CyberWire Daily - Solution Spotlight: Mary Haigh, Global CISO of BAE Systems, on building a cybersecurity team.
Episode Date: September 11, 2024
On this Solution Spotlight, guest Dr. Mary Haigh, Global CISO of BAE Systems, speaks with N2K President Simone Petrella about moving beyond the technical to build a cybersecurity team.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
In today's Solution Spotlight Special Edition, Mary Haigh, Global CISO of BAE Systems, speaks with N2K's Simone Petrella about moving beyond the technical to build a cybersecurity team.
Well, today I am honored to be joined by Dr. Mary Haigh, the Global CISO of BAE Systems.
Mary, thank you so much for being with us today.
It's a pleasure to be here.
Just to broadly start off, because I think it's incredibly interesting to our listeners, and I know I did a little bit of research about you. Can you tell us a little bit about your journey into cybersecurity and being a CISO? Because I think, like many, it is not what we typically expect.
Yes, if there is a typical journey, yeah. So I started life as a semiconductor physicist working on military thermal cameras, of all things, and then went into spinning out intellectual property into businesses. So that gave me the kind of business experience of what's the market, who are the competition, how do you set up a successful business model, how are you going to get investment and grow it. And from that I dived into cybersecurity, because they asked me to go and work with a cybersecurity business on how they should develop their product. So that took me into the cyber world about 15 years ago. And I've never left, because it was such an interesting space to be in, in terms of, well, fascinating market, fascinating development, a real sense of purpose and doing good.
And so I kind of stayed in cyber, and in there I've done everything from managing business groups that were focused on cross-domain solutions, so how do you connect the internet to top secret and the controls you have in place, to security monitoring, quite a lot on the technologies in security monitoring. So really broadening out and learning about lots of different aspects of cybersecurity, and there are so many different aspects of cybersecurity, so sort of learning about more and more of those and managing those as product lines and services. And then about three and a half years ago I got a phone call to say, are you interested in doing a CISO role at BAE Systems? Which was one of those wonderful phone calls where you go immediately, oh, yes, because for me that was the other side of the fence. So I'd been doing all of this work on developing products to take to market and understanding all of the customer problems and the market needs. And now suddenly I had the chance to go onto that, if you like, that customer side. So do cybersecurity for yourself across a company like BAE Systems. And that was pretty exciting.
Can you help describe, because as I understand it, your role in BAE Systems is internally focused on the company's own security, but obviously BAE Systems also does cybersecurity work for its customers and clients. So what's that dynamic like in an organization that both delivers security services and products, but also has to be mindful of its own security controls and programs?
Yeah, I mean, it's actually quite a useful dynamic, because there's a good understanding across all levels of the organization that cybersecurity matters. You know, you can easily see when you're producing a product or a service to take into a battlespace environment, you know, a defense environment, that the stakes are high and cyber is a domain of warfare. So our products in and of themselves must be resilient against that environment. And of course, that plays right back through to when you're building them in the environment within the system. So it's not some separate thing, the cybersecurity of products to the cybersecurity of our internal infrastructure. They are inextricably linked. If you develop our products in a really poor security environment, they're not going to perform well, in a, you know, the secrets will already have been leaked, if you like, of how they work. So although, from a strict, if you like, governance model point of view, engineering does the management of that product side, from a what is good cybersecurity, what culture do we want across the whole organization, how do you do good, thinking about risk, thinking about threat, thinking about the controls you put in place, we try to do that consistently across the organization. So I work very closely with engineering and with manufacturing to drive that consistency wherever we can. And in fact, we updated our concept of operations recently, our operating model, so that it's one operating model describing the whole of cybersecurity right across IT, OT, products and internal infrastructure, because they're so linked.
It's fascinating. And I think it's such a unique feature of so many companies like BAE that are doing kind of that customer-facing work, but worrying about their own.
