Date: 2021-09-12

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Claire Pales and Anna Leibel.

Claire Pales is a best-selling author, a podcast host, and Director of The Secure Board, a consulting company committed to advising executives and boards, and helping businesses to establish exceptional information security practices. She has 17 years of experience in the security industry, leading award-winning cyber strategies throughout Australia and Asia. Claire is a member of the Technology Committee for the Breast Cancer Network of Australia, a Fellow of the Australian Information Security Association (FAISA), a mum to 4 children and an aspiring runner.

Anna Leibel (GAICD) is a Director of The Secure Board, author, a Non-Executive Director and senior executive across the financial services, management consulting, telecommunications and technology industries. With three decades experience in leading customer, business and digital change, she is a sought after advisor to Boards, Chief Executives and IT leaders on transformation, data, cyber, leadership and culture. Anna volunteers as a mentor to elite female athletes and is a qualified yoga instructor.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

Anna: I am the eldest of two girls and grew up in a country town in Victoria, Australia. My parents instilled values that have influenced my life, including my strong work ethic, the importance of giving back, owning your mistakes, equality, continuous learning and dependability. In the early 1980s my Dad bought a computer along with a book to teach himself how to code. Being a curious 8-year-old, I picked up the book and spent weekends teaching myself how to code. I like to say that IT picked me as a career rather than the other way around. As I was finishing high school, the internet was emerging as a new technology, and I started a consulting business to educate others in extracting value from IT. My career has been built based on saying yes to opportunities and taking myself out of my comfort zone. I have worked within many IT departments, established new enterprise global sales streams, worked in management consulting, and most recently as a CIO and board member. After ten years of practicing yoga, to help manage stress and practice mindfulness, at 40 years of age I trained to become a yoga instructor.

Claire: I grew up the youngest of five in a blended family in regional Victoria, Australia. We had what we needed to get by, including a lot of hand-me-down clothes from my sisters! My Mum worked hard, often in two jobs to provide for us all. I’m so proud to be a sibling to four amazing humans — my brother went off to serve his country in the air force at just 16 years old. Two of us are University graduates and three of the five of us have run our own businesses. My Dad is a decorated leader in the Lion’s club, serving our community for more than 50 years. My parents’ sense of community taught me to have an open-door policy and to welcome all conversations, even the tough ones. Early in life I wanted to be an air hostess, then a journalist and by the time I left school I wanted to be a police officer.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

Anna: I watched Good Will Hunting for the first time in my early 20s as I was weighing up the big question “what I wanted to do with my life?” The movie resonated strongly, and I continue to watch it every 2–3 years for inspiration. The key takeaways for me are that your upbringing doesn’t determine your future, the importance and impact a mentor can have on your life, and that true friendships not only support the decisions you made, sometimes they push you towards them.

Claire: In 2014, I slipped three discs in my neck. While reclined for three weeks recovering, I read many books, one of which was ‘The Four Hour Week’ by Tim Ferriss. I had always wanted to work for myself so of all the books I read, this one really motivated me. After working long hours in Asia for several years, I was inspired by the way Tim talked about the freedom working for yourself could bring and the time I could take back to spend with my young children and family. I dived headfirst into his podcast and have now worked for myself for five years, have my own podcast in its 7th season and have authored two books.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Anna: I have enjoyed working in IT for nearly 30 years across a variety of technology domains and management consulting where I have worked alongside the security department. At my most recent role with UniSuper, the Information and Cyber Security team reported into my role as Chief Delivery and Information Officer. As security has shifted from being perceived as an IT function to an enterprise-wide risk, I am motivated by how the business and third-party vendors work with IT to collectively keep organisations safe. I was driven to partner with Claire Pales to co-author the book The Secure Board and to launch The Secure Board Advisory Service, to help fill an important gap to educate all Australian board members on cybersecurity and their critical role to mitigate risk.

