International Women’s Day is a time to reflect on the progress we’ve made to encourage women in all environments. It is also a day to celebrate all the men who have mentored and supported their female counterparts. And though men are helping in axing gender stereotypes, multiple surveys still suggest that women are underrepresented in the tech world. Businesses need to come forward and educate young women about the fact that cybersecurity is chic, and the jobs cover a vast and diverse number of positions. Achieving gender equity is as important as changing the negative stereotypes about the industry.
Today we’re fighting cyber wars and our adversaries know we’re understaffed. To discuss the shortage of talent pool, initiatives for women’s education in cybersecurity, and lack of industry awareness, Pooja Tikekar, Feature Writer at CISO MAG, had a conversation with Monica Verma, Chief Information Security Officer (CISO) at The Norwegian Directorate of Health. Monica has more than 13 years of experience in information and cybersecurity, and has previously held the CISO role and worked as Head of Security, Risk, and Business Continuity for the finance sector. After supporting the financial industry for more than a decade with security, privacy, risk management, digitalization, vendor management, and cloud security, she wanted to contribute to and promote the health sector with her passion and expertise in this area.
Monica is also a board member of Cloud Security Alliance Norway and Women in Cybersecurity Norway. As her contribution towards a safer and more secure society and business world, she leads initiatives such as MonicaTalksCyber.com and the We Talk Cyber podcast series. In 2019, she also won the “The Outstanding Security Performance Awards” for Outstanding Security Adviser in Norway, which is awarded by The Norwegian Business and Industry Security Council.
Monica got interested in technology at the age of 10 when she was invited to see the inside of a cockpit for the first time. She started her career as a developer and an ethical hacker.
Edited excerpts of the interview follow:
The world continues to battle COVID-19, and most industries continue to suffer. Right from the time the pandemic hit, many organizations suffered ransomware and phishing attacks. How are CISOs collaborating in the use of technologies, tools, people, and processes in a smart way?
Over the last decades, we have talked about various technical controls that to date are an important part of basic cyber hygiene. CISOs understand the importance of getting the basics right, even as the digital landscape evolves and gets complex. A lot of the investment done today still goes into that basic hygiene, which in return can help reduce the odds, the impact, or both, when organizations are hit by ransomware or phishing attacks. These include, but are not limited to, backups including offline backups on tapes, (virtual) network segmentation, layered defense approach, multi-factor authentication, antivirus, and spam filters, patching, zero-trust approach to identity and access management, etc.
However, time and again, we have realized that investing in people and protecting the human aspect of cybersecurity is equally critical. The human element and controls around it are an equally important part of basic hygiene. One can have the best technical controls in place but when a user unintentionally clicks a malicious link and these controls are bypassed, the overall consequences can be huge. In fact, we have seen various ransomware attacks and breaches happen as a result of simple but successful phishing attacks. We are seeing a gradual shift in the mindset, from “Humans are the weakest link” to “How can we better protect our users and the human aspect of cybersecurity.” This shift in mindset is critical and needs to continue and take precedence in every organization.
In addition to basic hygiene and preventive controls, it’s equally important to be prepared for when the worst comes. Things can and will go wrong. CISOs are deploying detection and response capabilities, incorporating failsafe and adaptive mechanisms, ensuring up-to-date business continuity plans, and conducting table-top exercises for timely and efficient incident and crisis management. We are also seeing higher collaboration with the national cybersecurity centers and law enforcement agencies in case of cyberattacks, like ransomware, to handle them efficiently and lawfully as well as to reduce the impact on the organizations, their employees, customers, and other actors in the supply chain.
The nature of cyberattacks on health care related to COVID-19 varied greatly and affected the digital landscape. How has it affected the Norwegian Directorate of Health and what key measures have you focused on?
The pandemic changed our (digital) lives drastically and the way we interact, work, and collaborate. It made us more dependent on digital solutions that became even more tightly integrated into our everyday lives. At the same time, our digital life also makes us more vulnerable to loss of information and other consequences as a result of malicious actions, accidents, and mistakes. As a key player in COVID-19 management, the Norwegian Directorate of Health is exposed to an increased threat and risk profile. To support national crisis management, as we go through a challenging time, there has been an increased focus on robustness and our capabilities to better manage risks and cyber crises. Therefore, information security has been and continues to be a high priority within the organization and towards COVID-19 crisis management.
Additionally, there has been an increased focus on security awareness among the employees with regards to the changing digital landscape, increase in cyber risks, and measures to prevent falling prey to phishing and ransomware attacks. The key has been to train the users to educate them, not to trick them. Norwegian Directorate of Health has worked in a structured way to ensure a strengthened security culture, secure work from home, and effective business continuity and crisis management towards increased cyber risk as a result of COVID-19.