I want to flip on you, because I know that, you know, in your role as a leader and in your background, you have been a big advocate for diversity in the field, and women in particular. And I want to start with a quote that you gave earlier this summer. And you said, I hire for attitude. And often it's the technical skills that we can't teach. Is there a moment in time, like what was the aha moment where you came to that philosophy?
It was actually in this role, and so many people were saying to me, oh, one of our biggest risks is skill shortages. It's a really small pool of talent. It's really hard to hire. And I listened to all of that and thought, okay, well, we'll grow our own. We've got to play a part as good cyber citizens in growing that talent pool, because if a massive company like BAE can't do it, then who can, right? So we've got to be part of building that pool of people. And I looked at my team and who was in it and thought, they've not all got cybersecurity degrees, they're not all computer scientists, they're from a massive range of backgrounds. I'm a physicist. We've got biologists, a geographer, a dancer, so many different backgrounds. And yet they were all really strong together. And actually they were strong partly because of that diversity of background.
And so then when I was actually having some mentoring with a coach and really getting into kind of how do I build teams and how do I think about the behaviors that I want, I realized that when I drew that kind of hierarchy of needs, when you're thinking about building a team, it wasn't technical skill that was at the top. It was those attitudes, that moral code, because if the team really gels together in a common moral code, we've got each other's backs. We absolutely trust each other. We've got the same kind of outlook on those fundamental things. Then you have an incredibly strong foundation to your team, and you can build the rest of it after that. It was something that I think I've done for a little bit, but perhaps not as consciously. And then when it became a really conscious thing, it allows you to build it out a little bit more, doesn't it?
Right. Well, and I love it, and I'm very biased in saying I love this, because Rick Howard and I have given many a talk, and we have this kind of metaphor that we use that building a cybersecurity team is similar to the book Moneyball by Michael Lewis here in the US, around, it is a team-based approach, and we often don't take a team-based approach to building out our cybersecurity teams. And, you know, so it's like, how do you kind of look at the entire playing field and identify the positions and where people go? And just because you bring on that superstar, like having it, even if you have a team, right? We see this at the Olympics, like you have a team of all superstars; that doesn't mean that they all are going to work well together as a team. So being able to understand that dynamic just as much as the raw skill sets is so important. So I love that.
And if you take your sporting metaphor a step further, the team of superstars are the visible ones, but behind the team of superstars are the dieticians and the trainers and the psychologists. And, you know, actually there's a massive range of people that have led to those visible ones being superstars. And it's the same in the cyber teams, that, you know, people like the cybersecurity architects or the head of the SOC or the pentesters, they're very visible. But actually, it's a whole massive load more that happens behind the scenes to deliver a good cybersecurity effect.
Right.
You know, one thing I know that you also have talked about is the importance of data and how that drives so much of the decision-making and prioritization that happens within your team at BAE. And obviously we're talking a lot about people, but I would love to understand more. What are some of the things that you and your team are doing? What does BAE do to sort of embody that data-driven approach to making decisions when it comes to building teams, but also identifying what are your priorities in your security controls and program?
So there were kind of two key bits when I came in as a CISO that felt really important, because there was a lot of, I call it emotional-based decisions, that were then revisited and re-challenged lots of times. It took a long time to reach a consensus and a decision. And that, in a world where, in cybersecurity, agility is unbelievably important because the threat's changing and the technologies are changing. So if you take a long time to work out how to respond to that, you're behind the curve already. So there was the data underpinning understanding where your risk is, and the governance model such that you can show that data to the right group of people at the right cadence, at the right time, such that they make the right decisions. You've got the right expertise in the room to make the decisions, and then, you know, that decision then sticks. Those two things together were really important.
So we spent quite a bit of time looking at how do other people do it, what is the best practice out there around the dashboards, and you can sketch up what you'd like to see to drive decisions. So we sort of did it from a point of view of, I'm going to need to make these types of decisions, so what data would help me do that, as opposed to, here's a load of data, did that help you make the decision? Because sometimes you can be overwhelmed. The difficult bit then, of course, is the plumbing behind that. So it's easy to sketch a dashboard, but you need the data to be plumbed in and to be consistent across the organization such that it does hang together in a dashboard that gives you a good picture across the organization at scale. So we did a lot of work on getting that plumbing in place, which is never the most attractive, exciting thing, but actually is absolutely fundamental to having those dashboards.
