SecurityWeek talks to leading Chief Information Security Officers in the payments industry about their role and experience as CISOs. In this edition, we talk to Rinki Sethi (Bill.com), Matthew Donnelly (FreedomPay), and Al Berg (Tassat).
Becoming a CISO
Current senior CISOs have rarely followed a traditional career path: that is, seeing the end target and plotting a route toward it. When they started their journeys, cybersecurity was not the profession it has become – it was more like an informal and evolving necessity. Even today, security retains an element of the wild west from its early days – it changes, sometimes dramatically, almost day by day. Aspiring security leaders can still learn from existing CISOs’ route to the top.
Matthew Donnelly, head of global compliance and security at FreedomPay, is an example of this. His first academic subject was political science, but he realized he was more interested in business. He worked in a law firm, and slowly took over an IT role within the firm. He found it interesting and went to night school to learn more about IT and security. From there, 11 years ago, he got an entry-level position at FreedomPay – on the help desk as a sysadmin.
But he carried on learning, with coding courses, database courses, and teaching himself the basics of forensics by playing with white hard disks. It didn’t go unnoticed. He was approached by the VP of IT for a project on PCI-validated point-to-point encryption. He saw an opportunity, grasped it, and owned the project. Now, 11 years after joining the firm’s help desk, he is the head of global compliance and security, encompassing the role of CISO.
Rinki Sethi (CISO at Bill.com) first encountered security as a teenager. Her father had put a keylogger on her computer (tempting for all worried fathers of teenage girls). Sethi objected and removed it. Her father replaced it. “We played this cat and mouse game, but I didn’t know it as cybersecurity back then,” she said. In the end, she wrote a script to search her computer, locate the parental malware, and automatically remove it whenever it appeared.
She went to college and studied computer science engineering. But she got her start in cybersecurity when she was recruited into the role then known as Information Protection. This was the start of a path leading to increasing leadership in some of the nation’s biggest tech names. Before becoming CISO at Bill.com, she worked in security at Walmart, eBay, and Intuit, joined Palo Alto and worked up to VP of information security, became VP of information security at IBM, then VP and CISO at Rubrik, and VP and CISO at Twitter. The motto here is never be afraid of change and opportunity.
Al Berg started as an early network engineer. As the internet evolved, his company received internet connection requests. “Somebody needed to learn about firewalls and T1 lines [now largely replaced by T3, ethernet and fiber] and everything that was involved in that. I just raised my hand for something that sounded new and interesting, and got started in the security side of communications.”
From there he was basically self-taught, by attending hacker conventions and doing things himself, until he became known as the ‘security guy’ – even without formal qualifications. The key, however, was seeing an opportunity that seemed new and interesting, grasping it, and moving forward. He became the technical director in a cybersecurity team that secured the New York Stock Exchange.
He later became CSO at Liquidnet, then CISO at Endava. And then he saw a new and interesting technology at Tassat: blockchain. “This sounds really interesting,” he said, “so, here I am.”
Sethi is the only one of our CISOs with a university academic background that facilitated a career in cybersecurity. Donnelly and Berg were largely self-taught (including night school) for a subject they found interesting. But in all three cases, the CISOs saw opportunities and were unafraid to grasp them – and that is key to progress for any career in any subject area.
For Sethi, it was when her CISO asked her to manage a team following a major phishing attack. For Donnelly, it was when his VP of IT asked him to take on a major project. For Berg it was slightly different – he didn’t wait to be asked, but always put himself forward as new technologies emerged. By being an early occupier of new spaces, he became the natural person to lead in those spaces.
This raises one important question: are people born leaders, or can they teach themselves to become leaders? Usually, it’s a bit of both.
“When I first started,” said Berg, “I thought management was the route taken by people who couldn’t do the real work. But I slowly learned that there’s a skill to leading. You must learn to delegate – and that’s not easy for an engineer. You must learn not to micromanage – and that’s not easy when you know a better way to do something. You must learn how to learn from others, even your own team members; and allow them to make mistakes – because that’s how people learn. And if you can get and accept help from other leaders, and emulate that, you can learn to be a good leader.”
Sethi says something similar. “When I first started to advance my career, I wasn’t a good leader, I was a bad manager. But I rapidly realized that people are not just workers – they also deal with significant events in their personal lives. I’ve always been empathetic, and I realized that a leader must support both the person and the work through difficult situations. So, I watched and tried to learn from other leaders that have inspired me. I tried to learn how to be a good manager and a good leader.”
Building and maintaining the security team
Successful cybersecurity requires a talented cybersecurity team. Gaining and retaining that team is an important part of the CISO’s role. Every CISO can learn from the methods used by other leaders. Everyone aspiring to a security role can learn what potential employers seek, and what they can expect if they gain employment.