On one hand, there has been continued focus to ensure basic cyber hygiene is in place, such as the principle of least privilege, network segmentation, patching, etc. On the other hand, there’s been a risk-based approach to include different aspects of people, processes, and technology as a part of the overall information security plan. To ensure that we understand our increased risks and that they are managed effectively, there has been an increased focus on the human aspect of cybersecurity and security awareness, in addition to vendor management, increased robustness, and effective crisis management. Information security is and continues to be an integral part of the overall work done by the Norwegian Directorate of Health.
Leveraging personal devices for working from home became the new normal. But BYODs have a real impact on cybersecurity if not properly accounted for. How are CISOs developing an overarching plan for the security of end-users and clients?
Securing the human element and the endpoints is an important part of the overall cybersecurity strategy and plan. We need a continuous shift in the mindset from “Humans are the weakest link” to “Mistakes will happen.” How can we protect, prevent, adapt and respond better? Additionally, as BYODs and work from home come into the picture, the cybersecurity strategy and plan also require addressing the cyber risks that this evolved digital landscape brings along. To ensure a safer and more secure working environment, the following are some of the key things to consider as a part of the overarching plan:
- The line between the personal and the professional lives has blurred over time. It’s important to adapt your security policies to fit these integrated worlds.
- Perimeter-based security is no longer effective. Apply a zero-trust approach to both your architecture, and identity and access management. Always verify.
- Regular user awareness training is still key. Cybersecurity is about people, processes, and technology. The human aspect of cybersecurity is equally critical and must be addressed.
- When conducting phishing training, keep in mind that the goal behind such training is to educate the users, not to trick them.
- Define and implement your BYOD security policy to ensure acceptable use.
- Maintain your BYOD policy up-to-date and include secure practices such as restricting access to critical and sensitive information from non-managed devices, providing managed devices as alternatives when possible, and defining and implementing which apps are whitelisted, etc.
- Implement technical measures and controls such as Mobile Device Management (MDM), remote secure wipe, Data Loss Prevention (DLP) to safeguard company apps and data on BYOD.
- Shadow-IT is a real concern and often difficult to manage. Deploy discovery tools, monitor your network regularly, and scan for unknown devices.
March 8 is celebrated as International Women’s Day, and women who rise to the position of a CISO are a rare sight. The low representation of women in cybersecurity is linked to a broader problem of their low representation in science and technology. What is the reason for this gap? Is it a business issue or a gender issue?
It’s a social issue. It’s an issue that has affected our society for decades. We as a society, including family, school, businesses, universities, etc. have a social responsibility towards closing the gender gap. Getting girls and women interested in STEM education at schools and in universities is good and important, but it starts way earlier. It starts at home. It starts in kindergarten. It starts with encouraging girls to dream and supporting them in pursuing their dreams.
There is a lot that can be done by everyone for girls and women at different ages and in different environments from home, school, and universities to the corporate world. There is still a huge gender gap because not enough is being done by everyone, and not always for the right reasons. Many, over the last decades, have fought for equal rights and equal opportunities for women. However, there are still many who don’t believe that the gender gap is a real issue that plagues our society. Others want to help, but don’t really know what they can do to contribute and then some do contribute but for the wrong reasons. Unless and until we understand and agree that this is a social issue that needs to be tackled at all levels in all environments, we won’t be able to close the gender gap, in a sustainable way.
There’s a perception that information technology/cybersecurity is an occupation for men. Is it true that women are generally not presented with career opportunities in the industry, or is it because most women are unaware of them?
The key issues are (a) lack of inclusion and openness (b) stereotype that women aren’t best suited for these roles (c) boys’ club culture and (d) “that’s how we have always done it” mindset. The perception is slowly changing. However, breaking the barrier and becoming a part of something that has mostly been a boys’ club with strong stereotypes isn’t easy and requires an active effort and openness from corporations, colleagues, and your network.
Another important aspect that contributes to fewer women approaching or being interested in technology or cybersecurity, is the lack of diverse opinions within the organization and around the table. Women can bring different perspectives to the table, in their ways of thinking, approaching, and solving problems. Many women are not considered for a career opportunity within technology or cybersecurity because of stereotypes. Many others don’t get to know about those opportunities due to lack of inclusion or not being a part of the boys’ club. Many women feel the resistance or are shy to be a part of a world that is more often than not run by the “That’s how we have always done it” mentality. In addition, many corporations still don’t support a work-life balance. In fact, in many cultures, working extremely long hours is considered productive, whereas exactly the opposite might be true.
