7. Cyber security - thoughts from an expert

Mar 09, 2021

With working from home becoming the new normal in the past 12 months, our online security is more important than ever. I had a really interesting chat with Claire Pales from 27 Lanterns, a cybersecurity consulting firm with some really interesting views on how to hire a security leader, the common mistakes many of us make when it comes to our cyber security, and why we're not seeing more women in security leadership roles. Here are some of my takeaways from our chat.

 

Why (most) companies bring on a cyber security expert - and where they go wrong

There are a lot of security specialists with potential to fill senior roles in Australia. One of the key problems cyber security specialists face is that the people hiring for these roles don’t understand what the role actually entails. An organisation might hire a security leader because there has been a breach and they need someone to lead; because the board has asked why there’s a gap in the IT department that needs to be filled with a cyber security specialist; or because an audit or regulator has put pressure on the organisation to hire someone to lead at a strategic level.

The job descriptions we see for Security Leaders often read like a wish list that has been developed from the results of an audit. Often, the needs of the role are too broad for the skills that most applicants in the market possess. Security leaders often climb the ladder from a very technical position, a governance or compliance role, or even a corporate security role. So while a candidate may be a great leader, their depth of knowledge around different pillars can vary wildly.

The gap is in the organisation’s ability to articulate what they need, then go out to market and find a good fit. Be clear about what you’re trying to achieve today, and get clear about what technical and soft skills candidates need in order to be considered for a leadership role.

One way for CIOs to find a great security leader is to look at what you need right now, and beyond that for the next 18 months, and then hire for that. Look at the skills your current staff have, and find someone who fills the gaps you currently have within your organisation. The 'doers' who need to sit below that leader can complement the skills of that leader. 

There’s a difference between strategic leadership and the ‘doing’. There are many security leaders out there who are hiring people who have incredible skills, then teaching them to put a security lens over that. Once you have that strong leader in place, you can hire architects, analysts, network engineers or developers, and then teach them the security component.

If they have the curiosity and the technical skill set in their particular area, you can then put that security layer across the top. From the perspective of needing to fill some of those positions, sometimes it’s a better idea to hire someone with the technical skills you need and then teach security skills over the top, rather than trying to find a unicorn with the precise combination of skills that you need. 


Women in Security

Most organisations currently have 20% to 30% women in their organisation from an IT perspective, with fewer in infrastructure roles. There are more university courses on offer now that are dedicated to security, and I think there’s a great opportunity for organisations to create an environment in which women a) want to work (security can be a male-dominated industry), b) have the opportunity to thrive through reskilling and c) have the freedom and opportunity for programs like job sharing, should they wish to have children and come back to work.

 

So, where can we improve the likelihood of more women taking on leadership roles in security?

The small number of women who advance to senior leadership roles haven’t received the same level of support and mentorship that their male counterparts received on the way up. Claire believes that in order for more women to consider security leadership roles, often it’s a case of those women having to be vocal and determined to take on mentor roles within the company.

It’s also vitally important to nurture your network throughout your career. Word-of-mouth recommendations are often given more weight than an application that comes in cold. Your network is particularly important if you’re an Aussie who has been working overseas, as the industry can be really difficult to crack into when you return home.

 

What should we focus on, in terms of security on an individual level?

It’s important for adults in general to become more security aware and to understand where their data is going: to understand what it means when you download an app on your phone, and not to take it for granted that organisations are protecting your information in the way you would like it to be protected. Educate yourself so that you understand the risks and can make an informed decision about how much data you provide, and to whom.

For those who are parents or guardians of small children, look at the way your kids are learning about cyber security. In the current environment where kids are forced to learn online and require passwords, observe how their education providers discuss passwords. Using basic passwords, writing them down or sharing passwords are all problematic as they encourage bad habits when it comes to cyber security. The fundamentals of security are learned at an early age, so it’s important to review how passwords and data are treated at that basic school level.

Look at what you’re downloading: do you trust the company to use your information responsibly? Have you spoken with your children and family members about what they do and don’t share online? Have you covered the basics when it comes to simple things like using a password app? Claire suggests that you protect your data just as you would your banking details. 

 

I loved this chat with Claire. I’m so impressed with Claire’s experience, the career she’s built and the business she has created. You can listen to the whole podcast here.

 
