Security Expert Interview Series: Monika Geitlinger

We recently had the opportunity to interview information security professional Monika Geitlinger on her journey and experiences in the security sector. Having worked as a consultant with a focus on regulatory compliance and risk management, as well as an Information Security Officer concentrating on security awareness, Monika offers her perspectives on being a woman in technology and the challenges of GDPR in small businesses. Read more about Monika’s great insights below.

Security Expert Interview Series #20 Monika Geitlinger

1. Everyone has their unique story of arriving at the Information Security Officer role. What is yours?

After working in information security consulting for the last five years, which meant I was always on the other side of the client-consultant interaction, I realised I wanted to switch perspectives to encounter new challenges, have new responsibilities and broaden my expertise. Additionally, I’d be able to better understand my counterpart’s needs if I ever wanted to go back to consulting.

When you’re a consultant, your projects never fully belong to you: your counterpart usually has the last word. Often, the end result only scrapes the surface of compliance but doesn’t cover everything you’d like to accomplish. As an ISO, I’m excited to actually implement changes in company culture and go beyond simply ticking the boxes to be compliant with regulations. 

2. As we saw from your profile, you did your bachelor’s in International Management for Business and Information Technology. We are wondering how your background has prepared you for success in the infosec industry.

I studied in the German Dual Study programme, which allowed me to switch between studying and working every three months. The fast-paced (and occasionally high-pressure) nature of the programme enables you to move around the business environment early on, gaining hands-on experience before graduating. The focus on giving presentations and learning business behaviour throughout the programme gives you an advantage over students studying in traditional programmes.

When it comes to the course of study, International Management of Business and IT is essentially a business informatics course with a focus on communication and the influence of culture as well as a management view on the various topics. Although we didn’t have a lecture on security at all, the programme helped prepare me to communicate security awareness topics on different levels within the company – for example, discussing the issues on a management level and also with the techies – without losing the audience.

The same applies to designing campaigns or working in multi-national environments, as the approach you choose sometimes has to be adjusted depending on a country’s / company’s culture and your target audience. Additionally, the mixture of IT and business administration allows you to understand management needs as well as technical discussions, which is a must in information security job roles.

3. What TOP 3 soft skills do you think are most important for infosec officers?

  • Varying communication skills: For information security personnel, the ability to discuss the topic on various levels in a company is essential, so you can communicate the needs on every company / hierarchical level.

  • Flexibility and the willingness to compromise: Enabling people to do their work more securely and efficiently without compromising your company’s data and security should always be your goal. If that means you have to change some of your plans to fit the needs of the company better, allow some degree of flexibility to accomplish both the goal and compliance with your policies and guidelines.

  • Engage with your colleagues: The more engaging you are, the more people will be willing to work with you to enhance their security behaviour! But just as important, if they have an engaging person training and helping them with security issues, they’re more likely to be invested in the topic and build an emotional connection with you and with the topic of security.

4. Please walk us through the most dangerous threats to the security of personal data on the Internet today. How can we protect ourselves from these threats?

We continuously make ourselves more vulnerable and trackable. At any given time, someone could know where we are: for example, when we log into a public place, leave our GPS running, or constantly post what we’re doing. This constant activity leaves us open to attacks – be it physical ones like a break-in while we’re not at home or in the digital environment. Most of us either don’t pay attention or don’t care about what information is public, especially when sharing personal data enhances our lives in some way. Take gaming apps: many require additional permissions that the apps don’t actually need – when granted, they scrape your data.

To counter this, we can start being more mindful of whom we share our data with and how said data is then used. Try to find a better balance between convenience and protection – small steps, such as multifactor authentication and checking app permissions, go a long way. Additionally, we need to be aware of other people’s data we might be sharing alongside our own. Apps like Clubhouse, Facebook, and so many others require us to share information not only about ourselves but also about people we know. I believe it’s important to keep this in mind when making a decision on whether or not I will use an app.

