Archive.fm

CyberWire Daily

Solution Spotlight: Mary Haigh, Global CISO of BAE Systems, on building a cybersecurity team.

On this Solution Spotlight, guest Dr. Mary Haigh, Global CISO of BAE Systems, speaks with N2K President Simone Petrella about moving beyond the technical to build a cybersecurity team. Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
27m
Broadcast on:
11 Sep 2024
Audio Format:
mp3


You're listening to the CyberWire network, powered by N2K.

Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure, user-friendly file-sharing solution. KiteWorks, a FedRAMP Moderate authorized solution, supports nearly 90% of CMMC 2.0 Level 3 requirements, reducing compliance effort and cost. KiteWorks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. Its intuitive UI, mobile apps and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with the KiteWorks universal secure file-sharing platform, made for defense contractors. Visit kiteworks.com to get started.

This episode is brought to you by Microsoft Azure. Turn your ideas into reality with an Azure free account. Get everything you need to develop apps across cloud and hybrid environments, scale workloads, create cloud-connected mobile experiences and so much more. Discover what you can create with popular services free for 12 months. Learn more at azure.com, that's azure.com, and sign up for a free account to start building in the cloud today.

Hello, and thanks for joining us. In today's Solution Spotlight Special Edition, Mary Haigh, Global CISO of BAE Systems, speaks with N2K's Simone Petrella about moving beyond the technical to build a cybersecurity team.

Well, today I am honored to be joined by Dr. Mary Haigh, the Global CISO of BAE Systems. Mary, thank you so much for being with us today.

It's a pleasure to be here.

Just to broadly start off, because I think it's incredibly interesting to our listeners, and I know I did a little bit of research about you: can you tell us a little bit about your journey into cybersecurity and being a CISO? Because I think, like many, it is not what we typically expect.

Yes, if there is a typical journey here.
So I started life as a semiconductor physicist, working on military thermal cameras, of all things, and then I went into building out intellectual property into businesses. So that gave me the business experience of what's the market, who are the competition, how do you set up a successful business model, how are you going to get investment and grow it. And from that, I dived into cybersecurity because they asked me to go and work with a cybersecurity business on how they should develop their product. So that took me into the cyber world about 15 years ago. And I've never left, because it was such an interesting space to be in in terms of, well, a fascinating market, fascinating development, a real sense of purpose and doing good. And so I kind of stayed in cyber, and in there I've done everything from managing business groups that were focused on cross-domain solutions, so how do you connect the internet to top secret and the controls you have in place, and security monitoring, so quite a lot on the technologies in security monitoring. So really broadening out and learning about lots of different aspects of cybersecurity. And there are so many different aspects of cybersecurity, so sort of learning about more and more of those and managing those as product lines and services. And then about three and a half years ago, I got a phone call to say, are you interested in doing a CISO role at BAE Systems, which was one of those wonderful phone calls where you go immediately, oh, yes, because that was, for me, the other side of the fence. So I'd been doing all of this work on developing products to take to market and understanding all of the customer problems and the market needs, and now suddenly I had the chance to go on to, if you like, that customer side. So do cybersecurity for yourself across a company like BAE Systems, and that was pretty exciting.
Can you help describe, because as I understand it, your role in BAE Systems is internally focused on the company's own security, but obviously BAE Systems also does cybersecurity work for its customers and clients. So what's that dynamic like in an organization that both delivers security and security services and products, but also has to be mindful of its own security controls and programs?

Yeah, I mean, it's actually quite a useful dynamic because there's a good understanding across all levels of the organization that cybersecurity matters. You can easily see when you're producing a product or a service to take into a battlespace environment, you know, a defence environment, that the stakes are high and cyber is a domain of warfare. So our products in and of themselves must be resilient against that environment. And of course, that plays right back through to when you're building them in the environment within BAE Systems. So it's not some separate thing, the cybersecurity of our products and the cybersecurity of our internal infrastructure; the two are inextricably linked. If you develop our products in a really poor security environment, they're not going to perform well in that, you know, the secrets will already have been leaked, if you like, of how they work. So although, from a strict governance model point of view, engineering does the management of that product side, from a "what is good cybersecurity? what culture do we want across the whole organization? how do you do good thinking about risk, thinking about threat, thinking about the controls you put in place?" point of view, we try to do that consistently across the organization. So I work very closely with engineering and with manufacturing to drive that consistency wherever we can.
And in fact, we updated our concept of operations recently, our operating model, so that it's one operating model describing the whole of cybersecurity, right across IT, OT, products and internal infrastructure, because they're so linked.