But to your point, I mean, it's so critical to know what business objective you're trying to accomplish at the get-go, because there's so much minutiae and tedium to kind of get all that data going, and it can also be very confusing because there's so much data that we have at our disposal. So how do you really separate that signal from the noise of what we have?
Yeah, it's what's the question you're trying to answer. Start with the question and then go to the data. But we were willing to build a few dashboards which we threw away. So we did have some which we built and then went, yeah, no, that's not actually useful. So there is a bit of a kind of fail-fast approach to it. It is really important to start on the question rather than the data.
Now, I know BAE is a global company and so has to sort of perform across regulatory schemes in many countries. But in the U.S., the Office of the National Cyber Director and the White House has been making a big push around skills-based hiring, specifically in the government, in the U.S. government, and even to the point of reclassifying job codes. And I'm curious where that, if you have seen, again, I know this is more on the customer- and client-facing side than internally, but has that started to change the way BAE is thinking about its workforce, how it supports those U.S. federal government clients? And what are they doing in order to sort of evolve to kind of meet those new requirements?
Yeah, we're seeing that push from across Five Eyes, the UK and Australia in particular. And I'd sort of characterize it as, cybersecurity in the grand scheme of things is quite a new space, really, and we're trying to professionalize. So, you know, you see my generation coming through with a whole load of crazy and fantastic backgrounds. That's brilliant. But we do need to both professionalize it, so, particularly for smaller companies, I think it's quite hard if you're starting from scratch, building a cybersecurity capability, knowing what you're looking for, because there isn't, well, there is increasingly qualifications, which you can go, yes, if you've got that, that and that, then they're good. But it's a little bit mixed. So professionalizing it more is an important part of maturing cybersecurity as a profession, whilst not losing some of those useful backgrounds. So we do need to make sure that the professionalization still brings career changers in, because they're a valuable part of it. So we're tracking that. The UK Cyber Security Council has done some work on that, and in the US, as you've called out, and we're trying to mirror that. So simple things like our way of describing the roles of cybersecurity, we have taken, as it happens, the UK way of describing it, because what I don't want is to hire for a job role and use a totally different term for it than anyone else in the market, because it's really unhelpful. So standardizing the way that we talk about roles and the development framework, so if you're in this role, these are the types of, the way that you would develop your career in that role. And taking that deliberately from government-developed things, because it's only when industry gets behind government that you get the momentum to standardize and to professionalize it.
Right. And, you know, as someone who has spent a lot of my time in that space, it just is a, it takes a lot of strategy and thought that often I think, as a security profession, we don't want to take that step back and do that lift, because we're like, well, no, you have to defend the network now. And that takes a lot of that kind of strategic step-back work. So we often get stuck in this in-between purgatory.
Yeah. And I think it is something that's better to do at a national level, because if I did it and the other defense prime did it, not only would it take up a lot of our time, but we'd all come out with something a tiny bit different. And actually those differences don't add value. So pull together a really good team at a national level and then everyone else takes it. That's sort of, I think, the most efficient approach.
My last question is I do want to touch on the diversity in the field. One, because I always love to have a chance to talk to other really amazing industry executives and women in the field who have really made it to the top of their games. And, you know, one thing that always frustrates me when we talk about the cybersecurity profession and the people strategy associated with it is that, you know, I think everyone kind of lines up and says, we have this need for diversity and we're committed to doing these things. And I think there's a lot of consensus around that point. But I also think there are still some really major roadblocks that seem to be preventing us from making any real, like, fast or demonstrative progress. I mean, it's happening, but it's happening, I think, more slowly than many of us would like. What do you think is standing in the way of kind of us as leaders in addressing those diversity and gap and kind of talent issues we've kind of discussed? And what are some of the things maybe that we can look to implement in the future to be, you know, I don't want to end on a negative note. I want to be optimistic here that there's a way to kind of
make that forward momentum and progress.
