The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading Cybersecurity Industry”, we had the pleasure of interviewing Maxine Holt.

Maxine leads Omdia’s cybersecurity research, developing a comprehensive research program incorporating infrastructure security, security operations, identity, authentication, and access, data security, and enterprise security management. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong understanding of enterprise security management — the Office of the CISO, the security challenges faced and how organizations can look to overcome these challenges, with a particular interest in how all the component parts of security combine to make up an organization’s security posture.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I loved school in the UK but right up to age 17 I had pretty much no idea what I wanted to do. Then I decided to go to college and the only course available that I was interested in was “Computer Studies”, so off I went and then realized that this was going to be my career choice. I studied hard, eventually securing what would today be called an apprenticeship in the IT department of a medium-sized financial organization, and worked my way through programming, systems analysis, systems support, and more. Eventually I realized that I enjoyed the people side of IT, so went to work in consulting, then for an ISP. At the time of the dot.com boom and bust I found my way into IT research and analysis, and under various guises, I’ve been there ever since.

Maxine rejoined Omdia (as Ovum) in 2018, having spent over two years at the Information Security Forum (ISF) developing research in areas including Protecting the Crown Jewels and Securing Collaboration Platforms. Prior to the ISF, Maxine spent 15 years at Ovum covering topics including security, human capital management, and identity and access management.

Starting her career as a software developer in the financial services industry, Maxine gradually progressed into a systems analyst role and then moved into consulting for the financial services and internet sectors. Maxine is a regular speaker at events and writes frequently for Computer Weekly and Dark Reading, covering various aspects of information security.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

Ghost in the Wires by Kevin Mitnick. A great, easy to read book about how someone gets into hacking, and how easy it can be as an organization to fall victim to it. It might be old school but many of Mitnick’s techniques are as relevant today as they were all those years ago.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

No — I fell into it! I had worked in tech research and analysis for about 15 years, including doing a bit on security, when I was asked if I wanted to pursue it more deeply. I did some more research (as you might expect!) and decided that it was an angle to my career that I wanted to give a go. And I’ve never looked back!

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

Well, I didn’t fall for any of the “tartan paint” requests but there’s so much to learn when starting to get under the covers of information security that it’s easy to make mistakes. I’ll probably go with the one that infosec professionals cringe at the most — that technology is the be-all and end-all when it comes to securing an organization. This was definitely how I thought at the start of my first day, but probably by 11am I’d quickly become disabused of that idea…

Are you working on any exciting new projects now? How do you think that will help people?

Probably one of the most exciting right now is working out how COVID-19 passports might work and be secure. I don’t want to call them vaccine passports as there’s a significant portion of the global population that cannot have a COVID-19 vaccination for whatever reason. The pandemic has affected people in multiple ways and I’m keen to see everyone have safe and secure access to do some of the things that perhaps they took for granted back in 2019.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

2020 was a year of massive change, and this is the first area that I’d like to mention. Organizational journeys to the cloud and the necessary innovation to continue business operations were widely evident last year, similarly in 2021, and there’s a huge security angle to this. Infosec functions are grappling with the anticipated hybrid working model (e.g. 2 days/week remote, 3 days/week office) and continued rapid pace of digital innovation to appeal to customers who have significantly changed their buying habits.

The second area is the opportunity to change the make-up of the cybersecurity workforce, again as a result of the pandemic. I am passionate about the Rule of Steve, which states that in a room (physical or virtual) full of infosec professionals there are usually more people called Steve than there are women. The term was originally coined by Dawn-Marie Hutchinson and I have written about it in Dark Reading. There’s a real opportunity with the hybrid working model to encourage more gender diversity into the security workforce, but we need everyone behind the initiative.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

Back to the Rule of Steve, the lack of not only gender diversity but also ethnic diversity really concerns me. To help with this I’d also like to see a shift from too much focus on cybersecurity professional qualifications — absolutely these have a role to play, but people should have the opportunity to pursue them whilst in a role, rather than have them to apply for a role.

