The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Emily Mossburg, Global Cyber Leader at Deloitte.

With more than 20 years of experience in cybersecurity, Emily Mossburg leads Deloitte’s Global Cyber strategy — driving the continued evolution and expansion of the practice’s global reach, innovative cyber capabilities, and team of 22,000+ cyber professionals worldwide. At Deloitte, she has been integral to helping some of the world’s largest organizations understand their cyber posture, transform their cyber programs during business and marketplace shifts, and strengthen their strategy when faced with threats. Emily is a recognized leader and authority on cybersecurity and was recently named one of the “100 Fascinating Females Fighting CyberCrime” by Cybersecurity Ventures.

Thank you so much for doing this with us! Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

As long as it doesn’t make me sound old… I was working with another consulting firm after graduating from college and a colleague there was leaving to start an IT security firm. This was before it was even called cybersecurity. Lucky for me, they asked if I wanted to join them and, thankfully, I was open to the opportunity. I think that’s the great lesson in it all — the technology industry evolves so quickly that it’s exciting to jump into something that is not yet proven but has a lot of promise. And 20+ years later, here I am.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

When I first started my career, I was pretty regimented — in the sense of how I strategized on client issues and approached projects. Based on my experience up until that point, I felt there was only one methodology to address cyber or a specific, singular way to complete tasks. So, when I completed my first project and transitioned to a second one with similar parameters, I thought it only made sense to approach the new project the same way I had with my previous one. I confidently shared my strategy with my boss at the time, who quickly proved me wrong.

Reflecting on it now, I can laugh at my “always” mentality — that you should “always” do this or “always” do that for guaranteed success — but it certainly wasn’t funny back then. I was almost too focused and decisive — which inhibited my ability to think outside of the box and help solve my clients’ unique and varied cybersecurity issues.

That experience has taught me that “the less you know, the more you know; and the more you think you know, the less you actually do.” Cyber is ever-changing, so there is never going to be a one-fix-all solution — every issue must be observed from a different lens. It is so important to be able to adapt and pivot when necessary because no cyber issue is ever the same.

Are you working on any exciting new projects now? How do you think that will help people?

Yes! By the time this publishes, my team and I will be in full swing of the Deloitte Women in Cyber campaign, our global awareness and recruiting campaign to attract more women with diverse skill sets and backgrounds to the cyber profession and celebrate those making an impact now.

We hope that the campaign will inspire girls around the world to explore careers in STEM by showcasing the unique depth and breadth of jobs in the cyber industry. So, when asked about what they want to be when they grow up, little girls will say ethical hacker, data privacy professional, or cyber strategist.

Thank you for all that. Let’s now shift to the main focus of our interview. The cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

The COVID-19 pandemic caused companies to move digital transformation at an incredible pace. Companies had to quickly figure out how to shift to remote and virtual environments, migrate to the cloud, and update and create their cyber plans. Many of these changes were made quickly and now companies are beginning to take a step back and think through a more robust and permanent set of changes, which is shaping the future of cyber — and that is exciting!

However, it is important to note that in the wake of the pandemic, with accelerated digital transformation efforts and remote work environments, ransomware attacks are on the rise. And they are increasing in number, persistence and sophistication by threat actors who are adept in evasion techniques. Every organization is vulnerable to ransomware attacks. The CEO and the board must be fully equipped with the knowledge to deal with the prospect of a ransomware attack hitting their organization and be doing as much as possible to ensure this doesn’t happen. In an urgent memo shared on June 2nd to American organizations, the Biden administration urged corporate executives and business leaders to take immediate steps to prepare for ransomware attacks. Ransomware attacks are not going away any time soon, which means everyone must get better at preventing a targeted attack from becoming a successful one.

It is also exciting to see the industry recognition of cyber as an enabler to innovation, transformation, and success. Cyber is about more than saying no but embedding security into the strategic decisions and processes of an organization that will enable it to move faster, more securely, and more successfully into the future. As we all reacted quickly to get our workforces online and get access for our people, we saw the importance of making sure trust remained at the heart of our digital acceleration. We know that trust is crucial to every relationship and cyber is about preserving that trust. Cyber is connected; it is ultimately about people understanding and trusting those connections and empowering our society to innovate and move forward safely.