All CISOs wrestle with the same basic problem. Firstly, there is a shortage of cybersecurity talent (the skills gap); and secondly, the ideal candidate should have both experience and qualifications. The difficulty for newcomers is that, unless you get a relevant internship at university, qualifications and experience are mutually exclusive – you can generally gain one, but only at the expense of the other.
For Sethi, the key to building the right team is twofold. Firstly, you need a precise specification of what you are looking for, and you need to question that specification. Do you really need 10 years of experience; do you really need those specific qualifications? Knowing what you really need helps to find the right fit.
Secondly, you need to make the destination appealing. “I think building a strategy where you’re leveraging automation and coming up with innovative ways to solve cybersecurity challenges is what helps draw talent and helps retain talent. At the end of the day, this is a tough field and we’re all fighting for the small talent pool that exists.”
Donnelly is one CISO who specifically seeks relevant experience in candidates but avoids poaching people from other companies. “We follow the company’s standard recruiting process. We have outside recruiters, we have internal recruiters, we’ll go through LinkedIn looking for people with availability and relevant backgrounds.”
He acknowledges the difficulty in finding cybersecurity candidates, but believes it is harder to find compliance candidates. “In compliance, there are more soft skills required. You need the ability to read a lot, digest a mountain of information, understand high level principles all the way down to low level controls, and then have the ability to apply that to our technology stack.”
Berg believes that there are some areas still underused for cybersecurity recruitment. He gives one example: veterans. “People coming out of the military are diverse, have exceptional training, and a great work ethic,” he comments.
The need for certifications
The need for cybersecurity certifications is often specified on application forms; but different CISOs have different views on their practical relevance. Donnelly takes the more formal approach. “Outside of a few junior roles, they’re very important. Firstly, they show you have the right attitude to go the extra mile to get the certifications. Secondly, they demonstrate you can learn, especially about cybersecurity. I would argue that in many cases they’re more important than a general degree in information technology.”
Berg has a different approach. “It would be hypocritical of me to say, ‘I’m not going to accept you because you don’t have any certifications.’ I didn’t have any when I started.” That doesn’t mean he dismisses the value of certifications. He encourages his team to get them – to demonstrate the acquisition of a baseline of knowledge and to further their careers. But in the initial selection, he’s looking more at potential and the ability to learn than the past acquisition of certificates.
Diversity in the security team is generally considered essential. Diversity brings different ways of thinking about and approaching a problem. All three CISOs seek and encourage diversity.
“I’m passionate about diversity,” says Sethi. Companies are attacked by diverse hackers with different ethnicities, different genders and gender alignments, different politics, different religions, different socioeconomics, different motives, and different skill levels. “Internal diversity is the natural way to find creative solutions to different problems – a team that reflects what the real world looks like.”
Berg believes diversity is something you must consciously seek. “The tech industry simply hasn’t done a great job in developing a diverse workforce,” he says. The difficulty is in the need to find the right person from the people available. “There’s value in having a diverse team with different viewpoints, because people solve problems in different ways. But the industry must do a better job of building a pipeline of diverse candidates.”
One area of diversity that all three CISOs will consider is the neurodiverse candidate (typically ADHD and ASD – see Harnessing Neurodiversity Within Cybersecurity Teams for more details). “Absolutely,” says Donnelly. “It’s essential to have people who can think out of the box – people who can detect those new edge cases, because they’re always the cases that get you.”
“There’s an opportunity for neurodiversity in cybersecurity,” adds Berg. He points to the SOC team, where neurodiverse thinking and pattern recognition can add a different dimension to anomaly detection and alert triaging.
Sethi agrees that the neurodiverse ability to think out of the box is valuable to a security team. The problem for smaller companies with relatively small security teams is that diversity is more an aspiration than a readily achievable outcome. In smaller companies, the CISO cannot afford to choose the third-best candidate simply to increase diversity. Candidates from minorities must work harder to get their initial break – and this may require finding a way to gain security certificates even without employment, or while employed elsewhere.
Having built a quality security team, the CISO needs to retain it. The two primary reasons for losing existing staff are people moving to greener pastures (better conditions and remuneration), and people leaving the industry completely through burnout. In both cases, the starting point is equal conditions and remuneration; but the best prevention of staff churn is good relationships – highlighting the importance of the CISO’s soft skills.
The greener pastures departures can be prevented by making current positions too comfortable to leave. One current advantage is that big tech competition has been somewhat tarnished by the massive layoffs of the last eighteen months. “The pastures at places like Google, Meta and Apple – you know, they’re not as great as they used to be,” comments Berg.
With the external pull reduced, stickability can be increased by creating good personal relationships with and within the team. “Being a good partner with your team is the best way to prevent turnover,” says Berg. “That means giving them interesting tasks. Don’t micromanage. Help them grow. You want people who are smarter than you, and you mustn’t feel threatened by that. Celebrate it – give your staff credit for what they do and make sure that everybody in the organization knows this team member did something great. People need a feeling of progress and accomplishment.”