Claire: Being the youngest of five kids, by the time I came along my Mum had her rules locked in and she had a lot of them. Mum saw rules and restrictions as a way to keep us safe. Those early years of conforming to Mum’s rules taught me to feel confident in structure and boundaries. I believe this is what led me to the career I have today. I originally wanted to pursue a career in policing but working in security, fraud and cyber has allowed me to flourish and saw me promoted to management at just 24 years old. I often look back and reflect on my Mum’s rules as foundational for my career direction and influential in seeing the need for all staff to understand cyber rules to keep the organization safe.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Anna: As a super-keen 22-year-old, I was asked by a manager to help build servers for a large client order. As the Service Desk Manager, I had experience building laptops and PCs, but never a server. At that young age I didn’t feel comfortable admitting that I didn’t know how to do it, so I sat next to an experienced engineer and took detailed notes on every step he took. As a team we got all the servers built and delivered on time! My boss was none the wiser.

Claire: When I was 19, I wanted to be a police officer. But I didn’t think through the fact that I would have to carry a gun or weapon! It got halfway through the recruitment process before it dawned on me the responsibility I was about to take on. I retreated to the safety of University and completed a Police Studies Degree instead, learning about the police as a business, women in policing and how crime impacts society.

Are you working on any exciting new projects now? How do you think that will help people?

Anna & Claire: During our research for our book The Secure Board and our consulting work, we have found common themes in what keeps CEOs, boards and executives awake at night. We have taken this information and launched a Masterclass dedicated to helping CEOs and company directors learn about the critical elements of understanding cyber security risk — from the importance of being prepared, to the role each person in your organisation must play in keeping information safe and secure. The course provides participants with practical advice, ensures they can ask more informed questions and understand the consequences of decisions on security, and includes a complimentary copy of The Secure Board book as an informative resource. Designed and facilitated by experts in cyber, digital, corporate governance and boards, the learning experience includes case studies, discussions, interactive peer reflection and ensures company directors and C-suite leaders from any discipline can grow confident in cyber literacy.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

We are excited by the opportunity to support every organization to prioritize cyber risk at a time when leaders want more confidence on this topic. While company directors know balance sheets and due diligence reports, the current threat environment is such that all company directors must also understand cyber risk. This is somewhat of a daunting topic, but if you put aside the jargon and the technical reports, managing cyber risk is something all board members can do when committed to uplifting their knowledge and building relationships with their cybersecurity leaders. In The Secure Board Book, and through our advisory work, we advocate for being prepared for a cyber-attack. We work with organisations to ensure they have incident response plans in place, have a detailed communications plan to manage various stakeholder interests such as customers, and the importance of practicing response plans through simulations. Not all organizations are the same size, have access to the same funding or have the same regulatory requirements. We are excited to provide pragmatic and fit-for-purpose cyber risk management advice for any Australian organization.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

The perception that cybersecurity is still a problem IT can manage on its own. Relying solely on technology controls is not the answer to managing cyber risk. Boards, executives, all employees and third parties must understand the important role they play in keeping an organization safe.

There are still organizations in Australia that have not invested in appropriate cyber resourcing such as a Head of Information Security or a Chief Information Security Officer. As such, there are many Australian boards not hearing directly from a cybersecurity leader with the context of their organization’s risk profile. The security leader should have a relationship with the board and CEO along with a recurring agenda item at board meetings.

There is a lot of focus at the board and executive level on meeting compliance obligations. Compliance alone will not keep an organisation safe. While company directors and executives don’t need to be technical experts, they do need to understand the contributing factors and controls to oversee cyber risk management. Our book, The Secure Board, builds confidence for company directors and C-Suite leaders in governing cyber risk management through five key elements and without any technical jargon.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Cyber threats are evolving and have been for some time and will continue to do so as businesses become better at detecting cyber-attacks. Most organisations cannot get ‘ahead’ of cyber criminals. This being the case, the best thing an organisation can do is be prepared. Post-incident reviews often show that stakeholders could have been more involved in drills and scenario role play to ensure responsibilities are clear in the face of a crisis. No matter what threats come over the horizon, stakeholders who know how to be resilient and work together will recover better and reduce the impact of an attack than those who have no cyber leader and a plan that gathers dust.

Best practice — Many companies who are not regulated or required by law to comply with best practice have no incentive to invest in cyber security controls, programs, or strategic initiatives. This increases the likelihood and consequence of a breach. This can have long standing implications for operations and customer trust.

