five certifications to date, including her Certification in Information Security Management Principles (CISMP), Certified Information Security Manager (CISM), Certified Data Protection Officer (CDPO), ISO 27001 Implementer, and Certified Information Systems Auditor (CISA). Next, she’ll aim to earn her Certified Information Systems Security Professional (CISSP) qualification.
Q. Describe your role as a Security Manager in 300 characters or less.
I monitor system user behavior and I review client security requirements and questionnaires. I’m very much forward-facing and part of my job is to guide the firm and our people on how to work with information and technology in a safe and secure way.
Q. How did you get started in this industry?
I don’t have a background in cybersecurity. I actually studied HR and worked in that industry for years. About two years into working at Freshfields Bruckhaus Deringer, Mark Walmsley, who was the CISO at the time and still is, started creating a new group called the Information Security Group (ISG).
At that point, I was ready for a career change. I wanted to do something that wasn’t just exciting every day, but different every day. The idea of protecting people, investigating threats, and creating training materials about the evolving risks in information and cybersecurity really, really interested me.
I decided to go for it and got the job! I was the Lead Investigator there for about five years. Since then, I’ve earned different certifications and have really catapulted myself into a more senior position that I’m in now at Herbert Smith Freehills.
Q. Did your previous experience help prepare you for your first role in cybersecurity?
Monitoring/investigating systems can be a sensitive subject which means you have to be hyper-aware of data privacy laws, etc. That’s something I was able to bring to the table because of my previous experience.
But, to really be successful in a cybersecurity role, you have to be familiar with not just the current threats, but the new and evolving technologies. You have to stay on top of that. I didn’t get that exposure until I started. I also didn’t have any technical skills when I started. I learned on the job, which – to me – is far better than going to study.
Cybersecurity is really about putting what you know into practice.
Q. Do you have any thoughts on why women only make up a quarter of the cybersecurity workforce?
A lot of women in tech might not see cybersecurity as a suitable career path because it is considered quite a masculine profession. That’s probably ingrained at a very young age. It’s important to not be discouraged by that, though. Bear in mind, I came from an HR background; that’s a field where you’ll often work in a team that’s all women. Moving into this industry, I’ve often been the only woman within the teams I’m working in. But, that doesn’t mean I don’t feel like I belong. I don’t find men that intimidating!
Women can be just as successful in this industry and opportunity, recognition, and progression are absolutely available to those who work hard.
Q. In terms of progression, do you feel like a career path to a more senior position is clear?
To be very honest, I’m already very proud of how far I’ve come in the last 10 years. When I first moved to London, I was making significantly less than I’m making now. I’ve consistently worked my way up the ladder since then. I’d still really like to learn and grow more within this industry and I certainly have dreams of being a CISO or a head of a department eventually. But, the opportunity for growth can really depend on how big your department is. Cybersecurity is still growing, and not all organizations have large teams which means you may not necessarily see what your next step will look like or what skills you need to develop to take that next step. It can be hard. But, the skills you get at any one organization are really transferable.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Opportunity in Cybersecurity: Q&A With Kim Smathers from Snapdocs
by Tessian Saturday, February 1st, 2020
Kim Smathers, who has worked in this field since the mid-90s, is the Head of Information Security and Compliance at Snapdocs. Her resume is extensive and includes big names like Symantec, Walmart, and Jobvite among many others, as well as several years’ experience teaching Microsoft and Citrix certification courses and Engineering at the Computer Learning Institute. She’s just as passionate about building agile teams as she is about risk assessment and resolution and considers communication the most important aspect of being a leader.
Q. Describe your role as a CISO in 300 characters or less.
My job is all about giving people an understanding of risk and figuring out how to translate, address and resolve that risk.
Q. How did you end up in a cybersecurity leadership position?
The surprising thing about me – especially given where I am now in executive management – is that I don’t have a significant formal education. While I completed a bit of college, I didn’t earn my degree. But, a few years before Microsoft took off, before laptops were even a thing, I went to The Computer Processing Institute in Connecticut. This was back when computers took up an entire room!
That’s where I got my start and, for some reason, not only was I really interested in it, but it was really easy for me. I had a natural aptitude first towards coding, then networking, then technology, and I just kept going. Every time things changed, I changed. And, you have to remember, when I first started out, security wasn’t really a “thing”. It’s evolved and grown so much since then. Now, there’s so many different facets to it, so much depth.
Q. What changes have you seen in yourself since then?
For quite a long time, I was the only woman in the room and I would often be leading teams that were exclusively male. It was very, very hard to find any women working in information security or cybersecurity and it was even harder to find these women in leadership positions.
Initially, working in a male-dominated environment led me to think that I needed to adopt more masculine attitudes. I think a lot of women who have worked in the industry as long as I have would tell you a very similar tale. Doing this – trying to act like someone else or act how you think people want you to act – is problematic for so many reasons.
Once I started taking the time to talk to other women, I changed my approach. You’re going to get push-back from people no matter what; this taught me to rely on data instead of adopting attitudes that weren’t mine.
