A

You're listening to the Cyberwire network. Powered by N2K.

B

The DMV has established itself as a top tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot at Thales. They know cybersecurity can be tough and you can't protect everything, but with Thales you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most applications, data and identity. That's Thales T H A L E S Learn more at.

A

Hello, my name is Helen Patton and I am an Advisory CISO at Cisco. So I grew up in the country in Australia in the 70s and 80s, so I'm dating myself tremendously and computers were not a thing where I was growing up. I thought I might be a landscape architect, I thought I might be an English teacher, I thought I might be an economist. I'm okay at math but I don't love it. But I like the human interaction which actually served me really well in security once I got there, but no idea about computers, networks, certainly not security. When I was growing up it was a combination of dumb luck and a little bit of hard work and serendipity. I left high school and I did what a lot of Australians do and I took a gap year and I started working in a bank and I really enjoyed having money because I was working and I didn't want to go back to school full time. So I started doing a business degree part time and this was in Sydney, Australia. About that time I met this American Navy guy and we became very good friends and wouldn't you know it, the next thing I know I'm married and I'm living in Ohio. When I was very young and I had no degree, I had no idea what it was like to live in the United States and so I started just doing temp work around Columbus, Ohio, trying to work out which end was up and I ended up in a job at the Ohio Restaurant association as a membership administrator. Right at the time they were doing a database conversion, they had an old IBM 36 mini mainframe. This was in the early 90s, and they wanted to convert it to this newfangled client server, SQL 6, I think, database. And I was the only person in the office under the age of about 40. And so they figured I must be somewhat comfortable with computers. Like, I don't know why they thought that, but they did. And so they assigned me to work with this consulting company that was doing the conversion. And the consulting company hired me off the back of that gig. So I accidentally got into it, and I was really fortunate. I had the guy who ran the company. It was a small business. He taught me on the job. So I spent most of the early 90s on my hands and knees underneath desks of small nonprofits in Ohio doing very small network implementations, getting people comfortable with understanding what Windows 3.1.1 is and why they needed a PC on their desk. And I moved from there to a software development company where I was responsible for infrastructure and their help desk. I was in the fortunate but unfortunate position of being responsible for networks, servers, desktops. No one had laptops really back then, right when viruses started coming about. So the I love you virus, slammer, worms, those kinds of things. And it ticked me off because I would walk in with my day planned out. Because I'm a planner. I would walk in with my day planned out and someone clicked on something or did something. My cio, who I reported to at the time, said, damn, we need a security program or a disaster recovery program. And Helen, you're it. I left that company and went to work for Bank One as a disaster recovery planner. And five days after I joined Bank One, there was a merger with JP Morgan. So to my surprise, and by accident, I'm now working for one of the biggest Wall street banks. I had four different jobs over the 10 years when I was at JP got to run a global team. It was more of a technology risk officer kind of role than a Cyber, you know, SecOps kind of role. Left there to be the CISO at the Ohio State University, and I was the CISO at OSU. I had no idea what I was getting myself in for. So keeping in mind JP Morgan's one of the biggest banks in the world, but I quite naively thought, oh, I'm going from this really rigorous security organization to an organization where the primary business purpose is teaching kids in classrooms. Like, how technically difficult could that be? That was my thought. I had no idea. And I would argue now that being a CISO or a security person in higher ed is 10 times more difficult than being a security person in a Wall street bank for a number of reasons. One, we have all kinds of technology and all kinds of devices. Like, it's more like running a city. So we had a hotel, we had an airport, we had a nuclear reactor, we had multiple entertainment centers for football and concerts. Eight hospitals, all kinds of stuff, right? And people go, oh, you're higher ed. I'm like, yeah, no, really, you think grades and scheduling. I was like, oh God, I was so wrong. And then add to that you go from a culture where at JP Morgan when Jamie Dimon says make it so, people would go, okay, and they would. Right. Or they'd be fired. Like that was your choice. In higher ed, it's very much bottom up. So I'd go to someone and say, you really should not have local admin rights. And they're like, yeah, make me. I'm like, oh. So I went from being able to do this top down command control kind of approach to security to doing a very psychologically driven how do I get people to want to do cy? If they don't want to do it, they don't have to kind of culture. And you're in an industry where the purpose of the industry is to share data with as many people as you possibly can. Whereas in banking, the idea is not to share data with anybody unless they absolutely have to know it. So I talk about this in the book that I wrote and this is the question of how do you know when it's time to move on from one role to another role? I had reached a point at Ohio State where I felt like I had done what I had set out to do. I had made the changes that I wanted. I had created a team that I felt when I left would was strong enough that they would continue. Not that they'd do what I was doing because they'd get a new leader, but that the program was solid. And I felt that OSU is at a point where the skills I brought to the role were not what they needed in a leader going forward. Then there was the question of, well, if I'm not doing that, then where do I go? And I really loved the culture at Duo and Cisco. I really enjoy working with Wendy Nather and the rest of the advisory CISO team in that it gives me a platform to talk about security things with all industries and all geographies. And with Cisco, I get to work with really smart people who are doing really interesting work. And I'm excited to share that.

C

I.

A

Would like to tell you I think I'm collaborative. I look to get as much input from as many stakeholders as possible before I make a decision and move. Having said that, though, once a decision is made, I tend to be quite forceful about making that happen. I am action oriented, but I'm data driven in my action. And one of the things I miss actually about being an advisory CISO is I don't have a team of people reporting to me anymore because I do really like coaching people and developing people up. I think Australians are more direct than Americans. When I became a leader, that served me well. When I wasn't a leader, I was seen as too brash. So it depended on where I was in my career path, whether that was a good thing or a bad thing to come across as unfiltered, if you will. I do think Australians are not afraid of doing the things they think need to be done, even if that means walking on the grass. I would like people to think that they feel like I gave back to the community and which is again one of the reasons that I've written a book, but that I that I did things that were just a little bit bigger than my own self interest. That's what I'd like to think.

C

And Doug Limu and I always tell you to customize your car insurance and save hundreds with Liberty Mutual. But now we want you to feel it. Cue the emu music.

A

Limu Save yourself money today. Increase your wealth. Customize and save. We save.

C

That may have been too much feeling. Only pay for what you need@libertymutual.com Liberty Liberty Liberty Liberty Savings Fairy Unwritten by Liberty Mutual Insurance Company and affiliates Excludes Massachusetts.