A sustainable change requires a leadership that is open, diverse, and inclusive. To build such a leadership, one needs a balanced representation. However, representation is not only about diversity in what we see but also diversity in what we hear. This inclusion of diverse opinions and varied representations of what we hear can help bring different perspectives and openness around the table, allowing more women to be interested in technology and cybersecurity.
Is it viable for governments or educational institutes to launch funding/incentive/scholarship programs for women’s education/ training to create a pool of skilled IT professionals?
Many organizations, governments, and educational institutions have started to build initiatives and scholarship programs to attract more women to STEM education programs or to pursue a career in technology and cybersecurity. It’s not a level playing field yet. We still have a huge gender gap. We need more of these incentives and funding. However, it’s extremely important to ensure these programs are built for the right reasons. Gender equality, diversity, and inclusion are not about fulfilling a quota. They are not about giving scholarships or jobs to a less deserving woman instead of a more qualified man. Gender equality is about allowing equal access to rights, resources, and opportunities. Yes, we absolutely need such initiatives and programs, but they need to be done for the right reasons, with the underlying goals of closing the gender gap and building a diverse and inclusive society. It’s about encouraging more women to consider and get interested in fields that stereotypically have been male-dominated. It’s about providing these women the necessary tools to break those stereotypes with their qualifications, passion, and purpose. It’s about ensuring that our corporate world has a diverse workforce, including at the leadership level.
Gender stereotype is a common phenomenon everywhere. What recruitment efforts must SMBs adopt to welcome higher female enrollment?
Step one is awareness and acceptance of the issue at hand. Step two is changing the mindset at the leadership level. These are the prerequisites to ensure your practical next steps to build diversity are successful and sustainable. Companies can adopt various measures to recruit more women but even before that, it is important to have an open, inclusive, and diverse mindset and leadership.
Organizations can apply both a top-down and a bottom-up approach. Recruiting a diverse and inclusive leadership not only sets the right tone at the top but also provides a better platform for building a diverse and inclusive workforce within the entire organization. Organizations can have internship programs to attract more women in tech. Mentorship programs can be used as an effective tool to help them build skills, self-confidence, and network.
Many other efforts can be done. Encourage, mentor, and support more women within the organization to become a part of the leadership team. Many women don’t apply for jobs unless they fit 100% of the criteria. Advertise your tech or cybersecurity roles in a gender-neutral way and with realistic qualifications, so you are not already excluding a huge chunk of talented applicants from the process. Create maternity and paternity programs for your employees. Encourage and support work-life balance. Have equal pay grades for equally qualified candidates, independent of gender. Provide these benefits and equal opportunities as a part of your recruitment process. Build an inclusive and open environment within your organization to keep your employees motivated and productive. However, for any women’s initiative to be successful and sustainable, it has to be done for the right reasons.
Lastly, what is your advice to young women who wish to climb the upper echelons of security leadership?
There are two key elements to this. The first is understanding and implementing what it takes to be a great leader. The second is to learn to communicate security effectively and tailored to the audience.
1. Good leaders are self-confident but humble. They believe in their mission but also promote and enable others. Women have had to fight for decades for equal opportunities in a male-dominated industry. Knowing your worth is the first step. Knowing and believing that women can have it all, is the second. Women bring diversity and varied perspectives to the table that organizations can benefit from. There is a phrase that my dad used to tell me and my sister while we were growing up – “Never let anyone have you think, even for a moment, that you cannot do or achieve something because you are a woman.” Leadership starts from within.
2. Effective communication is yet another critical element to increase your odds of becoming a part of the security leadership. Independent of which role you have today, if you wish to be an effective security leader, you should train yourself to think and work like a security leader. Understanding, learning, and communicating security effectively and tailored to your audience is critical. To be an asset and a part of the leadership team within an organization, it’s critical that you understand your audience and their needs. Invest time in learning about their overall goals and challenges with security. Invest time in learning the business language. Invest time in conditioning your mind to think like a security leader. Keep an eye out for opportunities and focus on providing value to the leadership. There will be failures. When that happens, reflect on the actions you took, note down your learnings, go back to element one above, remind yourself of your worth, and start again.
About the Author
Pooja Tikekar is a Feature Writer and part of the editorial team at CISO MAG. She writes news reports and feature articles on cybersecurity technologies and trends.
CISO MAG’s March issue on Women in Cybersecurity is out. Preview here. Subscribe now!