Cybersecurity is a mission, not a job. Today’s guest has 20+ years of experience to prove that. As part of our National Cybersecurity Awareness Month miniseries, we talk to Laura Whitt-Winyard, CISSP, CISM, CISA, CRISC, a Fellow at the Institute for Critical Infrastructure Technology and International Advisory Board Member at HMG Strategy. Laura got herself to cybersecurity through a slightly unconventional route. Now, she is one of the industry’s respected thought leaders and a role model for women in the space. Tune in as she joins Sherry Bevan to talk about her typical day as a CISO, the challenges she had to go through in her career, what she enjoys about her work, and the wisdom she can impart to women working in the sector.
Listen to the podcast here
National Cybersecurity Awareness Month Special: Cybersecurity Is A Mission, Not A Job With Laura Whitt-Winyard
In this mini-series, to celebrate National Cybersecurity Awareness month, I’m talking to a range of women about their careers in cybersecurity. In this episode, I’m delighted to be talking to Laura Whitt-Winyard. A very warm welcome to you, Laura.
Thanks, Sherry. Thanks for having me.
Laura has a whole string of letters after her name. She’s got a range of qualifications. She has worked for some leading companies, including Comcast and Bloomberg. Let’s jump right in and find out more about Laura’s career in the cyber world. Laura, could you start by telling us how you started in IT and cybersecurity and how your role has evolved over time?
I have been in cybersecurity for many years. I started in IT, and it was by accident that I went into cybersecurity. One of the companies that I was working for was Allstate Insurance Company. They were doing a lot of business with CNA Insurance Company in Chicago. Having talked with the CISO of a CNA insurance company, it turned out that their security architects had sabotaged their networking.
He asked me if I thought it was something I’d be interested in trying to help him fix, so I did. That’s how I got into cybersecurity. Subsequent to that, I realized that cybersecurity was my passion. It’s always changing. You never get bored. You’re constantly learning. You have the ability to affect positive change. Subsequent to that, I moved from CNA to Bloomberg, where I worked for some amazing people. I went to Comcast and worked for even more amazing people. It was a wonderful experience. It’s always an opportunity to learn.
That was quite a start in cybersecurity, being asked to pick up where somebody else has done some real damage, by the sounds of it.
It was crazy. I had to learn on the fly, which is probably one of the best ways to learn.
It’s interesting that you’ve got a slightly unconventional route into cybersecurity. That seems to be a common theme in this mini-series. Quite a few of the women I’ve interviewed already have not actively looked for a career in cybersecurity but landed in it by chance, almost.
Back in the day, very few people intended to go into cybersecurity. It wasn’t a career route that most people even knew about.
It’s very true. Perhaps you could tell us a bit more about what you do on a day-to-day basis in your role.
On a day-to-day basis, you spend quite a bit of time working on strategy and vision, trying to discern where the company is going, aligning the security strategy with business objectives, as well as staying on top of the latest trends, understanding a couple of years ago nobody thought too much about quantum computing. They thought it was so far off. Now it seems it’s on our doorstep. You spent a lot of time looking at what’s advancing in security and the latest trend and factors, but then taking that and marrying it with your strategy and the company objectives.
That sounds like a lot of thinking power that goes on in that type of role because you are having to look at what’s coming and predict how that might influence or affect operations for your business.
Cybersecurity is always changing. You never get bored, you’re constantly learning and you have the ability to effect positive change.
There’s quite a bit of a prediction, and I would venture to say even guessing. You look at what’s going on and try to ascertain how it could impact your company and its customers. Sometimes you get it right. Sometimes you get it wrong. Sometimes you’re too advanced for the company or are a little bit ahead of the time, and you’re not ready for it. A good example was when I was at Bloomberg. I was exploring anomalous detection back in 2005 and 2006. The cybersecurity world wasn’t ready for it, and neither was Bloomberg. Now, everybody talks about anomaly detection.
That’s one of the interesting things about working in this sector, particularly in technology, because it’s evolving quickly. There have been quite big changes as well over the last couple of years. Nowadays, the general public has more awareness and understanding of cybersecurity in general.
It’s extremely beneficial to a CISO. There’s a saying that says, “Don’t let a breach go unutilized.” The fact that it’s become more prevalent in the news, less and less executives and companies as a whole are saying, “That happens to other people. It doesn’t happen to companies like ours. We’re too small. Nobody knows who we are.” Now they’re realizing that is not accurate.