That enables a lot more diplomacy and – more importantly – authenticity. That’s what’s really allowed me to thrive and do my best work.
Q. Are you starting to see more women in leadership positions like you?
There’s still only a tiny percent of women in senior leadership positions in this industry but I do see a shift, yes. Only in certain places, though. In certain companies – specifically really established companies – you still have boardrooms that are filled predominantly with white males. You can’t underestimate the impact that has on a larger organization. It all trickles down. If you’re a woman in that environment with aspirations to be in senior leadership and you’re only seeing one kind of person in those positions, the career path there can seem very unclear.
But, when you work in an organization like I do now, there’s an incredible amount to compare and contrast. There are women, there are people of color. It’s a totally different environment.
Q. What advice would you give women who want to achieve the same sort of success you have?
Be authentic to who you are and what you’re thinking and let go of the fear of saying “I don’t know” or “Explain it to me” or “Can I have more information, I’m not sure I understand”. Asking these questions doesn’t mean that you’re ill-informed or don’t know enough. Letting go of that fear will give you a lot more control over what goes on around you. When I build out my teams, I avoid people who are absolutely convinced that they already know everything there is to know about a topic. That almost eliminates the possibility of having a conversation and, in cybersecurity, collaboration and openness are absolutely vital. We’re influencers. My job is to bring diverse groups of people together, make them feel comfortable, and let them really exercise their creativity in order to actually influence other teams and solve problems.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Opportunity in Cybersecurity: Q&A With Sara Zahid From Jefferies
by Tessian Friday, January 31st, 2020
Sara Zahid is the Assistant Vice President at Jefferies, a global investment banking firm headquartered in New York City. After earning her Bachelor’s Degree in Business Administration with a focus on Finance from the University of Toronto, she started an internship at Scotiabank. Over the course of 5 years, she was promoted several times to eventually become a Lead Business Analyst. After that, she transitioned to a more IT-focused role and gained product management experience at Clarus Commerce. In her current role at Jefferies, she’s combined her business acumen with IT project management to safeguard the company’s Information Security.
Q. Describe your role as an Assistant Vice President in 300 characters or less.
I am responsible for requirements gathering, simplifying requirements, testing, organizing sprints, managing the sprint cycles, delivering requirements, communicating with stakeholders and management, and other business analysis and project management activities across Jefferies’ Global Information and Technology umbrella. As a manager, one of my key responsibilities is to make sure the team stays organized.
Q. Have you always been interested in cybersecurity?
When I was younger, I always got feedback that I was creative, so I initially pursued marketing. But, as soon as I started as an undergrad, I realized that I was missing an important piece, which was practical, hands-on work. I actually got an offer for a marketing job straight after college and didn’t take it because it just didn’t seem interesting enough. It didn’t seem like a challenge. That’s what drove me to consider finance, then IT, and now cybersecurity.
I love to critical-think, I love to strategize, I’m great at problem-solving. It’s been a great fit.
Q. What did your path into this industry look like, then?
A recruiter actually reached out to me based on my experience in product management and business analysis. At that point, I had zero exposure to cybersecurity. I didn’t know what it looked like. But, during the interview, I was told that if you have a background in IT, you’ll be able to pick up cybersecurity. It’s not rocket science.
That was hugely comforting to me and enabled me to look at the job description with a much more open mind.
They were looking for an experienced project manager who was willing to learn. I ticked both those boxes. The journey from that day until today has been exactly that: all about learning.
Q. Was it challenging to transition from business analysis to a highly technical role?
I’d say my knowledge base is currently 50% technical and 50% business analysis. But that’s part of the appeal for me. It’s something I have to work at, especially because IT and cybersecurity change so drastically, so quickly.
That means that I have to learn something new every single day and I’m not afraid to admit that. I don’t think that’s a weakness, I think that’s a strength. I know 50% more about cybersecurity than I did a year ago and that number is only going to continue to grow.
And I’m not afraid to ask questions! I’m not afraid to say that I don’t know.
Asking is the only way that you get an opportunity to get involved and expand on what you already know.
Q. Has your work in cybersecurity so far been what you expected it to be?
I didn’t fully grasp how many problems the industry solves until I got into cybersecurity myself. Even with a background in IT and business, I didn’t know. You think about logging into your computer every morning at work. We all do that. I never even considered how a functionality like that is safeguarded until I started in cyber. Most people don’t spend time thinking about how many characters their password has or whether or not two-factor authentication is enabled; the work behind the scenes is normally done for us. I’m now the one behind the scenes doing that work. And it’s incredibly important work! Not just for the individual, not just for the company, but for any and all external parties involved in that company as well.