The second area of concern is complexity. Tool complexity to be precise. The average organization has around 75 products in its cybersecurity tech portfolio, many of which don’t work alongside each other. This results in the SOC with an ever-swiveling chair to look at different alerts and so on. It’s high time that we reduced the amount of time and money that organizations spend on “security engineering” to make products work together, and instead focus on reducing the complexity that they face. Plenty of vendors are trying to do this but back to one of my earlier comments — tech on its own is insufficient in infosec.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

There’s plenty of near to far-out “exciting” things that we could talk about here, but I think that one of the biggest critical threats that organizations are still struggling to get to grips with is cyber-resilience. How swiftly would your organization be able to recover from a cyberattack? If the attack were ransomware, what would you do? Only just over one-quarter of organizations are confident that their organization would continue to operate efficiently if they were struck by such an attack (Dark Reading poll, n=587, 7-May-2021). These kinds of issues are real and they are here today, and organizations must be focused on cyber-resilience to ensure that they can continue minimum viable operations in light of an attack.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Sorry, not my background.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Sorry, not my background.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

I’ll answer this from a user layperson’s perspective, rather than the security professional. Social engineering is by far the easiest way for an attack to make its way into the organization. I always suggest that people start with “if it looks too good to be true, it probably is” if someone is being offered an amazing deal. I also talk a lot about targeted phishing, where an attacker goes to significant lengths to impersonate someone (e.g. CFO, CEO) to ask for money — really think about why this request is being made, call the person potentially being impersonated on the number that you have for them, and so on.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Follow all relevant compliance rules, secure systems and data to prevent further loss or compromise (this will involve understanding the scope of the breach), notify affected customers, and implement measures to prevent the same thing happening again (remediation).

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

One of the biggest issues that organizations face is the data that they hold. The core tenet of information security is to protect the confidentiality, integrity, and availability of information, and for cybersecurity, to protect the confidentiality, integrity, and availability (CIA) of digital information. However, given the information lifecycle — create, process, store, transmit, and (hopefully) destroy — there’s so much data out there that very few organizations fully know what data they should be protecting; the footprint is huge. Organizations must find all the data that they should protect, determine how it should be protected (so, you would protect employee bank account information in a different way to a non-confidential internal report), and then implement appropriate protection (easier said than done). Subsequently, controlling data through the information lifecycle then enables appropriate protection to be applied throughout.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

No, but things are improving. I’d like to highlight two changes that are required. Firstly, when we think about women in tech, we shouldn’t just limit it to STEM. Yes, we need all those technical capabilities, but we also need people with an “arts” focus — often referred to as STEAM. Those techies amongst us then work with the more creative arts people amongst us to come up with even greater ways to move forward.

Secondly, to get more women into STEAM we need to go right back to primary school and at home. We should start these discussions with 5-year-olds — and younger: no giving dolls only to toddler girls to play with and toy cars only to toddler boys. No gender stereotyping at home or at school. I shouldn’t describe myself as lucky but I grew up with quite progressive parents who never entertained an idea that as a female I couldn’t achieve the same things (or more) as my brother. As individuals we must constantly challenge anyone who comments about females in the tech workforce — explain how gender decoding of job vacancies works, ensure that diversity (ethnic and gender) is evident throughout our organizations and where it isn’t, work to change that, and so on.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

It’s not about working in dark rooms with people who wear hoodies, never show their face, and are permanently attached to a keyboard. The reality is that working in the cybersecurity industry can be anything you want it to be. You can be a deeply technical person who loves getting into the nitty gritty of cybersecurity and can “ethical hack” day and night. Equally, you can be a business-focused person who engages with a line-of-business lead who is working on a new system and needs help with understanding the risk and security implications of what they’re doing. The best thing to do with cybersecurity is find your way in and then try as many different things as you can, until you discover your niche. You may end up being spoilt for choice!

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

1. Don’t think about your gender. Being the only woman on a team happened to me many times, but I always threw myself into the work or project with gusto. Conversely, fight back if someone wants you on a team just because you’re a woman. “I’d like you to do this presentation as we could do with some diversity in our program” is a phrase I’ve heard on more than one occasion.

2. Be yourself. In the 1990s, when I was starting out on my tech career, I did occasionally make the mistake of trying to be “one of the guys”, but rapidly realized that this wasn’t really me. I learned this pretty quickly, in the first few years of my career (with some great male and female mentors in my first role) and I’ve never looked back.

3. Get stuck in. Tech can be tough, whether it is learning a new skill or dealing with awkward users. I remember being “on call” as a young programmer and having to decode a system failure using hexadecimal. It was a nightmare, but I stuck at it.

4. Treat everyone as individuals. As I became a manager and a leader, I treated my team as I would like to be treated myself. This worked to an extent, but then I realized that of course not everyone was like me, and different people liked to be treated in different ways. Recognizing that everyone is an individual, and playing to their strengths, really encourages teamwork and retention.

5. Provide clarity. I’m lucky enough right now to be leading a team that is developing products from a vision that we’ve created between us. I own that vision and the execution, and it is vital that as the work moves on I am providing clarity on the next steps to deliver on that vision.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

Baroness Martha Lane-Fox

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!