Fostering a team spirit is essential. “It’s really important to care about your staff,” says Sethi. “Make sure they feel there’s a career path for them and they’re being heard – that the whole team cares about each of its members. I think that’s the most important part of retaining talent. When you care about someone you want to make sure they’re challenged in the right ways, that they’re happy and they know they’re being heard.”
In short, it is the CISO’s task to ensure that the security team is enthused by interesting tasks, can see a career path involving both remuneration and position, and can speak and be heard. This can reduce turnover. It also plays a major part in preventing burnout.
Burnout is the feeling that work has sucked out all life and energy and you have nothing left to give – and it increasingly affects both CISOs and the whole security team. The effect can lead to people leaving the industry altogether.
Remote working can make this worse. Firstly, enthused people are not good at self-regulating in their own home, and frequently work too many hours without rest. Secondly, it is more difficult for the CISO to recognize and act on the symptoms of overwork.
“You’re not sitting next to that person in the office as much as you used to, and you don’t get the same vibe from them on how they’re doing,” explains Berg. “You must be even more communicative and make a special effort to spend time talking with both individuals and the whole team.” In preventing burnout, it is important that the CISO ensures the team takes adequate breaks from the work, and is seen to practice what he or she preaches.
There is one further reason for staff to leave, but it is more a sign of success than failure. All our CISOs believe in hiring, training, and mentoring exceptional cybersecurity staff. If successful, there will be members of the team who have gone as far as they can go in their current company. The only possibility for further growth is to become a CISO elsewhere. This does happen, but each of our CISOs considers this a sign of their own success and applauds the process.
Talking to successful CISOs about the role of the CISO implies one difficult question: ‘what made you a good CISO?’ We tackle this by asking about the most meaningful advice they received in their journey. This is likely to have become a focal point in their approach to the work.
For Sethi, it was the advice that got her through a personal crisis. “It affected me deeply, and I was a mess. But I had a mentor who said to me, ‘Rinki, you must learn to bounce back fast. As a leader, you’re going to deal with even tougher situations with worse implications and consequences. The best thing you can do is – okay, feel bad about it for a few minutes or however long – but then you can’t dwell on it; you can’t continue to feel bad about it.’ That was the best practical advice I ever received: learn to bounce back fast.”
Donnelly’s best advice was, ‘Don’t react’. “If you react to something, that situation or person controls you. It applies to all people in all situations; when you react, you lose control of the situation, but it becomes critical in cybersecurity, because you mustn’t lose control to the attacker. You must retain personal control over the situation to think clearly and develop a solution.”
Berg’s best advice was to learn how to tell stories. “A lot of the time you must convince people to do things they don’t really want to do, because of a threat that may or may not come to pass, or they simply don’t believe you. You must focus on storytelling to make people understand threats and what they could mean to the business. For example, it’s not my job to make the CEO understand the technology of a vulnerability; my job is to make him understand the need for patching, and maintenance and security hygiene.”
The CEO, he contends, is only concerned about the business effect of this or that technology, not the technology itself. So, the advice is simple: learn to tell the story fit for the audience – and it may not be the same story for all audiences.
A good CISO will always prepare for the future rather than simply respond to the past. It is interesting and informative to see what threats the CISOs can see coming.
For Sethi, the biggest threat is not a specific one, but the industry’s inability to repel threats in general. “The cybersecurity space is growing, but not at the pace we need to keep up with the latest and greatest threats,” she explains. The problem is twofold: firstly, we need more innovation in our tooling and technologies; and secondly, we don’t have the workforce to make effective use of those tools.
So, the biggest threat right now is a failure to keep up with the attackers. “We need to figure out how we can grow the talent pool to keep up with our industry’s need,” she says.
Donnelly’s and Berg’s concerns are variations on a similar theme: social engineering. Donnelly is concerned about external threats coming out of geopolitical tensions because he considers the payment industry to be akin to a utility. “If you can disrupt payments,” he said, “you can disrupt the global economy.”
But he is also concerned about social engineering aimed at his workforce. This is often the starting point for those threats. “If you can take out the social engineering threats, it gives you a little more bandwidth to focus on the external threats.”
Berg is concerned that we continue to make the same mistakes we have made for years – misconfigurations, the failure to manage secrets, and so on. But he also sees one of these evergreen failures getting worse – succumbing to social engineering. There are more breaches caused by credential thefts than vulnerability exploits, and the problem has been made worse by remote working, where the target cannot just turn to a colleague and ask if something looks fishy.
“I’m a firm believer that as we get better on the technical side, it pushes the attackers to become better on the psychological side,” he said. And he believes that artificial intelligence (AI) will promote this with deepfake voice phishing and fraud. “I also think that AI will make social engineering easier and more scalable, being able to generate highly personalized, massive email campaigns.”