That general awareness has increased amongst the business itself rather than just being something that IT and the technical people understood. That’s a real positive in some ways.
It helps security leadership be able to explain the ramifications of not doing certain things and the benefits of doing certain things. It makes it much more applicable to the business in their everyday life when they see what can happen to other companies.
Tell me a bit about your career. What’s been the biggest challenge that you’ve had to deal with?
I would say probably as a female being perceived as not technical. That’s the biggest challenge. Typically, you start a new company, they see you as a female, and they assume you understand regulations, compliance, and maybe the legal aspect, but not the technical aspect. It’s always, in a way, a little bit fun once they realize how extremely technical I am and the shock on their face. That’s one of the biggest challenges.
How do you get around that challenge? What do you that makes that less of a challenge?
It takes time working with the engineers, engineering leaders, and product leaders and being able to make recommendations that aren’t so along the lines of checking a box for compliance to say, “Maybe we can’t do this, but here are some opportunities and options that we could do something else.” Security coverage is typically surprised about the technical record I make, and it takes time being able to explain that to people.
That’s true in any organization, but perhaps more so for a female entering a very technical career, which is a bit frustrating at times. Hopefully, over the next few years, we’ll start to see that changing, and it would be becoming less of an issue. What about the things you’ve been most proud of in your career so far?
Becoming a CISO. I was very excited and proud. I must admit I was a little bit too excited and in disbelief that I had made it to the pinnacle of my career. Some of the other things I’m proud of is coaching some of the folks that have reported to me into other security leadership roles. I still maintain those relationships with them to this day and ensure that they pay it forward, and then also take chances on people who have never even once worked in cybersecurity but have a security mindset. Maybe they do Capture The Flag competitions and win in their free time, but they’ve never worked in cybersecurity or been educated in taking a chance on them and watching them flourish. That is also a very proud moment for me.
That must be a real fuzzy feeling moment for you to see people you have taken a risk with and to see them flourish. In some ways, it is even more rewarding than taking someone on who’s got the experience and the qualifications, and they flourished. Taking someone on where you’ve taken a risk is something extra.
Cybersecurity is not a job. It’s a mission. You’re not just there to protect the company. You’re there to protect their customers and their employees.
I hired a grocery store manager who didn’t have a degree at all, had no cybersecurity certifications, had never worked in cybersecurity, but had a massive server environment in his basement and entered Capture The Flag competitions in his free time. These are hacking competitions and had won several. He did not apply for the job. Someone that was a friend of his said, “You should look at this guy.” In talking to him, I was amazed.
It was the fact that nobody would ever pick a chance on him. He’s now flourishing. He’s doing so well. He’s paying it forward. He’s helping bring new people into the security community, which is half the battle. As you know, we have a skills shortage, and there are not enough cybersecurity people. For him to pay it forward to every person that I help pays it forward is a wonderful thing to see.
Paying it forward is so important, particularly since there is a skills shortage in cyber. The more good people, the more good talent we can bring in. Often they can be the ones who will be perhaps better at persuading others who don’t have that cyber experience. This is a field that you can work in and can flourish. That’s good. What is it that you enjoy about the work that you do? You clearly enjoy developing people, coaching, and watching them grow, but what else is it that you enjoy about the work?
It’s the ability to affect positive change to do good. When you work in cybersecurity, it’s not a job. It’s a mission. You’re not just there to protect the company. You’re there to protect their customers and their employees. It has a ripple effect. If I saved one customer from having a security incident or losing their data, that would affect their livelihood.
That also, in turn, affects their family. That ripple effect is part of why I do this. I also love speaking about cybersecurity. I’m passionate about it. You can ask my husband, who rolls his eyes every time we’re watching a show, and I’m talking about cybersecurity. In the cybersecurity community, this mission that we’re on is much bigger than the individual and the company. It’s a global issue.
What do you see as some of the potential barriers or challenges for women, in particular, starting or getting promoted in cybersecurity?
One of the barriers is that they’re afraid of not knowing something and looking like a fool. One thing I’ve always said is there’s not one single person in cybersecurity who knows everything. It’s impossible. Find your niche. Find what you love to do in cybersecurity and focus on it. Don’t let anyone tell you that you don’t have enough skills or knowledge because you will get it. Not everyone has all of it.
What do you see as being the most important skills for anybody working in cybersecurity?
It’s the ability to translate technical into business. Being bilingual is one of the hardest skills to learn to be able to explain to the business something extremely technical but in a manner in which it relates to them and their business.
