CISO Interview Series: Clodagh Durkan

We are thrilled to announce our next interview with Clodagh Durkan, Chief Information Security Officer and Head of Security at Skybluesec. Clodagh touches on areas like how she sees innovations in cyber security impact how organisations think of cyber security and how we can attract more young people to this field. Make sure to check our previous interviews and also keep an eye out for announcements about our upcoming interviews. Now, enjoy your read.

CISO Interview Series #5: Clodagh Durkan

1. We would like to get some background information about yourself. What’s your background?

In College, I was studying Engineering after transferring from Science. I always wanted to work in the European Space Agency as something… anything 🙂 My college job then was in Eirpage, the national paging service in Ireland, a joint venture between Telecom Eireann and Motorola. Working at nights to pay huge College Loans. I took a break year after getting Measles (Go Vaccines) and found my DREAM job. Eirpage offered me a full-time role as a Network Administrator. Eirpage / Eircell then became Vodafone Ireland in 2000 and I continued in Telecoms Security for 20 years! Working in 4 country operators: Ireland, Ghana, Italy, and Germany.

2. What drew you to cyber security?

Funnily, from taking that year’s break from college, I was in telecoms at the start of Prepaid mobile. Swisscom and Vodafone Ireland still have a disagreement as to who was first to market. I was the Lead engineer in a small team managing all the Firewalls, VPNs, remote access for vendors, and doing Linux / Unix / DBA work on the core platforms and Ethical hacking to test new systems for the core network engineering like Ericsson / Alcatel / Nokia. Very geeky :) This was the seed that blossomed into Technology Security Products and Services architecture. The pure operations being spun out into what became Technology Security Operations Centres (or SOCs). We didn’t always get it right the first time, however, we would stick with it through the night if needed until it worked!

3. What is the most exciting part about being a woman in technology?

I do not really position myself as a woman in security. I found a career that I have always loved. Security constantly challenges me to find solutions, to enable new innovations in communication, better ways of working, and as we saw in the last few months, how to ensure continuity in a crisis. I do always like busting through the assumption that I am not technical because I am female and wear a skirt! It is nice seeing the rise in more females entering the profession, we are still far fewer than official diversity stats promote.

4. Could you briefly explain your role as CISO?

I have been a Lead / Manager / Head of Security for many years, the terminology has changed remarkably, as the business has seen the value that Security gives in protecting core assets and enabling innovation. When I went to Ghana in 2008 / 2009 the term CISO or CTSO became a thing. Before that, HR departments always pushed us as technical leaders or senior engineers within the CTO/CIO team. CISO in a sentence is the one with a calm head, who can figure out how to find both technical and business solutions, who engages across all departments, understands all the languages and priorities a company speaks, mainly legal nowadays. Protector of the Brand.

5. What are your thoughts on GDPR, CCPA, and other data privacy regulations? How do consumer data privacy laws affect the industry you are working in?

Hugely, traveling has made me appreciate the difference between countries when it comes to network maturity regarding privacy. For example, in Ireland, we did a lot of payment services and solutions using credit cards early, which meant in the 2000s we had to implement network segmentation for PCI (Payment Card Industry) regulations. Countries historically very card, credit card, and e-commerce averse, e.g. Germany, face some remaining network and process re-architecture on top of the regulations. ‘Do you do SABSA, PCI, and ISO27001?’ is still one of the biggest questions I get asked here.

There are also some concerning developments after Schrems II with Legal arguing over Global anonymisation and the potential for CEOs being personally responsible for breaches. Punishing the victims rather than the criminals, I am not sure I agree with. GDPR underestimated the legacy that still exists worldwide in technology, processes, and companies’ strategy. We need to fix not blame. During Covid, I suspect a lot of solutions were implemented in haste, they will need to be evaluated also. E.g. a remote access rollout with employees who access from their home PC, or the storage of faces captured on Zoom webinar screenshots. In some countries that is not allowed! It is a rabbit hole.

6. What are the most critical success factors that a CISO must show to succeed? 

  • Get sponsorship from the CEO / Board, lead from the top down.
  • Learn how to speak with the ‘business’, not scare them.
  • Be brave, stand up for your ethics.
  • Ask questions, ask how, why, what can I do to help?
  • Be humble. Be uncomplicated. De-clutter buzzwords.
  • Know your network. Know your risk exposure, know where your assets are. Where is data flowing in your world? On-premise, remote access, devices, IoT, IIoT, factories, clouds, shadow IT, global, people … who has fingers on your data, who has fingers on your outsourced providers’ data, and how do you manage that global complexity?
  • Report and manage trends. Investigate anomalies immediately.
  • Update your crisis response and disaster recovery plans constantly.
  • Know your regulatory responsibilities.
  • Know and manage your vendors, they can be your best friends.
  • Know the risks your customer brings to your brand trust.
  • Market Security with passion and fun, it is the heartbeat of the company.

7. Could you share your thoughts on how you see innovations in cyber security impact how organisations think of cyber security?

I see a huge appetite for security as a brand trust factor. Since GDPR, Security has become a key evaluation KPI for procurement departments and a hot topic for the board. You can transform security operations cost into a premium marketing feature.

8. Any parting thoughts here you would like to share? It could be on anything like work-life balance and career goals.

I was lucky enough to change my diet radically years ago as I had a lot to lose (165-170 kg …ahem), eating well has kept me calm over the years and that +165 kg taught me about perceptions people often have. My main advice is to eat well, eat lots, eat intelligently, we all know what the rubbish is, feed your brain! Be healthy, get enough sleep, and change your perspective often.

9. How do you think we can attract more young people to cyber security?

Lower the barriers to entry and decomplexify the language. I like the idea of apprenticeships very much, especially for building up in-house blue and red teams. There is no one way into security, the best people have come from experience in diverse disciplines. I once met a CISO who boasted about only hiring people with an MSc in Security. He would never have hired me in that case! Accept that people have different journeys, with the right attitude you can teach anything.

10. What would be your one piece of advice to every young cyber security enthusiast?

Go for what you love, read lots, experiment! If you like solving problems, it’s a FASCINATING career, you will never be bored. A lifetime of learning.