It's fascinating. And I think it's such a unique feature of so many companies like BAE that are doing kind of that customer-facing work, but worrying about their own. I want to flip on you because I know that, you know, in your role as a leader and in your background, you have been a big advocate for diversity in the field and women in particular. And I want to start with a quote that you gave earlier this summer. You said, "I hire for attitude and often it's the technical skills that we can't teach." Is there a moment in time, like what was the aha moment where you came to that philosophy?

It was actually in this role. So many people were saying to me, oh, one of our biggest risks is skill shortages. It's a really small pool of talent. It's really hard to hire. And I listened to all of that and thought, okay, well, we'll grow our own. We've got to play a part as good cyber citizens in growing that talent pool, because if a massive company like BAE can't do it, then who can, right? So we've got to be part of building that pool of people. And I looked at my team and who was in it and thought, they've not all got cybersecurity degrees, they're not all computer scientists, they're from a massive range of backgrounds. I'm a physicist, we've got biologists, a geographer, a dancer, so many different backgrounds. And yet they were all really strong together. And actually they were strong partly because of that diversity of background. And so then, when I was actually having some mentoring with a coach and really getting into how do I build teams and how do I think about the behaviors that I want?
And I realized that when I drew that kind of hierarchy of needs, when you're thinking about building a team, it wasn't technical skill that was at the top. It was those attitudes, that moral code, because if the team really gels together in a common moral code, we've got each other's backs, we absolutely trust each other, we've got the same kind of outlook on those fundamental things, then you have an incredibly strong foundation to your team and you can build the rest of it after that. It was something that I think I'd done for a little bit, but perhaps not as consciously. And then when it became a really conscious thing, it allows you to build it out a little bit more, doesn't it?

Right. Well, and I love it, and I'm very biased in saying I love this, because Rick Howard and I have given many a talk and we have this kind of metaphor that we use, that building a cybersecurity team is similar to the book Moneyball by Michael Lewis here in the U.S. It is a team-based approach, and we often don't take a team-based approach to building out our cybersecurity teams. And you know, so it's like, how do you kind of look at the entire playing field and identify the positions and where people go? And just because you bring on that superstar, even if you have a team, right? We see this in the Olympics: you can have a team of all superstars, but that doesn't mean that they all are going to work well together as a team. So being able to understand that dynamic just as much as the raw skill sets is so important. So I love that.

And if you take your sporting metaphor a step further, the team of superstars are the visible ones, but behind the team of superstars are the dieticians and the trainers and the psychologists.
And, you know, actually there's a massive range of people that have led to those visible ones being superstars, and it's the same in the cyber teams that, you know, people like the cybersecurity architects or the head of the SOC, they're very visible, but actually it's a whole massive load more that happens behind the scenes to deliver a good cybersecurity effect.

Right. You know, one thing I know that you also have talked about is the importance of data, and how that drives so much of the decision making and prioritization that happens within your team at BAE. And obviously we're talking a lot about people, but I would love to understand more: what are some of the things that you and your team are doing? What does BAE do to sort of embody that data-driven approach to making decisions when it comes to building teams, but also identifying what are your priorities in your security controls and program?

