From Uncertainty To Leadership: Navigating The Path To CISO - Hazel McPherson

are you are you all in the right talk I'm Hazel mcfur and I'm going to talk about how I became a ceso and if you're not in the right talk just humor me so hopefully I won't get it wrong and uh it's mainly about me so if I do get it wrong sorry so I'm calling this from uncertainty to leadership because I didn't know what I wanted to be when I grew up in fact that's not entirely true I'm going to skip a few slides just in the interest of time if I can make this work um so to explain a little bit about where I came from I'm going to take you right back to when I was a child and my

first thought about what I wanted to be of course was an astronaut clearly that wasn't for me um I realized there was a lot of physical activity involved in that and I like pizza so that wasn't really going to be my career of choice so I thought actually police officer that's that's a nice respectable career and I was watching quite a lot of the bill at the time so that was very popular and I thought no that that could be good I'll do that and then I realized I probably didn't enjoy confrontation that much but that was a good few years of of my early years that I thought though that's that's for me so after deciding not

confrontation forensic investigator that sounds cool um and I thought was still sticking with the police and it's still kind of interesting bit more sciency um and then I realized what I probably have to see on a day-to-day basis as a forensic investigator and realized that I'm probably not that good with Gore by this time casualty had started on the television so paramedic that was my next choice uh quickly remembered about the gore and went off that idea so what I settled on actually around the age of 16 was graphic designer which was completely different to the other choices slightly uh less exciting but more safe and that was my trajectory through a levels and I did

graphic design and art and applied for a position at Southampton University which I did not get so that was my first disappointing point because I decided this was what I was going to be and somebody told me no you can't do that so I I went through quite a horrific um I call it a horrific dramatizing it quite a lot went through quite a a horrific um interview process where I got on a train for a few hours went to Southampton with thousands of other people it felt like it was hundreds but it felt like millions and basically we in very sort of um I don't know the The Apprentice type style we went through a day of

being interviewed being shown around um and at the end of the day we were taken into two separate rooms and those people in the room that I was in was said thank you very much go home on your train and we didn't get a place and that was the end of that that was the end of university for me um because I decided after that point s University I'm not going so what did happen between the ages of 18 and 24 um as it says up there and don't know not not a lot really I did lots of things but they were all quite different and colorful so this slide depicts some of the things that I did do

before the age of 24 in no particular order I did some telephone sales which was interesting I worked in a warehouse I worked in a kitchen I worked in a factory that did lots of things with eggs that lasted 6 hours I worked for a company that sold holidays on the telephone which was again was sales-based and I also worked for a company that put me in a little Minivan and drove me around the local area every day dropped me off and I went knocking on people's doors to try and sell them windows and conservatories none of which I was very good at particularly the sales stuff so in 2001 during one of my temporary positions I got an opportunity

um to go on a training course somebody had seen something in me which I hadn't seen at the time which meant that they they saw uh potential so what they'd seen was that I was quite good at PowerPoint and my design skills were actually coming through at that point eventually and they thought oh well you know let's see what she can do with Crystal Reports anybody remember Crystal Reports yeah still love a good Crystal report so so I went on a few training courses and they taught me in Crystal Reports and Crystal decisions as it was and SQL server and I did that for a few years and I thought kind of really enjoy this want to do a bit more so I did that

was the start of my journey there's a theme astronaut stay with it so in 2003 I left that organization and that was my sort of first wavy journey I learned some Unix I did some Oracle I learned about telephony system systems and in 2008 I got my first Microsoft certification and for me that was my first professional certification I was very pray of myself if anybody knows you can set any Microsoft exam pass it and get a a few letters so it wasn't brilliant but it was for me very proud moment I became if I can read that a Microsoft certified systems administrator at that point which was more than one exam so I kept going 2009 I applied to

the British computer Society to become a chartered IT professional and as I was filling that application form in with a pen CU it was a pen at the time I thought I'm never going to get this chartered that's something that accountants get or engineers get that's something my academically brilliant brother gets not me but it did I got it and that started another little journey and I learned about hyperv and exchange and then I went to work for the NHS and went backwards a few years but there I learned about more core networking and VMware and solo winds and Apple products and all kinds of other stuff so if we go from 2003 to 2013 in