5. What are the greatest challenges that small businesses have to overcome in relation to the EU GDPR?

For most small businesses, GDPR is an overwhelming topic. Small business owners are focused on specific topics that are usually quite far away from the topics covered within any data protection regulation. It’s what they’re good at and what they want to spend their time on. Additional resources to cover tasks related to GDPR, as well as the specific knowledge that is needed to implement all requirements, are often missing – and expensive if you are looking to outsource. This leads to the need for investments not everyone can cover – or to a best-effort attempt which might still need a high time investment, but which might fail in the end. What is really needed is a less complex way to approach GDPR even if you’re not an expert – to enable everyone to be compliant with the regulation without having to invest ages to dig into the topic.

6. What are the things you have learned being a woman in information security?

When you are a woman in Security, you’re often the only woman in the room – and not everyone is willing to listen to what you have to say. I learned to fight to be heard and for the opportunity to join the conversation, even when someone tried talking over me.

I also learned to still be myself, even though colleagues or counterparts might expect me to be different. Being a woman in this industry, especially a young woman, I usually stand out. That doesn’t mean one has to blend in or play tough. In a feedback session, I was told I was “too nice”. Although the feedback was overall helpful, this specific point doesn’t ring true to me. Why should I change the way I am? I don’t think it’s useful to threaten or intimidate people to reach a goal. Instead, we should strive to engage people in what is an interesting and important topic. It’s not necessary to change and adapt to everybody else’s behaviour. Just be yourself, be authentic.

7. What do you think we should be doing more to encourage more women to consider a career in tech and information security?

Even though it was possible for me to study business informatics without having any IT background from high school, having prior IT experience before entering university would have been helpful. Introducing girls to STEM early on and encouraging them to take part and develop their interest in these topics allows them to see another possible career option. IT courses should be provided in schools for all children. If girls were surrounded by tech and the opportunity to play with it early on, their ability to perform well in technical roles wouldn’t even be a question. Instead, they and everyone else would already know they can.

Additionally, we should step away from labeling what children play with as “for boys” or “for girls”. Often, boys play with Legos as children whereas girls play with dolls. When a boy wants a doll, he’s often laughed at by other children and it’s a bit uncommon for girls to play with Legos. Encouraging children to explore what’s out there gives them the opportunity to play around with different options – without biases. That will then also lead to more girls realising that they’re not the “odd one out” when interested in maths or science, but that there are a lot of girls like them, thereby encouraging them further.

8. What are your 2 most important pieces of advice you would give to women who want a career in information security?

  • Do it! Do not be intimidated by being one of the few – it has a lot of advantages and you will learn more than you think. In the roughly 5.5 years I have been working in the industry, it was never boring: there are so many different topics one can focus on and it’s such a fast-paced line of work. As long as you are interested in tech, you are good to go – and maybe you can be a role model for others, the role model you might have liked to have yourself.

  • Find a mentor (or even better: a few!) who can help you grow and who can be a sparring partner when needed. Ideally, this works in both directions, so it’s a lasting experience. 

9. What do you wish you knew at the start of your career, that you know now?

When I started working in Security, I always wished for a shared knowledge base, so I’d be able to read up on certain topics. Using Google to search for detailed information only gets you so far, in most cases. A lot of sites tease a topic but if you’d like more information, you’d have to pay. But there are loads of free resources and events out there to help you dig deeper into various topics – they are just not the first thing you find when you don’t know what to look for. Some examples are the BSI IT Grundschutztag, and events hosted by universities, such as the Trinational Cybersecurity Days. 

10. Where do you find inspiration, news and industry trends?

I check infosec news blasts like Threatpost or Infosec Insider on a regular basis but also listen to podcasts like “Down the Security Rabbit Hole” by Rafal Los, “Security Awareness Insider” by Katja Dörlemann and Marcus Beyer, or “Paul’s Security Weekly” by Paul Asadoorian, and a few others. LinkedIn can be a surprisingly good source as well. Nothing beats conversations and discussions with peers though, which is why it is important to build a strong network from the start.

Learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and the economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.