In this interview, Clea Ostendorf, Field CISO at Code42, discusses the vital role of diversity and innovation in tackling cybersecurity challenges. Ostendorf emphasizes the importance of welcoming unconventional thinkers and leveraging their fresh perspectives to enhance security posture within organizations. Addressing the burnout crisis in the cybersecurity industry, Ostendorf advocates for prioritizing employee well-being through measures such as rotating duties, supporting professional development, and promoting a healthy work-life balance. Read more of her insights:
In your experience, what are the benefits for an organization in actively seeking and welcoming newcomers who may not fit the traditional mold of cybersecurity professionals? Can you share any success stories or examples where such inclusion has positively impacted an organization's security posture?
Cybersecurity is not the same threat landscape as it was a decade ago or even five years ago. We need to welcome innovative thinkers who can look at the problems the industry is facing and bring in fresh perspectives. How do we do this? Think about the role you are hiring for. An analyst needs to be curious and derive satisfaction from digging into something and tying the pieces together. A security and awareness role requires someone who understands how people learn, how to motivate, and how to engage – educators would do great here. If you have a deluge of alerts, find someone who has worked in a fast-paced, high-stress environment. Technology you can train on; innate skills are what we need to hire for if we want to close the gaps in cybersecurity.
What specific approaches do you recommend for nurturing and retaining individuals who possess a natural curiosity and unconventional thinking in the field of cybersecurity? How can these traits be leveraged to improve security hygiene within an organization?
The cybersecurity industry, like many fast-paced sectors, is facing a burnout crisis. The cortisol levels of many responders are at an all-time high, with seemingly endless threats hitting their systems daily. If we want to retain people in this industry, leaders need to help break down how to prioritize the risk-to-alert ratio as well as provide opportunities for growth and engagement outside of just their day job. For example, rotating duties to reduce burnout, encouraging company-paid industry conferences to learn, and encouraging employees to take PTO.
We also have an opportunity to improve security hygiene and retain talent by expanding the security program outside of the security department. This is where the BISO role has flourished, and the concepts of shifting left began – empowering employees whose job is not security to be part of the solution.
How can organizations balance the need for innovative thinking and challenging conventional norms with the necessity to adhere to established cybersecurity protocols and standards? What role does leadership play in ensuring this balance is maintained?
Organizations should continuously aim to provide their teams with the tools and resources needed to keep pace with rapidly shifting tools, such as generative AI. Security teams must empower users to innovate and explore while also ensuring they have the resources and training to comply with company-wide security standards. By striking a balance between innovation and security, leaders can encourage a culture conducive to educating and fostering growth within the organization.
Leadership must also recognize internal threats may be as simple as unintentionally exposing data simply through human error, opting for the most efficient methods, or unknowingly participating in hackers’ scams. A crucial component of data protection is providing continuous training to employees. Not only should training be frequent, but it should express the “why” behind policies to foster buy-in from teams. By rallying teammates around safeguarding data, security teams can create far more robust data protection as employees become active and responsible partners. Keeping best practices top of mind fights negligence and encourages employees to establish good behaviors that follow company protocols.
Of course, we must also touch on data protection in the age of Generative AI. These tools have introduced new conversations around the need to both invite adoption and encourage innovation while fine-tuning and setting standards around their use. Organizations should adopt a comprehensive approach that considers not only the technological aspects but also accounts for the human and procedural elements in order to strike a balance between innovation and security.
In your perspective, how does the presence of women in cybersecurity enrich and diversify the approaches to tackling digital threats?
It’s been proven that a diverse workforce helps solve problems faster and creates more innovation. The role of women in cybersecurity is no different. The greatest change I’ve seen with more women entering the cybersecurity space is in how we approach security. While the traditional path may have been with a stick (blocking, saying no, limited transparency), women in security leadership roles focus on collaboration, partnership, and understanding. These characteristics can be seen in increased real-time training, transparency, and communication around programs such as Insider Threat and explaining the why behind decisions. It’s changing the culture of security internally and industry-wide.
As a woman who has achieved success in the predominantly male-dominated field of cybersecurity, could you share your insights on the challenges you faced and how you overcame them? What advice would you give to young women aspiring to carve out a career in this industry?
The hardest thing I’ve faced is being dismissed because I don’t have the same background. True, I may not have had to build a network or understand the intricacies of coding, but in security, tooling is only one part of the equation. I began to gain confidence when I realized that for all of the tools or results from a penetration test to be effective, you need to have someone who can help drive the people equation. How do you shift left in AppSec? How do you get your employees to be more data secure without slowing down their collaboration?
Security as an industry needs help to adjust to the modern work environment, and aspiring professionals can utilize their existing array of expertise today; the tech skills can be learned. My final words of wisdom: when in doubt, over-prepare and have an opinion on the problem. If you show up with some background knowledge, you can ask the right questions and learn – everyone loves to talk.