CyberWire Daily - Kayla Williams: Not everything related to cybersecurity is a fire drill. [CISO] [Career Notes]
Episode Date: October 2, 2022
Kayla Williams, CISO of Devo, sits down to share her story, from graduating with a finance degree to rising to where she is now. She quickly learned that finance was not for her and changed paths, working towards gaining an information security certificate. From there she was able to excel and was offered the opportunity to move to England, which changed her life. Working in her new role, she really enjoys thriving with her team. She says "We really try to be the department of no problem versus the department of no." She mentions how she and her team work on a day-to-day basis together solving issues, and yet she says not everything related to cybersecurity needs to be a fire drill. She would rather she and her team build bridges in the face of adversity and in the face of people who may be naysayers. We thank Kayla for sharing her story.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
My name is Kayla Williams, and I am a Chief Information Security Officer.
When I was a child, I had wanted to be an archaeologist or a paleontologist.
I grew up in the time of Jurassic Park and The Land Before Time.
I was absolutely fascinated by dinosaurs and just everything that was going on back millions of years ago.
However, as I began to grow up, I realized that I did not have the patience for all the education that was going to be required to go through an archaeological or
paleontological course. So I shifted focus and wanted to become a lawyer or an accountant.
During college, I was really determined to become a chief financial officer. My uncle had been
a real estate attorney and had told me about his experiences with accountants and how
my skillset would really shine in that type of a situation. So I graduated with a degree
in accounting, far from what I wanted to do when I was a child.
I began an internship working in an auditing firm in Massachusetts that was auditing municipalities and banks.
And after graduation, while I started and worked through my master's degree,
I continued at a different firm doing the same thing.
I realized very early on that external auditing was not for me.
So I transferred into the new global information security group at this organization.
That was roughly 2013 that I made that shift. And within three months of working in the new
environment, I got my first information security certification through SANS. And about six months
later, I was offered the opportunity to move to England.
And that just absolutely changed my life. I moved to Bristol, England in November of 2013
by myself. I actually made the choice to leave my three-year-old daughter with her father here in the US. And I went over there
and just began working. And it was very different to experience the pub culture and the working
culture. I've never had so much tea before in my life. I was able to work not only on
many new projects for implementation, such as SailPoint for our identity and access management platform,
but also on the kind of manager that I wanted to be,
the type of programs that I wanted to run.
And that's really led me down the path that I've continued down
within the information security realm. I manage my team by trust.
I do not like to micromanage.
The world is moving today based on our last two and a half years of COVID, and the experience there
has really led to a shift in working style.
Being flexible,
and not always questioning the motives of your employees
or putting them under the wire,
really produces better results.
If people feel trusted and empowered,
they are likely to do more. And I really try to lead my team in that manner.
We really try to be the department of no problem versus the department of no. So we do try to
focus on how we can be better consultants, advisors, and really partners to the rest of the team.
And when things pop up, especially if it's going to facilitate the sales process,
we do drop everything and do everything we can to address the need. Typically, we have
multiple meetings a day around compliance and security programs,
but it's more consultancy versus we have a problem.
And I think that's a great way to demonstrate that we have good partnerships with people.
And that's really important.
The security function or compliance function
should not be seen as the, you know,
like I said, the department of no
or the roadblock at the end.
They should be seen as a partner
and looped in at the beginning.
Everyone has had experiences
where there are people that just disagree with you,
don't see the value in what you're doing,
or they see the value but feel that
right now is not the time.
For anyone in the security field,
we really need to demonstrate
through our competencies, through our skills,
that we are capable of adding value and showing what that is. We shouldn't feel backed into a
corner or put on the spot by people that don't understand. Because although technology has been
around for a very long time, Chief Information Security Officer roles, you know, compliance roles, GRC,
security assurance, it's all relatively new still because technology and things change so quickly.
So that mentality is found everywhere in every organization across the world.
And in order to kind of move past it, it's the kill them with kindness mentality.
Make sure that you are always available, that you are gaining consensus for the things that
are going on, that you can prove that you're not dictating anything to them, that you're there to
partner. It's just very important. And that's how you win friends, as they say,
working together and negotiating. Not everything is a fire drill when it comes to security.
You don't want to cry wolf, as they say. You want to make your case, ask if there's consensus on the risk. And if there is, partner to move forward. Really building those bridges in the face of adversity and in the face
of those people who may be naysayers or disbelievers in something can really go a long way.
My best advice would be to ignore the college requirements that are in job reqs, and for folks that are hiring people to just flat out remove them now.
It's an outdated concept.
In technology, a lot of people have hands-on experience
because they're sitting at home tinkering away in their own home-built labs and trying things out.
I really feel that if you want to move into the information security field,
whether it be technical or compliance-driven, just apply for the role.
So, my best advice to people who want to apply for jobs, if they're switching from
something else: you will likely have the complementary skills that are needed to succeed
in a security role. You just don't know it yet. I would like to be remembered as somebody who
has facilitated collaboration and empathy across my organization and not just within my team, but throughout all the different
functional departments. It is really important that everyone understands that we don't have to
be best friends, but we need to work together. And we all have the common goal of being successful
and making our organizations more money. But we always tend to forget that there are people at the end of the day that are
on the other side of the screen and having empathy for the work that they're doing or,
you know, that their personal situation may come into play as well. And collaborating and
being seen as a partner is very important, no matter what role you're in.