Transcript
A (0:02)
You're listening to the CyberWire Network, powered by N2K.
B (0:11)
And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career? Earn a Master of Science in Law at University of Maryland Carey School of Law. This part-time, two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field. No GRE required. Learn how you can master the law without a JD at law.umaryland.edu.
A (0:58)
My name is Kayla Williams and I am a Chief Information Security Officer. When I was a child I had wanted to be an archaeologist or paleontologist. I grew up in the time of Jurassic Park and the Land Before Time and was absolutely fascinated by dinosaurs and just everything that was going on back millions of years ago. However, as I began to grow up I realized that I did not have the patience for all the education that was going to be required to go through an archaeological or paleontological course. So I shifted focus and wanted to become a lawyer or an accountant. During college I was really determined to become a Chief Financial Officer. My uncle had been a real estate attorney and had told me about his experiences with accountants and how my skill set would really shine in that type of a situation. So I graduated with a degree in accounting, far from what I wanted to do when I was a child. I began an internship working in an auditing firm in Massachusetts that was auditing municipalities and banks, and after graduation, while I started and worked through my master's degree, I continued at a different firm doing the same thing. I realized very early on that external auditing was not for me. So I transferred into the new Global Information Security Group at this organization. That was roughly 2013 that I made that shift, and within three months of working in the new environment I got my first information security certification through SANS, and about six months later I was offered the opportunity to move to England, and that just absolutely changed my life. I moved to Bristol, England in November of 2013 by myself. I actually made the choice to leave my 3-year-old daughter with her father here in the US and I went over there and just began working, and it was very different to experience the pub culture and the working culture. I have never had so much tea before in my life.
I was able to work not only on many new projects for implementation such as SailPoint for our Identity and Access Management platform, but the kind of manager that I wanted to be. The type of programs that I wanted to run. And that's really led me down the path that I've continued down within the information security realm. I manage my team by trust. I do not like to micromanage. The world is moving today based on our last two and a half years of COVID and the experience there has really led to a shift in working style and being flexible and not always questioning the motives of your employees and really putting them under the wire really produces better results. If people feel trusted and empowered, they are likely to do more. And I really try to lead my team in that manner. We really try to be the department of no problem versus the department of no. So we do try to focus on how we can be better consultants, advisors and really partners to the rest of the team. And when things pop up, especially if it's going to facilitate the sales process, we do drop everything and do everything we can to, to address the need. Typically we have multiple meetings a day around compliance and security programs. But it's more consultancy versus we have a problem. And I think that's a great way to demonstrate that we have good partnerships with people and that's really important. The security function or compliance function should not be seen as the, the, you know, like I said, the department of no or the roadblock at the end. They should be seen as a partner and looped in at the beginning. Everyone has had experiences where there are people that just disagree with you, don't see the value in what you're doing, or, you know, they see the value, but feel that, you know, right now is not the time. For anyone in the security field, we really need to demonstrate through our competencies, through our skills, that, that we are capable of adding value and showing what that is.
We shouldn't feel backed into a corner or put on the spot by people that don't understand. Because although technology has been around for a very long time, chief information security officer roles are, you know, compliance roles, GRC, security assurance, it's all relatively new still because technology and things change so quickly. So that mentality is found everywhere in every organization across the world. And in order to kind of move past it, it's the kill them with kindness mentality. Make sure that you are always available, that you are gaining consensus for the things that are going on, that you can prove that you're not dictating anything to them, that you're there to partner. It's just very important. And that's how you win friends, as they say, working together and negotiating. Not everything is a fire drill. When it comes to security, you know, you don't want to cry wolf, as they say. You want to make your case, ask if there's consensus on the risk and, if there is, partner to move forward. Really building those bridges in the face of adversity and in the face of those people who may be naysayers or disbelievers in something can really go a long way. My best advice would be to ignore the college requirements that are in job reqs and for folks that are hiring people to just flat out remove them now. It's an outdated concept in technology. A lot of people have hands-on experience because they're sitting at home tinkering away in their own home-built lab and trying things out. And I really feel that if you want to move into the information security field, whether it be technical, compliance driven, you know, just apply for the role. So for the best advice to people that want to apply for jobs if they're switching from something else, you likely have the complementary skills that are needed to succeed in a security role. You just don't know it yet.
I would like to be remembered as somebody who has facilitated collaboration and empathy across my organization and not just within my team, but throughout all the different functional departments. It is really important that everyone understands that we don't have to be best friends, but we need to work together. And we all have a common goal of being successful and making our organizations more money. But we always tend to forget that there are people at the end of the day that are on the other side of the screen and having empathy for the work that they're doing or, you know, that their personal situation may come into play as well. And collaborating and being seen as a partner is very important no matter what role you're in.
Kayla Williams: Not everything related to cybersecurity is a fire drill. [CISO] [Career Notes] - CyberWire Daily