Yeah. Well, obviously, recognizing it is an important first step. And as you say, I think mostly people have done that. There is sometimes a tendency to go admire the problem and go, oh, it's so big that others, you know, or if I do this little thing, is it really going to make a difference? There is no silver bullet. It's lots of little things. And the more we just get on and do those. So if I give some examples, when we look at our talent management, we look at our high performers. I always ask the question on the diversity of those high performers. When we're promoting people to fellows, so the technical excellence, have we got the diversity in there? And in some cases we find we haven't, and all it is is a tap on the shoulder. So in our fellows, for example, we had one female application. So we halted the process. I went out to a load of brilliant women and said, you know, there's this fellow thing and I think you'd be really good for it. And pretty much all of them went, I didn't think I was good enough. And all it took was a tap on the shoulder to say, you're so good enough. And then they applied. And now the diversity of our fellows is quite a lot better than it was. And as soon as you get that momentum in, it grows from there.
Mentoring is another area that's really close to my heart. It's not that hard to set up a mentoring scheme. We set up a Women in Cyber mentoring scheme. We didn't want it to be just BAE, because the value of mentoring is broad perspectives. So I used my industry contacts, and we've got so many different companies involved, from governments at the trans research labs in the UK, to Microsoft, to some of the big five consultancies, PwC. They're all involved in it because, you know, if you set up a good scheme, they'll all get involved. So we've got this cross-industry mentoring scheme for women in cyber, and the mentors can be men or women. And mentoring can be such an important moment in people's career, that moment when they just don't feel like they belong, they don't quite know where they're going, they've had a really bad day and they didn't feel like they were listened to in a meeting, or they were interrupted so many times. Just having that mentor that you can ring up and go, how do I handle this situation? It's really, you know, someone really trusting that you can talk to can make the difference between someone saying, do you know what? I just haven't got the energy anymore, versus, okay, I know how to handle this. I can bring in some more tools. I can challenge what's happening and stay in the industry. So never underestimate those small things that you do to really drive
the change.
Yeah. Well, and one of the things that has struck me, and I apologize for using a stat that's very US-centric, I'd have to relook it for where we are in kind of the global phenomenon. But, you know, as we track supply and demand in the US, and it's all publicly available, of like what jobs are open and available and then what's the availability of applicants, where is the talent pool, we've kind of for the first time seen that we have a surplus of entry-level candidates for roles. There are more candidates available than roles, which is a great news story in that we're getting more people interested in entering the field. But now, to your point, we still have this major gap in the middle. And, you know, when you talk about mentorship and bringing someone along, like we're not going to be able to fill that gap in the middle, or the gap of people who are starting to retire out or, you know, exit the field at their senior levels, until we have some mechanism not only to mentor but bring them through. And it really resonates with me when you talk about like a lot of women, they won't apply if they don't feel they need all the qualifications. But the reality is we're not going to be able to grow that talent unless we're part of the solution as industry to get them there. So it's, you know, it's twofold. It's like, how are we supporting those development pathways to bring people into those positions?
And, you know, that middle ground of people, those are the people that, that's why retention matters so much, that they do stay in and that you do have a way of really leaning in and coaching them and developing them. And I'll hook it back: that's why the behaviors piece in your team and the culture matters so much, because if you've got that good moral code and culture in the team, do you know what? It's an inclusive environment. And it being an inclusive environment is massively important to the retention, that everyone's voice is heard and respected. That makes a huge difference to feeling like you belong, which is just essential.
You've been listening to Mary Haigh, Global CISO at BAE Systems, speaking with N2K's Simone Petrella.
Thanks for joining us for this Solution Spotlight special edition.