Q. Did you face any challenges related to the disproportionately low percentage of women in the industry?
It’s very clear that there are fewer women in this field than there are men, but I don’t feel – or haven’t been made to feel – like I’m less than because of that. If anything, I’ve gotten more respect from male colleagues because of it. It’s actually in many ways empowered me and boosted my confidence. Not only have I taught myself about the industry and progressed by doing so, I’ve progressed in an industry where not many women currently exist. That’s something to be proud of, not burdened by. I also have to give credit to my colleagues and managers and people in leadership; the culture at Jefferies enables me to do my best work. The problem isn’t solved just by acknowledging that there’s a problem. It’ll take time. But, this is such an important industry and we’re solving real problems with a real impact. It’ll continue to evolve, expand, and attract more people.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Opportunity in Cybersecurity: Q&A With Tess Frieswick From Kivu
by Tessian Tuesday, January 28th, 2020
Tess Frieswick recently started a new job as a Client Success Manager at Kivu Consulting after spending a year working at Uber as a security consultant. She started as a Security Analyst straight out of college and was promoted to a more senior position after just six months.  In addition to earning her Bachelor’s Degree in World Politics with a minor in Islamic World Studies at The Catholic University of America, she’s gained political experience through internships at the International Model United Nations Association (IMUNA), the National Consortium for the Study of Terrorism and Responses to Terrorism (START), and the American Enterprise Institute.
Q. How did you end up in cybersecurity after studying World Politics and Islamic World Studies?
I was fortunately hired to work for IMUNA during my first semester of college after getting involved in the organization in high school. I really lucked out and was assigned to work on the Counter-Terrorism Executive Directorate which, at the time, was focused on the terrorist group Boko Haram in Nigeria. I loved learning about African politics and counter-terrorism efforts in the region which sparked my interest in international security.
By the time I was ready to graduate, I was more certain that was the direction I wanted to take, I just wasn’t sure in what particular specialty. I had a few years of experience in counter-terrorism, but no real experience in cybersecurity.
Q. What was it like, then, starting as a Security Analyst at Uber so soon after graduating?
When I first started, I was a bit intimidated. I was the youngest on my team, didn’t have my Master’s, and was one of the only women on my team. I felt like I had a lot to prove, but that inspired me to work really hard. I had a manager and a boss who both recognized and valued my skills and trusted me with big projects that had a global impact.
My team actually worked on 565 different tasks from executive protection to assessing phishing emails. That experience really reinforced that cybersecurity was the path I wanted to pursue.
Q. What interested you the most about cybersecurity?
The 2016 presidential election piqued my interest. I remember learning about Russian interference, bots, and the manipulation of social media after Trump was elected and recognizing that cybersecurity is bigger than people realize. It provides a new landscape for modern warfare and these things are changing the dynamics of politics. Even something like the recent assassination of Qassim Soleimani; that presents a potential cyber warfare risk. After the assassination, I was doing assessments and considering what retaliatory actions Iran may take. Could it result in cyber warfare? Would they target critical United States infrastructure?
Developing technology is driving all of this; it’s changing everything. Politics is constantly evolving, especially with the development of cybersecurity and cyber warfare. It’s fascinating!
Q. Did you have any specific technical skills that made you especially marketable for jobs in the field?
I haven’t taken any cybersecurity-specific classes. Everything I know about cybersecurity I either taught myself by reading or learned on the job. After leaving Uber, I was really upfront during interviews that I didn’t have technical skills. But, that was balanced by the fact that I can learn really quickly. That’s what I focused on. I think my writing background was also something that made me stand out. I have experience writing intelligence products in a strong, thoughtful way. At Uber, I wrote over 70 documents for a project, including style guides for products, global standard operating procedures, and security policies. Talented writers might be surprised that they have a place in cybersecurity but they’re needed to create really polished products that impress clients.
Q. You had an internship at an all-female media company while you were in college. Was that a formative experience in your professional development?
In every single internship I’ve had, I’ve had a woman that I looked up to for advice and counsel. I’m also just a huge feminist. I’m obsessed with Ruth Bader Ginsburg – she’s my hero, and I love Madeleine Albright. From athletes to politicians, I’m constantly seeking out stories of successful women, and women fighting for equality and change, to motivate me. I still think of some of these mentors years after working with them and I hope I am making them proud. Now, as the only female leader in my new role, I have a responsibility to step up and empower other females, too. This is especially important for women who are shy or aren’t as quick to speak up. Those people – even if they’re smart and capable – can be overlooked. Backing up their ideas, supporting them, making sure they feel empowered…it all makes a big difference.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Funding Circle, IBM and more. #TheFutureIsCyber
Opportunity in Cybersecurity: Q&A With Carolann Shields From KPMG
by Tessian Saturday, January 25th, 2020
Carolann Shields was recruited for a Chief Information Security Officer role at KPMG LLP almost 7 years ago after rising through the ranks at McKinsey & Company. She started in system reconciliation and deployment, went on to manage development for all of their enterprise systems, and then became the IT Security Program Manager (de facto deputy CISO). Throughout her career and to date, she’s driven more than fifteen company-wide cybersecurity initiatives and has done so by developing collaborative, positive security cultures and multi-faceted teams. While Carolann had an interest in math and aced computer classes from a young age, she actually studied and earned a degree in Business Studies in Ireland before starting down the path to cybersecurity. Having a background in business has shaped her style and approach to security, driving a focus on efforts that reduce an organization’s overall cyber risk.
