“It’s not a job for the faint of heart,” she said. “You’re either constantly worried about whether today is the day that the big thing happens, or you’re having to deal with a big thing happening.”
After living nearly 20 years in New Zealand, it’s a concept native to her adopted country that guides UK-born Suzy Clarke in her leadership role.
“Kaitiakitanga, or guardianship, is a concept that comes from the indigenous people of New Zealand/Aotearoa, the Maori, who talk about being a good ancestor,” said Clarke, executive general manager for security at Xero, a global developer of online accounting software.
“That cultural influence has shaped my thinking about taking the long term view of leaving the security industry better than I found it, and contributing to improving things like gender diversity where I can. One of the things that we’ve been doing recently is asking, are you a good ancestor? Not, are you making the most of what you’ve been given, but are you actually paying it forward?”
Clarke has been working in technology for 24 years, beginning at an IT startup in England. It was there, looking at the company’s firewall logs, that she became fascinated by the fact that this tiny company in England was being targeted.
“Now, I know people were just sort of sweeping the internet. But it really sparked my interest in security, and so it became an area that I specialized in,” she recalled.
She got her start in banks and consultancies, and within a few years had moved to New Zealand where, as a pen tester at a bank, she discovered a very creative side of things in addition to the technical work.
“It was there that I saw the power of a very high-performing team,” she said. “There’s something very special about that moment because it really showed me not only how you could have a really fulfilling, engaged and engaging job, but also how you could build an amazing team by picking the right people.”
With that realization, Clarke understood that she wanted to be in a position to create things.
“I decided that people management and people leadership was more a calling that I wanted to try, and the bank supported me to do that and put me on a training course.”
For the past 14 years, she’s been leading teams in a variety of roles. Her career has included positions at ASB Bank, sustainable clothing maker Icebreaker and Cap Gemini Ernst & Young.
When the opportunity at Xero came up, it brought together three things for Clarke: the security background, the leadership, and a desire to contribute in New Zealand, the country that had allowed her to move there to help plug a cybersecurity skills shortage.
“It offered the opportunity to work for a Kiwi company that was trying to go global and make a positive impact on the world from New Zealand,” she said. “I was absolutely drawn to that.”
The evolving threat environment is a major challenge for all CISOs today, and is something Clarke is very focused on combating.
“I’m always thinking about how we stay ahead of the evolving threats,” she said. “We know the temperature is rising out there, and we have the added challenge of managing those threats while we grow and scale from a New Zealand-based business into a truly global player. This means we need to work very fast and ensure we provide multiple layers of protection to our customers.”
Supply chain risk, the use of artificial intelligence and machine learning as attack tools, and the rise of nation-state assaults on private organizations are major trends she identifies. Threats have accelerated, and there’s also the wild card factor, she said.
“You just don’t know what the really next big thing will be,” she said. “We have to be agile and aware and tuned in enough to switch on and respond when it does appear, because some of the stuff comes out of left field, like the commercialization of ransomware, which has become a business model!”
One of Clarke’s many mentors said something to her that has served as a lodestar: Learn from everyone, be it a barista or a CEO.
“If they’re doing a great job, how is it they’re doing that? What is that amazing thing? And if they’re not doing a good job, then think, that’s not the leader I want to be and learn from that, too.”
It took four or five years before Clarke worked with another female on a security team, and much longer before she reported to a female.
Recently, her team at Xero won the Best Place for Women to Work in Security Award at the inaugural NZ Women in Security Awards. At the time, 33% of Xero’s security team were female, and junior team members were 57% non-male. That’s sharply higher than the industry average of less than 20%, which was the level the team was at when she joined Xero in 2019.
“I know the lived experience of being the only female for years at a time, so I felt the obligation to improve things for the better,” she wrote in a recent article. “Also, as a gay woman, I know the difference between having a diverse team and truly having inclusion.”
Clarke worked closely with Xero’s talent team to identify and approach female security leaders, and tasked colleagues with increasing female diversity within the leadership team. She also broadened the potential talent pool by focusing on candidates who could bring curiosity, culture fit and a hacker mindset to their roles, rather than specific security experience or certifications.
“That included us hiring many new team members from adjacent roles within Xero,” she said.
Xero’s corporate culture encouraged diversity, she said. The company recently installed its first female CEO, and the executive leadership team is more than 40% female.
Another innovation at the company that Clarke takes pride in is the productization of the security function internally.
“It’s us trying to make the engineers’ lives easier and understanding how to enable them more instead of regarding ourselves as separate from everything else that’s going on in this company,” she said. “It’s been incredibly effective.”
Over the years, Clarke has seen the CISO’s role evolve in importance as security increasingly becomes a business concern. She reports to the board, and took a director’s course to understand what directors care about, what language they use, and what perspective they take on a business.
“I literally just sort of stood in their shoes and realized, that’s how they see it,” she said. “And then I was able to align with them more and talk to them in the way they talk to each other.”
Aside from business acumen, today’s successful CISO needs a growth mindset and “deep, deep resilience,” she said, laughing.
With such a high-pressure job, Clarke loves being active and off-screen.
“I love surfing, playing soccer, things where I have to be really present and can’t be fiddling with my phone,” she said. “When you’re out on the water surfing, it’s a multiple hazard environment. You’ve got to be aware of other surfers and the waves and sharks, so it puts you in this really present state. It also gives a sense of connectedness as well, that sense of flow that you get.”
To young security professionals, she advises “stay curious, and find a way to hold on to that beginner’s mindset.”
“Don’t be afraid to ask questions, because sometimes that is the thing that unlocks the solution that other people who are perhaps a bit more expert or experienced are overlooking,” she said.
She also recommends against specializing too early.
“Rotate yourself through a lot of different areas and find the one that lights you up, because there are going to be some hard days in security, and you want to have that high engagement that puts you on the front foot,” she said.
One of the things that Clarke loves best about the security field is “people’s willingness to support each other.”
“We all do lean in to try and help uplift the industry,” she said. “Sometimes we think we’re sort of competing, but on some of the key things in security we need to work together, so it’s more collaborative.”