10 years I was like a sponge absorbing all those kinds of Technologies at the age of 38 those of you who can do the math will know how old I am now um I had a light bulb moment and it was whilst I was working at the NHS and there was a course that they were looking for volunteers to go on to and that was effectively what we know now as the isc2 healthc care cisp of course I can never remember all the letters but they were looking at bringing that into NHS in in England and they were asking for volunteers to go and sit the course and give feedback to isc2 to tell them whether it was any

good for a UK audience um it was very us Centric lots of the uh governor was all us-based so that was the kind of feedback that they're looking for that was a 5-day course and at that point I think it was probably about half an hour into the course I realized security is for me and that was a lightboard moment because I I came home from that course and everything that I wanted to do after that was 100% security Now be mind 10 years we didn't really call it cyber security in my world it was just something that that you did with the technology so there's another wiggly line coming 2014 I did some iil stuff

was part of my job that I was doing at the moment Prince to that was the course I've just told you about the hcispp if anybody's interested in the letters um then this is when I got home I went to New North umia University not in Newcastle in London because it was whilst I was working full-time and I went pretty much every other weekend London for 2 years and studied cyber security and I never thought that I would go to university when I decided Southampton experience had sort of scarred me for life but I went when I was 38 and I did a masters in cyber security and then I did a sisp as I was

doing that because everybody else was so why not and then I got a scholarship to do the CCNA cyber Ops is what that says which was a new course from Cisco at the time at the point this is this is very Whitt Whistle Stop but at the point where I decided to go to university and get the Masters there was a point that I was like okay I need that certificate I need that backing the academically sort of rubber stamp for me to be able to feel confident to go into a ceso role and that was my ultimate goal to become a ceso somewhere because in my mind that was the Pinnacle of security that was

the aim that I was trying to get to that position and therefore I'd made it so that was important to explain because I sat the certified ceso exam has anybody done that don't I learned very little during that exam and all they really want to relieve me of is a couple of hundred quit a year to keep the certification if you do things like these professional certifications that I've done before the industry ones you'll learn so much more you'll learn about the technology that you're using these these kind of overarching rubber stamped ones if you've done the underlying work first you don't really really learn that much but I wanted it it was nice cuz you know

I'm certified ceso now I then did my iil 4 managing professional transition exam um and that that's important because that reminded me that I enjoyed learning so I signed up to do an MBA yes two masters and at the same point I decided to restart bides in Bristol with some very important people in the room and this is a few months at date now but I've also started a company with those uh some of those same people doing um tech for good type activities so why have I taken you through that Journey it's quite quite an intensive Journey um it's a long one it's taken me a number of years to get here it's not necessarily the path that

I would have thought that i' would have done when I was at at school it's absolutely nowhere near anybody else's path I don't think and the important part is that you can make your own way but you keep have to you know go back and learn new technologies learn new things there was two points in this entire Journey where I thought I need to do something different I need to change it and that was when I realized the start of this one I need to do more kind of manery business type stuff I need to be able to sit at a table with directors and talk to them I need to be able to translate technical stuff into

everyday language I'm not going to do that just by looking at the computer kit St much much more interesting PR pressing buttons but there is the point where you have to if you want to progress you've got to start diversifying your own skills as well so on that topic my takeaway comments would be continue to be curious be curious about the technology but be curious about things that surround it the people every solution isn't a technical solution so the people are really important not just the people that are using the technology but the people that You' got to talk to and interact with every day explore things teaching you what to suck eggs hopefully because if you're in

cyber if you're in technology you've already taken things apart and found out how they go back together again share that knowledge so share environments like this share it with people share it with your family share it with your co-workers don't keep that knowledge to yourself share it with everybody and that's how we improve things and trust trust in yourself trust in each other trust in the process you know if you'd have asked the 16-year-old me whether I best stood here today um being called a ciso and talking to people about how I got there I wouldn't have had a clue what that even meant so you've got to trust in your own abilities and keep following what your

desire is if anybody asked me today why why did I want to be a ceso it's not a really good answer the good answer is now I am I can affect change and I can do things in a capacity as a senior leader that I didn't have the ability to do as a network engineer as a a systems engineer so if that's for you then follow that path if you think ceso that's great you must earn a lot of money depends on the organization that you're working for the stress level is equal to the amount of compens ation that you get my question to you would be why why do you want to be a ceso because