Q. Describe your role as a CISO in 300 characters or less.
I lead a team with complementary talents and skills to work together effectively and bring transparency to an organization’s cyber risk in order to identify and design solutions and processes to mitigate those risks. I also educate and influence behavior to ensure compliance and protection while making security a commercial benefit, not just a cost.
Q. What would encourage more women to pursue roles in cybersecurity?
Need is the mother of invention. Highlighting the number of open positions and highlighting the fact that there are women with these skills in and outside of the industry is the first step. The fact is, you’re cutting out 50% of the population when you don’t create an environment for women where they feel they can excel and actually progress in their careers. Even if you hire a lot of women – which we’re seeing now – they don’t move through the ranks as easily because they don’t have enough role models or advocates. That’s why it’s so important that the women that do become successful reach back to support the women who are coming behind them. Encouragement is incredibly meaningful, and it doesn’t take much for leaders to give it.
Q. With that in mind, can organizations really ever guarantee diversity within teams?
When you decide you’re only going to hire the most qualified or the one with the most potential, you naturally have diversity. On the other hand, if you start saying I’m only going to hire women, or men, or this ethnic group or that religious group, the goal of recruitment breaks down. Decision-makers should only be interested in your brain and emotional intelligence. Who is the most qualified with the most potential? That’s who you should want for that role.
Q. Have you had role models or advocates throughout your life who enabled you to achieve the success you have?
The CISO at McKinsey at the time I started working there was a woman, Denise Hart, who has since retired, so it never even occurred to me that it wasn’t possible to achieve what she had or that it was in any way unusual that she had because she was a woman. On top of that, I had a father whose beliefs were sort of the reverse of what we typically think of. He believed that men should be out physically working and that women were much better as lawyers and accountants and doctors. For me, there were no limits as a child growing up about what I could be from a career perspective.
Q. What are some of the skills, interests, or personal attributes that lend themselves to a career in cybersecurity?
People who care about consequences and the bigger picture and who understand the larger impact of their role in an organization are the ones who will be successful and really excel in this industry. It shouldn’t be about just a paycheck; you need to care about what you do. Why? The vast majority of organizations get hacked because of mistakes; someone clicks on a link, firewalls are misconfigured, access is overly permissive etc. The way to really prevent that is to have people care about their work so that they pay attention to the details, identify mistakes early and correct them before there is any harm done.
Q. Are there any misconceptions about cybersecurity that you want to set straight?
Security teams believe in the mutual benefit of being safe, which makes it collaborative by nature. While – yes – some of the most talented security engineers are at their desk working alone, a lot of it is about relationship building and collaboration and working with teams to develop and manage secure solutions.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Nielsen, Funding Circle and more. #TheFutureIsCyber
Opportunity in Cybersecurity: Q&A With Gisela Rossi From Tessian
by Tessian Monday, January 20th, 2020
Gisela Rossi is a Backend Software Engineer at Tessian who’s earned both her Bachelor’s Degree and Master’s Degree in Computer Science. Before starting at Tessian, she gained experience at Intel, Lyst, and Facebook and, for the last several years, has been very involved in the larger software community, specifically those communities that empower women and other minorities.  She’s a co-leader of PyLadies London, a member of the WISE Young Professionals Board, and a former mentor and volunteer at CoderDojo. 
Q. Describe your roles as a Backend Software Engineer in 300 characters or less I work with Python to build and create products that are used by Tessian’s clients to protect their Human Layer from data breaches. I work closely with product and customer success teams to ensure we’re building solutions that make an impact. Q. For those who might not be familiar, can you explain what Python is? Python is my favorite programming language. Different languages have different styles and different communities around the language. There are conferences, online groups, and other events and Python has one of the more diverse and inclusive groups around the language. I’m actually one of the organizers of PyLadies London. It’s not just the community, though. The language itself is really thoughtful.  You can compare a programming language to what those of us in computer science call a “natural language”…English, French, Japanese. At the end of the day, they all serve the same purpose. You can have the same conversations but in different languages. Just like you’d have a preference in a natural language, you can have a preference in a programming language.  Q. And what about PyLadies London, what’s that? The real goal is to encourage minorities to be more active participants in the Python community and, for some maybe do a career change into the industry. There are talks, workshops, etc. It’s really about mentorship and empowerment. Q. Do you think more mentors or role models would encourage more women to get involved in the industry? I think mentorship is especially important for minorities – not just women – because we have to overcome different challenges. And those challenges aren’t necessarily big hurdles. For some people, it can be several small things.  It could be a professor you have or a bad internship. 
