Addressing the Gender Gap in Security Leadership

Security is primed for a female revolution to rectify the persistent gender gap in leadership positions. According to a global study by the Executive Women’s Forum, men are four times more likely to hold C- and executive-level positions and nine times more likely to hold managerial positions than women. The industry is centered on making one tough decision after another while translating tech speak into true business value. Having more female influence would benefit both the security community and the broader business community.

In 1995, when I started in the IT space, there was an overwhelming imbalance between male and female IT leaders. In fact, it was quite challenging to find more than a handful of women CIOs in the space. Today, women make up only 11 percent of the cybersecurity profession globally. I was fortunate to join the workforce during a time of great change, not only in technology but also in social and moral focus.

Over the past two decades, IT leadership has blossomed into a more balanced and healthier environment, though things are still not where we want to see them. Though IT is a career where highly technical skill sets are valued and desired, over time the need to communicate the value of IT solutions across an organization has shifted the balance toward a mix of technical excellence and focused influence. Women IT leaders grew up in precisely that space and were amazing at explaining the value of IT solutions as a business need. These women actually came from the business side of IT and truly understood the inner workings of the company and how its data flowed.

Cross-functional, business-driven careers such as program management, compliance, and business applications spawned a new brand of women IT leaders that ultimately grew into the first true wave of women CIOs. I believe that this positive influx of fresh thought leaders changed how IT was viewed, how teams were built, and how the business of IT was managed. Today, women unfortunately still hold a significantly smaller percentage of the overall CIO positions: women make up 9 percent of IT leaders globally and 10 percent in larger organizations, according to a study by Harvey Nash/KPMG. However, they have left a positive mark on the space and possibly a blueprint for other highly technical roles (such as CISOs) to undergo a similar transition toward greater balance.

For the Security space, we expect to see a greater selection of career trajectories leading to the path of the woman CISO. We may not see the vast majority move from Sec Eng/DevOps into CISO/CSO roles. Perhaps they will arrive at the CISO position through another path such as Compliance, Security PMO, or Engineering Program leadership. But we are not there yet. As I write this, I am aware of fewer than 20 female senior Security leaders (i.e. CSOs, Heads of Security) in the San Francisco Bay Area, which is arguably the largest and most mature modern CISO market in the US.

However, the news is not all bad; there are several solid programs working to strike a greater balance. In particular, the national Security forums and events have been making a strong effort in recent years. For instance, BlackHat has a growing balance of female leaders on both its board and within its upcoming sessions. Parisa Tabriz, a true Sec Ops/SecEng leader, will be kicking off the event as the keynote. (Yes!!!)

In a follow-up piece, we will go over a few ideas for what we and others can be doing in the community to help bridge the gender gap and change this incredibly important space. In the meantime, we would love to hear from others witnessing the lack of diversity in the Security space. What challenges and improvements are you seeing? Please reach out to with your thoughts.

How GDPR Can Be a Good Thing for a CSO’s Career: Part 2

In part one, I discussed how GDPR could positively impact both a CSO’s company and his or her career development.

In part two, I’ll offer a few more suggestions on how CSOs can use GDPR to boost their careers while bringing their team members together.

Know where your Security Program relates to GDPR

For those who have struggled to create buy-in for compliance issues, you now have a law that provides an excellent teaching moment, but you need an action plan. You can use this opportunity to establish, enhance, and/or lock down your security program. With the exception of a few company verticals, such as those deep in the financial services space, most CSOs have never had anything like GDPR to use as a platform for securing buy-in for their security program.

Now is the time! You have everyone’s attention and they should be listening. Laws with penalties large enough to threaten revenue will affect annual margins and in turn personal bonuses, which tends to get people’s attention. You will need a streamlined plan, one that is ready to execute, especially when dealing with compliance-focused projects. If you are an incoming CSO starting with a new company, you should have the framework of your GDPR compliance training ready to go on Day 1.

Your program will only be successful if everyone knows what is going on, your narrative is clear, and scenarios are tested and practiced. Work closely with your non-technical counterparts and compliance teams to lay out and test your plans. Continuously perform application assessments and identify your gaps. Be ready to share your data mapping and inventory practices. Create real-time scenarios that answer the likely questions and prepare everyone to respond to inquiries. Consistently practice and enhance your data breach and incident response plans. Be prepared and ready to execute on your program. Many of these procedures should be commonplace in your world, but perhaps not to the average user of the data.

Know what you have under the hood

Simply relying on your tech stack may not go well. Your privacy strategy and technology may be flawed as they relate to GDPR.

For instance, one of the big GDPR misconceptions is that some companies feel they have a loophole for avoiding the regulation because they can anonymize the data. No such luck. This loophole was considered when the terms were crafted and is covered in the “identifier” portion. Even if you have data sets that the regulators cannot see, the data can still lead to someone’s identity: bits of information can be pieced together to identify a person, and voilà, you have yourself an infraction. Of course, this growing area of anonymization and encryption technology using AI/ML is one of the areas where the regulators will likely focus and test companies.
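The “bits of information can be pieced together” point is the re-identification risk that privacy engineers measure with k-anonymity: if a combination of remaining attributes (ZIP code, birth year, sex) is unique to one record, that person is singled out even though names were stripped. The following is an added Python example, not code from the original post, run on a constructed six-record export; the column names and sample values are assumptions. It reports the dataset’s k, lists the records that are singled out, checks every subset of the quasi-identifiers (a single column can be enough), and shows how coarsening ZIP and birth year raises k. This is the kind of check a CSO’s team can run before calling an export “anonymized”.

```python
from collections import Counter
from itertools import combinations

# Constructed sample (not real data): a "de-identified" export with names and
# account numbers removed. ZIP code, birth year and sex remain; these are
# classic quasi-identifiers that can be linked against other sources.
RECORDS = [
    {"id": 1, "zip": "94105", "birth_year": 1979, "sex": "F", "diagnosis": "asthma"},
    {"id": 2, "zip": "94105", "birth_year": 1979, "sex": "F", "diagnosis": "migraine"},
    {"id": 3, "zip": "94107", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"id": 4, "zip": "94107", "birth_year": 1985, "sex": "M", "diagnosis": "asthma"},
    {"id": 5, "zip": "94110", "birth_year": 1972, "sex": "F", "diagnosis": "hypertension"},
    {"id": 6, "zip": "94110", "birth_year": 1981, "sex": "M", "diagnosis": "asthma"},
]

# Column names are assumptions for this example.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def equivalence_classes(records, columns):
    """Count how many records share each combination of the given columns."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """k for the dataset: the size of the smallest equivalence class (0 if empty).

    k == 1 means at least one person is singled out by these columns alone."""
    classes = equivalence_classes(records, columns)
    return min(classes.values()) if classes else 0


def singletons(records, columns):
    """Ids of records whose combination of the given columns is unique."""
    classes = equivalence_classes(records, columns)
    return [r["id"] for r in records if classes[tuple(r[c] for c in columns)] == 1]


def risky_combinations(records, columns, k_target):
    """Every subset of the quasi-identifiers under which k falls below k_target.

    Checks every subset, so it also catches a single column that singles people out."""
    risky = []
    for size in range(1, len(columns) + 1):
        for subset in combinations(columns, size):
            if k_anonymity(records, subset) < k_target:
                risky.append(subset)
    return risky


def generalize(record):
    """Coarsen quasi-identifiers: keep a 3-digit ZIP prefix and a 10-year birth band."""
    coarse = dict(record)
    coarse["zip"] = record["zip"][:3] + "**"
    coarse["birth_year"] = record["birth_year"] // 10 * 10
    return coarse


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("singled-out records:", singletons(RECORDS, QUASI_IDENTIFIERS))
    print("risky column subsets (k < 2):", risky_combinations(RECORDS, QUASI_IDENTIFIERS, 2))
    coarse = [generalize(r) for r in RECORDS]
    print("k after generalization:", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

On the constructed data, birth year alone already singles out two people (k = 1), so removing names did nothing for them; generalizing ZIP to a 3-digit prefix and birth year to a decade merges every record into a class of three. In a real review the quasi-identifier list comes from the data inventory the post asks you to maintain, and k is a floor, not a guarantee: sensitive values that are identical within a class (every member has the same diagnosis) still leak, which is what the l-diversity extension addresses.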

Another area to consider is how you deliver your service. Whether you deliver purely in the cloud, on-prem, or as a hybrid, you are in scope; under GDPR there is not a huge difference. If you are billing customers, collecting data, and creating telemetry, then you are under the obligations. It may even start at the code level if you are a SaaS company. That is why it is critical to work closely with your Engineering and Product teams to create better visibility and enhance their awareness of policies and best practices (see Privacy by Design as a reference).

Don’t forget about your third-party vendor relationships and related obligations. This is the likely chink in the armor for most companies and an area the GDPR regulators will surely focus on. You may be in a situation where you need to drive revisions or even replacements of your User Agreements and 3rd Party Data requirements.

Know how GDPR can position you to help drive Sales enablement

As highlighted in previous blogs, the sales enablement function of the modern CSO is becoming one of the larger-scoped components of the role and a key metric of success. This is another area where GDPR provides a unique opportunity to get closer to the business side of things.

You will need to pay close attention to the following:

  •  How your marketing and sales departments are using data
  •  How your User Agreements are written
  •  What policies are listed in your customer contracts
  •  What your 3rd Party Agreements look like

In any scenario where data is collected, mapped, stored, and otherwise used, there is an opportunity to teach the user community the best practices moving forward. Use your skill set and knowledge of the collective to become an advocate of privacy rights. If you see intentional or unintentional infractions for how personal data is used, accessed, and stored – speak up!

There is no certification for GDPR; it is law. Some of the new language discussing basic rights, such as ‘the right to be forgotten’, is broad and open to interpretation. Learn the law and how to apply it, and you can be the company’s great mind in this space.

Reference material:
Article 29 Working Party (WP29)
Article 83 – General Conditions for Imposing Admin Fines
Privacy by Design framework

How GDPR Can Be a Good Thing for a CSO’s Career: Part 1

GDPR is on everyone’s minds and in everyone’s inboxes right now. But what does it have to do with today’s CSO and his or her career track?

GDPR provides a rare opportunity for a CSO to place his or her fingerprints on the company’s data privacy approach and practices. CSOs are in a unique position to both help guide their companies through a difficult process and benefit from career development and exposure. GDPR is a compliance forcing function at a scale that we haven’t seen in nearly 20 years (i.e. SOX). If a CSO is able to bring together the many pieces, he or she will lead their company and ultimately their career to success.

As of May 25, 2018, GDPR became enforceable. The challenge for CSOs is to consider how prepared they are to drive this initiative and lead their companies to success. Most security and compliance regulations require a cultural change within the ranks to take hold, but many think that GDPR is the big one that will govern us all or at the very least will set the tone. Though the EU took the lead on data privacy, this law affects all companies.

In this two part series, I’ll share a few suggestions for CSOs who want to use GDPR’s arrival as an opportunity to further their company’s success as well as their own.

Know your role as it relates to GDPR

As the CSO, it will be your responsibility to rally around the cause of data privacy and use this opportunity to bring everyone in your company (and its many third-party relationships) along for the journey. It sounds difficult, but the good news is that you already know where and how the data flows throughout the company and how the specific people and functions intertwine with that data.

In many ways, you (and your teams) are the true data source providers and keepers. Whether ceremonially or officially, you are the Data Protection Officer. The knowledge that comes with this position provides a unique opportunity for you. You are one of the executive leaders within your company who can appropriately drive collaboration and guidance and help mentor those directly affected by GDPR. Do not let this opportunity pass you by.

Your first step is to identify who in the company fits into the two main roles under GDPR: Data Controllers (“Controllers”) and Data Processors (“Processors”). If your company processes personal data in any way, then both roles exist within your company. Your knowledge of the subject can be used to reach out, bring people together, and build a strong training program that will bring your company into compliance.

Weaving together the many parts of your company to ensure that data privacy is handled correctly is no easy task. You may be hamstrung by the complexity of your own proprietary technology. You may have hundreds of groups all contributing, in different data sets, to the data collective. Bringing these disparate teams together may be challenging as each group may come to the table with a different data collection and dispersal approach.

Every entity that works with data is under the same obligations for data privacy. Though the initial projections are that the bark of GDPR will be smaller than the bite, the threat of 4% of top-line revenue will hopefully motivate the correct behavior.

In part two, I’ll discuss knowing where your security program relates to GDPR and how GDPR can position you to help drive Sales enablement.

**I am not a CSO practitioner nor a GDPR expert. I am however a zealot and advocate for the CSO’s career development and the promotion of their increasing impact within today’s organizations.

Reference material:
Article 29 Working Party (WP29)
Article 83 – General Conditions for Imposing Admin Fines
Privacy by Design framework