Last, I am very happy to see the industry beginning to acknowledge the importance of having cyber teams comprised of individuals with diverse skillsets and backgrounds. Global security will suffer if greater diversity is not brought to solving the complex cyber challenges ahead. We must expand the vernacular used today around careers so that when asked, ‘what do you want to be when you grow up?’ the answers include roles like ethical hacker, data privacy professional and cyber strategist. We should break down the common misconceptions about the type of work that exists for cyber professionals and the type of experience you must have to do that work. This is why we launched our Women in Cyber campaign. We created this global awareness campaign to highlight Deloitte’s women in cyber and all the powerful work they do to keep us safe while bringing greater attention to the need for more women in this industry. While there are many opportunities for young women in this profession, there is a disconnect between people understanding what cyber professionals do and the skills needed to work in this industry. This campaign intends to spotlight and share insight into the women currently leading cyber in hopes that other professional women and younger generations will better understand what a cyber expert looks like and be inspired to explore the many facets of this crucial and exciting industry.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

The cyber industry is currently facing a threat of its own. Demand for cybersecurity is at an all-time high amidst a growing skills shortage. According to an (ISC)2 study, the global cyber workforce would need to grow more than 145% to meet current demand. Organizations can address this issue by making sure that the incoming workforce includes women.

Where the industry stands now, opportunities in cybersecurity are failing to attract women. To meet the increasing demand for cyber experts, organizations must change the way we speak about cybersecurity and the opportunities that lie within the profession. The boys club mentality must be broken, and women must be spotlighted for the invaluable work they do to protect nations around the world from cyber threats. As more women and young girls start to see themselves represented in this space, and we expand our language on the types of skills and experience needed to work in cyber, we will start to make progress in tackling the talent shortage.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

I think companies must understand that no organization is immune to a cyber-attack — as if the ransomware attacks of the past week and months are not evidence enough. Organizations that don’t prioritize and constantly reflect upon their cyber posture are opening themselves up to costly and sometimes catastrophic consequences. Strong cyber hygiene practices should be prioritized, regardless of industry, to reduce the threat of ransomware attacks, which includes workforce training on sound cyber practices. CISOs and their teams need to prioritize their resources as they cannot afford to put off dealing with potential cyber risks.

When an organization does get hacked, it is essential to approach the attack through various lenses — underscoring the need for cyber teams to comprise individuals with diverse skillsets and backgrounds. The first step is to quickly understand the nature of the attack to help answer and address the questions of what, where, how and how much. The type of attack will determine how teams respond. This is when it’s beneficial for organizations to have a crisis response playbook, enabling teams to have a well-placed chart to figure out next steps. Once the attack’s origin is understood, teams need to educate those involved to explain how to prevent them in the future and introduce a heightened level of management and controls that can strengthen their IT and business processes.

Common perceptions about the impact of a cyberattack are typically shaped by what companies are required to report publicly — primarily theft of personally identifiable information (PII), payment data, and personal health information (PHI). Potential impacts that are less understood and rarely revealed to the public eye — many of which are intangible costs that are difficult to quantify — are damage to trade name, loss of intellectual property, or costs associated with operational disruption. Consider the cost of paying ransoms after cyber adversaries have locked networks. In many cases, like with recent major incidents, the operational disruption experienced by the victimized organizations can be devastating. It can take months to recover, as it often results in the need for organizations to rebuild systems, networks and more. Executives should invest in risk-focused programs to gain greater confidence in their organization’s ability to thrive in the face of a cyber incident. It involves the ability to respond effectively and repeatedly, to plan proactively, to defend your critical systems and data assets vigorously, to get ahead of evolving threats, and to recover thoroughly when attacks do occur.