Organizations who are not prioritizing cyber as a way of doing business could impact the talent they attract and the customers they retain. Equifax was one of the first organizations to admit that their culture of complacency led to their global, major cyber incident. Their investment in technology, education and leadership has shown a complete change in their commitment, however the aim is that not all organizations need to have a global or public breach in order to significantly change their commitment and investment in cybersecurity.

Cyber hackers are no longer purely motivated by financial gain. We are seeing recent threats disrupting the community, for example: fuel shortages across the East Coast due to the Colonial Pipeline breach, attacks on healthcare have risen 55% in the USA with over 26 million people impacted, 9News coverage and printed press were affected when the media outlet was under threat, and global food processing company JBS was hit by ransomware with consequences to employees unable to work and impacts to supply to customers.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Anna was involved in an incident that was declared on a Sunday morning when a customer reported having access to account details of other customers through the digital channel. IT and cyber teams commenced investigating and attempted to recreate the customer’s experience. After 45 minutes we made the decision to shut down the digital channel to protect customer account information. Investigations continued for several hours with due diligence leading to the incident being resolved efficiently with the key takeaways:

We made the decision to shut the digital channel down with the information available to us at the time, and we made that decision promptly to protect all customers and their data.

Don’t underestimate the value of your incident response plan!! This incident took place on a Sunday. With everyone at home rather than in the office, we relied on the incident response plan to know what action to take and by whom.

We kept the customer that reported the event informed throughout the incident. This retained customer trust and enabled an efficient management of the incident.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

All organizations need to have a baseline of technical security controls and in our experience, this is not necessarily where the weaknesses lie. Organizations need to use more than technical tools to address cyber risk. Some of the key areas we see lacking that we recommend for best practice include:

Cross-organizational relationships are built on trust. Day to day, every part of an organization plays a role in reducing and managing cyber risk. From procurement to technology to customer service, every team and employee need clarity on the role they play in protecting the organization. This only comes about through a culture where cyber is part of the daily conversation and there is trust and accountability where people do what they say they will do to play their part in addressing cyber risk.

Contextual board reporting with actionable insights. Traditionally, board reporting on cyber is filled with large amounts of data detailing vulnerabilities and access management logs. Boards and executives need information that is relatable to their objectives or duties. Contextual board reporting allows the right decision to be made about risk-based investments in cyber security. There is no template, and each business needs to identify the right metrics and measurements they can provide to the board.

Incident response drills. Organizations often test their disaster recovery and business continuity plans without considering cyber as a potential scenario. Cybersecurity needs its own incident response plan and process with appropriate decision makers identified. This document must be a living, breathing document to ensure it is up to date when needed and not gathering dust. Each person who would need to be part of a cyber incident event must know their responsibilities and accountabilities. Victims of cyber-attacks often reflect that they wish they had practiced their response more often.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Urgent or out of cycle or unusual requests from leaders to act. This is called whaling and is like phishing but for executives. Whaling is a form of ‘business email compromise’, a cybercrime which uses fake emails to defraud or negatively impact the target organization.

An increase in customer calls to your contact centre about suspicious emails or difficulty logging into their accounts.

Employees notice that they have access and visibility to sensitive information that they don’t require to perform their job, or they have not previously had access to it.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Activate their incident response plan to minimize the impact on customers and the business.

Communicate with transparency to customers, staff, partners, and regulators.

Conduct a post incident review and examine all the learnings.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Thinking it’s a technology issue — not taking an enterprise-wide approach to cybersecurity.

Not preparing for a cyber-attack (big or small) — make sure you have an incident plan in place and practice it regularly.

Not investing early enough in non-tech security controls — educate yourself on the elements contributing to cyber risk management outside of IT, for example third party risk assessments, robust procurement processes and contracts, and employee engagement in relation to cybersecurity.

Not recognizing it as a risk on your risk register and setting an appetite — acknowledge that cyber is now in the top three risks for every organization and treat it appropriately.

Not having a strategy (even part of the tech strategy) linked to the business strategic objectives — understand the role cybersecurity plays in contributing to strategic business outcomes like M&A and create a cybersecurity strategy which enables broader business objectives.