if it isn't for the right reasons just don't do it to yourself find your place to be find your place wherever that is in the massive umbrella that is cyber security and go for that because you you don't want to be unhappy in an industry that is as rich and important as this so don't follow Dreams Just because that's the the kind of most senior leadership um follow your own dreams but doesn't matter what path you've taken you can get there because if you are curious and you explore you can learn all the skills that you need to get anywhere you want to be so to that message the important thing is that you believe in yourself because

if you don't believe in yourself nobody else will and if you want to talk to me any further about any of that LinkedIn is a good place or there's my email any questions Elana one is being very cheeky are there currently tickets for sale besid Crystal which is in August you know that they are they went on sale at 11 o'cl this morning yep so if you want to go to uh there are tickets available and you'll probably hear us all talk again uh and secondly actually what is the best piece of I know it's really hard to put into singular but if someone wants to be a ceso how do they figure out if that's

for them it's a really good question because actually being at this level in every organization is going to be different so in the organization that I work for which is a financial services organization I would say sort of medium to to large now um it's very focused on governance so there's lots of compliance lots of governance in financial services if that isn't for you that isn't the space a ceso in a different organization might be complet completely different this is one of my bug bears at the moment because the description of ciso is different wherever you look and if it's a small manufacturing organization which I've worked in previously as well they might want you to be completely Hands-On

and they've given you that title because you're the most senior person in the organization but you don't have any staff you're just manager of systems um if you are looking at what I would say is a seeso position it is uh not necessarily a board position but it is a senior leadership position and you have the ability then to shape that organization in terms of strategy and hopefully embed some good processes and procedures for security and you don't compromise on the Integrity of that if you are comfortable being at board meetings being on risk committees talking to people convincing them that often they're going to need to do something that slows projects down that costs more money that isn't popular

that's a lot of my time if if you're not good with relationships and communicating you're not going to enjoy it cuz mostly I'll be invited into meetings to come out with an outcome that might not be the outcome that I want that might be the outcome that's a compromise does that answer your question good anyone else go ask me anything I'll be CED go how do you how do you find the interesting how do you find

comp so my position currently isn't board level position I report into the IT director which is a whole other conversation that I'm happy to have um how does it compare I think I'm quite lucky in the organization that I'm in at the moment because I do get the respect that I think the position deserves and the board are listening to me so and I think I was quite fortunate that when I went into that organization that was the case mostly anyway so I think it's difficult having spoken to other people in other organizations it's difficult for them to get the ear of the board especially when it's a quite a difficult topic to talk about in terms of budget

and time and people and all the rest of it that everybody struggles with I think if you are able to spend time understanding from a finance director's point of view from a sales director's point of view what their concerns are how they shape the business and then work with them to try and find Solutions if you go in you know you you can't do that cuz it's not secure you're never going to win any friends if you start with their position in mind and then take it from there a lot of it is negotiation skills you know I'm not going to use the word manipulation but sometimes that's helpful too but in a very polite and professional

manner a lot of it is so when people think oh I want to be ceso forget about all the technical stuff hopefully you've got a team for that you've got to have an understanding of it and that's easier if you've come up through those technical roles but a lot of it is sitting in meetings talking about risk negotiating bu budgets um finding ways to communicate with people who don't want to do what you need them to do effectively um and talking about governance compliance and risk it's all right anyone else go for it subject I guess you're in charge of recruitment in your team into my team I will be yeah yeah how would youc wom into your team the I work for

to give some cont are struggling in that respect tried everything so is there any insight about attracting women into your team so I I don't have a diversity problem in my team just saying um I I would say that I've been the only woman in technology in it in lots of areas for a long time and it's an ongoing problem unfortunately I thought it might have improved it has slightly but the retention of women into these roles is is now a problem as well so I think it goes beyond your recruitment techniques you've got to look at your culture because when women get into positions I'm talking about myself when I talk about women's as well because when I've

gotten into positions before that have been male dominated with the teams there is a culture that goes with that especially in technology teams and unless you are focusing on changing that as well which is a lot bigger job than just getting some women through the door and on the seats um you're always going to lose them because when you put people into an environment that isn't supportive of their needs why would they stay and I'm I'm talking about really simple stuff such as the temperature of the office the ambient noise whether you ask them to be in the office when at what points in the month do they want to be in the office you know these these all considerations

for women and at one organization they might be more flexible they might have control over their environment and they they stay because they're physically more comfortable most office environments have been designed with men in mind unfortunately and so when you look at why women aren't staying look at where where you're putting them not just about people as well any other questions we at time so do you have any come see me afterwards in the thank you