So there were kind of two key bits when I came in as CISO that felt really important, because there were a lot of, I call it, emotion-based decisions that were then revisited and re-challenged lots of times, that took a long time to reach a consensus and a decision, and that in a world where, in cybersecurity, agility is unbelievably important because the threat is changing and the technologies are changing. So if you take a long time to work out how to respond to that, you're behind the curve already. So there was the data underpinning, understanding where your risk is, and the governance model such that you can show that data to the right group of people at the right cadence at the right times, such that they make the right decisions, you've got the right expertise in the room to make the decisions, and that decision then sticks. Those two things together were really important.
So we spent quite a bit of time looking at how other people do it, what is the best practice out there around the dashboards, and you can sketch up what you'd like to see to drive decisions. So we sort of did it from a point of view of "I'm going to need to make these types of decisions, so what data would help me do that?" as opposed to "here's a load of data, did that help you make the decision?" Because sometimes you can be overwhelmed. The difficult bit then, of course, is the plumbing behind that. So it's easy to sketch a dashboard, but you need the data to be plumbed in and to be consistent across the organization such that it does hang together in a dashboard that gives you a good picture across the organization at scale. So we did a lot of work on getting that plumbing in place, which is never the most attractive, exciting thing, but actually is absolutely fundamental to having those dashboards.

But to your point, I mean, it's so critical to know what business objective you're trying to accomplish at the get-go, because there's so much minutiae and tedium to kind of get all that data going, and it can also be very confusing because there's so much data that we have at our disposal. So how do you really separate that signal from the noise of what we hear?

It's "what's the question you're trying to answer?" Stick with the question and then go to the data. But we were willing to build a few dashboards which we threw away. So we did have some which we built and then went, you know, that's not actually useful. So there is a bit of a kind of fail-fast approach to it. It is really important to start on the question rather than the data.

We'll be right back.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.

Now, I know BAE is a global company and so has to perform across regulatory schemas in many countries. In the U.S., the Office of the National Cyber Director and the White House have been making a big push around skills-based hiring, specifically in the U.S. government, even to the point of reclassifying job codes. I'm curious, if you have seen, again, I know this is more on the customer, client-facing side than internally, but has that started to change the way BAE is thinking about its workforce, how it supports those U.S. federal government clients, and what are they doing in order to sort of evolve to meet those new requirements?

Yeah, we're seeing that push from across Five Eyes, so across the U.S.,
UK, Australia in particular. I'd sort of characterize it as: cybersecurity, in the grand scheme of things, is quite a new space, really, and we're trying to professionalize, so you see my generation coming through with a whole load of crazy and fantastic backgrounds. That's brilliant, but we do need to professionalize it, so, particularly for smaller companies, I think it's quite hard if you're starting from scratch building a cybersecurity capability, knowing what you're looking for, because there are increasingly qualifications where you can go, yes, if you've got that and that, then they're good, but it's a little bit mixed. So professionalizing it more is an important part of maturing cybersecurity as a profession, whilst not losing some of those useful backgrounds, so you do need to make sure that the professionalization still brings career changers in, because they're a valuable part of it, so we're tracking that. The UK Cyber Security Council has done some work on that, and in the U.S., as you've called out, and we're trying to mirror that. So simple things like our way of describing the roles in cybersecurity, we have taken, as it happens, the UK way of describing it, because what I don't want is to hire for a job role and use a totally different term for it than anyone else in the market, because it's really unhelpful. So standardizing the way that we talk about roles and the development framework, so if you're in this role, these are the types of ways that you would develop your career in that role, and taking that deliberately from government-developed things, because it's only when industry gets behind government that you get the momentum to standardize and to professionalize it.
And as someone who has spent a lot of my time in that space, it just takes a lot of strategy and thought that often, I think, as a security profession, we don't want to take that step back and do that lift, because we're like, "Well, no, you have to defend the network now," and that takes a lot of that kind of strategic step-back work, so we often get stuck in this in-between purgatory.

Yeah, and I think it is something that's better to do at a national level, because if I did it in BAE and the other defence primes did it, not only would it take up a lot of our time, but we'd all come out with something a tiny bit different, and actually those differences don't add value. So pull together a really good team at a national level, and then everyone else takes it, I think, is the most efficient approach.

My last question is, I do want to touch on diversity in the field, one, because I always love to have a chance to talk to other really amazing industry executives and women in the field who have really made it to the top of their games, and one thing that always frustrates me when we talk about the cybersecurity profession and the people strategy associated with it is that I think everyone kind of lines up and says, "We have this need for diversity, and we're committed to doing these things," and I think there's a lot of consensus around that point, but I also think there are still some really major roadblocks that seem to be preventing us from making any real, like, fast or demonstrative progress. I mean, it's happening, but it's happening, I think, more slowly than many of us would like. What do you think is standing in the way of us as leaders in addressing those diversity gaps and the kind of talent issues we've discussed, and what are some of the things maybe that we can look to implement in the future? And, you know, I don't want to end on a negative note.
I want to be optimistic here that there's a way to kind of make that forward momentum and progress.