It’s that communication piece. That’s true no matter what part of technology you go into, particularly cybersecurity because it has a potential impact on the business itself. You need to be able to explain things in a way that others can understand so that it makes sense to them and that they know what decisions they’re making and what the ramifications are.
I still struggle with that. Many people in cybersecurity are of a different mindset. We’re very technical, logical, literal, and to be able to go into a conversation with varying personalities, if you’re speaking to the board or someone in risk, or development even, and to be able to set aside your technical knowledge and put it into language they understand. I have trouble with it even still to this day.
That’s true, no matter what field you work in. When you’re an expert in what you do and that knowledge is part of who you are, then it’s easy enough to take for granted what other people’s knowledge and understanding are. It’s such a common thing. What are the tips that you might have for women who are thinking about getting into cybersecurity? What would you suggest they do if it’s getting into the sector or want to make progress in the sector?
It’s really important to find out what your passion is within cybersecurity – what interests you, what really drives you. Hone in on that and learn as much as you can.
Read as much as you can. By read, I don’t mean books. By the time a book is released, some of that technology is already legacy. Read cybersecurity news. Set up alerts on your phone about anything cybersecurity. If you read a news article and you’re wondering, “What does this mean?” google it. Learn it. Try and research it. There’s free cybersecurity training out there all over the place. Go to security conferences. The security community nowadays is very different from what it was several years ago.
The security community nowadays is very much a community. Whereas several years ago, it was the most knowledge wins. I’m not sharing my information with you because you’ll be as smart as I am. There are things called BSides. There are tons of security conferences. The one I go to every year is DEF CON. It’s an annual hackers convention where anywhere from 20,000 to 30,000 hackers from around the world attend. It’s a very inexpensive conference compared to the others. Get as much knowledge as you can. Anytime you read something that is not resonating, google it. Research it. YouTube it. Learn as much as you can.
I was talking to somebody on a completely different subject the other day. We’re talking about bike mechanics. I cycle. I remember her saying, “You can learn whatever you need to learn nowadays. You can just YouTube it, and you’ll find out whatever it is you need to know.” The same is true for cybersecurity because so many people now are sharing their knowledge so much more openly on the podcast, YouTube, blogs, and things like that.
How many times have you had something going on at home, like your dishwasher or something, and you go to YouTube for a video on how to fix it? The same is true with cybersecurity. There’s so much to learn. There are so many different aspects of cybersecurity as well. Like I said, it’s important for you to find out, “What is your passion within the cybersecurity arena? What interests you? What drives you?” Hone in on that and learn as much as you can.
Thank you so much for sharing those tips. That knowledge piece is helpful. Often, women tend to have a tendency to think if they don’t know all the answers, therefore, they’re not good enough, expert enough, or don’t have the relevant experience. As you say, you can research so much nowadays online that there’s no reason to feel like that.
That happened to me early on in my career. I would not speak up. I would not say much in meetings for fear of looking like I didn’t know what I was talking about. It’s that insecurity. If I could say something to myself back then, it would be, “Don’t worry about being insecure. Almost everyone at the table is as insecure as you are. Not everybody knows everything.”
It’s such a good thing to remember. Thank you so much for your time, Laura. If people want to get in touch with you, is LinkedIn the best place to do that?
Thank you so much for joining us. I’ve enjoyed hearing about your career in cybersecurity. I love the fact that your start in cybersecurity was less than conventional, but being asked to go in and fix something that had gotten broken. That’s good to hear from that point of view how you got into cybersecurity. It’s clearly an industry that you’re passionate about and love.
Thank you so much for having me. Anyone who would like some free tips, coaching, or any websites I recommend for following the news or free cybersecurity training, can always reach out to me on LinkedIn or Twitter.
Thank you so much. If you’ve enjoyed reading about Laura’s career as a woman in cybersecurity, you can find more episodes at SherryBevan.co.uk. If this has sparked a thought in your mind about how to develop and retain your female talent in cybersecurity, please do get in touch with me, and let’s arrange an exploratory call. Thank you so much, Laura. Thank you to everyone who’s reading. See you next episode.
About Laura Whitt-Winyard
Laura Whitt-Winyard is a Fellow at the Institute for Critical Infrastructure Technology and an International Advisory Board Member and Women in Technology board member at HMG Strategy. Previously, she was the CISO of Malwarebytes, Global CISO for DLL Group, Director of Security for Billtrust, and held senior leadership positions in security at Comcast and Bloomberg, LP.