The next expert whom we had the opportunity of speaking with is Helen Rabe. Helen is an experienced Information Security professional who specializes in complex strategic deliveries with a strong emphasis on security service management delivery across a broad range of industry and technology sectors. In this interview, Helen discussed data breaches, what should be the CISO’s first question if a breach happens, and other topics. Continue reading and uncover her insights.

1. We would like to get some information about yourself. What’s your background?

I come from a fairly traditional IT background where I focused on delivering IT network projects for various organizations across different business sectors. My core skills were in project/program management but I also worked as a Service Delivery Manager. My experience is varied and covers the full systems lifecycle, from analysis to delivery and operations. Security was always a part of these program deliverables however it wasn’t the core focus. I was fascinated by the topic and it was always the one item I enjoyed spending more time on where the opportunity allowed me to.

Unfortunately in the past, there were often many entry barriers placed in front of me, and getting into the security sector wasn’t an easy journey. Since my background was predominantly strategic and not technical, my options were limited. I finally decided to freelance for a while and I specialized in managing remediation projects that supported companies that had suffered major breaches. These complex projects required reactive project management in challenging environments and this approach was my stepping stone into the security industry.

2. What drew you to cyber security?

I was always fascinated by the notion of ‘the intelligent adversary’ and the impact these individuals had on an environment that was becoming more challenging to control and secure. As a person, I tend to focus on the long game and it was becoming apparent to me that security was eventually going to be an inherent part of our lives both personally and professionally. This will sound rather shallow but it also meant, to me, an area that allowed me job security until retirement. Obviously, it helps that the topic of security itself is of incredible interest and I love my work.

3. What motivates you to keep pushing ahead every day in the security field?

Simply put, the fact that I am passionate about what I do. It is never boring and there is no comfort zone for me with security…I am always learning and growing. There is also the fact that I feel this job offers me the opportunity to provide a service. I am able to perform pro bono work for charities as well as provide coaching to schools and similar establishments. It is serious work but can be fun at times and provides a great balance as far as a career goes.

4. Could you please tell us what were the 2 most important cyber security lessons you learned in 2020?

The first – no CISO is an island, collaboration across 1st and 2nd line teams is key to the success when delivering security programs, especially if the CISO does not directly manage the operational security teams.

The second – working more proactively with my respective vendors allowed for a valuable, content-rich threat intelligence program that added value in real-time.

5. What do you foresee will be the biggest obstacle for CISOs to overcome in 2021?

Having had many conversations with my peers recently on this topic, I believe it will be the budget investment challenge. Many business leaders are driving assertively for cost efficiencies, by extension is pushing security leaders to channel their security solutions via one vendor to optimise efficiencies and save costs, this approach does have risks and often incurs gaps in the quality of the security controls and services. A one-stop-shop for security sounds like a wonderful approach however for security leaders, this means managing those gaps which often creates operational challenges and resource constraints.

6. Now let’s talk a bit about data breaches. What should be CISO’s first question if a breach happens?

If an incident has been declared as a breach, the first question I ask is “has the CIRT/Incident plan” been put into play.  If you have a robust resilience program and an approved incident plan in place, then you have a path to follow and you have some measure of control around the incident lifecycle. If you do not have a plan in place, your first question is usually one that very few people want to hear, i.e. who owns this incident!

7. Are data breaches unavoidable? If yes, is there a right and a wrong way to deal with them when they do occur?

The answer to this depends on the nature of the incident. Not all are avoidable, some are too sophisticated and despite the controls in place, the attacker will always get through if they are determined. In some instances, yes, poor practice on some of the most basic of controls can allow an attacker to compromise and breach your systems. There is no one size fits all to preventing or managing breaches.

As for right and wrong ways to deal with them, subjectively I believe that your incident plan is core to the success of handling any incident. You need to run annual practices to test the effectiveness of the plan and ensure all parties including the likes of internal communications and Legal are included.  If the incident warrants a communication release to the public then follow the core principles of responsible disclosure. It’s best to handle incident communication with authenticity and transparent communication. If it is a notable breach that affects customers and you don’t responsibly disclose, be aware that if this finds its way to the public domain, it can have an impact on your reputation and credibility.

8. For people who are thinking about a career move from IT general management to security, what are the TOP 3 skills do they need to move up the ladder?

Firstly you will need to decide which area within security you would like to follow i.e. The governance-focused Information Security or the more technically oriented security disciplines. Each has their own specific skill sets to consider and there is a lot of information out there to guide you. However, whether you choose to move into the strategic, governance remit or, the first line-oriented technical field, the following 3 skills are qualities that traverse both areas.

1. You need to be an effective communicator, this includes being an active listener. Security is a business enabler so it is key you know how to communicate with your business as well as your vendor partners.
   
   
2. Stress management – this may sound like an odd skill to mention, but security is highly dynamic and can often be a high-pressure environment – learning to cope and manage stress is important.
   
   
3. You enjoy change and love to learn – the security industry is always evolving. You need to be constantly refreshing your knowledge as well as be able to easily adapt to change.

9. Our last question: if you had to recommend one book to learn for a beginner getting into cyber security what would it be and why?

Believe it or not, this was the most challenging question for me to answer! I have read so many books on Security Strategy & Management, but they could be considered too intense for a beginner. I recently mentored someone and recommended a book that was referred to me called Cyber Security for Beginners by Raef Meeuwisse. The mentee enjoyed reading the book and found it offered a great balance between the governance and the technical aspects of cybersecurity, so this would be my recommendation for a beginner.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.