One bad manager or experience isn’t representative of the whole industry, but it can be demotivating if you don’t know that there are more positive environments where these things don’t happen. That means those of us already in the industry have to fight the fight! More than anything though, you need more minorities to be decision-makers. You need those people in higher positions to demonstrate what’s possible and empower others to do the same. It’s especially important because the problems you solve in this industry are interesting, the work is fun, you’re well compensated. There are a lot of benefits if you can overcome the lack of diversity. But, you do need a diverse group of people to have a better chance of solving those problems. Age, race, gender…the more diverse the group, the more diverse the ideas.
Q. What problems have you been most interested or focused on so far in your career?
Data. All of our data is available online and when you consider all the people who could potentially access that data, you can start to see how big the industry’s scope is. The average person doesn’t realize how valuable their data is. People hand over their personal information for a free voucher without thinking twice about it. They don’t have bad intentions, of course, but from a security perspective, that’s a big risk. If you input your email address, home address, and phone number into a site that isn’t secure and that site gets hacked…you’ve got a big problem. At the end of the day, you are your data. So, what happens when someone steals it? But, it’s not even just scary from the perspective of hackers. Massive corporations and governments hold a lot of our data, too. What happens if they misuse it? That’s something that we’re trying to figure out in this field. We’re trying to mitigate that risk.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020.
Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Nielsen, IBM and more. #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Niki Tailor From Tessian
by Tessian Saturday, January 18th, 2020
Niki Tailor is a Platform Engineer at Tessian, where she’s worked for almost two years. Since starting, she’s been promoted to Team Lead and manages three people. Prior to joining Tessian, she worked first as an Analyst at Nomura, then as an Equities Technology Development and Operations Engineer at Bank of America.  Before entering the field, she earned her Bachelor’s Degree in Computer and Management Science.
Q. Describe your role as a Platform Engineer in 300 characters or less
Security, stability, scalability, reliability, and automation of our Human Layer Security platform. As a Team Lead, I have people management responsibilities too, but day-to-day work involves solving problems, building new architecture, and empowering our engineering teams.
Q. Have you always been interested in cybersecurity?
Even though I studied Computer Science and Management, I didn’t always know I was interested in the field. My A-levels were a random mix of Math, French, Art and Economics. I didn’t know what I wanted to do so I chose a broad range of subjects that would allow me to pursue pretty much anything later on. But there are a few tech professionals in my family, so I was exposed to it throughout my life. I was always taking a peek at what my dad was working on so, unlike a lot of other people, I knew the industry existed and what the path to it could look like.
Q. How did you isolate Engineering as your area of interest from the larger umbrella of Computer Science?
I’ve had a lot of opportunities both at University and through the work experience I got during and afterwards that have helped direct me towards what I enjoy the most. My business-focused courses showed me that the technical, hands-on work was what I was most interested in and the work I did coding as a developer made me realize that sort of role probably wasn’t the best use of my skills. I think those experiences are really important. Even though I didn’t enjoy the work, it’s good to have an understanding of the theory behind each of these things. It’s helped me do better work in the roles I really like.
Q. What interests you the most about the work you do?
Working in a start-up that’s trying to solve really interesting real-world problems is the best part for me. The challenges around securing sensitive data are immense, but that’s where the most interesting challenges lie.
As a comparison, I’m not working in a corporate environment where bureaucracy is a challenge. The work I do isn’t done with the goal of making rich people richer. I’m actually doing something good. You read articles where businesses or charities get scammed and organizations lose millions and people lose their jobs. It’s rewarding to be a part of what’s preventing things like this from happening.
Q. Does that sort of work lend itself to unlimited growth potential?
The field is only going to get bigger. The problems we solve are only going to get bigger. I mean, right now, Tessian is solving the problem of security on email. Eventually, we’ll be solving the problem of security on all platforms. That means there are so many opportunities to learn new things and exercise creativity. This is a field that really encourages trying, even if it means failing, which means you never get bored. No two days are ever the same.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Cyber Skills Gap
Opportunity in Cybersecurity: Q&A With Amber Pham From TransUnion
by Tessian Sunday, January 12th, 2020
Amber Pham is an Information Security Officer at iovation, a business unit of TransUnion. After earning her Bachelor’s Degree in Psychology, she transitioned into IT where she worked for over nine years, first as a Systems Administrator and then as a Systems Engineer for software and technology companies like Webtrends and Intel. She rounded out her IT experience with consulting and contracting and was able to gain a broad range of experience; this inspired her to go down a slightly different path and pursue a career in cybersecurity. She’s been working for iovation since then – except for a three-year stint in Amsterdam where she also worked as an Information Security Manager – and has watched both the organization and the industry grow exponentially. 
Q. Describe your role as an Information Security Officer in 300 characters or less
I’m a people manager, which is probably my most important role. I ensure people feel supported and in cohesion with other teams to learn and grow. I’m also the central point of contact for the corporate business and, as a part of that, I work with Development and IT teams to get security work done.
