CyberWire Daily - Helen Patton: A platform to talk about security. [CISO] [Career Notes]
Episode Date: January 30, 2022
Advisory CISO at Cisco, Helen Patton, shares that a combination of dumb luck, hard work and serendipity got her to where she is today. Growing up in the country in Australia, Helen notes that computers were not really a thing. She happened into technology after moving to the US, as she was the only person in her office under 40. Of course she would be comfortable with computers and able to handle a database conversion, right? That launched her into a career that spanned supporting small nonprofits, working at one of the biggest banks on Wall Street while leading a global team, being the CISO of a major university, and now Advisory CISO at Cisco. Helen recently wrote a book, "Navigating the Cybersecurity Career Path," to help others know when it's time to move on from one role to another role as part of a desire to give back to the community. We thank Helen for sharing her story with us.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, my name is Helen Patton and I am an advisory CISO at Cisco.
So I grew up in the country in Australia in the 70s and 80s,
so I'm dating myself tremendously.
And computers were not a thing where I was growing up.
I thought I might be a landscape architect. I thought I might be an English teacher.
I thought I might be an economist.
I'm okay at math, but I don't love it.
But I like the human interaction,
which actually served me really well in security once I got there. But no idea about computers, networks,
certainly not security when I was growing up. It was a combination of dumb luck and a little bit
of hard work and serendipity. I left high school and I did what a lot of Australians do
and I took a gap year and I started working in a bank and I really enjoyed having money because
I was working and I didn't want to go back to school full-time so I started doing a business
degree part-time and this was in Sydney, Australia. About that time, I met this American Navy guy
and we became very good friends and wouldn't you know it, the next thing I know I'm married and I'm
living in Ohio when I was very young and I had no degree. I had no idea what it was like to live in
the United States and so I started just doing temp work around Columbus, Ohio trying to work out
which end was up.
And I ended up in a job at the Ohio Restaurant Association as a membership administrator.
Right at the time they were doing a database conversion, they had an old IBM 36 mini mainframe.
This was in the early 90s. And they wanted to convert it to this newfangled client server, SQL 6, I think, database.
And I was the only person in the office under the age of about 40.
And so they figured I must be somewhat comfortable with computers.
I don't know why they thought that, but they did.
And so they assigned me to work with this consulting company that was doing the conversion.
And the consulting company hired me off the back of that
gig. So I accidentally got into IT and I was really fortunate. I had the guy who ran the
company, it was a small business, he taught me on the job. So I spent most of the early 90s
on my hands and knees underneath desks of small non-profits in Ohio doing very small network implementations,
getting people comfortable with understanding what Windows 3.1.1 is and why they needed a PC
on their desk. And I moved from there to a software development company where I was
responsible for infrastructure and their help desk. I was in the fortunate but unfortunate position of being responsible for networks, servers, desktops. No one had laptops really back then. Right when
viruses started coming about. So the ILOVEYOU virus, Slammer worms, those kinds of things.
And it ticked me off because I would walk in with my day planned out because I'm a planner.
I would walk in with my day planned out and someone clicked on something or did something. My CIO, who I reported to at the time, said,
damn, we need a security program or a disaster recovery program, and Helen, you're it.
I left that company and went to work for Bank One as a disaster recovery planner. And five days after
I joined Bank One, there was a merger with JP Morgan. So to my surprise, and by accident,
I'm now working for one of the biggest Wall Street banks. I had four different jobs over the 10 years
when I was at JP, got to run a global team. It was more of a technology risk officer kind of role than a cyber, you know,
sec ops kind of role. Left there to be the CISO at the Ohio State University and I was the CISO at
OSU. I had no idea what I was getting myself in for. So keeping in mind, JP Morgan's one of the
biggest banks in the world. But I quite naively thought, oh, I'm going from this really rigorous security organisation
to an organisation where the primary business purpose is teaching kids in classrooms.
Like, how technically difficult could that be?
That was my thought.
I had no idea.
And I would argue now that being a CISO or a security person in higher ed is 10 times more
difficult than being a security person in a Wall Street bank for a number of reasons. One,
we have all kinds of technology and all kinds of devices. It's more like running a city. So we had a hotel, we had an airport,
we had a nuclear reactor, we had multiple entertainment centres for football and concerts,
eight hospitals, all kinds of stuff, right? And people go, oh, you're higher ed. And I'm like,
no, really? You think grades and scheduling? I was like, oh God, I was so wrong.
And then add to that, you go from a culture where at JP Morgan, when Jamie Dimon says,
make it so, people would go, okay. And they would, right? Or they'd be fired. Like that was your choice. In higher ed, it's very much bottom up. So I'd go to someone and say, you really should
not have local admin rights. And they're like, yeah, make me. I'm like, oh. So I went from being able to do this top down
command control kind of approach to security to doing a very psychologically driven,
how do I get people to want to do cyber? Because if they don't want to do it, they don't have to
kind of culture. And you're in an industry where the purpose of the industry is to share data
with as many people as you possibly can. Whereas in banking, the idea is not to share data with
anybody unless they absolutely have to know it. So I talk about this in the book that I wrote.
And this is the question of how do you know when it's time to move on from one role to another role?
I had reached a point at Ohio State where I felt like
I had done what I had set out to do.
I had made the changes that I wanted.
I had created a team that I felt when I left
was strong enough that they would continue,
not that they'd do what I was doing because they'd get a new leader,
but that the program was solid.
And I felt that
OSU was at a point where the skills I brought to the role were not what they needed in a leader
going forward. Then there was the question of, well, if I'm not doing that, then where do I go?
And I really loved the culture at Duo and Cisco. I really enjoy working with Wendy Nather and the
rest of the advisory CISO team in that it gives me a platform to talk about security things with all industries and all geographies.
And with Cisco, I get to work with really smart people who are doing really interesting work, and I'm excited to share that. I would like to tell you I think I'm collaborative. I look to get as much input
from as many stakeholders as possible before I make a decision and move.
Having said that though, once a decision is made, I tend to be quite forceful about making that
happen. I am action oriented, but I'm data driven in my action. And one of the things I miss actually about being an advisory CISO is I don't
have a team of people reporting to me anymore because I do really like coaching people and
developing people up. I think Australians are more direct than Americans. When I became a leader,
that served me well. When I wasn't a leader, I was seen as too brash,
so it depended on where I was in my career path whether that was a good thing or a bad thing to
come across as unfiltered, if you will. I do think Australians are not afraid of doing the things
they think need to be done even if that means walking on the grass. I would like people to think that they
feel like I gave back to the community, which is, again, one of the reasons that I've written a book,
but that I did things that were just a little bit bigger than my own self-interest. That's
what I'd like to think.