Yep. Well, obviously recognising it is an important first step, and as you say, I think mostly people have done that. Sometimes there's a tendency to admire the problem and go, "Oh, it's so big," or, you know, "if I do this little thing, is it really going to make a difference?" There is no silver bullet, it's lots of little things, and the more we just get on and do those. So if I give some examples: when we look at our talent management and we look at our high performers, I always ask the question on the diversity of those high performers. When we're promoting people to fellows, so the technical excellence, have we got the diversity in there? And in some cases, we find we haven't, and all it needs is a tap on the shoulder. So in our fellows, for example, we had one female application, so we halted the process. I went out to a load of brilliant women and said, "You know, there's this fellows thing, and I think you'd be really good for it." And pretty much all of them went, "I didn't think I was good enough," and all it took was a tap on the shoulder to say, "You're so good enough," and then they applied. And now the diversity of our fellows is quite a lot better than it was, and as soon as you get that momentum in, it grows from there. Mentoring is another area that's really close to my heart. It's not that hard to set up a mentoring scheme; we set up a women's cyber mentoring scheme. We didn't want it to be just BAE, because the value of mentoring is broad perspectives. So I used my industry contacts, and we've got so many different companies involved, from governments, the Chinese research labs in the UK, to Microsoft, to some of the big five consultancies, PwC, they're all involved in it, because if you set up a good scheme, they'll all get involved.
So we've got this cross-industry mentoring scheme for women in cyber, and the mentors can be men or women, and mentoring can be such an important moment in people's careers. That moment when they just don't feel like they belong, they don't quite know where they're going, they've had a really bad day, and they didn't feel like they were listened to in a meeting, or they were interrupted so many times. Just having that mentor that you can bring it up with and go, "How do I handle this situation?" Having someone you really trust that you can talk to can make the difference between someone saying, "Do you know what? I just haven't got the energy anymore," versus, "Okay, I know how to handle this. I can bring in some more tools. I can challenge what's happening and stay in the industry." So never underestimate those small things that you do to really drive the change.

Yeah, well, and one of the things that struck me, and I apologize for using a stat that's very US-centric. I'd have to re-look at it for where we are in kind of the global phenomenon, but, you know, as we track supply and demand in the US, and it's all publicly available, of what jobs are open and available, and then what's the availability of applicants, where is the talent pool? We've kind of, for the first time, seen that we have a surplus of entry-level candidates for roles. There are more candidates available than roles, which is a great news story in that we're getting more people interested in entering the field.
But now, to your point, we still have this major gap in the middle, and, you know, when you talk about mentorship and bringing someone along, we're not going to be able to fill that gap in the middle, or the gap of people who are starting to retire out or exit the field at the senior levels, until we have some mechanism not only to mentor but to bring them through. And it really resonates with me when you talk about, like, a lot of women, they won't apply if they don't meet all the qualifications. But the reality is, we're not going to be able to grow that talent unless we're part of the solution as industry to get them there. So it's, you know, twofold: how are we supporting those development pathways to bring people into those positions?

Definitely. And, you know, that middle ground of people, those are the people, that's why retention matters so much, that they do stay in, and that you do have a way of really leaning in and coaching them and developing them, and I'll hook it back. That's why the behavior piece in your team and the culture matters so much. Because if you've got that good moral code and culture in the team, do you know what? It's an inclusive environment, and it being an inclusive environment is massively important to retention, that everyone's voice is heard and respected. That makes a huge difference to feeling like you belong, which is just essential.

You've been listening to Mary Haigh, Global CISO at BAE Systems, speaking with N2K's Simone Petrella. Thanks for joining us for this Solution Spotlight Special Edition.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners.
Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts, and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire, that's mwise.io/cyberwire.