Common mistakes we see include:

Limited coordination between operational technology (OT) and IT, leading to siloed views of cyber threats and segregated incident response and resiliency plans

Lack of segmentation of OT and IT networks to confine an attack from expanding into critical networks and control systems

Limited awareness of attack surface vulnerabilities and paths to critical systems and assets

Lack of ransomware incident response plans to bring critical systems back online and enable business continuity

Companies need to remember to continuously strengthen their core cybersecurity hygiene to minimize the impact of cyber risks. For some organizations, this may mean delving into your third-party liabilities and obligations. For others, it may involve categorizing your special interest vendors and assessing where you fit within the larger supplier ecosystem. For each of us, it’s helpful to remember that we’re all in this together. By collectively strengthening our cybersecurity postures, we can enhance not only organizational resilience but also raise cyber maturity across the board.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

To put it plainly, no, I am not satisfied with the current status quo for women in STEM. There’s a lot of change that needs to take place, particularly in how we as an industry promote STEM to women and girls. With the industry’s current shortage of talent failing to fill the increasing number of job positions, women play a pivotal role in transforming the field.

Regarding education, we need to revamp the way we showcase the breadth of opportunities available within every industry sector. This could be done by developing clear school courses or curriculum goals, emphasizing the many facets and positions in STEM. If people feel safe exploring the different avenues associated with STEM, they are more likely to actively and openly learn more.

Education also doesn’t have to start in a classroom. Think of how young you were when you started thinking about what you wanted to be when you grew up — it’s never too early to start having conversations at home about STEM careers. The more we normalize intentional conversations around STEM and its associated careers, the more comfortable young women will feel about exploring opportunities and that this industry has a place for them.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

It’s easy to assume that working in cybersecurity means you need in-depth technical experience to succeed in the field. Yes, some positions require more science and math-heavy analysis, however, people with backgrounds in social sciences or business are needed here as well. What makes cybersecurity unique is that it requires various perspectives to properly solve complex cyber issues and threats, so we openly welcome people with unique experiences and skillsets. You don’t have to be a math genius to thrive here.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why?

1. Take (thoughtful) risks

Understand where you can push and encourage yourself to step outside of your comfort zone. For example, working in cyber, you will never be in a position where there is no risk — risk is almost always guaranteed. What’s important is how you mitigate that risk by assessing all possible outcomes and making the best decision at that moment for the benefit of your client or organization. It’s the same way I approach my career. Take that step even if it seems a bit scary (change is never easy), but always know what you’re getting into.

2. The more you know, the less you know

As I mentioned earlier, no cyber incident is ever the same. And the more I’ve grown in my career, the more apparent it is to me that we simply don’t have all the answers. However, despite this, we must remember to lean on your team members when necessary. With so many unique experiences and backgrounds, you’re more likely to problem-solve when working together. With that said, I encourage you to take pride in what you don’t know and use that to build a diverse team that can help fill in the blanks and create a holistic perspective that isn’t possible on your own.

3. Manage through empowerment

Managing others is challenging; many women in this position tend to question themselves or feel that there is only one right way to be a manager. When I learned to let go and empower my team to take ownership of their projects and trust their instincts, it was amazing to see how they grew and succeeded. This isn’t to say that you should take a completely hands-off approach; instead, it is an opportunity to encourage your team, ask challenging questions, and empower them to lead. Instead of asking yourself what your team can do to help you, ask what you can do to set your team up for the best chances of success. This is my advice for teams of any size, whether big or small. Being a leader isn’t about being in control of a hierarchy but knowing how you can support those around you to reach their full potential.

4. Be open to surprises

As I am sure most of us have learned in life, nothing is ever guaranteed. Life is full of unexpected twists and turns, and most of the time, we’re just along for the ride. Nevertheless, we should be open to these curveballs because they are always learning opportunities. Cyber is constantly evolving and changing — be open to roles that help you explore those changes and define your path. That is where I’ve found some of my greatest successes.

5. Create paths for the next generation of women

To break the “boy’s club” cycle and mentality in the STEM industry, it is vital that those of us in positions of power help create opportunities for future women to thrive. Making time to mentor women in the field or actively advocating for women to be included in decisions and projects will be key in creating a more gender-diverse STEM community.

