Podcast Summary: CyberWire Daily

Episode: Helen Patton: A platform to talk about security. [CISO] [Career Notes]
Date: September 14, 2025
Host: N2K Networks
Guest: Helen Patton, Advisory CISO at Cisco

Episode Overview

This episode features Helen Patton, Advisory CISO at Cisco, as she narrates her unconventional journey into cybersecurity, reflects on the key lessons and leadership philosophies drawn from her career, and highlights the unique challenges of securing organizations across vastly different industries. With wit and candor, Patton explores how she found her calling, the surprises she encountered, and the values she hopes to leave as her legacy.

Key Discussion Points and Insights

1. Early Life and Accidental Entry into IT & Security

Background:
- Helen Patton grew up in rural Australia during the 1970s and 80s — a time and place where computers were virtually nonexistent.
- As a student, her interests ranged from landscape architecture to economics, with no inkling of a technology career.
First Steps:
- After high school, Patton took a gap year, worked at a bank, and began a part-time business degree in Sydney.
- Meeting her future husband, an American Navy serviceman, she moved to Ohio, USA, and started temp work before landing a job at the Ohio Restaurant Association.
Serendipitous Opportunity:
- In the early 90s, she was tasked with helping convert the office’s IBM mainframe to a client-server SQL database:
  
  "I was the only person in the office under the age of about 40. And so they figured I must be somewhat comfortable with computers. Like, I don't know why they thought that, but they did." (03:44, Helen Patton)
- Hired by the consulting company after the successful migration, she learned IT hands-on, implementing small networks for non-profits.

2. Growth in Security and Challenges in the Early Years

From IT to Security:
- Moved to a software development company, managing their infrastructure and help desk just as viruses such as "I Love You" and Slammer began emerging.
- Forced to create security and disaster recovery programs after repeated disruptions, transitioning from IT administration into security leadership.
Key Insight:

"It ticked me off because I would walk in with my day planned out. Because I'm a planner. I would walk in with my day planned out and someone clicked on something or did something. My CIO...said, 'Damn, we need a security program or a disaster recovery program. And Helen, you're it.'" (06:57, Helen Patton)

3. Enterprise Experience: From Banking to Higher Ed

Banking Sector:
- Joined Bank One as a disaster recovery planner, only for the bank to merge with JP Morgan days later. She unexpectedly found herself at a global scale:
  - "To my surprise, and by accident, I'm now working for one of the biggest Wall street banks." (07:47, Helen Patton)
- Held four different roles over a decade, focusing on technology risk rather than directly on operations.
Transition to Higher Education:
- Became CISO at The Ohio State University, expecting a less complex environment than banking:
  
  "I quite naively thought, oh, I'm going from this really rigorous security organization to an organization where the primary business purpose is teaching kids in classrooms. Like, how technically difficult could that be? ...Oh God, I was so wrong." (08:37, Helen Patton)
- Describes higher education security as “ten times more difficult” than banking due to diversity of technology (from airports and hospitals to nuclear reactors) and a mission centered on openness.
- Unique workplace culture:
  - Command-and-control (“make it so”) worked in banking, but education required persuasion and psychological insight.
  - "I'd go to someone and say, you really should not have local admin rights. And they're like, yeah, make me. I'm like, oh." (08:57, Helen Patton)

4. Philosophy on Leadership, Team Building, and Career Moves

Knowing When to Move On:
- Left Ohio State when she felt she’d built a sustainable program and her skill set had met its match with the university's next stage.
- Enjoys her current role at Cisco and Duo Security, appreciating collaboration across industries and geographies and learning from diverse professionals.
On Leadership Style and Legacy:

"I look to get as much input from as many stakeholders as possible before I make a decision ... Once a decision is made, I tend to be quite forceful about making that happen. I am action oriented, but I'm data driven in my action." (09:07, Helen Patton)
- Misses having her own direct team as an Advisory CISO, with a noticeable fondness for coaching and developing people.
Australian Directness:
- "I think Australians are more direct than Americans... When I became a leader, that served me well. When I wasn't a leader, I was seen as too brash." (09:37, Helen Patton)

5. Giving Back and Legacy in the Security Community

Motivation to Write and Contribute:

"I would like people to think that they feel like I gave back to the community...that I did things that were just a little bit bigger than my own self interest." (10:17, Helen Patton)
- She references her book as part of her efforts to contribute broadly.

Notable Quotes & Memorable Moments

On Accidental Career Beginnings:

"A combination of dumb luck and a little bit of hard work and serendipity." (02:36, Helen Patton)
Shifting Cultures:

"In banking, the idea is not to share data with anybody unless they absolutely have to know it. In higher ed, it's to share data with as many people as you possibly can." (08:57, Helen Patton)
Challenges in Higher Ed Security:

"We had a hotel, we had an airport, we had a nuclear reactor, we had multiple entertainment centers for football and concerts. Eight hospitals, all kinds of stuff, right? And people go, oh, you're higher ed. I'm like, yeah, no, really, you think grades and scheduling. I was like, oh God, I was so wrong." (08:47, Helen Patton)
On Legacy:

"That I did things that were just a little bit bigger than my own self interest. That's what I'd like to think." (10:17, Helen Patton)

Timestamps for Important Segments

[01:43] – Helen Patton introduces herself and recounts her childhood in Australia.
[03:44] – Early accidental entry into IT at the Ohio Restaurant Association.
[06:57] – First significant exposure to cybersecurity and disaster recovery roles.
[07:47] – Joining Bank One and the unplanned transition to JP Morgan.
[08:37] – Taking the CISO role at Ohio State University and the unexpected challenges.
[09:07] – Reflections on leadership style, collaboration, and directness.
[10:17] – Expressing her legacy and motivation for giving back.