Not hiring a dedicated cyber leader/resource in the organization — organizations require cyber expertise within to develop and retain IP in systems, processes, and relationships. You cannot outsource the accountability for cyber leadership.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

There is still much more we need to do to improve female diversity in STEM roles. We believe diversity is broader than gender. Building diverse teams must also include age, education, and cultural background. We recommend building diverse teams that represent existing customers and your target customer base to influence engagement, product design, customer service and strategic direction. In our experience solely focusing on gender quotas can drive the wrong behavior in some organizations. True innovative thinking can only be achieved with diverse perspectives.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

You must be technical and have a technical qualification — cybersecurity professionals and leaders come from all walks of life. There are CISOs who are ex-military, ex-internal audit and ex-behavioral science. Cyber needs great communicators, strong influencers and values-driven leaders who can complement the much-needed technical leaders in a healthy cybersecurity operating model.

Cyber leaders can’t report directly to the CEO — the debate continues over who the CISO should report to. There are pros and cons of them reporting to the CEO, CIO, CRO or COO. The right reporting line will vary for each business. Ultimately the CISO needs to have the authority to perform this critical role. In time we expect the CISO to sit on the chief executive’s leadership team, particularly for digital businesses.

One cyber employee can do it all — when helping our clients hire a CISO the wish list of skills, experience and education is lengthy. We work with our clients to understand the business and prioritise the non-negotiable capabilities and attributes. Having a wish list means you’re looking for a unicorn and the role is likely to sit empty for a long period of time while you wait for one.

Thinking every organization’s cyber risks are the same — every business needs to make risk-based decisions to inform their investment in cyber security. You cannot take a one-size-fits-all approach to cyber security — defining risk appetite, mitigating risk, developing a strategy, and reporting need to be established with your specific business in mind.

Compliance = security — many organizations take a compliance-based approach to cyber security. For some this can create a false sense of security in the organization’s preparedness, response and recovery from a cyber event. Achieving compliance will not keep your organization safe. Every organization needs a customized cybersecurity strategy which includes people, process, and technology.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Anna:

Communication is fundamental in the role of leading teams — what you communicate, how you communicate and when are often overlooked as communicating is seen as one item on your to-do list. As leaders, we need to continue to learn and grow. Each year I invest in my communication skills — from multiple public speaking classes, learning how to engage and communicate with the senior leaders, to writing a book.

The ability to deal with ambiguity is rare. Foster that quality in yourself and others and be adaptable, flexible and comfortable with change.

You are only as good as your team because you are only one person. If you do not delegate and/or don’t trust your team, then you become a bottleneck which stifles progress and frustrates others.

Showing vulnerability is a strength, not a weakness. Being an authentic leader and sharing my experiences with others creates more genuine connections and fosters a growth-mindset culture.

Don’t try to be like everyone else, focus on what makes you unique. I spent the first decade of my career trying to make myself like everyone else — from how I communicated, what was on my CV and LinkedIn profile, to what types of jobs I was applying for. It took me years to realise that the things I do differently to others are appreciated, valued, and deliver better outcomes.

Claire:

Accept you can’t have it all. I am a parent to four children, a wife, a daughter, a business owner, and member of the community, so there are many demands on my time and resources. I have found out the hard way over the years that as a leader, I can’t be all things to all people, or I will certainly burn out. Taking a balanced approach is hard work but essential to being a good leader and role model.

Your network is the most important tool — throughout my career, I have been fortunate to meet some amazing people (many women) through my network including my co-author, Anna! My business has thrived through my network connections as has my career, both through what others have done for me and how I have been able to lend my support in return. The value of networks and communities as a leader cannot be understated.

Build a team of experts around you. As a leader, I am grateful to have inherited and recruited some brilliant staff who I see as my peers rather than direct reports. In cyber, while some businesses believe one person should have all the skills necessary to keep a business safe, investing in a diverse team of experts is key to achieving cyber resilience.

Believe in yourself. As women, we are often serving others and when it comes to our own goals, we are not always our own cheerleader. If we believe in ourselves, we can overcome self-doubt, have the confidence to act and show our peers what’s possible.

In leadership, particularly in cybersecurity, there can be some major challenges every day. From influencing the board to attracting talent to managing a crisis. These situations are testing on resilience and are often thankless. While they seem like a heavy load, every situation makes us a better leader.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

We would love the opportunity to dine with Michelle Zatlyn. With extreme success as co-founder of Cloudflare, she inspires us as a self-made woman working in our industry.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!