Q. How did you make the transition into cybersecurity after earning a degree in Psychology?
When I came out of college with a Liberal Arts degree I had basically zero technical skills. But, tech companies were growing so fast that they were really willing to give people a chance and train them. I got my “chance” thanks to a really good manager who recognized that I was a diligent worker and that I’d be able to figure the work out pretty quickly. That was working as tech support on a Help Desk, which is how I got into IT. I paid a lot of attention to the training and really just wanted to learn as fast as I could so that I could genuinely start contributing. I didn’t actually even use my psychology degree until I got into my current role in security leadership. Understanding the psychology of motivation has been a key part of building a team and security program.
Q. When did you make your move from IT to cybersecurity?
I went out to do some contracting and consulting. That’s really where I grew the most. You learn a lot faster because you’re throwing yourself into different situations at different companies at a really high rate. I was able to sample a lot of the opportunities available in physical security and networking security that way, and that’s what’s really missing in recruitment for this field. People just don’t know the huge variety of roles that are available from social engineering to forensics to risk assessment.
Q. After you got a taste of all the different opportunities available, did you take any more steps to prepare yourself for the roles you were most interested in?
I went on to get my CISSP which was a huge launching point for me. I know it’s just a test, but the studying that I did on the way to that really rounded out my knowledge and was a really strong signal to future employers that I had real experience under my belt and knew what I was talking about. This also gave me some confidence. For a young person – or anyone really – who wants to launch into a professional career in cybersecurity, certifications like that are a good place to start, especially because it’s hard to jump from 50% system implementation or another aspect of IT all the way to 100% cybersecurity without taking a little bit of a step down and back. That’s something people are reticent to do. But, by doing that – by taking on a role with slightly less responsibility than I was used to, but that was a 100% security job – I was more prepared for the industry and got recruited just nine months later into what has turned into my current job. I was their first “security person” and was able to build a security program from scratch.
Q. Having really run the gamut of IT and cybersecurity roles, has gender bias been an issue for you?
I’ve almost always been the only woman within the teams I work in. Currently, out of about ten Information Security Officers, I’m the only one. It continues to be the trend but, more often than not, people completely disregard my gender. As long as people don’t talk about it, I don’t really feel it. When I was in my 20’s, it was more daunting. The combination of being young and a woman made me feel it more acutely, especially because I didn’t have a mentor. You know, most men I work with that are at a certain level credit their success to a mentor. I feel like I’d be years ahead if I’d had one. That’s why I say “yes” every time there’s a Women in Cybersecurity function, a mentorship program, a local event, anything. I always say yes.
My dental hygienist asked if I would mentor her daughter because she’s interested in security and, of course, I said yes. It’s so important! You don’t have to be an activist to get involved and help someone.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Nielsen, Funding Circle and more. #TheFutureIsCyber
Interviews With CISOs
Tessian Spotlight: Bridget Kenyon, Global Chief Information Security Officer at Thales eSecurity
Tuesday, November 5th, 2019
Bridget Kenyon is the Global CISO for Thales eSecurity where she manages operational information security across the organization. Previously, Bridget has served as the Head of Information Security at University College London where she built and matured the information security governance function for the university. Bridget is a member and editor for the International Organization for Standardization where she has edited and developed the management standards in the 27001 series. Additionally, Bridget has published a book on ISO 27001, which serves as an ideal guide for organizations preparing for the certification.
What are the greatest challenges you’ve faced while being in the role? Have these changed over time?
One of the greatest challenges that I have faced at Thales eSecurity has been the ongoing divestment, acquisition and merger activity that is currently taking place across the organization. With this occurring, it is important that we are appropriately transitioning all of the systems as well as spinning up new IT environments as required. With the merger, we have two separate environments that need to merge, and we need to ensure that they become aligned. For example, our organizations had two separate classification schemes for data. We had to work out how the schemes would fit together, considering things such as how policies and processes were being used in practice. One of the most exciting things with this merger, though, is that it has unblocked some of the security initiatives that I was trying to get started. Finally, with the merger it is a good chance to re-assess who has access to what, such as elevated privilege on certain systems.
Are there any core security principles you are guided by in your approach?
First – clear and simple communication. With the changes that are currently taking place across the organization, it’s important that clear communication is maintained at each level.
One of the great things about this organizational change is that it has given us the opportunity to re-define aspects of our reporting and ultimately fine tune and simplify it so that it can become more effective. A second principle is to make sure that ideas are actionable. There is a tendency in information security to provide a lot of technical details dressed up as KPIs. Ultimately this heap of data becomes more of a talking point rather than an actionable item. Third, as security professionals we should be coming up with strategies and solutions to support the business. In the end the business is our customer, and everything that we do has to help it become better, not get in the way.
How important is the human factor when it comes to your role and what impact does human error have on your cybersecurity planning?