Conclusion

Helen Patton’s journey from rural Australia to global security leadership is as instructive as it is candid and relatable. Her story underlines the importance of adaptability, learning through unexpected twists, and the value of cross-industry experience. Above all, Patton emphasizes giving back to the community and cultivating a professional legacy beyond self-interest—a message she actively embodies through writing, mentoring, and industry engagement.

Transcript

A (0:02)

You're listening to the Cyberwire network. Powered by N2K.

B (0:14)

The DMV has established itself as a top tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot at Thales. They know cybersecurity can be tough and you can't protect everything, but with Thales you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most applications, data and identity. That's Thales T H A L E S Learn more at.

A (1:43)

Hello, my name is Helen Patton and I am an Advisory CISO at Cisco. So I grew up in the country in Australia in the 70s and 80s, so I'm dating myself tremendously and computers were not a thing where I was growing up. I thought I might be a landscape architect, I thought I might be an English teacher, I thought I might be an economist. I'm okay at math but I don't love it. But I like the human interaction which actually served me really well in security once I got there, but no idea about computers, networks, certainly not security. When I was growing up it was a combination of dumb luck and a little bit of hard work and serendipity. I left high school and I did what a lot of Australians do and I took a gap year and I started working in a bank and I really enjoyed having money because I was working and I didn't want to go back to school full time. So I started doing a business degree part time and this was in Sydney, Australia. About that time I met this American Navy guy and we became very good friends and wouldn't you know it, the next thing I know I'm married and I'm living in Ohio. When I was very young and I had no degree, I had no idea what it was like to live in the United States and so I started just doing temp work around Columbus, Ohio, trying to work out which end was up and I ended up in a job at the Ohio Restaurant association as a membership administrator. Right at the time they were doing a database conversion, they had an old IBM 36 mini mainframe. This was in the early 90s, and they wanted to convert it to this newfangled client server, SQL 6, I think, database. And I was the only person in the office under the age of about 40. And so they figured I must be somewhat comfortable with computers. Like, I don't know why they thought that, but they did. And so they assigned me to work with this consulting company that was doing the conversion. And the consulting company hired me off the back of that gig. So I accidentally got into it, and I was really fortunate. I had the guy who ran the company. It was a small business. He taught me on the job. So I spent most of the early 90s on my hands and knees underneath desks of small nonprofits in Ohio doing very small network implementations, getting people comfortable with understanding what Windows 3.1.1 is and why they needed a PC on their desk. And I moved from there to a software development company where I was responsible for infrastructure and their help desk. I was in the fortunate but unfortunate position of being responsible for networks, servers, desktops. No one had laptops really back then, right when viruses started coming about. So the I love you virus, slammer, worms, those kinds of things. And it ticked me off because I would walk in with my day planned out. Because I'm a planner. I would walk in with my day planned out and someone clicked on something or did something. My cio, who I reported to at the time, said, damn, we need a security program or a disaster recovery program. And Helen, you're it. I left that company and went to work for Bank One as a disaster recovery planner. And five days after I joined Bank One, there was a merger with JP Morgan. So to my surprise, and by accident, I'm now working for one of the biggest Wall street banks. I had four different jobs over the 10 years when I was at JP got to run a global team. It was more of a technology risk officer kind of role than a Cyber, you know, SecOps kind of role. Left there to be the CISO at the Ohio State University, and I was the CISO at OSU. I had no idea what I was getting myself in for. So keeping in mind JP Morgan's one of the biggest banks in the world, but I quite naively thought, oh, I'm going from this really rigorous security organization to an organization where the primary business purpose is teaching kids in classrooms. Like, how technically difficult could that be? That was my thought. I had no idea. And I would argue now that being a CISO or a security person in higher ed is 10 times more difficult than being a security person in a Wall street bank for a number of reasons. One, we have all kinds of technology and all kinds of devices. Like, it's more like running a city. So we had a hotel, we had an airport, we had a nuclear reactor, we had multiple entertainment centers for football and concerts. Eight hospitals, all kinds of stuff, right? And people go, oh, you're higher ed. I'm like, yeah, no, really, you think grades and scheduling. I was like, oh God, I was so wrong. And then add to that you go from a culture where at JP Morgan when Jamie Dimon says make it so, people would go, okay, and they would. Right. Or they'd be fired. Like that was your choice. In higher ed, it's very much bottom up. So I'd go to someone and say, you really should not have local admin rights. And they're like, yeah, make me. I'm like, oh. So I went from being able to do this top down command control kind of approach to security to doing a very psychologically driven how do I get people to want to do cy? If they don't want to do it, they don't have to kind of culture. And you're in an industry where the purpose of the industry is to share data with as many people as you possibly can. Whereas in banking, the idea is not to share data with anybody unless they absolutely have to know it. So I talk about this in the book that I wrote and this is the question of how do you know when it's time to move on from one role to another role? I had reached a point at Ohio State where I felt like I had done what I had set out to do. I had made the changes that I wanted. I had created a team that I felt when I left would was strong enough that they would continue. Not that they'd do what I was doing because they'd get a new leader, but that the program was solid. And I felt that OSU is at a point where the skills I brought to the role were not what they needed in a leader going forward. Then there was the question of, well, if I'm not doing that, then where do I go? And I really loved the culture at Duo and Cisco. I really enjoy working with Wendy Nather and the rest of the advisory CISO team in that it gives me a platform to talk about security things with all industries and all geographies. And with Cisco, I get to work with really smart people who are doing really interesting work. And I'm excited to share that.