I think of human error not as a fault in our make-up, but as an intrinsic part of human behavior; we have evolved to find and use the most efficient and energy-efficient solutions, so it’s totally normal to want to write a password down if it’s hard to remember, for example. Making security work for us is about understanding how people operate, and the decisions they make in real life situations. It’s also vital to equip people with a better understanding of the risks. Giving staff a to-do list without any context, for example, is not a reliable approach - while half of your audience may indeed just want to know what to do in what order, the other half will ask “why” something is being required, and balk at adopting a seemingly arbitrary set of rules. The other side of this is the idea of changing business processes and technology to better support employees. I believe that the purpose of IT is to support people performing business operations. If the IT processes are fit for the business purpose, then employees are not expected to stretch and bend their essential behaviors to fit the technology - and security issues are prevented.
To avoid people writing passwords down as in my previous example, you could provide a password manager, or use fingerprints instead of a password for logging in.
Within your role, have you led any projects to make IT fit people’s needs?
At UCL, we had a password management system where students and employees had to change their password every 150 days. The worst problem with this system manifested when students had been away from UCL during the summer months; when they came back to UCL in the autumn term they had either forgotten their password or it had expired. This resulted in massive queues of students at the Service Desk during the first few weeks of term, as passwords had to be reset in person. We realized that we needed a way to improve this system and, due to our set-up, it had to be an in-house solution. After much thought, I invented a password reset system where, when the end user typed in their new password, there would be a colored bar underneath, indicating the strength of the password (nothing new here, but bear with me). Next to the bar was a number, and that number increased when you created a stronger password. The truly novel part was that the number represented the number of days that you got to keep that password! We had this system implemented, coupled with a system that would help you reset your password with SMS, and it helped solve the problem.
Trends show a gap in women leadership within the security landscape, what do you think it will take to get more women involved in the industry?
I believe that there are two elements. First, there are a lot of role models out there – but they’re unreachable. Somebody who is considering coming into cybersecurity may look at these role models and feel like they represent an unattainable ideal. A woman may work as a CISO; however, how many other women fell by the wayside? I would like to see more stories of women in reachable security positions.
The second point is to encourage recruiters to suppress their bias when hiring and be less surprised when they are faced with a woman applying for a technical or leadership role in information security.
Looking forward – what kind of security culture are you working towards at Thales eSecurity?
I strive for a culture where the different parts of the organization are aware of how they can have an impact and contribute to security. I want people to feel a sense of agency and have the ability to propose change within the organization. We need a collaborative approach to security. The board, for example, could prescribe an outcome, and then it is up to the employees throughout the organization to work towards fulfilling it. I believe that it’s important for people to play a part in designing the policies that they themselves must comply with.
Interviews With CISOs
Tessian Spotlight: Helen Rabe, Global Chief Security Officer of Abcam
Wednesday, October 9th, 2019
Can you give an overview of your career history prior to joining Abcam?
I’ve had a fairly linear career journey in IT in general where security has always been a feature given that I’ve worked across the full systems lifecycle from project management to service delivery. A lot of my earlier career focus was on reactive remediation projects for organizations that had been compromised. More recently, I made a conscious decision to specialize and moved into a dedicated security role at Costa. It proved a successful decision and it’s led me onto CBRE and more recently Abcam where I am the Global Chief Security Officer (CSO).
Can you give an outline of your responsibilities as Global Chief Security Officer of Abcam?
It’s a wonderfully diverse role with many fascinating security considerations and unique challenges. Physical building management systems and specialized laboratory equipment are within my remit and they are an important part of our holistic security strategy. Abcam is a life-science company with a strong e-commerce element which facilitates external feedback on products using reviews and ratings submitted by customers. Abcam has a corporate culture driven by altruistic and humanitarian values which creates a unique security and risk profile that’s different from industries like banking and telecoms that I’ve been in previously.
What are some of the challenges you’ve faced since being in the role?
Abcam is undergoing a major digital transformation as part of its growth strategy. Trying to establish a security program in an organization already impacted by a large change initiative is not easy. I need to ensure the security program does not contribute to ‘change fatigue’ and lose its effectiveness. I’m attempting to deliver security across an organization in a way that emphasizes helping people to understand that security adds value rather than being a process blocker, it requires a major communication initiative.
I’ve had success with this by positioning security more as a lifestyle choice, this involves helping employees understand how security behaviors can benefit their personal lives as much as it can in the business world. It’s about embedding a security message in a relatable context, that’s how I believe you create positive security behaviors.
How important is the human factor when it comes to your security considerations?
To me personally, it’s a key factor in the success of my strategy. The human element in cybersecurity is complicated and it shouldn’t be treated as mutually exclusive from the technology enabling solutions we implement. One of the things that technology cannot fix outright is the insider threat, whether malicious or unintentionally negligent. Training employees in order to mitigate the insider threat can’t be a one off and training only goes so far in mitigating this risk. There needs to be a balanced approach in providing human intervention through validation processes alongside automated technology solutions, one should not be relied on over the other. I also support the notion that any security initiative or new policy requires a proportional internal ‘PR’ campaign around it to be effective. For example, if we’re taking something away from users like USBs and pulling away norms you’re going to get the inevitable backlash so we have to communicate what value the users are getting out of the situation to sell it internally prior to it being implemented and impacting them. I don’t think we can easily solve the human problem, human behavior is too variable for us to nail down entirely, and we shouldn’t rely on AI technology as the panacea, but what we can do is prepare for the known threats coming at us. Security needs to be more front line and supporting users for things like phishing and whaling BEC that we know are growing more sophisticated and involve critical human decision making.
When cybersecurity technology is at its best, what can it bring to an organization?
Value creation…if the technology offers users an intuitive, seamless experience and ensures security, it adds immediate value. This doesn’t necessarily have to be a tangible thing, if your users embrace the solution, by extension security benefits from the success and longer-term support for its initiatives. End users ultimately want to have a symbiotic relationship with technology. The best solutions have to be a meshing of technology and the soft line of people, understanding how each of these couple into each other and add value is crucial.
What are the common misconceptions about the role of cybersecurity?
There is a belief that security owns everything, that it provides oversight for all risks but this is a huge misconception. Most of the time we’re responsible but not accountable, security awareness programs should also include a basic overview of who security is and what it is accountable for. An example would be an introduction to the classic 3 lines of defence model to help business users understand the engagement model between business risk and security. This is why it’s important to have an understanding of the softer elements of security in order to make sure it works for end users, that’s the sign of a successful security program. To achieve this, my advice is to step outside the line of what’s considered the CSO role and to be creative.
Interviews With CISOs
Tessian Spotlight: Craig Hopkins, Chief Information Officer for the City of San Antonio
Wednesday, September 25th, 2019
Craig Hopkins has been Chief Information Officer and IT Director for the City of San Antonio for over two years after spending more than 20 years in financial services. San Antonio is the seventh-most populous city in the United States, and as CIO Craig manages systems integration, user experience, cyber and physical security, and portfolio prioritization for the city. This includes aligning the City of San Antonio’s 42 departments and almost 13,000 employees and developing a business strategy to ensure that each department accomplishes their mission, takes care of their employees, and remains secure.
What are the greatest challenges that you’ve faced being in the role?
Originally when I came into the role, my primary responsibility was to build new technology relationships across the 42 departments that make up the city. This included looking at different departments’ business strategies and helping them leverage technology to support it. The second area of focus was to set and strengthen the culture inside of the IT organization and to work with our municipal partners across San Antonio as well. I think we’ve done a great job over the past two years on these focus areas. Now the team is integrating systems and processes across departments with a focus on common platforms and prioritizing the user experience. We’re utilizing design thinking techniques and are becoming more of a consultant to the departments rather than building individual technology silos. We’re also having the departments work together on a common set of platforms that help with user problems, not just individual problems that are department specific.
As the CIO of San Antonio, are there any core security principles that help guide your approach to security?
In the first year we were really focusing on the information security foundation and making sure that we were as strong as we could be with our policies and tools.
However, we wanted to make sure that information security was not the only component. It’s really about understanding your overall security posture, which is a combination of physical, data and cyber. In the past year we’ve improved our principles based on the NIST framework with a focus on comprehensive training programs for our employees, network hardening, updating obsolete systems, threat profiling and vulnerability analysis. This has helped with communicating our policies and procedures and raising the cultural awareness within our organization. Security is everyone’s responsibility.
What unique pressures and dynamics do you face when it comes to cybersecurity decisions in the public sector?
Typically, people that work in tech will tell you that technology is the most important factor when it comes to making decisions about cybersecurity. What I’ve learned is that in reality, it’s about people. The human factor is incredibly important because people can be great at detecting threats and abnormalities in the system – more so than any tool – but they can also be your greatest internal threat, either intentionally or unintentionally. What we try to do here is to teach behaviors and have protocols that can minimize the risk of intentional and unintentional issues, such as only giving systems access to those who need it and constantly refreshing and validating the user rights. This sounds basic, but it’s the foundational practices and business processes that solidify your position. We also provide peer oversight, technical training, and teach how to combat social engineering. Ultimately, we want people to understand these threats to make sure that we are always leveraging our people first and our technology second.
What are the common misconceptions about the role of information security?
One of the common misconceptions that I hear is that an organization’s best defense is their technology tools.
My response to that is actually that the best defense is a workplace culture that prioritizes cyber and physical security and creates aware and engaged employees and leaders. A second common misconception is that cybersecurity is for the IT team to solve. I believe that cybersecurity isn’t just an IT problem, it’s for leadership to solve for across the organization. It’s the job of all leaders to support and protect our employees on our teams.
Looking forward, what type of security culture do you want to create within the City of San Antonio a few years from now?
A security-conscious culture where cyber, data, and physical security is naturally integrated into everything we do and every design decision that we make. It can’t be the only thing that we think about, because you can’t run a business that way, but it must be embedded in our thinking and our architecture, as we seek to improve the lives of our citizens and our employees in San Antonio. That is the culture that we want to build into our organization.